Italy (IT)

National Cyber Security Strategy

Role of government: the Prime Minister's Decree of 24 January 2013 initially set forth a set of guidelines for national cybernetic protection and IT security. Based on this Decree, in December 2013 a National Plan for Cyberspace Protection and ICT Security was released by the Presidency of the Council of Ministers. The National Plan sets out the roadmap for the adoption of the priority measures for implementing the National Strategic Framework by the public and private subjects identified in the Prime Minister's Decree. In order to make these measures fully operational, the National Plan details eleven operational guidelines establishing specific objectives and consequent lines of action.
On 4 February 2016, an Italian Cyber Security Report authored by CIS Sapienza (Research Center of Cyber Intelligence and Information Security, Sapienza Università di Roma) and CINI (Cyber Security National Laboratory) was released, drawing on inputs from various public and private organisations such as AON, Deloitte, AGID (Agenzia per l'Italia Digitale) and the Italian Government Agency for Economic Development. The framework introduced by the report is based on the "Framework for Improving Critical Infrastructure Cybersecurity" developed by the U.S. National Institute of Standards and Technology (NIST), but expanded and updated to reflect the Italian context.

Investments: in 2015 the Italian government announced that two billion euros would be allocated for national security and education in 2016.
In addition, the 2016 budget will include 150 million euros for cyber security and another 50 million for better tools for law enforcement.

Adequate definition of critical infrastructure protection: yes.

Obj. 1 - Enhancement of the technical, operational and analytic expertise of all concerned stakeholders and institutions through a joint effort and a coordinated approach.

Obj. 2 - Strengthening of the capabilities to protect national critical infrastructures and strategic assets and stakeholders.

Obj. 3 - Facilitation of all public-private partnerships.

Obj. 4 - Promotion and dissemination of the Culture of Cybersecurity.

Obj. 5 - Reinforcement of the capability to effectively counter online criminal activities and illegal content.

Obj. 6 - Strengthening of international cooperation.

To achieve the above objectives, the Italian Government has identified eleven operational guidelines:

Act. 1 - Enhance the expertise of the intelligence community.
Act. 2 - Identify the Network and Information Security (NIS) Authority that will engage at the European level.
Act. 3 - Develop a widely shared cyber taxonomy and promote a common understanding of cybersecurity terms and concepts.
Act. 4 - Foster Italy’s participation in international initiatives to enhance cybersecurity.
Act. 5 - Attain the full operational capability of the National Computer Emergency Response Team.
Act. 6 - Legislation and compliance with international obligations.
Act. 7 - Compliance with standards and security protocols.
Act. 8 - Support for industrial and technological development.
Act. 9 - Strategic communication.
Act. 10 - Allocation of adequate human, financial, technological and logistic resources to the strategic sectors of the Public Administration.
Act. 11 - Implementation of a national system of information risk management.

 

Current status: National Cyber Security Strategy

 

 

Year of adoption: 2013

Updates and revisions

Prime Minister's Decree - 24 January 2013

National Strategic Framework for Cyberspace Security

National Plan for Cyberspace Protection and ICT Security

Implementation and monitoring

The Presidency of the Council of Ministers is the officially recognized organization responsible for implementing a national cybersecurity strategy, policy and roadmap.

Legal conditions

Policy requirements for an inventory of systems and classification of data. Policy requirements for security practices mapped against risk levels. Policy requirement for annual cyber-security audit. Requirement for public report on government capacity. Requirement for public and private procurement of cyber-security solutions based on international accreditation/certification schemes without additional local requirement.

Operational capabilities

Implementation of a national computer response team (CERT) and computer incident response team (CSIRT), established in 2014.
Italy has officially recognized national or sector-specific educational and professional training programs for raising awareness among the general public, promoting cybersecurity courses in higher education and promoting certification of professionals through the National CERT and CNAIPIC (National Anti-Crime Computer Centre for Critical Infrastructure Protection).

Public-private partnerships

The Italian Cyber Security Report released in 2016 was the result of a public-private partnership between major Italian and international companies, research centres and the Italian government.

Sector-specific cyber security plans

Italy does not have sector-specific cyber security plans.

Risk assessment plan

Identified gap. Current industry approaches focus on detection and response rather than risk assessment.

Progress measures

No information currently available.

Date of last analysis: July 2016

 

 

 

Current status: NIS Directive and national CERTs/CSIRTs

Computer security incident response teams (CSIRTs)

The National CERT supports citizens and companies through awareness-raising, prevention and coordination of the response to cyber events on a large scale.

GARR-CERT is aimed at implementing proactive measures to reduce the risk of computer security incidents for the Italian Academic and Research Network.

CERT PA is a public structure that operates in the context of the Agenzia per l'Italia Digitale (AgID). CERT PA is responsible for handling computer security incidents within its domain, which consists of the public administration.

CERT Difesa is a public structure that operates in the context of the Italian Ministry of Defence. Its institutional purpose is to provide assistance in the field of defense of computer networks, while promoting the dissemination of information for preventive purposes in the field of information security.

CERT Posteitaliane is a private structure that operates within the Poste Italiane Group and its online services, providing services for security specialists, large organisations, clients, and consumers.

Best practices:


In 2013, the National Strategic Framework for Cyberspace Security was released by the Presidency of the Council of Ministers. The document describes public-private partnerships as playing a central role in the future direction of cybersecurity in Italy, highlighting the intention of the Italian government to work closely with the private sector by sharing information and collaborating in the area of crisis management planning.

In 2016 the Italian Cyber Security Report was released. The report introduces a National Framework for cyber security aimed at providing organizations with a homogeneous and voluntary approach to addressing cyber security in order to reduce the risk linked to cyber threats, especially for small and medium-sized firms, as well as for the country’s major corporations. The approach of this Framework is strictly linked to risk analysis and not to technology standards.

Monitoring system

No information currently available.

Report an incident

National CERT: https://www.certnazionale.it/contatti/

GARR-CERT: http://www.cert.garr.it/en/reporting-form

CERT PA: https://www.cert-pa.it/web/guest/contatti

CERT Difesa: http://www.difesa.it/SMD_/Staff/Reparti/II/CERT/Pagine/default.aspx

CERT Posteitaliane: https://www.picert.it/contatti/

Languages

Italian, English

Date inserted: July 2016

 
