IT Security Policy

Cyber security policy




1. Overview


Most attack vectors outside of malware are web application vulnerabilities. Before publishing any web application, it is essential to assess and fix its vulnerabilities.


The main purpose of this IT security policy (hereinafter the “Policy”) is to define the security assessment of the websites of AlgoLab di Nardini Tommaso (hereinafter the “Company”). These assessments are made periodically to identify any realized or potential security breaches due to bad configuration, improper or insufficient error handling, weak authentication, information leakage, etc. The discovery and subsequent mitigation of vulnerabilities in AlgoLab’s web applications will limit the attack surface on both internal and external services, while complying with existing relevant policies.



2. Scope of application


This policy covers all website security assessments made or requested by an individual, contractor, group or department for the purpose of maintaining security compliance, posture, change control technologies and risk management on the AlgoLab website. The results of this process are considered confidential and must be distributed to users and employees only on a “need-to-know” basis. Without the approval of the Chief Information Officer, distribution of these results outside the Company is strictly prohibited and illegal. Unless explicitly limited, any relationships with tiered applications noticed during the scoping phase will be included in the assessment. All limitations and their justifications will be documented prior to the start of the evaluation. It is the responsibility of every employee of the Company to carefully read, understand and comply with this policy. Any employee with access to non-public information will receive the necessary training on this policy.



3. What the company is protecting


It is the obligation of all users of the Company’s systems to protect the Company’s technological and information assets. This information must be protected from unauthorized access, theft and destruction. The Company’s technological and information assets consist of the following components:

• Computer hardware: CPUs, disks, email, web and application servers, PC systems, application software, system software, etc.
• System software, which includes: operating systems, database management systems, backup and recovery software, communication protocols, and so on.
• Application software used by the various departments within the Company. This includes custom-written software applications and off-the-shelf commercial software packages.
• Communications network hardware and software, including: routers, routing tables, hubs, modems, multiplexers, switches, firewalls, private lines, and associated network management software and tools.



Latest update: March 2023