Legal

Risk management policy

Muscope Cybersecurity Srl is aware of the importance of risk management in the context of information security and recognizes its fundamental role in ensuring the protection of information and operational resilience. Our Risk Management Policy has been developed to guide our organization in proactively managing risks related to information security, in order to protect our customers, partners, employees, and all stakeholders.

To achieve these goals, Muscope Cybersecurity is committed to:

Promote a culture of risk assessment throughout the organization, integrating it into decision-making processes and strategic planning.
Use established methodologies, such as the FAIR Methodology and ISO/IEC 27005:2022 and ISO/IEC 27001:2022 standards, to identify, assess, and manage risks effectively and consistently.
Ensure transparency in communicating risk profile information and management strategies to all stakeholders, including executives, board members, shareholders, and other stakeholders.

For vulnerability management and, in general, risk management related to infrastructure and information, Muscope Cybersecurity Srl uses internally designed and developed tools, including the Cyber Security Rating (CYSR). The CYSR facilitates the identification of vulnerabilities and enables an up-to-date and accurate risk analysis for the company. This analysis process is carried out twice a month, ensuring constant monitoring of potential threats and the ability to quickly adopt mitigation measures, if necessary.

Furthermore, the use of the CYSR risk analysis tool is extended to all Muscope Cybersecurity suppliers. This approach ensures a comprehensive risk assessment along the entire value chain, allowing for minimizing issues and improving the overall resilience of our information security ecosystem. By constantly monitoring risks associated with our suppliers, we are able to adopt appropriate measures to reduce exposure to potential threats and protect the data of customers, partners, and stakeholders.

Through the use of the CYSR, Muscope Cybersecurity Srl is able to proactively manage risks associated with information security and protect the data of customers, partners, and stakeholders.

The Risk Management Policy applies to all team members, collaborators, partners, and stakeholders of Muscope Cybersecurity Srl and extends to all operations and business activities. Its effectiveness depends on the awareness, responsibility, and adherence of all concerned. The following are the main aspects of our policy that guide our actions and decisions in risk management:

Policy objective: The objective of Muscope Cybersecurity Srl's Risk Management Policy is to identify, assess, and address risks associated with information security, ensuring the protection of data for our customers, partners, and stakeholders.
Scope: The Risk Management Policy applies to all team members, collaborators, partners, and stakeholders interacting with Muscope Cybersecurity Srl.
Responsibility: Management is responsible for defining and approving the Risk Management Policy. Sector managers and work teams are responsible for implementing the policy, while the Chief Information Security Officer (CISO) is responsible for monitoring and reviewing the policy.
Risk identification: Muscope Cybersecurity Srl identifies Cyber Risk Quantifications through a systematic and continuous process of analyzing the operational context, emerging threats, and vulnerabilities associated with technologies and business processes.
Risk assessment: Our company uses the FAIR (Factor Analysis of Information Risk) methodology to assess information risks, improve risk understanding, and make informed decisions about risk mitigation.
Risk treatment: Muscope Cybersecurity Srl addresses risks through various options, such as mitigation (implementation of security measures), transfer (insurance or contracts with third parties), acceptance (assuming the risk as part of the decision-making process), or risk avoidance (not proceeding with the activity that generates the risk).
Risk monitoring and review: We monitor and review risks continuously to ensure that mitigation measures are effective and up-to-date. This process also includes identifying new risks and reviewing risk treatment strategies.
Communication and consultation: Communication and consultation with stakeholders are essential components of the risk management process. Muscope Cybersecurity Srl is committed to actively involving stakeholders in risk management and communicating clearly and promptly.
Adherence to standards: Our company follows the ISO/IEC 27005:2022 standard for information security risk management, identifying, analyzing, assessing, and addressing information security risks.
Implementation of the ISMS: Muscope Cybersecurity Srl follows the ISO/IEC 27001:2022 standard to implement an Information Security Management System (ISMS), which helps manage information security risks systematically and in a structured way.
Training and awareness: Muscope Cybersecurity Srl is committed to providing training and resources to all team members, collaborators, and partners to ensure they understand the importance of risk management and are able to follow industry best practices. Training is provided regularly and is updated based on new threats, vulnerabilities, and industry trends.
Policy review and update: The risk management policy is reviewed and updated periodically to ensure its effectiveness and adherence to international standards, local laws, and business needs. Sector managers and the CISO are required to report to management on the status of risk management and any necessary updates to the policy.

Muscope Cybersecurity Srl's Risk Management Policy is an ever-evolving document that guides our organization in managing risks related to information security. Its effectiveness depends on the awareness, responsibility, and adherence of all team members, collaborators, partners, and stakeholders.

This document was created on October 24, 2022 and last updated on January 9, 2023.