REV. 5 DATED MAY 15th 2023 - ABSTRACT

NAITEC INFORMATION SECURITY POLICY

1. DEFINITIONS OF INFORMATION SECURITY MANAGEMENT SYSTEM - ISMS

1.1 CONTENTS OF THE DOCUMENT

This Security Information Policy illustrates the Naitec Information Security Management System in line with the needs, objectives, security requirements, organizational structures and the main countermeasures adopted by Naitec regarding information security in order to:

• - ensure the security of information and information systems used to process them;
• - ensure the compliance with the guidelines of the administrator of risk management and information protection
• - ensure the logical and physical protection of company information;
• - provide the organizational addresses for the management of corporate information security in compliance with the laws, internal regulations and contractual requirements relating to Information Security.

1.2 INFORMATION SECURITY

For Information Security is meant the fulfillment of the following requirements :

• - Confidentiality: Services and Information must be protected to prevent unauthorized access;
• - Integrity: Services and Information must be correct, complete and protected from abuse and from unauthorized modifications;
• - Availability: Services and Information must be accessible by users when required, in line with defined security levels.

These requirements are pursued at every stage of the information life-cycle.
Breaches in information security can result in reputational and economic damages, business interruption, sanctions or civil liability.

2. ISMS SCOPE

The scope of the Information Security Management System and of the indications given in this document is extended to all Naitec, namely to the:
Design, Development, Assistance and Maintenance of IT solutions.

3. MANAGEMENT COMMITMENT

Through its management, Naitec considers highly strategic the protection of its information assets, as well as a critical factor in the success of the company business, and an enabling factor for the efficient and necessary sharing of information.

For this reason, Naitec management intends to take all necessary measures in order to ensure:

• - the assignment of updated security responsibilities;
• - the protection of information assets in a manner commensurate with their value and according to the results of the risk analysis;
• - a continuous promotion of understanding and harmonization with general and specific laws and regulations for its own activities;
• - the design, development and supply of services in compliance with the security requirements and signed contractual requirements;
• - the design, development of IT solutions in compliance with security requirements;
• - the adequate training of staff on the subject of Security according to the roles and security responsibilities assigned to it;
• - the continuous improvement of the Management System not only through adequate control and governance, but also through activities aimed at achieving a greater efficiency;
• - the adequate management, through specific procedures, of possible information security incidents in order to mitigate their impact and minimize direct and indirect damage to company operations.

4. RESPONSABILITY OF EMPLOYEES, COLLABORATORS AND THIRD PARTIES

All Naitec employees, collaborators and third parties are required to follow all instructions regarding the correct behavior for their activity as weel as in the management of the assigned operations.

In particolar, it’s the task of each one:

• - To refer to all available information on the Regulation on the use of IT devices or to any specific contractual restrictions, ensuring the protection of the assigned assets with a proper use, by keeping full awareness and understanding of the rules and procedures for the protection of assets and of the company data
• - To ensure an adequate classification and control on all information owned by Naitec for which he /she is responsible ;
• - To be be aware of Security Regulations by promptly reporting incidents in case of infraction or suspected activity.

5. CONFORMITY AND VIOLATION

The compliance with the policies of this document is mandatory: each recipients must be aware of his/her role and responsibilities regarding the protection of information assets.

Any violation of the principles expressed in this document will have to be evaluated by the CISO, so that he can take all the necessary actions to minimize the impact and reduce the likelihood of reiteration.