In order to ensure the security and regularity of the provision of air navigation services, ENAV is fully aware of the fact that the protection of personnel, infrastructure and the security of the information it receives, produces, uses and transfers is a crucial and essential element in protecting the community which directly and indirectly makes use of its services and one that contributes to defending public safety and the security of civilian aviation.
There is a strong interdependence between the concepts of safety and security relating to the risk of an aeronautical accident and aspects of continuity.
In the traditional conceptual model, safety deals with the measures to be taken to mitigate the risk of an aeronautical accident due to unintentional acts while security deals with the measures to be taken to mitigate the risk of an aeronautical accident due to intentional acts.
This model is progressively evolving with the recognition that users' unintentional negligence, imprudence (such as an involuntary failure to implement a precautionary security measure) or inexperience (incorrect configuration of systems, a deficiency in the security measures) are elements that fall under security, as they can result in vulnerabilities in the ATM system that can be exploited by third parties, generating a potential impact on safety.
The Security Policy expresses ENAV’s commitment to ensuring the security of its facilities, personnel and systems, including the data and information contained therein, to prevent any undue interference in the provision of air navigation services, and, in general, the unavailability or compromised integrity or confidentiality of corporate information, also in the interest of the financial community.
For the purpose of guaranteeing the highest level of security possible in its corporate processes, ENAV has developed its own Security Management System, certified according to the UNI EN ISO 27001:2014 standard.
The system consists of technical and organisational measures implemented in order to increase the overall ability to prevent and mitigate the negative effects of unlawful interference in the provision of air navigation services.
The system also aims at protecting ENAV’s employees and information assets, with direct effects on ENAV’s institutional activity.
The system manages the entire security life cycle and its defining point is in the activities of the Security Operation Centre, which serves as the operating engine of the processes of prevention, detection, containment, response and recovery assistance in the event of a security threat.
ENAV participates in setting the national cyber security strategy and the protection framework of national security and defence interests, in its capacity as critical infrastructure and provider of essential services.
A brief description of the main processes that make up the security management system is provided below.
| Process | Description |
|---|---|
| Risk management | The process is aimed at identifying the risks associated with possible situations that may threaten ENAV's security and, specifically, the security of ENAV's equipment, personnel and the information that it receives, produces or uses. This process also plans and implements the security countermeasures needed to reduce these risks to levels deemed acceptable by ENAV. Risk management is expressly extended to staff working abroad. |
| Information classification | The purpose of the information classification process is to assist in the correct application, within the context of the business as a whole, of the rules and principles pertaining to the confidentiality of information, by defining the confidentiality classification level and determining the persons authorised to process information, both within the organisation and outside it. |
| Physical security management | The physical security management process aims at avoiding unauthorised access, damage and interference to ENAV's staff, technological infrastructures and property by means of protective measures that are commensurate with the nature of the structures themselves, the type of services performed therein, the personnel they house and, more generally, the risk analyses carried out on the specific location. |
| Management of logical accesses and data backup and recovery | The management processes responsible for logical accesses, in relation to both the operational and managerial contexts, are tasked with preventing unauthorised access to ENAV's IT resources. The data backup and recovery activities are carried out for both operational and managerial data in order to guarantee their availability and integrity. These activities are planned with a view toward guaranteeing the continuity of institutional services as well as those related to the corporate mission. |
| Security event monitoring and ICT security audits | The Security Operation Centre, in collaboration with all of ENAV's line functions, continuously monitors the security level of the ICT infrastructures in ENAV's operational and management networks, in order to identify any abnormal behaviour and, in the event of an attack or threat, to activate the security incident management process. The ICT security audits, for their part, verify whether the ICT assets comply with the mandatory rules, the "ICT Security Policy", the Rules of the Security Management System and the applicable security standards. The process, inspired by a logic of continuous improvement, aims at constantly monitoring threats and at identifying and resolving vulnerabilities in a timely manner, operating in constant contact with the threat intelligence processes. It is provided with information from the bodies responsible for national security and defence. |
| Reporting and managing security incidents | The main objectives of the incident reporting and handling process are the timely identification of security incidents, the provision of what is necessary to prevent security-related incidents from causing greater effects in terms of extent and/or intensity of damage, the elimination of the causes of the original incident, and the resumption of normal operations as soon as possible. This activity is crucial in protecting the Group's interests and the core values contained in its constitutional architecture. This responsibility is the task of the Secur |
The main activities carried out for security
The security activity is based on a risk analysis process built on the ISO 31000 standard which, on an annual basis, covers the three security domains (physical, personnel and information security) by means of a constantly evolving process. Risk management is developed through the principles of “security by design” and “security through lifecycle” and is carried out through procedures that are continuously updated, and that take into account the issuance of technical-operational requirements, metrics and indicators aimed at strengthening the culture and awareness of security, both with training programmes and exercises carried out for all personnel, at different levels.
During the year, the evolution of ENAV's Security Operation Centre continued, based on open source instruments, some of which were developed internally, for the purposes of consolidating competencies in the field of threat intelligence and of acquiring the certification of important institutions at international level, among which Carnegie Mellon University. The activities aimed at guaranteeing the safety of staff working abroad also continued in 2018, as did those pertaining to the overall adjustments for full compliance with the European General Data Protection Regulation (GDPR). Cooperation with the national institutions tasked with infrastructure and cyber security continued, following the signing of an agreement with the Department of Public Safety at the Ministry of the Interior for the protection of the physical security of ENAV's infrastructure and personnel, which is added to the conventions on the security of information and data with the same National Authority of Public Safety and with the national Cybernetic Authority (DIS), for the complete and effective fulfilment of the duty of diligence enshrined in the Security Policy. In implementing the principles of the Security Policy, ENAV continued its campaign to promote the culture of security by offering an on-line training course and by publishing informational pamphlets on security, in order to achieve the expected levels of value-sharing. A further development of ENAV's operational continuity plans, in compliance with the ISO 22301 standard, also involved the Group's systems management and maintenance processes. Lastly, approval was granted for extending the procedures and rules on internal security management in ENAV's Security Management System to the subsidiaries Techno Sky and ENAV Asia Pacific.