Quality and Information Security Policy
1. Introduction
Information is one of the most important drivers of the economy today and is a major factor in business development and management.
All the data owned by expert.ai, regardless of the form in which it is processed, managed or stored, constitutes the Information Assets of the company, which are a paramount factor in driving its choices and supporting its operational processes. Here, expert.ai refers to all companies belonging to the group (Italy, France, Germany, Spain, USA, UK, Canada).
In today’s fast-changing and dynamic market environment, technologies are making it faster and easier to collect and process information to achieve business objectives.
Growing competition pushes companies to seek new forms of customer relationships. This encourages the search for solutions based on emerging technologies and the development of innovative channels designed to support an increasingly pervasive amount of high-value information.
In this context, profound and rapid changes are taking place in these solutions, which exposes the company to new risk scenarios; it is therefore necessary to monitor innovation continuously and in a timely manner, in order to choose and adapt protection and risk mitigation measures in time.
This will help to meet growing customer demand for security and protect the company’s value and competitiveness.
Furthermore, the protection and secure management of information are relevant issues of national and international regulations, which are increasingly binding and require, also from an organisational point of view, behaviour, control systems and actions aimed at protecting information.
The protection of Information Assets is therefore of strategic importance and arises from the preparation of adequate reference standards to guide the necessary organisational, technological, and regulatory interventions.
The development of artificial intelligence software constitutes the core business of the organisation, which, over time, has made state-of-the-art artificial intelligence-based natural language understanding technologies suitable for this purpose.
Today’s increasingly attentive and demanding market, however, requires methods aimed at ensuring that the final service/product has the characteristics that make it readily adoptable by Customers, as well as compliant with international regulations and standards.
Sensitive to this need, the organisation has implemented a Quality Management System.
Formally defining and documenting the Quality Management System requires a global approach to the company’s reality, implemented through successive steps of analysis and optimisation of each phase and each aspect of the offered service. In this context, the involvement of the company’s personnel is of primary importance, starting with the Top Management that sets the strategic objectives of the Management System. In a nutshell, these objectives can be summarised as promoting customer satisfaction, achieved through the supply of a quality product. This satisfaction is seen as an unavoidable prerequisite for affirming and increasing the organisation’s success.
For the provision of its services/products, the company has therefore followed the principles stated in the ISO 9001:2015 standard, aimed at guaranteeing the Quality of its supply, while pursuing customer satisfaction and the effectiveness of its Quality Management System.
The following principles were therefore pursued in defining the Quality Management System:
- Customer-centric focus: a constant attention to the satisfaction of Customers’ needs.
- Continuous improvement: the dynamics of the improvement process cannot proceed in a discontinuous manner, but rather by “gradual” objectives whose attainment is verified every time, consequently adopting new initiatives and setting new goals.
- Involvement of the entire organisation: all the resources belonging to the company are involved in the implementation of the Quality Management System and all the corporate functions cooperate to achieve the set objectives.
2. Motivation
Expert.ai is a company operating in the field of Information Technology, specifically Natural Language Understanding.
Given the nature of its activities, the organisation considers quality and information security to be fundamental elements to guarantee the protection of its technological infrastructure, its information assets and the services offered to its customers. Moreover, quality and information security management are a competitive advantage in the design and development processes of its products and services.
With regard to information security, expert.ai designs and develops technologies to transform the way people find, understand and use information: information security is therefore considered an indispensable factor to guarantee the Quality of its products.
Expert.ai’s mission is to develop artificial intelligence software that understands the human language, with the speed and accuracy needed to discern, manage and use strategic information at scale. This focus on information management processes requires a special focus on its security and quality.
In addition, one of expert.ai’s goals is to position itself as a leading company in the development of artificial intelligence on the international market; therefore, a commitment to the continuous improvement of its processes, at both the organisational and the technical level, is imperative.
On this basis, expert.ai intends to take the necessary technical and organisational measures to guarantee the integrity, confidentiality and availability of its information assets.
3. Purpose and commitment
Aware of the importance of the organisation’s image and aiming to achieve quality objectives in the management of processes and the provision of services, we intend to actively maintain and continuously improve the Integrated Quality and Information Security Management System (ISQMS) in accordance with ISO 9001 and ISO/IEC 27001, together with the objective of efficiently and effectively managing the organisation and ensuring its continuity.
In pursuing these ends expert.ai intends to:
- Enhance the skills of all the organisation’s members and provide them with constant training and professional development;
- Guarantee the resources necessary for the operation and maintenance of the ISQMS;
- Foster the technological development of the entire organisation;
- Guarantee its customers and stakeholders compliance with privacy regulations (EU Regulation 2016/679 – GDPR, General Data Protection Regulation), as well as the confidentiality, integrity and availability of information;
- Increase the culture of Quality and Information Security;
- Motivate and empower staff to contribute to the achievement of the company’s objectives;
- Satisfy customers in order to strengthen the company’s market positioning;
- Ensure compliance with the scheduled time frames for the execution of projects;
- Involve strategic suppliers and outsourcers in the provision of quality services and in compliance with SLAs;
- Minimise operational risks and the possibility of incurring offences under Legislative Decree 231/2001;
- Standardise operating methods and implement controls to reduce errors;
- Set up a continuous improvement cycle and improve implementation processes to reduce service turnaround times;
- Understand, examine and evaluate the needs and expectations of all stakeholders.
Therefore, in order to pursue its objectives expert.ai commits itself to:
- support, disseminate and explain the Quality and Information Security Policy by making documentation available to staff and promoting targeted training and involvement actions;
- communicate, as appropriate, this policy to interested parties;
- define the objectives for each process by providing the expertise and resources to achieve them;
- systematically review the ISQMS policy and objectives, and the risks associated with their fulfilment.
4. Quality and Information Security Communication
The quality and security of information and the ways in which it is guaranteed within the processes and services provided are the subject of specific communications from the relevant corporate functions to the parties involved.
All employees receive appropriate updates on quality and information security processes, as well as on the measures implemented by the organisation through specific training initiatives. In addition, all updated documentation relevant to ISQMS is made available in a dedicated area of the company’s intranet site.
As for third parties (customers and/or suppliers), communications relating to quality and information security are regulated in accordance with the company policies forming part of the ISQMS and also with the provisions of contracts.
expert.ai allows the communication and dissemination of information to the outside world only for the proper performance of its activities, which must take place in compliance with the rules dictated by the company’s organisational models and in compliance with mandatory regulations.
Finally, adequate contacts are maintained with the Authorities responsible for data and information security, as well as with the reference bodies and associations in the field of Cybersecurity and Privacy, with the aim of cooperating whenever required, as well as keeping their skills up to date in relation to research areas in the field of artificial intelligence.
5. Roles and responsibilities
The organisation’s Quality and Information Security Management System establishes the following roles and responsibilities within it:
Chief Information Security Officer (CISO): responsible for establishing and implementing security governance within the organisation based on business risks and objectives.
Chief Data Officer (CDO): responsible for developing and managing the company’s data and information management strategy. The CDO reviews and updates the policies and procedures formulated by the company regarding privacy and information security to ensure compliance, integrity, adequacy and alignment with the corporate framework.
Cyber Security Engineer: responsible for the design and implementation of secure network solutions for defence against hackers, cyberattacks and other persistent threats. The engineer is also responsible for testing and monitoring the company’s systems, ensuring that all security measures are up to date and in working order, and for carrying out penetration testing.
Cyber Security Specialist: responsible for strategic guidance and implementation of security measures on company systems to mitigate cyber risks, and for monitoring and analysing security events; also responsible for reviewing changes resulting from the application of the ISQMS and maintaining third-party assessment metrics.
IT & Systems Administrators: they are responsible for the definition, implementation and technical maintenance of the security devices and technologies that make up the organisation’s ICT networks and resources that are part of the Information Security Management System.
The documentation of the Information Security Management System also includes the term IT Department, which refers to the appointed and authorized technicians and System Administrators who operate on company systems and ensure the correct management of the devices and networks.
The CISO, the CDO, the Cyber Security Specialist and the Cyber Security Engineer constitute the Quality and Information Security Staff, i.e., the advisory and controlling body of the Quality and Information Security Management System, which drafts and implements its policies and procedures, reviews them and monitors their implementation.
The Quality and Information Security Staff is also entrusted with the task of promoting the culture of quality and security of data and information within the organisation, planning specific and periodic security training courses for all personnel, cooperating with the relevant internal corporate functions, so as to make the latter aware of the risks. This body is also responsible for adopting and observing risk analysis and management methods and criteria, as well as for suggesting organisational, procedural, and technical security measures to protect the security and continuity of the organisation’s activities. Finally, it is responsible for verifying security incidents and adopting appropriate countermeasures.
The skills of all the aforementioned bodies have been appropriately assessed in relation to their respective roles. The HR Department keeps track of the skills and training of the resources involved in the quality and information security management system.
6. Strategic and Business Objectives
The strategic and business objectives concerning the organisation and its market positioning are consistent with the ISQMS objectives and with the objectives for quality and information security. They are articulated on the basis of certain guiding principles, as follows:
First of all, the ISQMS defines a set of measures to put the “Customer first” principle into practice at a strategic level, in compliance with internationally accepted security requirements. expert.ai, through the ISQMS, aims to protect its own and its customers’ information assets in the best possible way.
Secondly, expert.ai follows the “Be process driven” principle, which concerns the creation of structured and measurable processes for achieving results. Through the ISQMS, expert.ai therefore aims to best preserve its image as a reliable and competent supplier, while respecting the requirements of current and binding regulations.
In addition, expert.ai positions itself on the market by strategically defining the “Focus on product” principle, which identifies the organisation’s need to offer innovative and competitive solutions through the supply of its products, which must be developed and adapted to the needs of customers in compliance with the policies and procedures of the ISMS, in a manner suitable to ensure the security and efficiency of processes as well as the integrity, availability and confidentiality of information.
Finally, the guiding principle “Empower your colleagues” is implemented through the adoption of measures aimed at guaranteeing staff loyalty and professionalism, also increasing the level of awareness and competence on security issues.
All this is consistent with the strategic and market objectives as set out by the organisation:
- expand its market, positioning itself as an international reference company in the development of artificial intelligence;
- improve product life cycle management;
- lower service costs to be more competitive in the market;
- improve communication and internal organisation in an appropriate way for an innovative and developing company;
- progressively promote its products on the international market, increasing investments in R&D and marketing to be more competitive.
It is the responsibility of the Quality and Information Security Staff to monitor the proper implementation of the quality and information security objectives. The objectives for quality and information security are checked every four months and form part of the documentation to be analysed during the Management Review.
The objectives for information security are:
- promote the spread of the security and protection of data and information, in particular of confidentiality, integrity and availability of data and information, among its employees, collaborators, partners and third parties regarding their roles and responsibilities in this area;
- train staff to carry out activities to protect company assets and information processed according to the Information Security Management System;
- protect company assets and managed information assets;
- protect data and information from unauthorized access;
- protect the image of the Company;
- respect ethics in the workplace, among colleagues and with third parties;
- deal quickly, effectively and scrupulously with emergencies or accidents that may occur in the activities, also by collaborating with third parties or bodies in charge;
- comply with applicable laws and regulations, and in any case adhere to standards identified with a sense of responsibility and awareness based on risk assessment;
- verify and monitor the continuity of information security for critical services even after major incidents that could potentially compromise the survival of the company itself;
- monitor, review and improve the information security management system.
Quality objectives, on the other hand, are aimed at the pursuit of customer satisfaction, trust and loyalty, as they guide the organisation in developing, implementing and improving its quality management system.
The specific objectives for quality are:
- continuous improvement of all company processes, involving all employees;
- provide quality products and services that meet the initial and subsequent needs and expectations of customers and other third parties;
- a commitment to comply with the requirements of applicable laws, as well as with contractual commitments;
- compliance with all internal rules and regulations for the safety of workers in the workplace;
- the availability of the necessary resources, in terms of qualified personnel and appropriate equipment;
- ensure the company’s own development through the continuous improvement of semantic technology in order to enter new market segments;
- training and refresher courses for each employee, within the scope of their duties;
- an adequate control system to measure activities, solve problems and provide the Management with suitable elements to carry out reviews and ascertain that the Quality Policy is always suitable and consistent with the Company’s mission.
7. Management of Information Security Resources
Top Management is aware of the importance of information security in terms of availability, integrity, and confidentiality and of the fact that technological components alone cannot guarantee security. This is because the human factor is predominant for the purposes of correct and, above all, secure management of corporate resources and information processed.
Top Management considers it appropriate that the Policies and Procedures on information security be implemented and made operational in such a way as to achieve the planned objectives, which are, in particular:
- to protect company assets and information;
- to protect data and information from unauthorised access;
- to protect the image of the Company;
- to respect ethics in the workplace among colleagues and with third parties;
- to comply with the regulations in force.
Subject to exceptions, which will be assessed and approved by the Quality and Information Security Staff, the following are therefore generally prohibited:
- the use of personal devices in the company;
- the use of company devices for private purposes;
- the storage of personal data and anything else that is not strictly work-related;
- the processing of data outside the applications/databases made available by the company (copying/managing data locally on personal devices, etc.).
For security and maintenance purposes, authorized expert.ai personnel may monitor devices, systems and network traffic at any time as described and regulated by applicable law.
In addition to the above, the Top Management provides that:
- all users must keep their credentials secure and must not share their accounts; users are responsible for their own passwords and accounts;
- all assets must be protected with password-protected screensavers that activate automatically, or must be locked or logged off when the user leaves the workstation where such a technical control cannot be effective;
- users should use extreme caution when opening attachments to e-mail messages received from unknown senders, which may contain viruses, worms or other malware, and should promptly report spam messages or other suspicious activity to IT.
In particular, Top Management considers it totally unacceptable, without exception, to engage in one or more of the following activities:
- infringing the rights of any person or company protected by copyright, trade secret, patent or other intellectual property;
- exporting software, technical information or encryption technology in violation of international or national laws;
- introducing malicious programs (malware) into the network or servers;
- disclosing one’s password to others or allowing others to use one’s account;
- using an expert.ai resource to obtain or transmit material that violates national or international laws (e.g. pornographic material);
- undermining network security or disrupting network communications;
- carrying out port scanning or security scanning, which are expressly prohibited;
- performing any kind of network monitoring aimed at intercepting data not addressed to the user’s host, unless these tasks are part of the user’s regular work activity;
- circumventing user authentication or the security of any host, network or account;
- using any program, script or command, or sending messages of any kind, with the aim of interfering with or disabling one’s own functions or those of another user;
- providing information on employees, collaborators, interns, temporary employees, consultants, companies and, in general, all parties that have direct or indirect contacts with expert.ai;
- using the company e-mail box for reasons other than those strictly related to work;
- browsing the Internet for reasons other than work and in no way for personal purposes.