Banca Ifis | 2020 Consolidated Non-Financial Statement, page 46
3.3 Data protection
Policies and other reference documentation
• Group IT security management policy
• Group IT risk assessment and management policy
• Information security incidents management organisational procedure
• Organisational Procedure Handling of privacy issues concerning the rights of data subjects and the relationship with the Italian Data Protection Authority (Cap.Ital.Fin., Ifis Rental Service, Ifis Npl, Credifarma)
• Organisational Procedure Management of Personal Data Processors
• Methodological manual for data processing risk analysis and data protection impact assessment (DPIA)
• Privacy regulatory manual
• Group Regulations governing the use of company equipment
• Group business continuity policy
• Group ICT strategic planning policy (Banca Ifis, Ifis Finance)
• Organisational Procedure for the Management of the development, purchase and maintenance of the application software and technological infrastructure
• Group Policy for the monitoring and measurement of performance (Banca Ifis, Ifis Finance)
• Organisational Procedure for managing logs (Banca Ifis)
• Organisational Procedure for managing logical access (Banca Ifis)
• Group internet payment system policy (Banca Ifis, Ifis Finance)
The growing spread of ICT products and services based on the processing of personal data has made privacy and information security increasingly strategic for companies over the years.

The Banca Ifis Group considers the protection of personal data a mandatory principle that is key to building trust and developing a sense of security with customers, as well as to protecting the Group's reputation. The Group is also committed to preventing and managing information security incidents in a timely manner in order to protect the Bank's proprietary information, which includes, among other things, the data of customers, employees, suppliers and any other party with which Banca Ifis does business. In 2020 the Group further consolidated the measures required by the European General Data Protection Regulation (GDPR).
Information security
The Privacy & Security organisational unit constantly monitors information security and helps to assess IT risk through the Information Security Organisational Unit.
Raising employee awareness of cybersecurity
In order to raise the awareness of all its colleagues on the topic of cybersecurity, in 2020 the Banca Ifis Group issued multiple communications alerting recipients to the risks of the campaigns in progress. For example, an awareness campaign was launched for the Group's employees through the "Ifis Talks - Cybersecurity" initiative, aimed at sensitising employees to harmful e-mail campaigns that spread malware, phishing, attempted fraud and ransomware. Cyber Intelligence services also continued, as did OSINT research carried out in support of the structure's activities and of awareness throughout the company. The Bank has joined the CERTFin service so as to receive real-time reports of attempted fraud in the banking sector. Such reports have been shared with colleagues in the other bank structures concerned.
The information security incident management process is aimed at ensuring that any unusual event with potential repercussions on the Group's level of physical and logical security, or on the availability of IT services, is promptly recognised as an information security incident and therefore addressed appropriately by the competent structures. The