Certifications
nCore is certified ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018.
ISO/IEC 27001 certification is a highly esteemed recognition that attests to the implementation and maintenance of a superior-quality Information Security Management System (ISMS). This international standard provides a comprehensive and systematic framework for effectively managing information security, aiding organizations in identifying, managing, and mitigating data security risks.
ISO/IEC 27001 establishes requirements for an ISMS, a system designed to preserve the confidentiality, integrity, and availability of corporate information. This standard focuses on risk analysis, implementation of appropriate security measures, and continuous system improvement.
Obtaining ISO/IEC 27001 certification demonstrates an organization’s commitment to ensuring information security at all levels. This includes adopting security policies and procedures, managing computer risks, staff training, and ongoing review to maintain a high level of security.
This certification is crucial for organizations of any size or sector, demonstrating their commitment to protecting sensitive information and managing security-related risks. ISO/IEC 27001 is a badge of reliability for customers, partners, and stakeholders, showing the implementation of robust cybersecurity measures and dedication to safeguarding sensitive data.
ISO/IEC 27017 certification represents a fundamental guide for information security in the provisioning and use of cloud services. This standard provides specific guidelines and controls aimed at ensuring a secure and protected environment within the scope of services offered through the cloud. ISO/IEC 27017 focuses on issues related to data protection and privacy assurance within the cloud computing environment.
This certification establishes a set of controls and best practices for cloud service providers and users utilizing these services. Specifically, it provides guidance on the security measures necessary to protect sensitive and personal information. These measures include the implementation of access controls, encryption, identity protection, data confidentiality, and assurances of operational continuity.
ISO/IEC 27017 is crucial for ensuring that data processed in cloud services are managed and protected appropriately. This standard provides a series of guidelines aimed at preventing security and privacy breach risks, ensuring that data are handled in compliance with regulations and international best practices. Obtaining ISO/IEC 27017 certification demonstrates a commitment to ensuring adequate management of information security in the cloud computing environment.
ISO/IEC 27018 certification is an important standard that provides guidelines and specific controls for the protection of personal data within cloud services. This standard focuses on data privacy and ensures that cloud service providers handle personal information in compliance with privacy regulations.
This certification is of particular importance for organizations handling sensitive information, providing an additional guarantee regarding data privacy compliance. ISO/IEC 27018 demonstrates a commitment to protecting personal information within the cloud environment, ensuring that data is managed and processed in accordance with privacy regulations and industry best practices.
This certification is of particular importance for organizations handling sensitive information, providing an additional guarantee regarding data privacy compliance. ISO/IEC 27018 demonstrates a commitment to protecting personal information within the cloud environment, ensuring that data is managed and processed in accordance with privacy regulations and industry best practices.
Obtaining ISO/IEC 27018 certification means ensuring to customers and end-users that personal data are managed with utmost care and adhering to rigorous security and privacy policies. This standard emphasizes the importance of a responsible approach to handling personal data within the context of cloud computing.
Information security
Responsibilities regarding information security are fully defined and assigned. Tasks and areas of conflicting responsibility are separated to reduce the chances of misuse, unauthorized alteration, or unintentional modification of the organization’s assets.
nCore adopts all necessary measures to ensure that staff and collaborators are aware of their responsibilities for information security and fulfill them.
Competent functions ensure that new employees, collaborators, contract staff, or individuals generally designated to operate within the company are suitable for their roles and understand their responsibilities, in order to reduce the risk of damage or fraud.
Competent business functions conduct checks to verify suitability characteristics on all job applicants, in accordance with laws, relevant regulations, and ethics. These checks are performed in proportion to business needs, the classification of information to be accessed, and the perceived risks in the intended employment. Contractual agreements with staff and collaborators specify their responsibilities and those of the organization regarding information security.
The nCore management requires all staff and collaborators to apply information security in accordance with the policies and procedures established by the organization. All nCore staff and, where appropriate, external collaborators, receive adequate awareness, instruction, training, and periodic updates on organizational policies and procedures relevant to their work activities.
Access permissions are revoked upon termination of employment/collaboration or modified in case of changes in organizational structures or assignments.
nCore has implemented “perimeter” security systems within its Data Centers, which are in use for all systems located within the Data Center itself, with specific reference to accesses to and from internet networks; below are described these systems and their management.
nCore limits access to information and information processing services based on the “need to access” principle, which refers to the actual and legitimate operational needs of each individual. nCore issues specific Policies regarding the use of individual workstations and computing devices, including mobile ones, as well as email and internet services. Additionally, nCore publishes a Security Policy on the use and management of authentication credentials in computer systems.
All nCore staff and relevant third parties are informed of the existence of a specific Policy for the management and control of logical access to resources. They are bound, depending on their responsibilities or competencies, to adhere to its provisions.
The instrumentation and instructions for access control are consistently maintained to meet the business and security needs of access, including in relation to organizational and technological developments.
In order to ensure correct and effective use of encryption to protect the confidentiality, authenticity, and/or integrity of the information, nCore provides for the use of suitable cryptographic controls.
Where deemed necessary, with appropriate analysis of impending risks to assets, cryptographic controls are implemented to protect information from threats to confidentiality and data integrity, including for the purpose of non-repudiation of their authenticity.
Responsible functions for assets protected by cryptographic controls envisage suitable protection techniques and establish the duration of cryptographic keys throughout their entire lifecycle.
nCore aims to ensure the protection of business-relevant assets and information security against any risk of damage, theft, loss of confidentiality, natural disasters, or malicious acts. nCore implements suitable measures for physical access control and access rules for employees, and ensures security in the management of acquired equipment to safeguard the provision of technological services such as emergency generators, fire suppression systems, flood prevention, and intrusion prevention, which require periodic monitoring of the location and condition of assets in general, as well as planning maintenance interventions for systems, machinery, equipment, and assets in general, and disposing of assets that are obsolete and/or no longer repairable when necessary.
Operational activity security
nCore aims to prevent the loss, damage, theft, or compromise of assets and the interruption of the organization’s operational activities.
nCore aims to ensure that operational activities within information processing facilities adhere to information security best practices. Suitable operational procedures are documented and made available to all users who require them. Changes to the organization, business processes, information processing facilities, and systems that could impact information security are controlled. Resource usage is monitored and fine-tuned. Future capacity requirements are projected to ensure required system performance.
Backup copies of information, software, and system images are made and subjected to periodic testing according to an agreed backup policy.
Relevant events are logged, and evidence is generated.
Registration of event logs, user activities, exceptions, malfunctions, and information security events are performed, maintained, and periodically reviewed.
Log collection facilities and log information are protected from tampering and unauthorized access.
Activities of administrators and system operators are recorded through logs, and these logs are protected and periodically reviewed.
The integrity of production systems is an essential security requirement for nCore. Procedures are implemented to control the installation of software on production systems.
Communication security
nCore issues a specific Policy for Network Access Control.
Networks are adequately and consistently monitored and controlled against intrusion attempts, interception, and attacks to protect information in systems and applications. Security mechanisms, service levels, and network service management requirements are identified and included in network service level agreements, whether these services are provided internally or outsourced. Within networks, service groups, users, and information systems are segregated according to the level of risk to the respective assets. Development and production environments are separated, defining suitable subnets that are either isolated or with controlled interconnections.
- system-level management of the firewall: The firewall, as a software system, undergoes version updates. Updates are carried out according to manufacturer recommendations to maintain it continuously efficient;
- administrative management of the firewall: Administrative management involves implementing rules that allow or deny access to systems downstream of the firewall or access to the internet from these systems. Rules are implemented based on application needs upon client request, following a joint assessment of adherence to general policies and any security risks these rules may pose.
- system-level management of the IPS: The IPS, as a software system, undergoes version updates. Updates are carried out according to manufacturer recommendations to keep it constantly efficient;
- administrative management of the IPS: Administrative management involves implementing traffic analysis rules aimed at identifying possible attempts to breach the systems. The rules are updated when the Provider releases a new set (typically several times a month). Rule updates are applied automatically according to the configurations recommended by the Provider, with manual intervention if false positives emerge that block application functionality.
nCore has developed a defense system against Distributed Denial of Service (DDoS) attacks capable of detecting and blocking anomalous traffic before it reaches the client’s Internet connection. Anomalous traffic, in this context, refers to a massive influx of malicious requests originating from distributed sources and directed towards one of the provided services, capable of saturating the bandwidth or processing capacity of network devices. Effective protection against DDoS attacks requires interception mechanisms for malicious traffic distributed throughout the connectivity provider’s network infrastructure (telecommunications operator), allowing intervention as “upstream” as possible in the flows from attack sources to their targets (which in our case are located within nCore data centers). In the event of such an alarm, reported by nCore’s monitoring systems or those of the telecommunications operator, the DDoS mechanism involves the operator diverting anomalous traffic towards a “traffic scrubbing” system, capable of forwarding only “clean” traffic to nCore. To avoid false alarms, the diversion process will not be activated automatically but only upon explicit request from nCore.
- nCore implements controls to protect the transfer of information for all types of communication;
- secure transfers of business information between the organization and external parties are formalized in specific agreements;
- information transmitted via electronic messaging is appropriately protected relative to the risk of interception, alteration, or confidentiality breach.
- Confidentiality or non-disclosure agreements (NDAs) are provided based on the need to protect relevant information for nCore’s security and business in contracts and agreements with third parties.
Business Continuity Management
Information security continuity is integrated into the organization’s business continuity management systems.
The organization determines its own requirements for information security and for the continuity of information security management in adverse situations, such as during crises or disasters. Adequate instructions are provided to employees to ensure the required level of continuity for information security during adverse situations.
nCore verifies, at regular intervals, the continuity controls of information security established and implemented to ensure that they are valid and effective during adverse situations.
All services at the primary site are delivered in a High Availability logical and physical architecture and comply with stringent backup policy requirements. Risk factors have been analyzed, and appropriate countermeasures have been implemented where possible. The area is at the minimum level of seismic risk, and there is no evidence of risks from natural phenomena. Similar results emerge from consulting civil protection maps, which do not highlight situations of potential risks with high probability and/or magnitude.
Furthermore, nCore has a Disaster Recovery Data Center in additional locations in Frankfurt.
nCore aims to ensure the highest possible availability, in accordance with the SLAs established with customers and applicable provisions, of information processing facilities. Information processing facilities are designed with sufficient redundancy to meet availability requirements.