Information Security Policy
Revision #7 – 2025/06/11 Extracted from LiveQMS. For the latest version, refer to LiveQMS.PURPOSE
Our commitment is to establish guidelines and standards that guarantee the protection of information, ensuring confidentiality, integrity and availability of data. We aim to create a culture based on quality, security, privacy, trust and transparency, promoting good practices and safe behaviors among employees, customers and partners. We are also committed to continuous improvement of the Integrated Management System and compliance with business, information security, data privacy, and current legislation requirements.SCOPE
This Policy applies to all employees, former employees, service personnel and representatives who have had, have or will have access to information and/or use of computing resources within the organization’s infrastructure.POLICY STATEMENT
The Information Security policy includes guidelines in routines and other organizational areas. These are detailed in specific documents, processes and tools. All employees and third parties must follow these to support the organization’s objectives.Main Components:
- Information Security Architecture: Defines reference models and components based on system criticality.
- Technological Asset Management: Manages both internal and external physical and logical assets.
- Information Classification: Guides classification and protection based on confidentiality and importance.
- Information Security Awareness: Develops and promotes awareness programs.
- Business Continuity and Recovery: Ensures minimum operations during crises.
- Data Protection: Maintains confidentiality, integrity and availability.
- Remote Work: Establishes guidelines for secure off-site work.
- Identity and Access Management: Controls and segregates access.
- Risk Management: Identifies and handles risks that impact the organization.
- Incident Response: Responds to and mitigates security incidents.
- Metrics and Reports: Monitors exposure to information security risks.
- Network Security: Ensures secure data transmission and infrastructure.
- Information Security Operations: Supports security tools and user needs.
- Privacy: Preserves confidentiality and data subject rights.
- Monitoring: Detects and prevents unauthorized or harmful actions.
- Secure Development: Implements secure practices during system development.
- Security Strategy: Aligns security with business strategy.
- Third-Party Management: Evaluates compliance with security requirements.
- Threat Intelligence: Identifies threats and enables prevention.
- Vulnerability Management: Detects and addresses vulnerabilities.
- Cloud Security: Ensures secure cloud use and provider compliance.
COMPLIANCE AND ENFORCEMENT
- ABNT NBR ISO/IEC 27001:2022 – Information security, cybersecurity, and privacy protection.
- LGPD – General Personal Data Protection Law (Law No. 13.709/2018).
ROLES AND RESPONSIBILITIES
Executive Management
- Define and endorse the policy.
- Ensure allocation of resources.
- Promote a security culture.
Department Managers
- Implement and enforce the policy.
- Ensure team awareness and protection of sensitive information.
IT and Security Team
- Implement technical security measures.
- Conduct audits and risk assessments.
- Manage access controls.
- Respond to incidents and recover data.
Contributors
- Follow security policies.
- Report incidents immediately.
- Join training and awareness programs.
Partners and Suppliers
- Comply with contractual security requirements.
- Ensure alignment with the company’s standards.
Legal Area
- Include legal clauses ensuring compliance with this policy.
- Ensure proper data use and confidentiality.
Human Capital
- Ensure awareness of policies and procedures.
- Notify IT of employee terminations.
- Ensure return of IT and security assets.
Data Protection Officer (DPO)
- Monitor data protection law compliance.
- Act as liaison with authorities.
- Ensure data subject rights are upheld.
