An Information Security and Privacy Management System

The security posture offered to our Clients is the result of constantly improved management policies, honed through years of experience in the most ambitious sectors, and a continuous search for and implementation of the most advanced security measures. All of this is aimed at providing Clients with a simple and transparent solution in terms of compliance.

Below are some of the policies and procedures that make up the Information Security and Privacy Management System adopted by Diennea:

  • General Information Security Policy: regularly reviewed by top management, this policy defines strategies to achieve security goals through the appropriate management of assets, processes, roles, and responsibilities.
  • IT Usage Policy: this policy establishes controls to regulate the use of devices (PCs, laptops, tablets, smartphones, USB devices, etc.), including remote usage, such as enforcing configurations that protect information and prevent the installation of unauthorized software.
  • Information Classification Policy: This policy provides a categorization framework to help DLP (Data Loss Prevention) systems precisely intercept the potential transmission of confidential content.
  • Clear Desk & Clear Screen Policy: Aimed at enhancing the security and confidentiality of information, particularly those classified as confidential or secret.
  • Security Incident Management Policy: Aligned with industry regulations, this policy ensures a thorough analysis of every event and of the organizational processes involved, and includes a real-time Status Page that displays the service status.
  • Physical and Environmental Security Policy: Applies to both primary and secondary data centers as well as operational offices, defining physical security measures for protecting company assets.
  • Cooperation with Authorities Policy: This policy defines the procedures the company follows during inspections, information requests, and audits conducted by regulatory authorities.
  • System Administrator Policies and Operational Procedures: This policy governs the management of system administrators and their access logs, in accordance with the resolution of the Italian Data Protection Authority of 27/11/2008 (and subsequent amendments).
  • Background Check Policy and Procedure: Defines how background checks are conducted for incoming personnel, in compliance with applicable laws, regulations, and ethical standards.
  • Malware and External Intrusion Protection Policy: Involves the adoption of specific anti-malware and anti-ransomware solutions on both client and server systems, with automatic updates and scans. This includes scanning of shared files, emails and attachments, downloads, and web pages.
  • Cryptographic Control Policy: Requires the use of strong cryptographic algorithms on all devices, both for “at-rest” and “in-transit” information.
  • Logging and Monitoring Policy: Active 24/7, in compliance with regulatory requirements, industry standards, and best practices, focusing on the centrality of information security.
  • Network Management Policy: Includes control of connected devices, traffic restrictions, and resource allocation within the corporate office networks and data centers, through multiple VLAN levels, VPNs, and traffic management and analysis tools such as firewalls and IDS/IPS.
  • Secure Development Policy: Specifies the software development lifecycle in dedicated environments, including static code analysis, OWASP checks, test data usage, and a QA process, with 11 evolutionary and corrective releases per year.
  • Vulnerability Assessment and Penetration Testing Policy: Involves periodic, independent, and objective testing by third parties, who are rotated over time to prevent familiarity with the system and avoid expectation biases.
  • BCP & IT DRP Policy: Ensures the resilience of services in the event of disasters, guaranteeing predefined RTO and RPO.
  • Patch Management Policy: Applies to workstations, servers, network devices, and other company-owned or managed hardware assets. It includes continuous monitoring of vulnerabilities (CSIRT, technology vendors) and the use of tools for centralized update management where possible, as well as specific update processes for individual assets based on criticality.
  • Change Management Procedure: Manages and monitors changes that may impact information security, arising from business processes, systems, applicable technical regulations, or application features.
  • Backup Management Policy: Defines how backups are executed, their frequency, storage, physical and cryptographic protection measures, and verification processes. Backup copies of information managed by Magnews are made daily, replicated across two data centers about 450km apart, and stored for up to 60 days.
  • IT Systems Audit Policy: Involves periodic risk analysis (at least annually) and the execution of an audit program covering both internal organizational areas and suppliers, coordinated by the Audit Team, whose members hold specific ISO certifications.
  • Third-Party Management Procedure: Involves a careful risk analysis of each supplier starting from the initial due diligence phase and continuing through the contractual relationship, including ongoing maintenance audits.
  • Personal Data Transfer Policy: Regulates how personal data transfers are handled.
  • Legal Basis for Processing Policy: Describes the legal principles underlying the processing of personal data by the organization and lists the legal bases that Diennea may use to justify the purposes pursued.
  • Personal Data Retention Policy: Provides for transparent retention of various types of data processed by the organization, with customizable parameters based on client requests.
  • Governance and Accountability Policy: Ensures the organization aligns with applicable data protection laws and, in particular, establishes Diennea’s governance structure, describing roles, responsibilities, objectives, risks, documents, and operational controls to implement the accountability principle introduced by the GDPR.
  • Data Breach Management Procedure: Provides practical guidelines to follow in the event of a personal data breach affecting the organization, both as a Data Controller and Data Processor.
  • Credential and Authorization Profile Management Procedure: Regulates the secure use of access credentials and proper management of information access according to the principle of least privilege.
  • Exercise of Data Subject Rights Procedure: Provides operational guidelines to ensure the exercise of data subject rights under the GDPR.

Simplicity and reliability for the Client

  • Certified Guarantees.
  • A prepared partner focused on security and data protection, with staff undergoing continuous training programs and attack simulations.
  • Attention to the supply chain, limiting the number of sub-processors involved and avoiding transfers of personal data outside the EEA.
  • Direct management of the IT infrastructure, without the use of subcontractors or reliance on CSPs (Cloud Service Providers).
  • Phone and email support, available in both Italian and English.
  • Bug Bounty Sessions that subject the platform to testing by ethical hacker communities.

Optional support upon request

  • Availability to conduct periodic maintenance audits by the Client.
  • Availability to submit the Platform to PT/VA (Penetration Testing / Vulnerability Assessment) by the Client.
  • Availability for direct involvement of the Security Team staff.
  • Support during the exit phase for service internalization or migration to another external platform.

Technological Infrastructure

The magnews infrastructure is designed to ensure the highest security standards on the market.
The data centers hosting magnews servers, through colocation services, implement technical and organizational measures such as:

  • Smoke and fire detectors with automatic fire suppression systems that activate to saturate the environment in case of a fire.
  • Liquid detection probes under the floor near connectors, valves, and main water distribution lines. Any water leaks are properly redirected and discharged outside.
  • Integrated intrusion detection system connected with smoke detection, fire suppression, CCTV, access control systems, and technological alarms.
  • Intrusion sensors within the building activated and deactivated by signals from the access control system.
  • Motion detection cameras positioned to monitor the building’s perimeter, entrances, interlocked doors, and any other critical areas.
  • Air conditioning system that maintains stable environmental conditions (relative humidity between 20% and 80%, with air exchanges at a minimum of 1.5 volumes/hour).
  • Static uninterruptible power supplies (UPS) with batteries providing 15-20 minutes of autonomy under full load or D-UPS systems with a rotating inertial mass to ensure power continuity during the brief transition from the main power grid to the emergency system, which in turn guarantees at least 36 hours of autonomy to support the entire facility.
  • Armed security surveillance 24/7, access registration procedures and identification of personnel entering on behalf of the Clients. Access to systems rooms is electronically controlled via badges and fingerprint recognition systems. Perimeter control using infrared systems, periodic evacuation tests, and security procedures with identification and assignment of responsibilities.
  • Access restricted to authorized personnel only, allowing on-site operations on their systems and devices, with appropriate identification within the IDC, and prior reservation and identification.
  • Registration of all authorized incoming and outgoing visitors, with checks by guard staff to verify that visitors are in the areas permitted to them.


The main security measures adopted on the magnews Platform include:

  • Logical separation of customer data through a “multi-tenant” management model using dedicated data tables on databases, with strict low-level controls. Data access is managed and translated directly by the platform (no queries are executed directly on the DBMS). The same segregation is applied at the memory level (distributed cache and threads) and at the filesystem level.
  • Two data centers located in Italy 450 km away from each other, with multiple certifications, including Uptime Institute TIER IV, ANSI/TIA 942-B-2017 Rating 4 “As Built,” ISO 27001, ISO 22301, ISO 22237, and ISO 9001.
  • Use of hyper-converged solutions for maximum scalability, flexibility, and redundancy.
  • Network segmentation to enhance security.
  • Access control to ensure restricted access.
  • NGFW (Next Generation Firewall) with active IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) features.
  • Encryption of “at-rest” data on all devices (laptops, servers, removable drives) using the AES-256 algorithm.
  • Encryption of “in-transit” data via secure protocols (HTTPS, SSH, SFTP, FTPS, STARTTLS) between application components and to/from external services, wherever possible (for example, if an email is sent to a recipient whose mail server does not support STARTTLS, the system will forego encryption unless it is explicitly configured to reject the sending).
  • Distributed backups across data centers, encrypted with AES-256 and utilizing specific functions for freezing and immutability.
  • Certified destruction of decommissioned hardware containing data.
  • DLP (Data Loss Prevention) enforced for all personnel.
  • Antivirus, anti-malware, and EDR (Endpoint Detection and Response) installed on all clients and servers, and regularly updated.
  • Password storage using hashes generated with the PBKDF2 algorithm with 600,000 iterations.
  • Possibility of independently configuring the security level of application access: 2FA (Two-Factor Authentication) enablement for individual users, IP blocking/enabling, customizable lockout logic for consecutive authentication failures, password requirements (length, uppercase/lowercase/numeric/special characters, validity period, automatic suspension after inactivity, session duration, number of previous passwords that may not be reused), and predefined and customizable user profiles.
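As an added illustration (not code from the magnews Platform), the following Python shows password storage with PBKDF2 at the 600,000-iteration count stated above. The PRF (HMAC-SHA-256), salt size and record format are assumptions; the verifier compares in constant time and flags records that predate the current iteration policy so they can be upgraded on the next successful login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# 600,000 iterations is the figure stated on the page. The PRF, salt length,
# derived-key length and storage encoding are assumptions for this example.
ITERATIONS = 600_000
PRF = "sha256"
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<prf>$<iterations>$<salt b64>$<key b64>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        "pbkdf2_" + PRF,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters embedded in the record; compare in constant time."""
    try:
        scheme, iterations, salt_b64, key_b64 = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        prf = scheme[len("pbkdf2_"):]
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed record, unknown PRF or bad base64: treat as a failed verification.
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses a different PRF or fewer iterations than current policy."""
    try:
        scheme, stored_iterations, _salt, _key = record.split("$")
        return scheme != "pbkdf2_" + PRF or int(stored_iterations) < iterations
    except ValueError:
        return True
```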

The Organization is able to offer the following services upon the Client’s request:

  • Web Application Firewall and active anti-DDoS mitigation on the application backend;
  • 24/7 monitoring by a SOC (Security Operations Center) with the use of SIEM (Security Information and Event Management), CTI (Cyber Threat Intelligence), and OSInt (Open Source Intelligence) platforms to monitor attack threats and anomalous behaviors;
  • 24/7 IT support with dedicated personnel;
  • Integration with the Client’s IAM (Identity and Access Management) using SAML v2;
  • Proactive notifications in the event of security incidents.

A "by design" Platform

The magnews Platform offers a solution built “by design” to facilitate GDPR compliance while protecting your clients’ personal data.
The functionality of the Platform is based on data protection principles from the design stage in compliance with Article 25 of the GDPR and is certified through the following requirements:

  • a careful assessment of the risks associated with the processing of personal data for which the magnews Platform is intended;
  • the provision of modules, technical, and organizational measures that allow the Client, as the Data Controller or Data Processor, to ensure an adequate level of protection for personal data processed through the Platform;
  • transparent communication with the Client about the security features and privacy by design aspects of the Platform, allowing them to assess whether, from a technical standpoint, the magnews Platform meets their needs and the specific characteristics of personal data processing they intend to carry out through it.

A more detailed analysis of the magnews Platform elements that assist the Client in GDPR compliance is available here: link.

On the magnews Platform, the following optional modules can be activated:

  • enabling a precise and customizable log of all changes to consents and consented data for the data subjects (module “Consent Tracker”);
  • blocking email delivery to mail servers that do not accept encryption protocols, while also providing functionality to manage fallback to alternative communication channels.
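The opportunistic-versus-enforced STARTTLS behaviour described in the infrastructure section, and the enforcement module above, as an added example in Python (not the magnews Platform's own code). The EHLO replies are constructed sample data; the fallback channel name and the simulated handshake outcome are assumptions. The parser and policy logic are general, not tied to any particular MTA.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed EHLO replies (sample data, not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mx.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.legacy.test\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_extensions(reply: str) -> Set[str]:
    """Parse a multi-line EHLO reply (RFC 5321, 4.1.1.1): the first line is the
    greeting, each following '250-'/'250 ' line starts with an extension keyword."""
    keywords = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250" and line[3:4] in ("-", " "):
            fields = line[4:].split()
            if fields:
                keywords.add(fields[0].upper())
    return keywords


@dataclass
class DeliveryDecision:
    action: str   # "send_tls", "send_plaintext", "fallback" or "reject"
    reason: str


def decide_delivery(reply: str, require_tls: bool, fallback_channel: Optional[str] = None,
                    handshake_ok: bool = True) -> DeliveryDecision:
    """Opportunistic mode: encrypt when offered, otherwise send in clear.
    Enforced mode: never send in clear; reroute to a fallback channel or refuse.
    handshake_ok simulates the TLS negotiation that follows the STARTTLS command."""
    if "STARTTLS" in ehlo_extensions(reply) and handshake_ok:
        return DeliveryDecision("send_tls", "server advertises STARTTLS and the handshake succeeded")
    if not require_tls:
        return DeliveryDecision("send_plaintext", "opportunistic mode: no usable STARTTLS")
    if fallback_channel:
        return DeliveryDecision("fallback", "TLS required: rerouting to " + fallback_channel)
    return DeliveryDecision("reject", "TLS required and the server offers no usable STARTTLS")
```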