Company Policy

QUALITY AND INFORMATION SECURITY

Siena Imaging S.r.l. (“SI”) aims to pursue and guarantee Customer satisfaction and to offer adequate tools to ensure optimal service in medical image management. SI also aims to ensure that the entire production process is carried out in a way that guarantees the confidentiality and protection of the data analyzed; given the nature of its activities, SI considers information security an indispensable factor for the protection of its information assets and a factor of strategic value that can readily be turned into competitive advantage.

The approach used to achieve these goals is the continuous improvement of the company's business, organization and services.
Improvement requires the involvement and participation of everyone and is based on the following points:

  1. The involvement of all levels of the company is a fundamental prerequisite for the continuous improvement of the organization and service;

  2. The activities carried out under the Integrated System are the means by which this involvement is effectively realized and contributes to service improvement;

  3. Improvement ideas and proposals must be favored within the company’s activities. Siena Imaging makes the design, development and delivery of image management services its core business and aims to always be at the forefront of technology and science;

  4. Corporate leadership is responsible for coordinating its employees and directing them toward continuous improvement;

  5. For the company, working in quality means getting things right the first time. This means more effort up front but fewer corrections over time, which matters especially given the sensitive nature of the industry in which the organization operates;

  6. Management annually defines an Improvement Plan specifying Company and individual goals. Managers, based on Management’s direction, develop their own Quality and Information Security Goals;

  7. The Customer must be protected; to this end, Management ensures a risk-based thinking approach in order to identify improvement goals and to guarantee the complete safety of the Customer;

  8. Suppliers must be involved in the improvement program, since they are a link in the production chain;

  9. The success of the Company requires the professional and cultural growth of individual resources at all levels. There must therefore be a Training Plan aimed at effective growth;

  10. Each stage of the production process must be carried out in compliance with all cybersecurity guidelines, that is, preserving the confidentiality, integrity and availability of information through a risk management process.

Specifically, for Information Security, the Integrated Management System defines a set of organizational, technical and procedural measures to ensure that the basic security requirements listed below are met:

  • Confidentiality: the property that information is known only to those who hold the privileges to access it;
  • Integrity: the property that information is modified only and exclusively by those who hold the privileges to change it;
  • Availability: the property that information is accessible and usable when required by the processes and users that hold the relevant privileges.

Through the Company Policy, Siena Imaging intends to formalize the following objectives in the area of information security:

  • Preserve, as far as possible, the company’s image as a reliable and competitive supplier;
  • Protect its information assets;
  • Avoid, as far as possible, delays in delivery;
  • Take measures to ensure staff retention and professionalization;
  • Fully meet the requirements of current and mandatory regulations;
  • Increase the level of awareness and competence on security issues among its staff.

The Integrated Management System (IMS) applies to all analysis, design, development and maintenance activities, to the services provided, and to the related data: all information that is created or used by Siena Imaging must be safeguarded and protected, according to its assigned classification, from its creation, throughout its use, until its disposal. Information must be handled securely, accurately and reliably, and must be readily available for permitted uses. “Use of information” is here understood as any form of processing that relies on electronic or paper media or that takes place, in any form, through verbal communication.

With regard to design and development, the system provides, in accordance with the ISO/IEC 27001 standard, that the Information Security Officer periodically conducts a risk analysis. This analysis takes into account the strategic objectives expressed in this Policy, any incidents that have occurred, and any strategic, business and technological changes that have taken place; its purpose is to assess the risk associated with each asset to be protected with respect to the threats identified. Management agrees with the Information Security Officer on the methodology to be used for the risk assessment and approves the corresponding document; within the methodology report, Management also takes part in defining the value scales used to rate the parameters that contribute to the risk assessment. Once the risk analysis has been carried out, Management evaluates the results by approving the acceptable risk threshold, the treatment of risks above this threshold, and the residual risk remaining after treatment.

The analysis is also weighed against the business value of the individual assets to be protected and must clearly identify the actions to be taken, ranked according to a priority scale that respects the business objectives, the available budget, and the need to maintain compliance with current laws and regulations. The analysis must also be repeated whenever events occur that may change the overall risk profile of the system.

All personnel who work with the company, in any capacity, are responsible for complying with this Policy and for reporting any anomalies of which they become aware, even if not formally codified.

The Information Security Officer is responsible for designing the IMS in the following areas:

  • Enact all necessary procedures, including the document classification scheme, so that the organization can conduct its activities securely;
  • Adopt criteria and methodologies for risk analysis and risk management;
  • Propose organizational, procedural and technological security measures to protect the security and continuity of Siena Imaging’s activities;
  • Plan specific, periodic information security training for staff;
  • Periodically monitor the exposure of business services to major threats, review security incidents, and take appropriate countermeasures;
  • Promote a culture of information security.

All external parties that have relations with Siena Imaging must ensure compliance with the security requirements set out in this Security Policy, including by signing a “Confidentiality Agreement” at the time of assignment (where the agreements do not already contain such a clause).

This Policy applies without distinction to all bodies of the company. Its implementation is mandatory for staff and must be included in the contractual terms agreed with any external party who, in any capacity, may become aware of the information managed by the company.

Siena Imaging will periodically review the effectiveness and efficiency of the Quality and Information Security Management System and will provide adequate support for the adoption of the necessary improvements, so as to maintain a continuous process that monitors changes in the company’s operating conditions and business objectives and ensures that the system is adapted accordingly.