
Cyber Security

Poste Italiane has always considered the security of its digital services a strategic and fundamental component of its business.

In performing its activities, Poste Italiane manages a large amount of personal data and confidential and sensitive information, which it undertakes to process in compliance with the legal provisions in force. For the Company, guaranteeing high levels of security in the selection and use of its IT systems, in order to protect customers and individuals and combat cybercrime, is a commitment as well as a fundamental value.

Given that for Poste Italiane the adoption of the measures needed to prevent Cyber Security risk is a priority, a single hub was created at organisational level to monitor the risks related to the security of information and information systems, by means of:
  • identifying a single point of contact for risk associated with IT security;
  • the integrated management of Cyber Security risk;
  • greater efficacy and efficiency in operations by reducing the fragmentation of operational processes among functions.
In order to guarantee better management, the responsibility of IT security for the Group was assigned to a Chief Information Security Officer (CISO).

In recent years, the company has set up three technological hubs to guarantee and monitor IT security.

The Security Innovation Lab, created in Trento in collaboration with the Italian EIT Digital node – core partner of the European Institute of Innovation and Technology (EIT) – is engaged in applied research and has launched several project initiatives under the European programmes FP7 (the 7th Framework Programme) and Horizon 2020, the European Framework Programme for Research and Innovation (2014-2020).

The Computer Emergency Response Team (CERT), made up of a team of security experts tasked with coordinating all computer emergency response activities. CERT addresses both security specialists and large organisations, customers and consumers, offering its experience and competencies to guarantee the correct use of the internet. In particular, the Centre is engaged in preventing, analysing and protecting against IT threats and draws on a Cyber Security Competence Centre, located within the CERT (Rome), which is dedicated to studying new technologies for combating IT emergencies and to building relations with private parties aimed at the mutual exchange of knowledge in the Cyber Security field.

The Cyber Security Technological District of Cosenza, created under the National Operational Programme “Research and competitiveness 2007-2013” funded by the MIUR. Its purpose is to develop solutions for the protection of electronic payments. The District’s main objective is to study, define and implement evolutionary models, methodologies and prototypes for analysing cyber threats and protecting personal data, in order to heighten the defensive and response capacity of Poste Italiane and guarantee effective and efficient management of privacy matters within the Group, also in view of the issuing of the European Regulation on Data Protection.

During 2017 the Company also organised several training activities, carried out through 7 workshops. The main topics of the workshops held during the year were the new Privacy Regulation and its requirements, Information Resilience and the protection of business, the Internet of Things, the human factor in Cyber Security, open data and data science, security in the new digital bank and, lastly, trust in the digital era.

As regards awareness of Cyber Security and cyberbullying, in 2017 the Company organised various activities and specific initiatives, which involved over 2,500 users, of whom 2,000 were students who filled in 900 self-assessment tests on their knowledge of the subject. Among these initiatives, particularly worthy of mention are the “Heroes and victims of social media” exhibition, the Cartoon Festival “Roads in the landscape” and the Cartoon Competition on Cyber Security “Navigate with Care”.

Lastly, the Company expanded the scope of its Cyber Security awareness activities by supporting Calabria University in the creation of two Level Two Masters, recognised by the University’s Academic Committee, on Ethical Hacking and Secure Information.

Within the Group, both SDA and Postel SpA have taken on Poste Italiane’s commitment to data security and the protection of privacy. SDA set up an internal body (ITC Privacy Compliance & IT Security) which defines and updates the corporate policy on managing information security and personal data (data privacy), establishing the guidelines and general rules to be applied internally. Postel, for its part, established the Information Technology Function as a strategic lever supporting the business; this function manages the data and information essential to achieving the corporate mission. In this respect, Postel obtained ISO 27001:2013 certification, whose objective is to ensure, mainly towards end users, the security of the information managed in the operational processes of supplying products and services.


International commitment to Cyber Security

Poste Italiane’s commitment to Cyber Security is also translated into participating in international organisations promoting IT security and cooperation among the various players involved, such as:
European Electronic Crime Task Force (EECTF). Founded in 2009 by Poste Italiane, in partnership with the Postal and Communications Police, the Department of Public Safety of the Ministry of the Interior and the United States Secret Service, the EECTF was created with the objective of building a strategic alliance for sharing operational information on cybercrime. Furthermore, the involvement of public institutions, the police force, the academic world, the judiciary and the private sector allows competencies and expertise to be aggregated at European level.

Global Cyber Security Center (GCSEC). A non-profit organisation created to promote IT security in Italy and the rest of the world. The Centre was founded, funded and coordinated by Poste Italiane together with other associated companies; it is based in Rome and collaborates with Italian and international government institutions, private entities, research institutes and international organisations. The Foundation’s mission is to develop and circulate knowledge and awareness of IT security, creating the conditions to improve the ability to use and protect the internet.


CERT services and activities for information security

The services and activities carried out by CERT address the security of the information held and processed by the Company, so as to contain, within acceptable limits, the risk of jeopardising the confidentiality, integrity and availability of information and to avoid negative consequences, in terms of damage both to the Group’s image and of an economic nature. In particular, CERT offers the following security services:
  • Information Sharing. A service that guarantees a constant exchange of information, both within the Group and with qualified networks, for the purpose of detecting, preventing and combating potential attacks;
  • Early Warning. A service aimed at collecting, analysing and disclosing information regarding technological vulnerabilities;
  • Brand Protection. A highly specialised service that protects against the indiscriminate and illegitimate use of registered trademarks by competitors on the internet, identifying all possible improper uses;
  • Data Breach. A service based on monitoring and analysing systems in order to detect potential unauthorised access to sensitive or confidential data;
  • Cyber Threat Intelligence. A service by which Poste Italiane collects and analyses information available on the network, provided by the community and in general by external sources, in order to identify any attack models against the infrastructures and information of Poste Italiane.
The main activities conducted by the Centre during 2017 can, in turn, be divided into the following three macro-areas of action:
  1. IT SECURITY RISK ASSESSMENT AND SECURITY BY DESIGN
    In 2017, in addition to drawing up the Policies and Guidelines needed to retain ISO 27001:2013 certification for CERT and the Privacy Services Centre, a Risk Analysis was conducted on the Digital Public Identity System (SPID), extending the scope of analysis to the components required for delivering the service within Poste Italiane. The Risk Analysis for the overall scope was concluded in December 2017 with the development of the identified Risk Treatment Plan. Furthermore, there was an assessment of the correct implementation of the privacy requirements associated with the appointment of the Managers and Supervisors in charge of processing personal data and of the System Directors, as persons involved for various reasons in the management of information related to the SPID service.

    Also with regard to risk assessment, a Cyber Risk assessment was completed in view of the purchase of insurance cover for liabilities connected with IT-related risks, with the possibility of extension to a Crime Clause (internal and external fraud) and a Reputation Clause.

    Moreover, during the year CERT took part in various project activities, supporting the analysis and development phases of new projects/services in order to guarantee a Security by Design approach, by observing the binding regulations and corporate policies and precisely defining the security requirements. The main supervised projects were: SPID; Tower GECT; Data Governance; New BPIOL platform; Business Portal; BancoPosta Consumer Account; Tower Payment Engine; smart Savings Books; dematerialised PIN.

    Lastly, as a continuous activity throughout the year, CERT carried out Quick Assessment & BIA (Business Impact Analysis) activities on corporate project initiatives. The objective of the process was to classify the information processed, identify any impact on the business in the event of loss of confidentiality, integrity or availability of that information, and determine the security baselines to be implemented and the continuity targets.
     
  2. INFORMATION SHARING
    The Information Sharing activity in 2017 made it possible to share information on recently discovered threats, together with the related Indicators of Compromise (IoC), concerning threats, attacks and specific vulnerabilities with a potential impact on corporate infrastructures and assets.

    Thanks to the Brand Protection service, reports were made about information concerning Poste Italiane posted on social channels, following which unauthorised profiles were blocked; as for the Early Warning activity, security bulletins concerning the vulnerabilities of IT assets reported by the main institutional alerting services and vendors were distributed within Poste Italiane.

    Thanks to the Cyber Threat Intelligence activity, the Poste Italiane CERT analysed and reported various IT threats to the competent structures, such as the WannaCry ransomware (May 2017), the Petya attack (June 2017) and various CEO Fraud attempts (July and November 2017) aimed at Poste Italiane employees.

    In response to requests received from its clientele, in 2017 the Poste Italiane Cyber Security Department managed all activities concerning requests under art. 7 of Legislative Decree 196/03 (for example: access to data, correction, integration, erasure), analysed cases of presumed Data Breach and provided support to the Legal Affairs Function regarding reports, appeals and complaints to the Guarantor for the Protection of Personal Data.
     
  3. RESEARCH, DATABASES CENSUS AND OTHER INITIATIVES
    With regard to the research and development activities conducted by CERT in 2017, particularly worthy of mention is the implementation of three initiatives: closure of the European Project EUOF2CEN for the creation of an information exchange platform on bank fraud between European police forces, EUROPOL and financial institutions; presentation of the project proposal SHADOW2 within the European Commission’s Horizon 2020 framework programme; presentation of the project Distributed Ledger for Secure Open Communities within the MIUR PNR 2015-2020 Programme.

    Lastly, in November 2017 the Census of Databases was completed, an activity that is part of the wider corporate Database Management Process for privacy purposes and is among the actions taken by Poste Italiane not only to guarantee the availability, confidentiality and integrity of the personal data held by the Company, but also to safeguard the business and minimise the risk of sanctions.


Poste Italiane’s IT Security framework

In order to guarantee adequate levels of confidentiality, integrity and availability of the data, information and services delivered to its clientele, Poste Italiane has developed and adopted a dedicated IT security framework. This objective was reached by adopting not only technological measures but also internal organisational arrangements and operational security processes, guaranteeing a suitable level of performance of the security measures, adequate resilience of the business services and information flows towards the internal control bodies and/or the Authorities of reference. This security framework is divided into different levels of intervention:
  • IT Security Policy and supporting documental system
    The Policy sets out the objectives and strategic directives for managing security in the IT resources and processes supporting business services. Its objective is to contain, within predefined acceptable limits, the risk of jeopardising the confidentiality, integrity and availability of information, both to protect the business and to contribute to the fight against cybercrime.
  • Analysis of IT risk
    Poste Italiane uses a method for assessing and managing IT risk aimed at containing the risks of loss of confidentiality, integrity and availability of the corporate IT systems supporting business services, guaranteeing a correct distribution of security investments in line with the identified risk profiles. The objective of the risk treatment process is to effectively and efficiently steer the initiatives and resources aimed at containing security risks.
  • The Permanent Security Plan (PPS)
    The Plan consists of all the transversal interventions and technological projects required to guarantee the presence, updating and correct functioning of the security platforms. The Plan’s series of interventions is permanent in nature, since IT risks evolve continuously, and envisages the implementation of transversal technological infrastructures in the IT systems in support of all the services delivered.
  • Security by Design
    An activity that, during the analysis, design, realisation and production deployment of new services or the modification of existing ones, as well as within the change processes of the IT systems, is aimed at identifying the security requirements needed to guarantee adequate protection of the ICT resources involved. The ultimate purpose of Security by Design activities is to act on the entire value chain, ensure conformity with legal norms and standards regarding IT security, and integrate IT security into IT and Service Creation processes.
  • Transversal technological security infrastructures
    Given the pervasiveness and complexity of the Poste Italiane information systems, the Group oversees the design, realisation and maintenance of transversal security solutions based on the market’s leading technologies. These solutions allow prevention, monitoring and centralised management of security aspects, with the purpose of protecting corporate information assets against targeted cyber-attacks by using state-of-the-art measures.
  • IT security incident management
    In order to comply with the obligations established by the regulations in force on data security and on preventing and combating cybercrime, Poste Italiane – in line with Legislative Decree 196/2003 – adopted a specific Incident Handling procedure for the prevention, management and escalation of all IT security incidents that violate or threaten the confidentiality, integrity and availability of corporate information assets. The methodology for managing IT security incidents implemented by Poste Italiane and formalised in a dedicated Operating Procedure follows the Good Practice Guide for Incident Management of ENISA (European Union Agency for Network and Information Security).
  • Certifications
    Faced with the pressures of the external context, caused by the increasing complexity of the business and by normative and regulatory developments, as well as developments in the internal context, Poste Italiane guarantees structured supervision of IT quality and security by adopting an Integrated Management System for IT Quality and Security, which transposes the aspects highlighted by international standards and sector benchmarks¹.
  • Projects for innovation with regard to security
    Poste Italiane pursues innovation in IT security through studies and scenario research on vertical security topics, focusing specifically on identity management, mobile security and distributed ledgers² (blockchain technology). The Company has launched a set of projects with the objective of managing new emerging risks, in terms not only of protection but also of prevention, in a context which, as at present, requires new technologies and high competitiveness for the business to grow.

¹ In 2017 the Parent Company coordinated the activities preparatory to retaining and subsequently renewing the ISO 9001 – 20000 – 27001 Certifications for ICT services, PEC [certified email] for employees, GECT Graphometric Signature and the SPID Service and, furthermore, obtained an extension of the ISO 9001 and 27001 Certifications to the PosteCert trust services of PosteCom (PEC, Digital Signature, Timestamp and Digital Archiving).

² Distributed Ledgers means ledgers that can be updated, managed, controlled and coordinated no longer only at a central level but in a distributed manner, by all players.


Innovation projects for corporate and business security

Since 2013 Poste Italiane has launched a set of IT security projects funded through European and national programmes, with the objective of managing new emerging risks, in terms not only of protection but above all of prevention, in a context which, as today, requires products, processes or services with original characteristics, new technologies, drastic and swift transformations and high competitiveness in order for the business to grow.

Participation in these projects has brought technological, procedural and economic advantages, and has allowed Poste Italiane to enter a network of over 50 partners among academic institutions (universities and research centres), public institutions (ministries and agencies) and private enterprises (including large enterprises and SMEs) spread across various member countries.

In order to supply its clientele with innovative services that are secure and have no negative impact on time-to-market, for some years Poste Italiane has applied a security innovation strategy based on participation in innovative projects funded by the European Commission and, at national level, by Ministries and Regions.

Through the European and national programmes dedicated to Security, it was possible to fund key elements of the assets envisaged for defending Poste Italiane’s digital services. These opportunities allowed Poste Italiane to anticipate the business innovation processes and to develop projects always in line with the objectives of the Strategic Plan.

Indeed, over the years it has been possible to consolidate specific competencies in IT security sectors (for example insurance, digital identity, mobile security, digital health services, digital finance, smart logistics and smart energy management), by participating in the design, realisation and implementation of innovative security solutions and pilot activities in those sectors, also with a view to technological transfer towards the corporate functions that operate on such markets on a daily basis.


The role of innovation in IT security


Security Project Portfolio

 
Funded national projects in the field of IT security:
  • PROTECT ID: The Protect ID project has the purpose of improving the functions related to managing digital identity, building innovative security services and solutions for Digital Identity management and guaranteeing the protection of privacy and the secure sharing of personal information on the network. Advanced behavioural analysis and real-time monitoring services constitute the backbone of the project’s outcome.

Funded European projects in the area of IT security:
  • MOBILE SHIELD: The objective of the Mobile Shield project is to produce two new mobile malware detection services, develop new hypervisor technology to protect mobile devices and end users from malware and ransomware, and protect communications and sensitive data by means of innovative solutions conceived for the protection of the mobile business customers of Poste Italiane.
  • SDIM: The SDIM (Secure Digital Identity Management) project has the objective of developing secure and innovative methods for managing digital identity and guaranteeing privacy in the use of e-Government services. The project was especially significant for the development of the national system for supplying SPID Digital Identity.
  • MOBILE SHIELD II: Project Mobile Shield II, an extension of Mobile Shield, has the objective of producing fraud detection services on mobile platforms. Such services are aimed at protecting business users and consumers using mobile devices from common attacks (for example data or identity theft). Real-time protection is aimed at predicting fraudulent activities rather than intervening once money has been taken.
  • FIDES: Project FIDES (Federated IDEntity management System) has the objective of developing secure methods for managing digital identity by developing cross-border solutions for delivering services based on digital identity in the European Union. The project implements services for Anonymity, Unlinkability, Unobservability and Pseudonymity, enabling particularly innovative scenarios for Security and Business.
  • FIDES II: Project FIDES II extends the management of federated digital identity at international level, integrating innovative technologies supporting mobile platforms and integrating Strong Authentication systems with the highest security standards. A multi-protocol broker guarantees support for the state of the art of the technologies specialised in delivering services based on Digital Identities.
  • VAMOSS: Project VAMOSS (Vulnerability Analysis and Management for Open-Source Software) implements a technology that supports the software development cycle in assessing the impact of open-source code on Java applications, whether mobile, web or stand-alone. The service, provided in SaaS mode, was used for in-line analysis in the software development process of Poste Italiane.
  • WAFFLE: Project WAFFLE (Web Application Firewall for Large-scalE phishing attacks) has the objective of realising a solution for protecting companies from large-scale phishing attacks and from spear-phishing, and therefore a solution for protecting personnel and top management based on machine-learning methods using a high performance self-learning
  • DLS-OCS: Project DLS-OCS (Distributed Ledger Services for Online Contract Settlement) has the objective of creating solutions for a “trusted market” able to support the stipulation and automatic management of B2B and B2C contracts for managing the exchange and energy balance (physical and financial) in the energy market without intermediation by a Central Authority. An enabling platform for the direct exchange of energy between producers, consumers, prosumers and accumulators.
  • ESSENCE: The ESSENCE (Empowering Safer homes) project creates a network of sensors for monitoring the activities of senior citizens and the disabled within their homes (3D geo-fencing). Emergency situations (malaise, falls, anomalous behaviour, etc.) are detected and reported to operators who can take action remotely by means of a network of actuators (closing gas and water valves, automatic opening of the front door, etc.), all in full observance of the users’ security and privacy.
  • DCOT: Project DCoT (Digital Chain of Trust) has the objective of creating a multi-service, multi-function solution based on blockchain technology which allows Digital Chains of Trust to be realised. The solution is validated in an application context in the Logistics sector (parcel tracking) but is open to strong applications in Digital Forensics.
  • API ASSISTANT: Project API Assistant (Automated Security Assessment of Apps for the API economy) has the objective of creating a virtual assistant for mobile app developers, capable of increasing users’ knowledge of Cyber Security and managing threat mitigation in API-based Apps for mobile devices, offering a Toolkit to harden the code against known security problems.
  • CYBEROAD: Project CYBEROAD (Development of the Cybercrime and Cyberterrorism Research Roadmap) has the objective of identifying current and future topics in the fight against Cybercrime and Cyberterrorism and defining a strategic roadmap for research in the field of IT security. The European Commission used the results of CyberRoad, which contributed to the definition of future funding interventions.
  • ECOSSIAN: Project ECOSSIAN (European Control System Security Incident Analysis Network) has the objective of improving the current context of Critical Infrastructure Protection by means of an integrated approach to the detection and cooperative management of IT incidents. To this end, the project developed a system that facilitates Threat Detection, Early Warning, Threat Mitigation, Information Sharing and Disaster Management activities.
  • SISSDEN: Project SISSDEN (Secure Information Sharing Sensor Delivery Network) improves security for European organisations by developing Situational Awareness and operational Information Sharing, deploying a distributed network of thousands of sensors scattered over 100 countries of the world, based on existing honeypot/darknet technologies, and creating a high performance data-processing centre.


Security Innovation Lab

The Security Innovation Laboratory promotes alignment between the needs of Corporate and Business Security and the proposal of innovative and disruptive solutions in the security sector. The Laboratory is a natural engine for the technological transfer of security to the Company’s business segments. The following take place in the laboratory:
  • technological transfer activities by means of Demos, Proofs-of-Concept and actions for developing competencies;
  • development of prototype components for projects funded by the European Commission;
  • pilot installations;
  • Malware Analysis & Reverse Engineering.
In collaboration with the competent legal functions, appropriate management of Intellectual Property is also carried out (e.g. IPR, Consortium and Licence Agreements).

Completing the picture are activities aimed at identifying innovative business models for setting up sustainable security in economic terms.

The ultimate objective is to predict the requirements of Research and Innovation in the field of security by developing a profound knowledge of applications for secure and sustainable business, which follows the rapidly changing demands of the market and Poste Italiane clientele.


Mobile Malware Analysis Lab

Among the relevant projects concerning innovative environments is the activity that Poste Italiane carries out to make mobile Apps secure, also given the central role that this channel is assuming in the development of digital business. The purpose of the project is to:
  • analyse the types of data collected and, where applicable, sent by the Apps used;
  • prevent claims from Customers regarding offences traceable, directly, indirectly or presumably, to the use of Apps associated with the Poste Italiane brands and Group Companies;
  • prevent direct damage (for example, fraud, etc.) due to improper use of the Apps, or indirect damage (e.g. damage to image, etc.) due to improper use of the brands;
  • protect intellectual property rights (source code, logos, trademarks, etc.).

The activities shown below involved all Apps bearing marks traceable to Poste Italiane or Group Companies, which are developed by and/or on behalf of the Group or by third parties, or which offer functions involving the processing of customer data, and which can be obtained not only via the official markets (Google Play Store and Apple Store) but also via alternative markets: