In order to ensure the security and regularity of the provision of Air Navigation Services, in compliance with current national and international norm, ENAV assumes the full conviction that the staff protection , infrastructure and the information security it receives, produces, uses and transfers are crucial and essential elements in order to protect the community which, directly and indirectly, makes use of its services.
The Security Policy expresses ENAV's commitment to ensuring the security of its facilities and personnel to prevent undue interference in the provision of air navigation services, and the protection of its systems and data from threats to information security that may lead to illicit interference in the provision of air navigation services and to vital and relevant information also of interest of the financial community.
Security management system
ENAV has developed its own Security Management System, certified according to standard UNI EN ISO 27001:2014: it is a system that consists of technical and organisational measures implemented in order to increase, overall, the ability to prevent and mitigate the effects of acts of unlawful interference in the provision of air navigation services and of protecting persons and corporate information assets that have a direct impact on ENAV's institutional activity. The activity is strongly characterised by the management of the entire security life cycle and it finds a defining point in the activities of the Security Operation Centre, which constitutes the operating engine of the processes of prevention, detection, containment, response and assistance to recovery, under the assumption of security-injurious events. ENAV participates in the National Cyber Security Strategy and the protection framework of national security and defence interests, in its dimension of critical infrastructure and provider of essential services.
A brief description of the main processes that make up the security management system below.
The process is aimed at identifying the risks associated with possible dangerous situations regarding ENAV Security and specifically for the security of ENAV's installations and personnel and the information that ENAV receives, produces or uses and to plan and implement the security countermeasures necessary to reduce these risks to levels deemed acceptable for ENAV. Risk management is expressly extended to staff missions.
Classification of information
The purpose of the information classification process is to support the correct application, in the entire business context, of the rules and the principles of confidentiality of information by the definition of the classification level in terms of confidentiality, and the definition of persons authorised to process information, inside of the organisation and outside.
Physical security management
The physical security management process aims to avoid unauthorised access, damage and interference to ENAV's staff, technological infrastructures and real estate by means of protective measures commensurate with the nature of the own structures , the type of services they have performed, the resident staff and, more generally, the risk analysis carried out on the specific installation.
Logical access management and Backup and restore of data
The management processes of logical accesses, relevant both to the operational and managerial scope, have the objective of preventing unauthorised access to ENAV's computer resources.
The data backup and restore activities are carried out both for operational and managerial data in order to guarantee their availability and integrity and are planned with a view toward guaranteeing the continuity of the institutional and related services for the pursuit of the mission.
Security event monitoring and ICT security Audits
The activities of monitoring the level of security of ICT infrastructures related to the ENAV's operational network and the management network, carried out in continuity by the Security Operation Centre in connection with all ENAV's line functions, aim to identify any abnormal behaviour and, in case of attack/threat detection, to activate the security incident management process.
The ICT security audits, on the other hand, aim to verify that the ICT assets comply with the mandatory rules, the "ICT Security Policy", the SecMS Rules and the security standards considered applicable.
The process, inspired by continuous improvement logic, aims at the constant monitoring of threats and the early detection and contextual resolution of vulnerabilities, with a constant connection to Threat intelligence processes and the acquisition of information from Bodies responsible for the national security and defence.
Reporting and managing security incidents
The main objectives of the incident reporting and handling process are the timely identification of security incidents, the provision of what is necessary to prevent security-related incidents from causing greater effects in terms of extent and/or intensity of damage, the elimination of the causes at the incident origin, and the restoration of initial conditions to return, as soon as possible, to normal operation. This activity is crucial to the protection of the Group's vital interests and to the protection of core values in its constitutional architecture. This responsibility is the task of the Security Operation Center, in its dual structure of reference centre for physical and personal security and information security.
The main activities carried out for security
The security activity is based on a risk analysis process, built on the ISO 31000 standard and the analysis activity, every year, covers the three domains of physical, personnel and information security with a process inspired by continuous improvement. Risk management is developed through the principles of "security by design" and "security through lifecycle" and addressed through procedures, which are continuously updated, that consider the issuance of technical-operational requirements, metrics and indicators aimed at strengthening the culture and awareness of security (both with training programmes and exercises carried out for all personnel, at differentiated levels).
The substantial evolution of ENAV's Security Operation Center continued, with a strong characterisation towards open source tools, some of which were developed internally. Consistent actions have been established to ensure the security of staff who are on mission and to initiate overall adjustments for full compliance with the European regulation on the security of personal data (GDPR). Cooperation with the national infrastructure and cybernetics security institutions continues, following the signing of an agreement with the Department of Public Safety at the Ministry of the Interior for the protection of the physical security of ENAV's infrastructure and personnel, which is added to the conventions on the security of information and data with the same National Authority of Public Safety and with the national Cybernetic Authority (DIS), for the complete and effective fulfilment of the duty of diligence enshrined in the Security Policy. In implementing the principles of the Security Policy, ENAV continued its campaign to promote the culture of security with different modalities to achieve the expected levels of value-sharing. A further development of ENAV's operational continuity plans, complying with the ISO 22301 Standard, also involved the component of the Group's systems management and maintenance processes.