v1 of July 14, 2025

Scope of Application

This policy defines the framework, strategic objectives, and fundamental principles for the management of information security within SIINFO SRL. Its purpose is to protect the company’s information assets from all threats—internal or external, intentional or accidental—ensuring the confidentiality, integrity, and availability of information.

The policy applies to all personnel, collaborators, information systems, data, and processes that fall within the scope of the Information Security Management System (ISMS), in compliance with ISO/IEC 27001 standards.

Normative References

  • ISO/IEC 27001:2022 — Information Security Management Systems — Requirements.
  • Regulation (EU) 2016/679 (GDPR) — General Data Protection Regulation.
  • Legislative Decree No. 196 of 30 June 2003 — Personal Data Protection Code.
  • Directive (EU) 2022/2555 (NIS 2 Directive) — Measures for a high common level of cybersecurity across the Union, and related national transposition decrees.
  • Legislative Decree No. 81 of 9 April 2008 — Consolidated Act on Health and Safety in the Workplace.

Terms and Definitions

  • Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity: The property of safeguarding the accuracy and completeness of assets.
  • Availability: The property of information being accessible and usable upon demand by an authorized entity.
  • Information Security Management System (ISMS): Part of the overall management system, based on a business risk approach, for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving information security.

Roles and Responsibilities

  • Top Management: Approves this policy, ensures alignment with corporate strategic direction, and guarantees the availability of necessary resources for the effective implementation of the ISMS.
  • Information Security Management System Manager (ISMS Manager): Responsible for implementing, maintaining, communicating, and reviewing this policy. Oversees the management of security incidents, promotes staff training, and reports to Top Management on the system’s effectiveness.
  • Department Manager: Ensures compliance with security principles and proper use of corporate resources by their team, enforcing the relevant policies.

Information Security Objectives

SIINFO SRL defines the following high-level strategic objectives for information security, consistent with its business context and strategic direction:

  • Confidentiality: Protect information from unauthorized access, ensuring the protection of customer data, staff data, and company know-how.
  • Integrity: Ensure the accuracy, completeness, and reliability of information and the systems that process it, preventing unauthorized or accidental modifications.
  • Availability: Ensure that information and related resources are accessible to authorized personnel when needed, supporting operational continuity and customer service delivery.
  • Compliance: Meet all applicable legal, regulatory, and contractual requirements regarding information security and personal data protection.
  • Continuous Improvement: Foster a culture of continual improvement of the ISMS to adapt to evolving threats and opportunities.

Top Management, supported by the ISMS Manager, is responsible for translating these strategic objectives into measurable and monitorable targets. The definition, planning, and monitoring of such objectives are managed in accordance with the procedure “PRO Objectives and planning for their achievement.”

Information Security Core Principles

Policy Management and Review

This policy serves as the overarching document of SIINFO SRL’s ISMS, in compliance with ISO/IEC 27001 requirements.

  • Top Management must approve this policy to ensure its adequacy and alignment with strategic direction.
  • The ISMS Manager is responsible for publishing, communicating, and making the policy available to all personnel and relevant interested parties.
  • The ISMS Manager must plan the review of this policy at scheduled intervals, at least annually, and whenever significant changes occur, as described in “PRO Change Management Procedure” and managed through “PRO Management Review.”
  • All personnel and collaborators must read, understand, and comply with the directives contained in this policy and related documents, such as the “Code of Conduct.”

Acceptable Use of Resources

All information assets and associated resources of SIINFO SRL, including hardware, software, networks, and data, must be used solely for authorized business purposes and in a responsible manner.

  • Limited personal use of corporate resources is tolerated only if it does not interfere with work activities, does not violate applicable laws, and does not introduce security risks.
  • The use of company resources for illegal, offensive, discriminatory activities, or actions that may harm the company’s reputation is strictly prohibited.
  • Detailed rules for resource usage are defined in the “POL Operational Security Policy” and the “Code of Conduct.”
  • Each employee is responsible for the proper use of resources assigned to them. Roles with coordination responsibility, such as Department Managers and Functional Managers, must ensure that their teams comply with these principles.

Security Event Reporting

All personnel and collaborators must promptly report any observed or suspected information security event, including weaknesses, threats, or incidents.

  • Reporting must be carried out through official channels and according to the methods described in the “PRO Information Security Incident Management Procedure.”
  • The ISMS Manager must ensure that reporting mechanisms are known, accessible, and that staff are trained in their use.
  • SIINFO SRL is committed to handling all reports with the utmost confidentiality and ensuring that no employee faces retaliation for reporting an incident or vulnerability in good faith.

Clear Desk and Clear Screen Policy

To reduce the risk of unauthorized access, loss, or damage to information, SIINFO SRL adopts the Clear Desk and Clear Screen principles.

  • Clear Desk: Sensitive or classified information in paper format or on removable media must not be left unattended on desks, printers, or in shared areas. At the end of the workday or during extended absences, such materials must be stored in locked cabinets or containers, in accordance with the “POL Information Classification and Labelling Policy.”
  • Clear Screen: All workstations, fixed or mobile, must be locked (using a password or other control mechanism) when left unattended. All corporate devices are configured to automatically lock screens after a predefined period of inactivity, which must not be disabled or bypassed by hardware or software tools.

All personnel must comply with these rules to protect information both during and outside working hours.

Security of Off-Site Assets

Company assets used outside SIINFO SRL premises (e.g., during remote work, at client sites, or while traveling) must be protected with a level of security equivalent to that maintained within the offices.

  • Personnel are directly responsible for the physical and logical protection of assigned assets (e.g., laptops, smartphones, documents) against theft, loss, damage, and unauthorized access.
  • The security measures defined in the “POL Operational Security Policy” must be applied, such as disk encryption and secure communication channels.
  • The loss or theft of a company asset must be reported immediately as specified in the “PRO Information Security Incident Management Procedure.”

Storage and Updates

This document is managed in a controlled format and archived in accordance with corporate procedures for managing documented information. It is reviewed at least annually, and whenever significant organizational, technological, or regulatory changes occur, under the supervision of the ISMS Manager and with Top Management approval, to ensure its ongoing suitability, adequacy, and effectiveness.

Reference Documents

  • PRO Objectives and planning for their achievement
  • PRO Change Management Procedure
  • PRO Management Review
  • Code of Conduct
  • POL Operational Security Policy
  • PRO Information Security Incident Management Procedure
  • POL Information Classification and Labelling Policy
