QUALITY AND INFORMATION SECURITY POLICY
SYGEST S.r.l.’s corporate objective is to:
- Organise the company through a system of controls aimed at consistently monitoring compliance with the quality standards defined by SYGEST S.r.l. for all its Suppliers;
- Demonstrate the ability to consistently provide a product that meets customer requirements;
- Implement, maintain and continually improve a Quality and Information Security Management System;
- Carefully define the roles in the company to ensure fluidity in the organisation;
- Ensure compliance with the Quality and Information Security Policy defined;
- Obtain certification and registration of the Quality and Information Security Management System from an external organisation;
- Seek continuous improvement at a process level through the application of the QMS;
- Standardise business management as much as possible in order to minimise non-conformities (NCs);
- Share its commitment to quality with the Client;
- Ensure protection in terms of confidentiality, integrity and availability of information processed by the organisation, both in electronic and hardcopy form;
- Implement within the corporate structure a Secure Information Management System that complies with the requirements of the ISO 27001 standard and is integrated with the Quality Management System developed according to the UNI EN ISO 9001:2015 standard. This includes a commitment to implementing the measures necessary to guarantee its application, in order to protect the interests of the company and its customers, and to make resources available for the activation of a QMS based on the following information security principles:
- IT security is a fundamental requirement of the company (taking into account the processing of the type of data deriving from orders and services typically offered by our business);
- Each member of the company is fully and personally involved in the Security Policy promoted, defined and disseminated within the organisation;
- The Security Policy is intended for all employees of the Company, with any form of employment contract, as well as all collaborators/consultants and service providers;
- The Security Policy and corporate procedures take into account the project, service and product requirements deriving from the contractual commitments entered into with customers for managing orders/services and the underlying security requirements (mandatory, optional or implicit);
- The Company has taken steps to define the instructional needs of its collaborators in conducting the projects and services, in relations between internal positions and third parties outside the company by adopting an information classification system and an authorisation structure for personnel for access to data consistent with the disclosure limits indicated/requested;
- Access rights to information are assigned in compliance with corporate confidentiality criteria and on the basis of the principle of strict need for use, associated with the role and responsibilities assigned and defined within our organisation. Such rights are limited in level and duration and respect the principle of restricting access to data on a “need to know” basis, according to the requirements of the individual commissions;
- The Company undertakes to implement all measures necessary to ensure the proper processing and integrity of the data acquired and managed on behalf of the customer, and to raise the degree of security for information systems that interface with those of the customer;
- The availability of our systems is of particular importance in order to guarantee the levels of service required by our customers. Each process/activity that utilises information resources must ensure the continuity and integrity of the service, hence it is the Company’s responsibility to draft procedures that govern the availability of personnel and infrastructures, the operation of equipment and the restoration of proper functionality of the resources in the event of compromise;
- Specifically, for the purposes of the regulations on processing personal data, the company is the Data Processor in relation to the information regarding the orders under its competence.
With this in mind, the company strives to ensure that:
- The availability of information is guaranteed when requested;
- The integrity of the information is maintained;
- The confidentiality of the information processed is preserved;
- The legal obligations regarding the confidentiality of the information are fully satisfied through the implementation of a plan, formalised in the security planning document, which establishes:
  - The definition of the organisation and processing responsibilities;
  - The integration of employee training plans in relation to security management;
  - The creation of an effective system for reporting incidents or weaknesses relating to security;
  - The planning and management of activities to guarantee operational continuity in the event of accidents and emergencies.
The objectives of the information security management system are to:
- Carry out an adequate risk analysis, determining the value of the information resources involved and assessing the risk resulting from a loss of availability, integrity and confidentiality, by examining the vulnerabilities and associated threats;
- Ensure an acceptable level of risk by designing, implementing and maintaining adequate countermeasures and identifying, on a case-by-case basis, additional risk-handling options such as acceptance, transfer to third parties or the avoidance of situations of unmanageable risk by the organisation;
- Protect the interests of the company and its clients;
- Demonstrate to customers, partners and employees the company's commitment to information security;
- Identify critical areas through risk analysis and the monitoring of corporate information systems and services;
- Ensure that the information assets are retained within the company management system;
- Orient Security Policy implementation processes towards continuous improvement;
- Establish a culture of security within the organisation through training and awareness activities;
- Provide a qualifying element that promotes the image of the company among internal and external stakeholders, customers, shareholders and strategic partners.
In order to promote and support the implementation of the policy objectives, an “Interfunctional Committee” has been established to coordinate and manage the activities necessary to guarantee the security of information. It is composed of the CEO, RTEC, RCED and an external consultant. This Committee promotes security, identifies and defines the objectives, and secures the commitment and availability of the resources necessary for protective actions.
The Company has a system of indicators for monitoring the implementation of the QMS objectives, ISO 27001 controls and service levels.
To achieve these objectives, the Company’s policy is to adhere to the following general principles:
- Compliance with the laws in force and the contractual regulations;
- Compliance with the chosen Quality Assurance standard: UNI EN ISO 9001:2015;
- Compliance with the UNI CEI ISO/IEC 27001:2017 standard;
- Achievement of the established quality level at minimum cost;
- Guaranteeing the customer an ever-faster service recovery time;
- Guaranteeing the customer an absence of service interruptions;
- Individual responsibility for the quality and security of data and information;
- Ensuring the maintenance of the necessary level of security for customer information and data;
- Responsibility of the superiors regarding the quality of the work carried out by their collaborators;
- Continuous improvement of quality;
- Structured training in the disciplines of quality and information security for all functions across all levels;
- Measurement of the adequacy, compliance and effectiveness of the QMS through audits;
- Availability and visibility of data records constituting objective proof of product quality.
The application of this Policy requires that the Company’s General Information Security and Quality Management System be documented in a manner that integrates and coordinates all Quality-related activities carried out by all functions across all levels, as required to achieve the established objectives.
This documentation must be collated in the Quality Assurance and Information Security Manual, which is to be kept up to date so that it represents the company’s intentions regarding the overall management of Quality and serves as the basis for the evaluation and certification of the company by Clients and by the National/International Bodies responsible for such evaluation and certification.
The Information Quality and Security Policy must be understood across all levels of the corporate organisational structure. It is thus distributed to all those in possession of the Quality Assurance and Information Security Manual and to all personnel.
It is also included in staff training courses, in particular for new hires.
Artemio Bisaschi – CEO at Sygest S.r.l.