Extract of the Information Security Policy
Consortium GARR (GARR) considers the information that users entrust to, or process through, the IT technologies it makes available to be a valuable asset. GARR therefore takes on the responsibility of protecting and preserving the value of this asset, committing to ensure that such information can be used with due assurance of its accuracy and completeness, and that it is adequately protected from improper use, unauthorized disclosure, damage and loss.
This Information Security Policy expresses GARR's commitment, both to the institutions adhering to GARR and to its reference community, to guarantee the security of information, and of the physical, logical and organizational tools used to process it, in all cloud service delivery activities.
Consortium GARR undertakes to preserve the confidentiality, integrity and availability of the information it holds for the purpose of providing its cloud services, and to secure the tools used to process it. To this end, Consortium GARR defines and implements an Information Security Management System (ISMS) compliant with the ISO/IEC 27001 standard.
GARR undertakes to motivate employees to participate proactively in the application of the ISMS and in its continuous improvement, to allocate the resources needed for its correct and effective application, and to comply with information security requirements, pursuing the following objectives:
- Data must be backed up on a regular basis, protected from unauthorized access or modification during archiving, and available to be recovered promptly in the event of an incident or disaster;
- Encryption techniques must be used to protect sensitive data during transmission and storage;
- Incident detection mechanisms must be implemented for all IT systems;
- Security patches must be applied and vulnerability management processes must be implemented on IT resources;
- Key security-related events, such as changes to user privileges, must be logged so that potential unauthorized activity can be identified and appropriate follow-up actions taken;
- Any changes to systems in use at GARR must be recorded and evaluated for security and risk impact;
- Web applications related to GARR services must be designed, built, and verified to ensure that security is applied at all levels of the application and technology stack;
- Facilities where critical information is stored or processed must be constructed and arranged in such a way that data is adequately protected from physical and environmental threats;
- Network architecture must be adequate to the requirements of current and future activities and to the security threats it faces;
- Information security risks must be identified, mitigated, and monitored through a formalized risk management process;
- All users who have access to GARR networks, systems, and IT services must adhere to specific rules regarding the use of resources.
Consortium GARR undertakes to disseminate this document to all interested parties, namely its employees, users, members and suppliers, the national and European scientific community, and Italian and European citizens.