Information security

EU21 For its role in the electricity sector, Terna has in its databases confidential information of the users of the transmission and dispatching services, in particular electricity producers and traders. Such information includes, for example, specific data regarding plants, with the related production capacity and injection plans presented to the electricity exchange.

Considering its significant commercial value, this information is classified and handled as sensitive data, and specific protection measures are in place to prevent it from being accessed by unauthorized third parties or subjected to undue violations. The same also applies to:

  • the data collected from industry companies for the purpose of compiling the industry statistics, a task performed by Terna within the framework of the National Statistics System;
  • the data made available by the industry Authority for monitoring the electricity market (as established by Resolution no. 115/08 of the AEEG).

Terna also increasingly uses “Information & Communication Technologies” (ICT) systems to support its core activities regarding the electricity system, combining high standards of operating continuity with efficient cyber-security practices.

To guarantee the security of corporate information and ICT systems, Terna adopted an advanced Information Security Governance Model based on the main international standards. Its Framework and Policies also cover the legal requirements for handling personal data provided to Terna, in compliance with the Security Planning Document, and set out the related roles, responsibilities and implementation methods.

In 2011 the Security Framework was applied more extensively within the ICT field, and the systems for verifying, controlling and monitoring the security level were finalized. The year was also characterized by an extensive plan for training and creating awareness within the company of the security of information resources, with the twofold objective of increasing both widespread awareness and the confidence of the people involved in these issues with the Framework’s rules and methods.

The most significant initiatives and projects include the following:

  • achieving, in July 2011, the ISO/IEC 27001:2005 certification of the TIMM (Integrated Text for Monitoring the electricity market) application, an accomplishment that marks Terna's concern for security governance and improves trust between the Company and its stakeholders. The new certification, even though it refers to a specific corporate area with a reduced ICT boundary, underlines a high management/organization standard. Many of the controls provided by the standard and verified by the certifying Body not only have positive effects on the area being certified, but also generate cross-cutting benefits for protecting the entire Company's information assets. The structure of the ISO/IEC 27001 standard, by adopting a continuous improvement approach, is consistent with that of other corporate management systems at Terna (Quality-Environment-Security);
  • establishing an advanced corporate platform for vulnerability management of ICT infrastructures, capable of making systematic the technological assessment and analysis of the vulnerabilities that can expose Terna to cyber-risks. The platform functions, applicable to all ICT assets (networks, workstations, servers, etc.), provide detailed information on the vulnerabilities, as well as correction or removal methods, and can perform trend analysis. In the 2012-2013 two-year period, they will be further enhanced by the addition of new features, such as testing and reporting;
  • extending the real-time security monitoring services with new functions in the SIEM system (Security Information Event Management), which is active within the Security Operations Center, i.e. the control center that monitors the security of facilities and of computer networks. Strengthening this event management platform ensures a greater capacity to monitor the security status and provide a timely response to any anomalous events affecting grids and IT assets.

PR8 Regarding personal data protection, as in previous years, in 2011 no complaints were recorded regarding violations of privacy or imprudent use by unauthorized users of personal data entrusted to Terna, either through the specific email for reporting (privacy@terna.it) or through any other reporting channel.