Security Measures

Below are the technical measures taken by the provider to protect data processed in cloud services:

Firewall

Personal data are protected against the risk of intrusion by firewall systems, which are kept up-to-date with the best available technology.

Malware protection

The systems are protected against malware through the use of anti-malware that is constantly kept up to date.

Authentication credentials

The systems are configured in such a way as to allow access only to persons with unique authentication credentials (username and password).

Password

The password has the following basic characteristics: requirement to be changed at first access, minimum length, complexity rules, expiry, history, contextual evaluation of robustness, hash storage.

Logging

The systems are configured in such a way that access can be tracked, and where appropriate the same is true for activities performed by the various types of users protected by adequate security measures that guarantee their integrity, confidentiality and availability. Upon request, the Supplier can provide customers with the application logs

produced by them in the use of the services, restricted to the data of the requesting party.

Backup & Restore

Appropriate measures are taken to ensure that access to the data can be restored in the event of damage to the data or electronic instruments. A business continuity and disaster recovery plan is in place, ensuring availability and access to systems even in the event of major adverse events.

Vulnerability Assessment & Penetration Test

The supplier periodically performs technical vulnerability analyses and notes the state of exposure to known vulnerabilities, both with respect to infrastructure and applications. Where deemed appropriate in relation to the potential risks identified, these checks are periodically supplemented with Penetration Tests, through simulations of

intrusions using different attack scenarios. The results of the tests are examined in detail to identify and implement the necessary improvements to guarantee the expected level of security.

System Administrators

A log management system is managed for all users who will be provided as System Administrators, whose assigned functions are appropriately defined in specific appointment documents. This system is aimed at the timely tracking of accesses made and the conservation of such data with unalterable methods suitable for allowing ex post monitoring.

Data Centre

Physical access to the Data Centre is restricted to authorised persons only. For details of the security measures adopted with regard to the data centre services provided by the subcontractor, see the security measures described by them and made available on their institutional websites.

Communications security

To the extent of its competence, secure communication protocols in line with what technology makes available are adopted by the supplier. Specifically, data flows to and from cloud systems exposed to the Internet are protected using a secure TLS channel to ensure:

• Server authentication (2048-bit RSA key)
• Session encryption with a symmetric encryption algorithm, currently considered reasonably secure, with a session key of at least 128 bits

Cryptography

The supplier uses the latest encryption techniques on the data in the databases in order to make them unusable to anyone who is not authorised to view them. Encryption is also applied in communications to and from the supplier’s systems.

Hardening

Special hardening procedures are in place to prevent the occurrence of adverse events by minimising architectural weaknesses in operating systems, applications and network equipment

Secure development

The supplier’s software development environment is only accessible to coding and testing personnel. The supplier’s development process follows secure development guidelines aimed at ensuring compliance with the principles of Security by Design. Code testing follows a predefined process aimed at evaluating both the functionality of the code

and the presence of serious vulnerabilities. The transition to production is done manually, and any changes are tracked. The development, test and production environments are logically separated.