ESG / Sustainability Report / 2022 ESG / Sustainability Report / 2022 Furthermore, in the course of 2023 employee training As concerns the Continuous Strengthening of the Cyber was launched on the use of the tool for managing the Security Posture, we have launched and expanded projects Processing Register and additional personnel training to reinforce the company’s IT security. These activities are activities on privacy were planned for 2023, both “basic”, guided based on a constant analysis of Cyber Intelligence for refresher purposes, and “job specific”, according to the information from the OSINT (Open Source Intelligence - activities concretely carried out by each individual. public information relating to phenomena linked to Cyber trust us with their data. All of the Centers feature fiber monitor specific areas and/or customers. People are risks) and CLOSINT (information coming from sources Demonstrating the already strong, albeit continuously interconnects and there are Business Continuity solutions appointed to these roles on the basis of their knowledge outside the public domain) realms. improving, oversight of customer data protection, no data between Pont-Saint-Martin, Vicenza and Turin. The overall of business processes, their mastery of security and breaches were recorded in 2022.scope of services offered includes the management of compliance topics and their knowledge of the operations of Workstation security measures have been reinforced using roughly 22,000 servers, desktop management services their organizational area. technologies suitable to prevent and manage malware for 250,000 workstations, a network of 18,000 devices, attacks, and protection from phishing attacks has been Corporate cybersecuritydisk space of more than 10 peta-bytes, a hybrid and multi-The Committee operates in order to reach targets aligned strengthened. cloud platform that integrates the main hyperscaler clouds with specific KRIs and KPIs, which include the security An effective structure dedicated to cybersecurity is and private cloud platforms, more than 1,200 Wide Area ratings developed by BitSight and SecurityScorecard. In order to guarantee IT system security and Enable fundamental to mitigate and reduce risks relating to threats Network lines and over 2 million tickets (service requests The establishment of the Committee not only improves the Business, highlighting the brand’s reliability, the from the network and to protect the organization from the from users) handled per year. the information flow on security management trends Engineering Group has set up a series of procedures risk of cyber attacks.amongst the area contact persons and the GISO, but also and technologies to reduce the attack surface and also To guarantee the security of these sites, we have significantly contributes to strengthening cooperation and eliminate IT system vulnerabilities, in particular: At Engineering, we consider cybersecurity to be a developed an advanced cybersecurity infrastructure synergies amongst the individual areas in identifying critical • Attack Surface Reduction: is part of regular activities Ethics and governance key element of the Digital Transformation. We know and we work constantly to adopt adequate governance issues and solutions. that reaching “zero risk” is impossible, however it is measures and advanced technological solutions. and is indispensable to identify our “digital footprint”. indispensable to deploy the best prevention actions to The scope of governance solutions also includes obtaining Currently, the relative scores demonstrate the reduce risks and guarantee to Italian companies that In detail, our Security Operation Center (SOC) infrastructure and maintaining internationally recognized security excellence of our security levels. they can extract the maximum benefit from a digital - which can rely on the solutions of Cybertech, the Group standards and certifications. In particular: innovation that is not expected to ever slow down. It is also company specialized in cybersecurity - allows us to provide • Continuous Vulnerability Assessment: the indispensable to be ready to face new challenges, within our customers with advanced IT infrastructure security • our Data Security Management Systems are aligned Engineering Group has tools and processes for a continuously changing context, through adequate skills, services as well as real time monitoring of any incidents with the standards of the ISO 27001:2013 certification automatically identifying and eliminating perimeter technologies and processes that can face new threats.and their management. This efficient control system is (Information security management systems), which in vulnerabilities. The Vulnerability Assessment process Ethics and governancesupported by a constantly updated organizational model the course of 2021 we decided to extend to the 27017 receives input from the information obtained by The protection of IT systems is also the expression integrated at Group level. The main operational duties are and 27018 guidelines;the Group from public-private partnerships and the of our social commitment aimed at ensuring the full assigned to the Group Information Security Office (GISO), • the subsidiary Engineering D.HUB holds the analyses of leading Cyber Intelligence firms. operation of public players and businesses. Indeed, at which directs cybersecurity activities and supervises the ISO 20000:2011 certification for the provision of our Data Centers we store and manage, on behalf of our operational flows adopted. The structure was constantly ICT services as an outsourcer and its ISO 27001 • Attack attempt simulations are also performed customers, a considerable amount of highly sensitive reinforced in 2022 and this process is expected to continue certification is integrated with the ISO 27017 and (Penetration Test – Red Team), on infrastructure data used for highly critical business processes. On these in 2023. ISO 27018 guidelines, which enable companies that assets and on applications to check for any integrated networks, services are provided for a number provide services in SaaS, IaaS and PaaS mode or vulnerabilities and implement a remediation plan. Red of sectors, from high value added Information Technology In the course of 2022, the Cyber Security Strategy was are Cloud Service Providers to guarantee greater Team activities are carried out using the capabilities to outsourcing and innovation according to the Cloud updated to bring it into line with the Business Strategy and protection of the data processed to their customers. In of the Cybertech center of excellence and third-party Computing model. the NIST Cyber Security Framework. The Cyber Strategy particular, Engineering D.HUB has been accredited by leaders in the sector. consists of 4 pillars:AgID (Agency for Digital Italy) as a CSP-Cloud Service Relying on the most modern infrastructure and the most 1. Continuous strengthening of the Cyber Security Provider and as an IaaS and PaaS service provider. In The results of these activities are used to define a advanced technologies, the integrated network of our three foundations;2021, D.Hub also obtained the ISO 22301 certification continuous technological and organizational adaptation Data Centers guarantees the highest security, reliability 2. Cyber Security as a business enabler;on business continuity.plan, in order to further boost the security level of our and efficiency standards for the over 400 customers that 3. Regulatory alignment;information systems. 4. Being prepared to face any “unexpected” and adverse It is worth specifying that these certifications refer to the events. individual legal entities, which therefore encapsulate their The Cyber strategy keeps the evolution of sector own certification scope. regulations constantly under control, in order to guarantee In order to make the Cyber Strategy operational within Alignment with regulations in coordination with the the company organization and coordinate the adoption competent company structures. of policies amongst the Group companies, improvements have been made in the Information Security Committee, In the course of 2022, two new policies were published, a group made up of Information Security Managers who which are to be adopted by all Group companies: 66 Engineering © Engineering © 67