Technical organisational security measures
The following table summarises the technical and organisational security measures, grouped by field of competence, implemented today by Archiva S.r.l. in the supply of its business services.
The list is to be intended as a minimum and not exhaustive extract of the wider set of security controls implemented also in view of the ISO certifications obtained.
Application area
| Control | Title | Description | Security measure implemented |
|---|---|---|---|
| A.9.4.1 | Limitation of access to information. | Access to information and application system functions must be limited in accordance with the policies to control access. | Management of access rights through profiles. Application of the principle of minimum essential access for users. |
| A.9.4.2 | Secure log-on procedures. | When required by the policies to control access, access to systems and applications must be controlled by secure log-on procedures. | Limitation on time of sessions. Limitation on size and number of sessions. Mechanisms to reinforce the management of the user sessions. |
| A.9.4.3 | Password management system. | The password management systems must be interactive and must ensure quality passwords. | Absence of confidential data in the application logs. |
| A.10.1.1 | Policy on use of cryptographic checksums. | A policy must be developed and implemented on the use of cryptographic checksums to protect information. | Cryptographic protection of the data transmitted. |
| A.12.4.1 | Collection oft logs. | The registration oft logs, user activities, exceptions, malfunctions andts relating to the security of information must be carried out, maintained and periodically reviewed. | Tracking of relevantts. |
| A.12.4.2 | Protection of log information. | The structures to collect logs and log information must be protected against manipulation and unauthorised access. | Protection of logs against changes of users of the application. |
| A.14.1.1 | Analysis and specification of the requirements for the security of information. | The requirements relating to the security of information must be included in the requirements for the new information systems or must update the existing systems. | No processing of critical data on the client. |
| A.14.2.1 | Policy for secure development. | The rules for the development of software and systems must be established and applied within the organisation. | Management of all application errors. Review of the security of the code. |
| A.14.2.5 | Principles for the secure engineering of systems. | The principles for engineering secure systems must be established, documented, maintained and applied for every initiative to implement an information system. | Analysis and validation of operations on data before their execution. Filter on input information to the application. Filter on output information from the application. All the validation checks carried out on the client are repeated on the server. Block on requests that do not correspond to an authorised use of the system. |
| A.14.2.9 | Acceptance tests of systems. | Test and acceptance programs must be established as well as the criteria relating to them for the new information systems, updates and new versions. | Realisation of the load and robustness test of the application. |
| A.14.3.1 | Protection of test data. | The test data must be chosen carefully, protected and kept under control. | Limitation/controlled use of the production data for development or test purposes. |
| A.18.2.3 | Technical check on conformity. | The information systems must be regularly reviewed for conformity with the policies and with the rules for the security of the organisation. | Carrying out of vulnerability assessment or penetration test on applications. |
Information Management
| Control | Title | Description | Security measure implemented |
|---|---|---|---|
| A.05.1 | Policies for the security of information. | A collection of policies for the security of information must be defined, approved by management, published and communicated to staff and relevant external parties. | Drafting and maintenance of policies and procedures to support information security as per the certification ISO/IEC 27001 and AgID (Italian Digital Agency). |
| A.05.2 | Review of policies for the security of information. | The policies for the security of information must be reviewed at planned intervals or, should there have been significant changes, in order to constantly guarantee their suitability, adequacy and efficacy. | Drafting and maintenance of policies and procedures to support information security as per the certification ISO/IEC 27001 and AgID (Italian Digital Agency). |
| A.6.1.2 | Separation of duties. | The duties and areas of responsibility which are in conflict must be separated to reduce the chances ofmimproper use of and unauthorised or accidental changes to the organisation’s assets. | Delegation of control over critical operations to at least two different people. |
| A.11.2.7 | Secure disposal or reuse of equipment. | All the equipment containing storage supports must be checked to ensure that all critical data or software granted under licence is removed or written over in secure fashion prior to disposal or reuse. | Secure cancellation of the data on supports which must be reused or undergo maintenance. |
| A.15.1.2 | Include security in agreements with suppliers. | All the requirements relating to the security of information must be established and agreed with each supplier who might access, process, archive, transmit or supply IT infrastructure for the organisation’s information. | Plan for the supplier's operational continuity for services to support the preservation process. Contractual clauses relating to the confidentiality and conformity of the data shared with suppliers in regard to the applicable legal requirements; no stage of the preservation process is outsourced. |
Technological platform
| Control | Title | Description | Security measure implemented |
|---|---|---|---|
| A.9.2.4 | Management of confidential information to authenticate users. | The assignment of confidential authentication information must be controlled through a formal management process. | Deactivation or renaming of default accounts from DB to preservation system support. |
| A.9.4.1 | Limitation on access to information. | Access to information and application system functions must be limited in accordance with the policies to control access. | Control of authorisations on server for each operation. |
| A.9.4.2 | Secure log-on procedures. | When required by the policies to control access, access to systems and applications must be controlled by secure log-on procedures. | Multi-factor authentication. Block on multiple authentication attempts with the same user. |
| A.9.4.3 | Password management system. | The password management systems must be interactive and must ensure quality passwords. | Single-factor authentication with password management policy. Secure storage and transmission of passwords. |
| A.10.1.2 | Management of keys. | A policy must be developed and implemented on the use, protection and duration of cryptographic keys across their whole life cycle. | Management of encryption keys through dedicated solutions. |
| A.12.2.1 | Controls against malware. | Controls must be implemented for identification, prevention and recovery in regard to malware, together with appropriate awareness on the part of users. | Deployment of anti-virus/anti-malware solutions. |
| A.12.3.1 | Back-up of information. | Back-up copies must be made of information, software and images of the systems and then be subject to periodic tests in accordance with an agreed backup policy. | Back-up of data. |
| A.12.4.1 | Collection oft logs. | The registration oft logs, user activities, exceptions, malfunctions andts relating to the security of information must be carried out, maintained and periodically reviewed. | Tracking of access to data. |
| A.12.4.2 | Protection of log information. | The structures to collect logs and log information must be protected against manipulation and unauthorised access. | Preparation of Preservation System logs. |
| A.12.6.2 | Limitation on installation of software. | Rules must be established and implemented to govern the installation of software by users. | Non-deployment of software which is no longer supported by the supplier. |
| A.13.1.2 | Security of network services. | The security mechanisms, the service levels and the requirements to manage all the network services must be identified and included in the service level agreements relating to the network, regardless of whether these services are provided internally or are outsourced. | Filter between network segments using a firewall. |
| A.13.1.3 | Segregation in networks. | In the networks it is necessary to segregate groups of services, users, and information systems. | Segmentation of the network in VLAN. Segregation of servers from clients. |
| A.13.2.1 | Policies and procedures to transfer information. | There must be policies, procedures and formal controls and protection of the transfer of information through the use of all types of communication structures. | Adoption of secure protocols for the administration (e.g. ssh) and removal of those which are not secure (e.g. telnet). |
| A.14.1.3 | Protection of transactions of application services. | The information involved in the transactions of application services must be protected in order to prevent incomplete transmission, routing errors, unauthorised alteration of messages, unauthorised dissemination, unauthorised duplication of messages or "replay" style attacks. | Electronic signature functions at application level managed through an accredited certification authority. |
| A.14.2.7 | Development outsourced. | The organisation must supervise and monitor the outsourced development of systems. | Contractual clauses relating to the quality and security of the code developed by suppliers. |
| A.15.1.2 | Include security in agreements with suppliers. | All the requirements relating to the security of information must be established and agreed with each supplier who might access, process, archive, transmit or supply IT infrastructure for the organisation’s information. | Contractual clauses for suppliers to recover data and to cancel it securely at the end of the contract. |
| A.16.1.6 | Learning from incidents regarding the security of information. | The knowledge acquired from the analysis and handling of incidents relating to the security of information must be used to reduce the likelihood or impact of future incidents. | Solutions for the response to DDoS style attacks. |
| A.17.2.1 | Availability of structures to process information. | The structures to process information must be realised with sufficient redundancy to satisfy the availability requirements. | Redundancy of the network components to connect to the Internet. |
| A.18.2.3 | Technical check on conformity. | The information systems must be regularly reviewed for conformity with the policies and with the rules for the security of the organisation. | Carrying out of vulnerability assessment or penetration test on infrastructure. |