Information Security Policy

(M 01 rev. 1 of 10/25/2024)

As part of the implementation of its information security management system, brought into compliance with the UNI CEI EN ISO/IEC 27001:2024 standard and in consideration of its strategic importance for the company’s business, the management of Punto EXE Srl has adopted an adequate security policy.

Punto EXE Srl is aware that information security management is a complex cultural process that involves the human resources assigned to all organizational units within the certification perimeter defined in the manual.

Punto EXE Srl believes that the quality of its services (understood as the ability to meet associated needs) and information security are the result of a combination of scientific, technological, organizational, procedural, relational, and communication elements. A key role is played by human factors that interact strongly in production processes, resulting in a constant commitment to user centricity and the improvement of its services.

Furthermore, as provided for by the new European Privacy Regulation no. 679/2016 (hereinafter also “GDPR”), the key principle to adopt when approaching the processing of personal data and information security is that of Accountability, that is, active responsibility for data processing. Promoting and developing an environment that is aware of and attentive to the issue of information management is therefore a mandatory step.

The objectives of Punto EXE Srl in fulfilling its mission are:

    • to maintain the centrality of the customer (user and client), which is the guiding principle on which the company management system was developed; the company aims to demonstrate this commitment to its employees, customers, suppliers, and other stakeholders by defining its own policy;

    • to ensure an adequate level of data and information security in the design, development and delivery of products and services, through the identification, assessment and treatment of the risks to which the services themselves are subject;

    • to ensure that staff and collaborators have adequate knowledge and awareness of the problems associated with information security, so that they acquire sufficient awareness of their responsibilities regarding its processing;

    • to ensure that all external suppliers are aware of Punto EXE Srl’s information security issues and comply with the adopted security policy;

    • to establish guidelines for the application of standards, procedures and systems to implement the information security management system (ISMS);

    • to adopt the UNI CEI EN ISO/IEC 27001:2024 standard as the reference standard for implementing the information security management system and pursuing compliance;

    • to ensure that all Punto EXE Srl staff are aware of the technical and organizational rules for using company information systems;

    • to ensure that all staff are informed of their responsibility for managing information;

    • to use appropriate resources and technologies that guarantee the expected performance results;

    • to ensure security conditions in every type of activity or phase of processing of personal and sensitive data.

To achieve these objectives and intentions, Punto EXE Srl guarantees and commits itself:

    • to develop, maintain, monitor and constantly improve the information security management system (hereinafter also referred to as SGSI), in compliance with the UNI CEI EN ISO/IEC 27001:2024 standard, capable of satisfying the declared requirements and continuously improving the effectiveness, reliability and availability of the IT services provided and of the primary and ancillary processes;

    • to draft, update, and monitor development plans so that IT infrastructure and services support business activities, adopting appropriate security policies;

    • to the secure storage of the information managed;

    • to the adequate definition of the technical content of the services provided (service specifications) which is reflected in a series of specialized regulatory references including IT protocols and technical-scientific documentation;

    • to the qualification and competence of the personnel involved;

    • to the correct execution of investigation, analysis (including experimental), design and assistance activities, essential prerequisites for the validity of the services provided, ensured by the competence and reliability of the personnel, according to validated and recognized protocols and, secondarily, to the compliance of the system with the UNI CEI EN ISO/IEC 27001:2024 standard;

    • to provide a structural framework for establishing and reviewing information security objectives;

    • to disseminate the principles and values declared in the company policy throughout the organization and to make communication to and from the various interested parties active and effective, so that the policy is understood and shared;

    • to comply with the rules and laws that regulate the services and the processing of the related data and to maintain the security of the complex of records and information managed;

    • to periodically review its policy and objectives whenever necessary, following the implementation of changes that affect it, to ensure its continued suitability and to make its commitment to improvement effective.

Management will periodically review the effectiveness and efficiency of the Information Security Governance System, ensuring adequate support for the adoption of necessary improvements to enable the activation of a continuous process that must monitor changes in surrounding conditions or corporate business objectives to ensure its proper adaptation.

Campobasso, 25/09/2024 Approved by Management