Cyber Security Posture Assessment, definition of Roma Capitale's Cyber Strategy, Vulnerability Assessment and Penetration Testing
Implementing party
Project description
The Project was divided into three macrophases.
The first macrophase was the assessment of Roma Capitale’s (RC) Cyber Posture by using the NIST-based Italian National Framework for Cyber Security and Data Protection, composed of five domains of analysis:
- Identify: verification of Cyber Security management within the Body;
- Protect: verification of technical devices adopted to protect the Body’s information and infrastructure;
- Detect: verification of the Body’s ability to detect abnormal events within its IT network;
- Response: verification of the ability to respond to security incidents;
- Recovery: verification of the ability of the systems to recover following a security incident.
The intervention was performed on the entire IT perimeter of Roma Capitale, including both on-premises and cloud-based managed systems (IaaS or SaaS). For on-premises services, the readiness of the migration process will be subject to assessment.
The second macrophase included the Vulnerability Assessment and Penetration Test. In this stage, analysis of known and unknown vulnerabilities was carried out on critical systems, applications and infrastructure, completing the previous phase. A risk-based approach was used to obtain qualitative and quantitative data that can contribute to the definition of remediation actions.
The third phase entailed the establishment of RC’s Cyber Security Strategy, including the adoption of a policy and the development of processes and procedures to enhance cyber security management capability. The Body’s staff was trained based on roles, responsibilities and operational processes. By doing so, information security has become part of the day-to-day activities of the Body and the culture of its employees.

Status
Planning
Tender stage
Site
End of Work
Funding source
NRRP
Amount allocated
856.000,00 €