ESG / Sustainability Report / 2022 | CSR / Bilancio di Sostenibilità / 2022

Ethics and governance

- ISM03 Group Information Classification Policy: defines the basic controls for classifying information of the Engineering Group, with a view to ensuring that all employees know how to manage information securely.
- ISM04 Group IT Infrastructure Security Policy: aims to provide direction within the context of IT infrastructure security, identifying suitable security guidelines in light of technological developments and the results of the monitoring activities conducted by the CISO.

Taking into consideration the continuous evolution of cyber attacks, the company has embarked upon a path of strengthening its adverse event response capacity, formalized in the design of the Engineering Group's Business Continuity Management System (BCMS), which will become fully operational in 2023. The BCMS calls for the collaboration of every area of the company to boost awareness and resilience capacity. In 2022, the Service Catalog baseline was finalized when the Business Impact Analysis (BIA) was performed on an initial group of services.

In 2022, we also launched new project activities in keeping with the cyber security strategy:

• Strengthening of the oversight offered by the Security Operation Center (SOC), expanding the monitored scope by including servers, devices and security functions;
• Activation of a Network Access Control (NAC) solution capable of verifying compliance with endpoint security policies before allowing access to company resources;
• Privileged Access Management (PAM), an identity protection solution that securely manages and stores critical system access credentials;
• Analyzing and increasing the protection of the most critical systems;

The most significant projects concluded in 2022 intended to improve the security of IT systems and the data used are described below. In detail, the following solutions were implemented:

• DNS Protection, which is used to identify and block threats linked to online navigation;
• MDR, which improves endpoint (client and server) protection, even against complex attacks, through the use of a best in class solution;
• Network Behaviour, which analyzes the traffic generated by company resources to identify anomalous or suspicious events and report possible 0-day threats.

The observable benefits of these projects include: more control over the internal network (NAC), better capacity to detect and block security attacks and events (DNS Protection, strengthening of the SOC) and improvement in the capacity to detect and respond to threats (MDR and Network Behavior).