European Commission

Cyber Security Posture Assessment, definition of Roma Capitale's Cyber Strategy, Vulnerability Assessment and Penetration Testing

Cybersecurity (Mission 1, Component 1, Investment 1.5)

Italy’s Recovery and Resilience Plan provides this investment to strengthen Italy’s defences against the risks posed by cybercrime, notably through the implementation of a ‘National Perimeter for Cyber Security’ (PSNC), in line with the security requirements set out in the Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), and by strengthening national cyber-defence capabilities of technical inspection and risk monitoring.

The measure envisages the development of a state-of-the-art, integrated system, tightly interconnecting different entities across the country and connecting internationally with partners and trusted technology providers. This is articulated on four pillars: (i) Strengthen front line capabilities towards the public and companies/entities to manage alerts and actual publicly recognized events; (ii) Build/strengthen the country’s inspection and audit capabilities of hardware and software used by subjects with essential functions to certify trustworthiness/pre-empt threats; (iii) Power up units of law enforcement and cyber units within the Police forces in charge of investigations of criminal activities; (iv) Strengthen significantly cyber asset and human resources in charge of national security and response to cyber threats.

The investment is financed by the Recovery and Resilience Plan by EUR 623 million.

As part of this investment, the project is divided into three macro phases, each comprising a series of interventions.

The first macro phase is the assessment of Roma Capitale’s (RC) Cyber Posture using the NIST-based Italian National Framework for Cyber Security and Data Protection, which includes five domains of analysis: Identify (verification of cybersecurity management within the organization); Protect (verification of technical measures adopted to safeguard the organization’s information and infrastructure); Detect (verification of the organization’s ability to detect abnormal events within its IT network); Respond (verification of the ability to respond to security incidents); and Recover (verification of the systems’ ability to recover following a security incident). The intervention will cover the entire IT perimeter of Roma Capitale, including both on-premises and cloud-based managed systems (IaaS or SaaS). For on-premises services, the readiness for the migration process will also be assessed.

The second macro phase includes the Vulnerability Assessment and Penetration Test. In this stage, analysis of known and unknown vulnerabilities will be carried out on critical systems, applications, and infrastructure, as a continuation of the previous phase. A risk-based approach will be used to obtain qualitative and quantitative data to support the definition of remediation actions.

The third phase involves establishing RC’s Cyber Security Strategy, including the adoption of policies and the development of processes and procedures to enhance cybersecurity management capabilities. The organization’s staff will be trained according to their roles, responsibilities, and operational processes. This approach will integrate information security into the day-to-day activities of the organization and foster a security-aware culture among its employees.

This project is financed by the Recovery and Resilience Facility with EUR 856.000,00