The Project is divided into three macrophases, all of which include a series of interventions.
The first macrophase is the assessment of Roma Capitale’s (RC) Cyber Posture by using the NIST-based Italian National Framework for Cyber Security and Data Protection, composed of five domains of analysis:

• Identify: verification of Cyber Security management within the Body;
• Protect: verification of technical devices adopted to protect the Body’s information and infrastructure;
• Detect: verification of the Body’s ability to detect abnormal events within its IT network;
• Response: verification of the ability to respond to security incidents;
• Recovery: verification of the ability of the systems to recover following a security incident.

The intervention will be performed on the entire IT perimeter of Roma Capitale, including both on-premises and cloud-based managed systems (IaaS or SaaS). For on-premises services, the readiness of the migration process will be subject to assessment.
The second macrophase includes the Vulnerability Assessment and Penetration Test. In this stage, known and unknown vulnerability analysis tasks will be carried out on critical systems, applications and infrastructure, as a completion of the previous phase. A risk-based approach will be used to obtain qualitative and quantitative data that can contribute to the definition of remediation actions.
The third phase entails the establishment of RC’s Cyber Security Strategy, including the adoption of a policy and the development of processes and procedures to enhance cyber security management capability. The Body’s staff will be trained based on roles, responsibilities and operational processes. By doing so, information security will be part of the day-to-day activities of the Body and the culture of its employees.