The services
For RedTurtle, security is materialized in added-value services for the Customer. Under this heading fall services such as firewalling, proxying, IDS, technical and legal consulting for the design of security policies, risk analysis and the safeguard of personal data in compliance with D. Lgs. 196/2003.
With RedTurtle, enterprises have at their disposal services including the analysis, design and implementation of complete security management solutions.
Experiences
RedTurtle has written and implemented the D.P.S. (“Programmatic Document on Security”, required by D.Lgs. 196/2003) in different contexts: Local Public Administrations, professional agencies, small and medium enterprises, multinational enterprises.
Risk analysis
Risk analysis is aimed at identifying which entities should be protected and how to modulate the protection strategy according to the different values of the entities to protect.
Risk analysis is needed because applying the same effort and the same defenses to every resource is impractical.
Security testing
The analysis of an IT structure involves several steps:
a static analysis of the physical infrastructure, of the network and of the communication apparatuses
a logical analysis of the interactions among users, data, programs, apparatuses and network
an intrusive analysis (penetration test)
The aim of IT structural analysis is clear: to verify that the structure has no hidden vulnerabilities and to ensure that it is in a “safe” state with respect to the given prerequisites.
Security Policy
What is a Security Policy? It is a regulatory document aimed at the unambiguous definition of the IT structure's choices about security. The technologies and methodologies applied have a tactical value: their application may be temporary, provisional or context-dependent.
A security policy must integrate each countermeasure into a broader strategic scenario. A Policy can take the form of a regulation (if oriented to the users), of a manual or of other kinds of document depending on which security aspect is covered (Resource Access Policy, Access Code Management Policy…).
A security policy should also explain why the rules are what they are: arbitrary choices or mere bureaucracy can only worsen the state of security.
Safeguard of personal data
The Italian law safeguarding personal data is the so-called “Testo Unico” (T.U.), introduced by D.Lgs. 196/2003. It defines the “Programmatic Document About Security” (DPS in short).
The DPS should be drafted by 31 March of each year, by any person in charge of sensitive or judicial data, or by a person in charge of the DPS. It is a document (or a collection of documents such as regulations, guidelines, dispositions, controls) containing, among other things, as prescribed in Attachment B of the T.U., the rules for Information Systems Management, for accessing the resources, and for the control of data integrity and availability.
One of the critical points of the DPS, which every organization should define on the basis of its specific features, comes from the fact that laws and regulations have a direct relation with the IT infrastructure, with enterprise procedures and with other legal norms (such as law 300/1970, the “norm about the safeguard of freedom and dignity of the workers”, prohibiting the use of audiovisual installations and other devices for the remote control of the personnel).