
GDPR, the General Data Protection Regulation, is the European privacy regulation (EU Regulation 2016/679) in force across Europe; from 25 May 2018 it replaces the former privacy framework, Directive 95/46/EC.

The most significant change compared with the former Italian provision, the Italian Privacy Code (D.Lgs. 196/2003), is the new scale of financial penalties: fines of up to €20 million or up to 4% of annual turnover.

Accordingly, privacy must be managed correctly, and in a way that can be demonstrated, or the sanctions above may be imposed.

With the backing of the experience gained in supporting several Clients in complying with the former Italian Privacy Code, Malabo has prepared its own flexible method, easily adapted to each Client's specific situation through a set of documents and pre-set tools, to support companies and public institutions in adjusting to this "new" Regulation correctly and quickly.

You can find an example of these documents and pre-set tools in the data sheet, available for free download after logging in to this web site (NB: to register, click here).

To download the KIT GDPR data sheet, registered users can click the "download" button below.


[Figure: cost/benefit road signs]

The corporate service "ICT Analysis Value" enables a qualitative and quantitative evaluation of the information system's contribution to the company's business, current or expected. The analysis methodology, which can be extensively customised to the specific needs of the company, refers to the most established best practices, such as COBIT, and to the International Accounting Standards IAS/IFRS, specifically IAS 38 on the valuation of intangible assets.

The metrics implemented, adjustable as appropriate, can be applied to the value of the full Information System (IS) in increasing the wealth of the entire company or institution, or only to those sections of the IS concerning specific processes/activities (for example online sales, industrial automation, etc.) and/or particular departments/business units.

The metrics used for the qualitative analysis are summarised in the figure below and are designed in 5 crucial stages:

  • Identification of the company's Critical Success Factors (CSF)
  • Assessment of the contribution of the business processes to the CSF
  • Assessment of the ICT contribution to the business processes
  • Assessment of the ICT contribution to the CSF
  • Measurement of the ICT value for the company

Malabo has produced spreadsheets that make data collection, including assessments, easier and more uniform across every manager and/or business section.

These spreadsheets work both as questionnaires and as processing tools: they include a limited number of questions (30-40), most of which offer a set of pre-defined answers to choose from.

After responding to the questionnaire, the business owner and the company's management carry out a "guided" analysis of strengths and weaknesses in the use of ICT inside the company.

In most cases, Malabo sets up a meeting with all participants to explain the objectives, the metrics and the procedure for filling in the questionnaire.

The quantitative analysis adds to the qualitative analysis above an analysis of ICT costs, both direct and indirect, together with an economic assessment of their contribution to the company's business, including direct, indirect and intangible benefits: typical examples are increased sales through eCommerce and the web portal, reduced warehouse stock, the automation of some processes, increased efficiency and workforce productivity, and reduced overheads and office costs.

The economic indicators are agreed with the Administrative Director/Chief Financial Officer (CFO); they are derived from Total Cost of Ownership (TCO), Return on Investment (ROI) and Discounted Cash Flow (DCF).

The analysis results not only contribute to a realistic assessment of the ICT contribution to the business, as shown in the graphics below, but also aim to raise the company management's awareness of the need for continuous improvement and effective governance of ICT, aligned with the evolution and administration of the company.

[Figure: risk analysis summary]

IT risk analysis is a complex process which should be repeated periodically, together with the parallel analysis of potential impacts on the company's business continuity.

With the backing of its experts, Malabo carries out this type of intervention by applying its own approach to digital security (see the relevant area and the summary picture below), starting from the survey and analysis of the ICT systems and of internal and external users, and from a summary of past attacks and problems, contextualising standards and best practices within the Client's specific situation and aims (for this reason, the first step in mapping the situation is the identification of the Critical Success Factors (CSF)).

ICT risk analysis starts from the use of the AVULICT service for the analysis of ICT vulnerabilities, focused on the technical vulnerabilities of the Client's Information System (IS), taking into account and analysing also its outsourced/third-party components. The application of AVULICT is preparatory, and mandatory, to risk analysis.

After acquiring the results obtained with AVULICT, the risk analysis:

  • analyses the organisational vulnerabilities of the Client's ICT and IS
  • analyses the vulnerabilities of IS users, both end users and privileged ones, and in particular of internal users within the Client's organisational structure
  • analyses the vulnerabilities and risks of the Client's ICT providers, by reviewing the existing contracts and their provisions on service levels, privacy and digital security
  • analyses IS malfunctions and any attacks against it that occurred in the past
  • analyses the results of previous ICT risk analyses, or of risk analyses covering the whole company, together with any reports and articles that examined the threats to the industry sector to which the Client belongs
  • identifies, during meetings with company management and with selected reference users, the most feared problems and risks relating to the IS, together with the reasons behind them
  • optionally performs a business impact analysis (BIA), typically for the most serious risks identified.

Malabo refers to and uses the following standards and international best practices for risk management, according to the specific Customer (non-exhaustive list):

  • ISO 31000:2009 - Risk management -- Principles and guidelines;
  • the Risk Management Standard of FERMA, the Federation of European Risk Management Associations;
  • the IRM criteria, Institute of Risk Management;
  • for privacy: EU Regulation 2016/679, the previous D.Lgs 196 and the various updates and regulations of the Italian Data Protection Authority;
  • for ICT risk analysis and management: ISO 27005, NIST SP 800-30, OCTAVE Allegro;
  • for IS architecture and security: TOGAF, OSA, NIST, the NIS Directive;
  • for the management of IT security measures: ISO 27001-2, ITIL: 2013, COBIT v5;
  • for data protection (privacy), including outsourced and/or cloud-hosted data: ISO 27018;
  • for cloud services security: ISO 27017, ISO 27018 and CSA STAR;
  • for identification and authentication: PKI, X.509, ISO, graphometry, NIST, and eIDAS (SPID).

The result of the risk analysis is a Report detailing the identified risks in order of severity, their reasons and potential causes, and the measures to be taken to eliminate or reduce them. This Report is presented and explained to the company's top management during a meeting.

Beyond consulting on risk analysis (RA) and/or on Business Impact Analysis (BIA), usually carried out within an intervention for Business Continuity (BC) and/or for enhancing the IS digital security measures, Malabo may provide the Client with periodic updates of the RA, BIA and BC, and/or may provide as SaaS (in cloud) its own IS tools for analysis and planning on these issues, tailored to the Customer's specific needs (derived from the initial consultation) and with training support for direct and correct use by the Client.


The Assessment of ICT Skills, Roles and organisational structures in support of the IS (hereafter ACROICT, for brevity) is a well-established consulting intervention between ICT and staff management, available to ICT companies and to IS Departments/Functions or Organisational Units (hereafter UOSI, for brevity), which simultaneously allows:

  • placement of the person's ICT skills with respect to the EUCIP/eCF European standards
  • analysis of the person's psycho-behavioural characteristics
  • analysis of the current position in the organisational structure
  • the agreed relocation of the person to another role, or confirmation of the current one, in both cases with a training plan that updates and completes the necessary skills, possibly with the support of a coach/tutor for a certain period of time.

[Figure: skills aspects]

The ACROICT intervention typically develops, for each person, in the following stages:

a) one or more meetings with the Client and the person's manager to acquire information on his or her career and current position (job description of the current position, curriculum vitae, certifications, publications, etc.), and to learn their judgement of the person both in professional and in behavioural terms;

b) "self-evaluation" of the individual through a web-based "expert system", known as RADAR, which identifies the EUCIP/eCF profiles most similar to the answers provided;

c) a technical interview to check the self-evaluated skills; the interview is carried out by an expert consultant certified in eCF;

d) a psycho-behavioural interview; this interview is usually held together with the technical one, while in critical cases and/or in those agreed with the Client it is conducted by an expert HR manager;

e) drafting of a personal report which typically contains the following elements:

  • the main similar profiles that emerged from the self-evaluation (including through the AICA expert system for eCF);
  • identification of the profile most pertinent to the current role and of the one desired in the long term, the target profile;
  • evaluation of the assessment's reliability and sharing (or not) of the findings;
  • strengths and weaknesses, both technical and aptitudinal;
  • identification and sharing of the role, current or target;
  • determination of the main steps, training or otherwise, to strengthen and improve the current role or to achieve the target role;
  • the training plan and/or coaching support;

f) possible customised intervention for support (coaching) and training.


AVULICT, ICT Vulnerabilities analysis and management


ICT vulnerabilities are the main causes of malfunctions and of digital attacks, intentional or otherwise, against an Information System.

The vulnerabilities of an IS fall into three main categories: technical vulnerabilities, staff vulnerabilities (end users and privileged IS users) and organisational vulnerabilities.

The AVULICT service covers only the technical vulnerabilities of the software installed on the Client's computer system. Staff and organisational vulnerabilities are examined in the ICT Risk Analysis (ICTRA).

AVULICT offers two service levels:

  • software vulnerability analysis, performed automatically with specific software tools; depending on the nature and complexity of the Client's IS and on the available budget, both open-source tools, such as OpenVAS, and commercial products, such as Nessus, may be used. The result of this analysis, delivered and illustrated/explained to the Client, is a Report which lists the discovered vulnerabilities in order of severity, and how to eliminate each one or reduce its severity.
  • penetration test (pentest): after the analysis above, Malabo's specialists perform non-destructive attack attempts against the Client's IS, especially its most significant infrastructure and the applications most critical to the company's business. The result of this analysis, delivered and illustrated/explained to the Client, is a Report which lists the breaches achieved and the critical aspects encountered in order of severity, and how to eliminate each one or reduce its severity.

The result of the technical vulnerability analysis is a Report which details, in order of severity, the technical vulnerabilities detected, their potential causes, and the interventions to be implemented to eliminate or reduce them where no specific patch/fix is yet available for that software. This Report is illustrated and explained to the Client's Top Management during a meeting.
