1. Purpose and field of application

The purpose of this document is to describe the general principles of Information Security defined by OMNYS S.r.l. in order to develop a functional Management System for the Security of Information (ISMS).

2. Description

For OMNYS, Information Security has as its primary objective the protection of data and information that the organization processes both for internal activities and for the provision of the services offered to its clients.

This means obtaining and maintaining an Information Security Management System, within the scope defined for the ISMS, through compliance with the following basic requirements:

• Confidentiality: ensuring that the information is accessible only to duly authorized subjects and/or processes; 
• Integrity: safeguard the consistency of the information from unauthorized changes; 
• Availability: ensuring that authorized users have access to the associated information and architectural elements when they request it; 
• Control: ensure that the management of information always takes place through safe and tested processes and tools; 
• Authenticity: ensuring a reliable source of information; 
• Data Protection: guarantee the protection and control of personal data. 

As part of the management of the services offered by OMNYS, through its technological infrastructure, compliance with the levels of Information Security established through the implementation of the ISMS, assures the guarantee of: 

• the choice of a reliable partner for the treatment of their information assets,
• the choice of a partner with a significant corporate image,
• full compliance with the agreements established with customers,
• to obtain services with a high level of professionalism,
• compliance with current regulations and international safety standards.

For this reason OMNYS has implemented an Information Security Management System following the specified requirements of UNI CEI EN ISO/IEC 27001:2017 and mandatory laws as a means to manage at best the Security of Information in the context of its activity.

3. Scope of application

OMNYS Information Security Policy applies to all internal personnel and third parties who collaborate in the management of information and to all the processes and resources involved in design, development, start-up, delivery, application maintenance in the context of the services provided.

4. Information Security Policy

OMNYS Information Security Policy represents the organization's commitment to customers and third parties to ensure the security of information, physical, logical and organizational for the processing of information in all activities.

OMNYS Information Security Policy is geared towards the following objectives:

1. guarantee the organization full knowledge of the information managed and the evaluation of their criticality, in order to facilitate the implementation of the appropriate levels of protection;
2. guarantee secure access to information, so as to prevent unauthorized processing or carried out without the necessary rights;
3. ensure that the organization and third parties collaborate in the processing of information by adopting procedures aimed at respecting adequate levels of security;
4. ensure that the organization and third parties that collaborate in the processing of information are fully aware of security issues;
5. ensure that anomalies and incidents affecting the information system and corporate security levels are promptly recognized and correctly managed, through efficient systems prevention, communication and reaction in order to minimize the impact on the business;
6. ensure that access to the operational headquarters and individual company premises is carried out exclusively by authorized personnel, to guarantee the safety of areas and assets;
7. guarantee compliance with legal requirements and compliance with the security commitments established in contracts with third parties;
8. guarantee the detection of anomalous events, incidents and vulnerabilities of information systems in order to respect the security and availability of services and information;
9. guarantee Business Continuity and Disaster Recovery, through the application of established security procedures.

5. Accountability for the Information Security Policy

The Management is responsible for the information security management system, in line with the evolution of the business and market context, evaluating any actions to be taken in the face of events such as:

• significant business evolutions,
• new threats compared to those considered in the risk analysis activity,
• significant security incidents,
• evolution of the regulatory or legislative context regarding the secure processing of information.

6. Continuous improvement

The Information Security Policy is formalized in the ISMS, is constantly updated to ensure its continuous improvement and is shared with the organization, third parties and customers, through specific communication channels.