INFORMATION SECURITY POLICY
1. Purpose:
1.1. This Information Security Policy (the “POLICY”) establishes the organization's information security guidelines and assigns responsibilities for them, with the aim of preserving the confidentiality, integrity and availability of its Information.
2. Scope:
2.1. This POLICY applies to all Employees who access Information stored by the organization, whether at its own facilities, at business partners' premises, or on personal mobile devices and/or devices owned by the organization, such as smartphones, notebooks or other technological resources.
3. Definitions:
3.1. For all purposes and rights provided for in relation to this POLICY, the following definitions shall apply:
“Information Life Cycle” – comprises the phases of creation, collection, classification, storage, transmission, use and disposal of Information.
“Employee(s)” – any individual or legal entity that, under a tacit or express contractual relationship, contributes to the organization's corporate purpose, with or without access to Information, regardless of its classification. This category includes, but is not limited to, the organization's employees, managers, partners, suppliers and service providers.
“Information Manager” – the Employee assigned to manage a given set of Information, responsible for approving, granting and revoking access to it.
“Hardening” – the process of reducing a system's attack surface by removing unnecessary services, accounts and software, applying secure configuration baselines and patches, and correcting identified weaknesses, with a focus on infrastructure.
“Information” – the set of knowledge and data related to the organization's business, its customers, suppliers, Employees and other stakeholders, including, without limitation, information of a commercial, technical, financial, personal, marketing or product nature, regardless of the repository in which it is held. Information is classified as Confidential, Internal Use or Public.
“Information Repositories (or Assets)” – any physical or electronic resource used to store or handle Information. This includes paper documents, physical files, computers, servers, software, databases, telephone lines, disks, DVDs, CDs, floppy disks, hard drives, USB flash drives and other flash memory, among others.
“User” – any person authorized to access, read, respond to, enter, change or delete certain Information.
4. Assignment of Responsibilities:
- Employees: (i) understand and apply the POLICY; and (ii) report violations of this POLICY.
- Managers: (i) guide their teams towards full compliance with this POLICY; and (ii) guide contracted service providers on the applicable information security practices and guidelines.
- Service Providers: fully understand and comply with the POLICY, in accordance with the terms, agreements and respective amendments signed with the organization.
- Senior Management: (i) support the implementation of information security measures; and (ii) review this POLICY annually, or whenever necessary, seeking its continuous improvement and approving the required changes.
- IT/Infrastructure: (i) technical support, analysis and maintenance of this POLICY and of any Information security rules; (ii) promotion of an Information security culture; (iii) alignment of information security actions with business objectives; and (iv) operationalization of the information security processes contained in this document.
5. Sanctions:
5.1. Failure to comply with or violation of the rules set forth in this POLICY may result in the sanctions described below:
- Minor infractions: minor irregularities, lack of diligence in complying with the POLICY guidelines, or acts of bad faith that expose the organization to risk without a harmful event materializing. Each case will be reviewed by the manager together with Senior Management to determine the applicable penalty: refresher training, verbal warning or written warning.
- Moderate infractions: irregularities, whether intentional or not, that result in an event causing internal damage to the organization, without external exposure or compromise of operations with its customers. Each case will be reviewed by the manager together with Senior Management to determine the applicable penalty: written warning, reimbursement or suspension.
- Serious infractions: any of the conduct listed in art. 482 of the CLT (Brazilian Consolidation of Labor Laws) that, by its repetition or nature, constitutes a serious breach of the Employee's duties and obligations, as well as conduct with severe impact on the organization's operations with its customers. Each case will be reviewed by the manager together with Senior Management to determine the applicable penalty, which may include dismissal of the offender.
6. Use of Technological Resources:
6.1. Technological resources are made available to authorized Employees – regular employees, interns, service providers and other contractors – to assist them in performing their duties and activities. In the use of the available technological resources, the following are prohibited:
- Disabling information security mechanisms on workstations or other equipment.
- Using computer resources or information with restricted access beyond the level of authorization.
- Unauthorized access, storage or distribution of confidential information and/or data, electronically or by any other means.
- Intentional compromising of information privacy and/or security.
- Using resources available for discrimination or segregation on grounds of sex, race, color, religion, nationality, age, physical disability, health condition, marital status or any other condition provided for by law.
- Promoting illegal communications, such as threats of violence, slander or defamation, child pornography, harassment and drug trafficking, as defined by law.
- Storing videos, images, music and/or computer games not related to the organization's business.
- Using the available resources for private business.
- Downloading or installing applications or software of any nature from the Internet, e-mail or any other source. Only formally approved and recommended applications are allowed. Employees may request express authorization from the organization to install non-approved software that is necessary for their functions; the security assessment of the software, and whether its installation is approved, is at the organization's sole discretion.
6.3. All employees and service providers are responsible for safekeeping, care and good use of technological resources available for execution of their activities.
7. Acceptable use of the Internet (browsing):
7.1. The Internet must be used to carry out professional activities; its use for personal purposes is allowed as long as it does not affect the operation of the corporate network, the activities of the area or project deadlines. Regarding Internet browsing, the following practices apply:
- Every Employee with Internet access may be held responsible for breaches that intentionally affect the security or confidentiality of Information.
- Access to pornographic or illegal content websites is not allowed.
- Sending, receiving or obtaining files for personal use, or offensive or illegal files, is not allowed, nor is storing them on the available resources, such as network directories and e-mail.
8. Acceptable Use of Corporate E-mail:
8.1. Corporate e-mail is under the organization's control and may be monitored through electronic tools. Regarding the use of corporate e-mail, the following practices apply:
- Sending files that may propagate viruses or other malware, as determined at the organization's discretion, is not allowed.
- It is not allowed to send messages through the e-mail system, between any users or externally, that (i) may introduce malicious code, viruses or any other element that could compromise the performance of the network or systems into equipment or the network; (ii) contain offensive or illegal content; (iii) contain material protected by intellectual property laws; (iv) contain music, videos or animations not specifically related to work, or SPAM; or (v) contain “chain” messages, rumors, jokes, anecdotes and the like.
- Sharing documents without authorization is not allowed.
- Employees' corporate e-mail addresses must not be used to register on shopping websites, dating or personal relationship sites, blogs, or any other website not related to professional activities.
- It is prohibited to forge or attempt to forge e-mail messages, or to disguise or attempt to disguise one's identity when sending an e-mail message.
- It is prohibited to use another Employee's e-mail account in order to assume their identity.
- Messages of unknown origin that carry attachments or dubious content, or that link to unknown sites and request downloading of files or entry of personal data, should not be opened. Messages with these characteristics should be deleted immediately.
9. Acceptable Use of Social Media:
9.1. Access to social networks is allowed as long as it is moderate and does not compromise deadlines or professional activities. Access is recommended during the lunch break or before/after business hours. Regarding the use of social media, the following practices apply:
- It is prohibited to disclose information in virtual communities or social networks on behalf of the organization; therefore, Employees must not (i) disclose information about new technologies, services and systems; (ii) give personal opinions in response to Internet publications related to the organization; (iii) assume the identity of another Employee to express opinions on their behalf; (iv) disclose information about their professional routine, activities or projects in progress; (v) issue opinions on behalf of the organization; or (vi) publish internal documents.
- In case of need to publish or disseminate information to the public, corporate channels on social networks must be used, through the representatives assigned for this purpose.
10. Workstations:
10.1. Workstations (desktop or notebook) must be turned off at the end of the day or during any absence of more than 1 (one) day, except for operations teams that, due to the nature of their work, must instead lock the workstation during their absence.
10.2. When leaving their desk, Employees must keep Confidential Information in a safe place.
10.3. If the User leaves the workstation (desktop or notebook) for any period of time without turning it off, they must lock the screen (“Lock Computer”) or log off.
10.4. Confidential documents must be kept in locked cabinets or drawers.
11. Media Disposal:
11.1. Custody, circulation and disposal of Information stored on any media must follow procedures and protection techniques appropriate to the criticality level of the Information.
11.2. All equipment containing data storage media must be checked before disposal to ensure the security, privacy and protection of any data it may hold.
11.3. All media considered unusable or intended for disposal must be checked and either physically destroyed or have its Information erased or rendered illegible using techniques that make the original Information unrecoverable; simple file deletion or formatting does not meet this requirement.
12. Physical Access:
12.1. Visitor access to any facility of the organization must be authorized in advance and formally registered. Visitors must be accompanied at all times. All facilities are considered restricted areas, and physical access must be controlled and logged.
12.2. IT equipment must be installed in a place with appropriate environmental and safety conditions, including fire and water ingress protection mechanisms.
12.3. Access to equipment must be restricted to those responsible for its administration and operation, and only for the purposes of their activities.
12.4. If any equipment needs to be moved to another physical location, such as to a service or maintenance provider, the move must be supervised by professionals specifically assigned by the organization.
13. Other Information Security Conditions:
13.1. Connecting third-party equipment, including equipment owned by Employees, to the corporate network is prohibited without prior authorization from Senior Management.
13.2. The confidentiality and integrity of Information must be protected through encryption in transit (VPN) and at rest (disk and database encryption). Encryption by itself protects confidentiality; to protect integrity, authenticated encryption modes or separate integrity verification must be used so that tampering can be detected.
13.3. User names and passwords are personal and non-transferable. All Employees must protect their access credentials; disclosing passwords to third parties, or leaving them in unprotected places such as desks and monitors, is prohibited. Users are responsible for all actions performed under their personal login, unless unauthorized use by another Employee or any other person is confirmed. The organization must implement, maintain and control a password creation procedure for Employees based on criteria considered secure by the industry.
13.4. Mobile devices (such as notebooks and cell phones) that store Confidential and/or strategic Information must be adequately secured against unauthorized access, including by:
- Using an antivirus application with automatic updates.
- Enabling an access password (or PIN) on the device.
- Requiring login with user name and password at startup, and automatic locking after a period of inactivity.
- Enabling device encryption where the option is available.