Because of the nature of our business, we collect, process and manage information of various kinds, regarding our clients and staff, on a daily basis both in paper and electronic form.

For us safeguarding information – ensuring its confidentiality, integrity, availability and authenticity – is a non-negotiable commitment, which not only meets the regulatory obligations to which our services are subject, but underpins the relationship of trust which we have with our stakeholders.

We work consistently to improve our information risk control management systems, which includes implementing increasingly sophisticated cyber-security solutions and services.

We also work hard to enhance our information security management strategy, to protect information, its integrity, availability and authenticity throughout its life-cycle.

In recent years we have continued to bolster the security measures put in place to protect confidential data, such as the encryption of the data recorded in our databases, and the masking of the data present in the development and testing environments. Particular attention has been focused on the distribution phase, in which secure communications protocols, digital certificates, and Data Loss Prevention solutions are used.

To ensure information is not accessed without authorization, the need-to-know, least privilege, and need-to-use principles are applied in managing logical access by users.

Security checks and risk management activities are also performed on a regular basis, to ensure that adequate control, organizational and technological measures are in place across the whole scope of the operations performed by Mediobanca and its subsidiaries. Regular security awareness campaigns are also run for our staff and clients, to increase corporate awareness of information protection issues.

The Information Security Awareness programme is now well established, and is updated annually in view of the developments in cyber threats.

The main information security and information risk management policies and directives are listed below.

Group Information Risk Management and Information Security Policies

This Policy describes the objectives and general principles that Mediobanca and its subsidiaries adopt to protect the availability, integrity and confidentiality of data, services, information capital and IT assets, both proprietary and those of clients, and the security of the information and network systems used, on which the continued offering and quality of its financial services depends, even when adverse events occur.

This Policy defines the organizational and methodological framework that Mediobanca and its subsidiaries adopt in the information risk management area, to ensure the ICT resource protection measures implemented are effective and efficient, and to set increasing mitigation measures based on information risk status.

This Policy provides the Business Continuity Management principles adopted by Mediobanca and its subsidiaries. In particular it governs the specific Business Continuity issues for the IT area, to ensure a rapid and effective response to incidents that could impact on IT resources, with reference to the following aspects in particular:

  • IT Business Continuity Plan
  • IT response and recovery plans
  • IT Business Continuity Testing.

This Policy describes the general objectives and principles that Mediobanca and its subsidiaries adopt in managing and monitoring their IT resources or assets, to support the needs of their business and to guarantee the confidentiality, integrity, availability and authenticity of the information.

This Directive sets out the criteria and regulations with which users must comply in order to ensure that information is classified and managed appropriately, to guarantee an adequate level of protection for the company’s information capital.

This Directive sets out the general criteria and rules to be complied with in management of encryption and data masking, in accordance with the information classification and IT risk management methodology adopted, and in view of the implications in terms of personal data privacy.

This Directive provides the criteria and general rules to be observed with regard to managing log management systems and activities.

This Directive describes the actions to be adopted in order to identify, manage and notify incidents related to information systems or information security that could damage, disrupt or impact negatively in some other way on the network and information systems, on users of those systems and on other persons.

This Directive provides the general criteria and rules to be observed in managing identities to enable the identification and single authentication of users and systems accessing the information of Mediobanca and its subsidiaries, to ensure that access rights are assigned correctly.

This Directive lays down the rules for adopting and managing a Data Loss Prevention (DLP) solution in order to preserve the availability, authenticity, integrity and confidentiality of the information managed by the Bank, and to ensure that the right balance is maintained between the risk of business operations being interrupted and that of the information ceasing to be confidential.

This Directive provides the general criteria and rules to be complied with to guarantee secure management of the telecommunication networks, in accordance with the external and internal regulations on information security.

This Directive sets out the criteria and rules for secure management of payment services to be complied with in order to provide the best possible support for the needs of the business and users, protecting the security of the information shared and transmitted, and ensuring that the regulations in force are complied with and adequate risk management is guaranteed.

This Directive sets out the criteria and lays down the rules to be followed during the operations phase to ensure a high level of security for the company’s information systems, so that the information processed by them is adequately protected.

This Directive sets out the general criteria and rules for the acquisition, development and maintenance of IT systems in order to guarantee the availability, authenticity, integrity and confidentiality of the data.