We stand with Ukraine

Public Information Security Policy

1. Introduction

Information is one of the most important drivers of the economy today and is a major factor in business development and management.

All the data owned by expert.ai, regardless of the form in which they are processed, managed, or stored, defines the Information Assets of the company, which is a paramount contributing factor to drive its choices and to support its operational processes. expert.ai refers to all companies belonging to the group (Italy, France, Germany, Spain, USA, UK, Canada).

In today’s fast-changing and dynamic market environment, technologies are making it faster and easier to collect and process information to achieve business objectives.

Growing competition pushes companies to seek new forms of customer relationships. This encourages the search for solutions based on emerging technologies and the development of innovative channels designed to support an increasingly pervasive amount of high-value information.

In this context, profound and rapid changes are taking place in the solutions, which leads to exposure to new risk scenarios; it is therefore necessary to monitor innovation, in a continuous and timely manner, in order to choose and adapt protection and risk mitigation measures in time.

This will help to meet growing customer demand for security and protect the company’s value and competitiveness.

Furthermore, the protection and secure management of information are relevant issues of national and international regulations, which are increasingly binding and require, also from an organizational point of view, behaviour, control systems and actions aimed at protecting information.

The protection of Information Assets is therefore of strategic importance and arises from the preparation of adequate reference standards to guide the necessary organizational, technological, and regulatory interventions.

2. Motivation

expert.ai is a company operating in the field of Information Technology Natural Language Understanding.

Given the nature of its activities, the organization considers information security to be a fundamental element for the protection of its technological infrastructure, its information assets and the services offered to its customers. Moreover, information security management is a competitive advantage in the design and development processes of its products and services.

expert.ai designs and develops technology which transforms the way people find, understand, and use information: information security is therefore considered an essential factor for the organization.

expert.ai’s mission is to develop artificial intelligence software that understands the human language, with the speed and precision needed to discern, manage and use strategic information at scale. This focus on information management processes requires a special focus on information security.

Moreover, expert.ai’s goal is to position itself as a reference company in the development of artificial intelligence on the international market; a commitment to the continuous improvement of its processes is therefore essential, both at an organizational and technical level.

On this basis, expert.ai intends to adopt all those technical and organizational measures necessary to guarantee the integrity, confidentiality, and availability of its information assets.

3. Purpose and commitment

We want to provide the strategy to be pursued in order to prevent the risks associated with the processing of information and to protect the corporate information assets and those of interested parties.

Information is a strategic component of the organization’s corporate assets. It is the basis of the most important corporate processes, and its correct and timely sharing is an essential condition for the effective pursuit of corporate objectives.

Therefore, the organization has established an Information Security Management System (hereinafter also ‘ISMS’) and is committed to its implementation, maintenance, and continuous improvement.

In particular, the main objectives of the ISMS are:

  • guarantee the availability, integrity, and confidentiality of corporate information and the relative security of information systems;
  • define a model that includes the definition, implementation, monitoring and continuous improvement of information security;
  • implement and apply controls to manage information security risks.
  • ensure an adequate level of data and information security in the design, development and delivery of the organization’s services and products.

The ISMS model aims to ensure an adequate and proportionate set of security controls to protect corporate information resources in terms of confidentiality, integrity, and availability, in line with the level of risk identified in the area of IT security.

Specifically, the Top Management approved the ISMS model considering:

  • indications deriving from the reference context;
  • the information of the security objectives that Top Management aims to achieve;
  • best practices in information security, with reference to the ISO/IEC 27001 standard Information Technology – Security Techniques – Information Security Management Systems – Requirements.

4. Information Security Communication

The security of information and the ways in which it is guaranteed within the processes and services provided are the subject of specific communications from the relevant corporate functions to the parties involved.

All employees receive appropriate updates on information security and on the measures implemented by the organization through specific training initiatives. In addition, all updated documentation relevant to the ISMS is made available in a dedicated area on the Company’s intranet site.

As for third parties (customers, suppliers), communications relating to information security are regulated in accordance with the company policies forming part of the ISMS and also with the provisions of contracts.

expert.ai allows the communication and dissemination of information to the outside world only for the proper performance of its activities, which must take place in compliance with the rules dictated by the company’s organizational models and in compliance with mandatory regulations.

Finally, adequate contacts are maintained with the Authorities responsible for data and information security, as well as with the bodies and associations of reference in the field of Cybersecurity and Privacy, with the aim of providing cooperation at any juncture, as well as updating their skills in relation to the research areas in the field of artificial intelligence.

5. Roles and responsibilities

The organization’s Information Security Management System establishes the following roles and responsibilities within it:

Chief Information Security Officer (CISO): responsible for establishing and implementing security governance within the organization based on corporate risks and objectives.

Chief Data Officer (CDO): responsible for developing and managing the company’s data and information management strategy. He reviews and updates the policies and procedures formulated by the company regarding privacy and information security to ensure compliance, integrity, adequacy, and alignment with the corporate framework.

Cyber Security Engineer: responsible for the design and implementation of secure network solutions for defence against hackers, cyberattacks and other persistent threats. The engineer is also responsible for testing and monitoring the company’s systems, ensuring that all security measures are up to date and in working order. He is also responsible for carrying out penetration testing.

Cyber Security Specialist: responsible for strategic guidance and implementation of security measures on company systems to mitigate cyber risks and monitor and analyse security events; is responsible for reviewing changes resulting from the application of the ISMS and maintaining third-party assessment metrics.

IT & Systems Administrators: they are responsible for the definition, implementation and technical maintenance of the security devices and technologies that make up the organization’s ICT networks and resources that are part of the Information Security Management System.

The documentation of the Information Security Management System also includes the term IT Department, which refers to the appointed and authorized technicians and System Administrators who operate on company systems and ensure the correct management of the devices and networks.

The CISO, the CDO, the Cyber Security Specialist and the Cyber Security Engineer constitute the Information Security Staff, i.e., the advisory and control body of the Information Security Management System, which drafts up and implements its own policies and procedures, reviews them, and monitors their application.

The Information Security Staff is also entrusted with the task of promoting a culture of data and information security within the organization, planning specific and periodic training courses on security for all the personnel, collaborating with the competent internal departments of the company, to make them aware of the risks. This body is also responsible for adopting and observing risk analysis and management methods and criteria, as well as for suggesting organizational, procedural, and technical security measures to protect the security and continuity of the organization’s activities. Finally, it is responsible for verifying security incidents and adopting appropriate countermeasures.

The skills of all the aforementioned bodies have been appropriately assessed in relation to their respective roles. The HR Department keeps track of the skills and training of the resources involved in the information security management system.

6. Strategic and Business Objectives

The strategic and business objectives concerning the organization and its market positioning are consistent with the ISMS objectives and the information security objectives. These are defined in relation to its guiding principles as follows:

First of all, the Information Security Management System defines a set of measures to enable the strategic declination of the “Customer first” principle, in compliance with internationally accepted security requirements. expert.ai, through the ISMS, aims to protect its own and its customers’ information assets in the best possible way.

Secondly, expert.ai follows the “be process driven” principle, which concerns the creation of structured and measurable processes for achieving results. expert.ai, through the ISMS, therefore, aims to best preserve the image of the company as a reliable and competent supplier, while respecting the indications of current and binding regulations.

In addition, expert.ai positions itself on the market by strategically defining the “Focus on product” principle, which identifies the organization’s need to offer innovative and competitive solutions through the supply of its products, which must be developed and adapted to the needs of customers in compliance with the policies and procedures of the ISMS, in a manner suitable to ensure the security and efficiency of processes as well as the integrity, availability and confidentiality of information.

Finally, the guiding principle ‘Empower your colleagues’ is implemented through the adoption of measures aimed at guaranteeing staff loyalty and professionalism, also increasing the level of awareness and competence on security issues.

All this is consistent with the strategic and market objectives as set by the organization:

  • expand its market, positioning itself as an international reference company in the development of artificial intelligence;
  • improve product life cycle management;
  • lower service costs to be more competitive on the market;
  • improve communication and internal organization in an appropriate way for an innovative and developing company;
  • progressively promote its products on the international market, increasing investments in R&D and marketing to be more competitive.

The information security objectives are also checked periodically in relation to the reporting period and are part of the documentation analysed in the Management Review.

The objectives for information security are:

  • promote the spread of the security and protection of data and information, in particular of confidentiality, integrity and availability of data and information, among its employees, collaborators, partners and third parties regarding their roles and responsibilities in this area;
  • train staff to carry out activities to protect company assets and information processed according to the information security management system;
  • protect company assets and managed information assets;
  • protect data and information from unauthorized access;
  • protect the image of the Company;
  • respect ethics in the workplace, among colleagues and with third parties;
  • deal quickly, effectively and scrupulously with emergencies or accidents that may occur in the activities, also by collaborating with third parties or bodies in charge;
  • comply with applicable laws and regulations, and in any case adhere to standards identified with a sense of responsibility and awareness based on risk assessment;
  • verify and monitor the continuity of information security for critical services even after major incidents that could potentially compromise the survival of the company itself;
  • monitor, review and improve the information security management system.

7. Management of Information Security Resources

Top Management is aware of the importance of information security in terms of availability, integrity, and confidentiality and of the fact that technological components alone cannot guarantee security. This is because the human factor is predominant for the purposes of correct and, above all, secure management of corporate resources and information processed.

It is crucial to bear in mind that, with the current characteristics of corporate information systems, non-compliant behaviour by a user never has an effect limited to the local area, but inevitably triggers a generalised risk of vulnerability for the system as a whole.

The following provisions must be scrupulously observed to make all staff fully aware of the related risks and of the behavioural security measures to be applied to ensure appropriate use of information resources.

First of all, the Top Management emphasizes that the information and, more generally, all data created or transferred on the expert.ai’s network are the property of expert.ai, as limited and regulated by the current regulations.

Subject to exceptions, which will be assessed and approved by the Information Security Staff, it is therefore generally prohibited:

  • the use of personal devices in the company;
  • the use of company devices for private purposes;
  • the storage of personal data and anything else that is not strictly work-related;
  • processing of data outside the applications/databases made available by the company (copying/managing data locally on personal devices, etc.).

For security and maintenance purposes, authorized expert.ai personnel may monitor devices, systems and network traffic at any time as described and regulated by applicable law.

In addition to the above, the Top Management provides that:

  • all users must keep their credentials secure and not share their accounts. Users are responsible for their own passwords and accounts;
  • all assets must be protected with password-protected screensavers activated automatically or disconnected in the event of removal from the workstation where technological tools cannot be effective;
  • users should exercise extreme caution when opening attachments to e-mails received from unknown senders, which may contain viruses, worms, or general malware, and promptly report spam or other suspicious activity to IT.

In particular, Top Management considers it totally unacceptable, without exception, to engage in one or more of the following activities:

  • infringement of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property;
  • exporting software, technical information, software or encryption technology in violation of international or national laws;
  • the introduction of malicious programs (malware) into the network or servers;
  • disclose your password to others or allow others to use your account;
  • using an expert.ai resource to obtain or transmit material that violates national or international laws (e.g. pornographic material);
  • undermine network security or disrupt network communications;
  • port scanning and security scanning are expressly prohibited;
  • perform any kind of network monitoring aimed at intercepting data not addressed to the user’s host, unless these tasks are part of the user’s regular work activity;
  • circumvent user authentication or security of any host, network or account;
  • use of any program/script/command or sending of messages of any kind with the aim of interfering with or disabling one’s own functions or another of another user;
  • provide information on employees, collaborators, interns and temporary employees, consultants, companies and, in general, all subjects that have direct or indirect contacts with expert.ai;
  • use the company e-mail box for reasons other than those strictly related to work;
  • surfing the Internet for reasons other than work-related and in no way for individual purposes.