Information Security Policy
Version 3a - 27/09/2022
1 - Objectives
The purpose of the Information Security Policy (PSI) is to provide guidelines to protect information, the flow of information and services provided to customers, as well as the data and IT services that guarantee the company's operations. In addition, PSI must consider the company's intellectual property, such as source codes, employee information and privacy, and customer data.
Data protection must take into account the laws and regulations regarding company and customer data and the services provided. This also applies to customer data subject to regulations specific to the customer's industry (e.g. financial institutions). Among these rules and laws we cite:
- Civil Framework.
- General Data Protection Act (LGPD).
- B3 (PQO) - for financial market clients.
- Central Bank RESOLUTION No. 4,893 - for financial market customers.
All these documents are available in the SGSI Information Security Management System directory, in the Documentation/Legislation folder. The PSI also covers the commitments assumed in contracts with customers, in order to comply with the security requirements stipulated therein.
2 - Scope
This policy applies to all users of WINCO SISTEMAS information, including any individual or organization that has or has had a relationship with WINCO SISTEMAS, such as employees, former employees, service providers, former service providers, collaborators and former collaborators, who have had, have or will have access to WINCO SISTEMAS information and/or have used, use or will use computing resources included in the WINCO SISTEMAS infrastructure.
3 - Roles and Responsibilities
3.1 Information Security Management Committee - CSI
It is a permanent multidisciplinary Working Group, conducted by the board of WINCO SISTEMAS, whose purpose is to address issues related to Information Security.
It is the responsibility of the CSI:
- Analyze, review and propose the approval of policies and standards related to information security;
- Ensure the availability of the necessary resources for an effective Information Security Management;
- Ensure that information security activities are performed in compliance with PSI;
- Promote the dissemination of the PSI and take the necessary actions to spread a culture of information security in the WINCO SISTEMAS environment.
3.2 Information Security Management
The Information Security Management, together with the infrastructure team, is responsible for:
- Conduct the Management and Operation of information security, based on this policy and other CSI resolutions;
- Develop and propose to the CSI the information security standards and procedures necessary to enforce this PSI;
- Identify and assess the main threats to information security, as well as propose and, when approved, implement corrective measures to reduce the risk;
- Manage information security incidents, ensuring their proper handling.
3.3 Information Users
Information users are employees with an employment relationship from any area of WINCO SISTEMAS or third parties allocated to the provision of services to WINCO SISTEMAS, regardless of the legal regime to which they are subject, as well as other individuals or organizations duly authorized to use or handle any information asset of WINCO SISTEMAS for the performance of their professional activities.
It is the responsibility of Information Users:
- Read, understand and fully comply with the terms of the Information Security Policy, as well as other applicable security standards and procedures;
- Forward any doubts and/or requests for clarification on the Information Security Policy, its rules and procedures to the Information Technology Department or, when applicable, to the CSI Information Security Management Committee;
- Communicate to the Informatics Advisory any event that violates this Policy or puts, or may put, at risk the security of information or computing resources of WINCO SISTEMAS;
- Sign the Terms of Use for WINCO SISTEMAS Information Systems, formalizing awareness and full acceptance of the provisions of the Information Security Policy, as well as other security rules and procedures, and assuming responsibility for their compliance;
- Sign the Confidentiality Agreement or NDA (Non Disclosure Agreement), by which they undertake not to disclose information that is not public and to ensure its confidentiality;
- Read, understand and fully comply with the precepts of document DO-A7-07 - Terms of use of information systems, through the training or material made available.
3.4 Information Manager
Information Manager is an information user who has been assigned responsibility for one or more information assets created, acquired, manipulated or placed under the responsibility of their area of expertise.
It is the responsibility of the employees appointed as Information Manager:
- Define the classification of information under their responsibility based on the classification categories defined by the PSI, keeping an updated record of classified items;
- Control the information generated in their area of business and activity;
- Periodically review the classification of information in their custody.
3.5 Ownership of Physical and Information Assets
Computers and devices used for work, as well as data generated by the operation of Winco, are considered Assets. Information Assets generated while executing work for third parties under a service provision contract belong to the third party. Physical Assets used by employees and third parties to perform their work, in accordance with document DO-A7-07 - Terms of use of information systems, belong to Winco.
4 - Information Classification
For the purposes of classifying information, we have defined the following categories:
- PUBLIC INFORMATION: Information officially released by WINCO SISTEMAS to the general public. The disclosure of this type of information does not cause problems for WINCO SISTEMAS or its customers, and it can be freely shared with the general public, as long as its integrity is maintained.
- INFORMATION FOR INTERNAL USE: Information released exclusively to users and specific departments of WINCO SISTEMAS, which cannot be shared with the general public. This information can only be shared with express authorization.
- CONFIDENTIAL INFORMATION: Information of a confidential nature, which may be communicated exclusively to specifically authorized users who need to know it for the performance of their professional tasks at WINCO SISTEMAS. Unauthorized disclosure or alteration of this type of information can cause serious damage and losses to WINCO SISTEMAS and/or its customers; therefore its sharing must be restricted and done in a controlled manner.
The classification of information must be carried out by the information managers or by employees designated by them.
5 - Prevention of Security Incidents
Any occurrence that may have a negative impact on the confidentiality, integrity or availability of information assets, services or computing resources of WINCO SISTEMAS LTDA is characterized as an information security incident. Such occurrences must be handled so as to minimize any impact and restore the information security characteristics of the affected items.
The incident prevention policy encompasses:
- Control of access to data and information systems;
- Protection against cyber attacks;
- Data backups.
5.1 Access Control
WINCO SISTEMAS provides its authorized users with access accounts that allow the use of information assets, information systems and computing resources, such as the corporate network. Access to information assets and services is granted at the discretion of WINCO SISTEMAS, which defines permissions based on the work needs of each user.
These access accounts are provided exclusively so that users can carry out their work activities, and access to them must be authenticated with passwords and/or digital certificates, used together or separately.
5.2 Protection from Cyber Attacks
Protection against cyber attacks includes but is not limited to:
- Use of antivirus on servers and workstations;
- Use of firewall;
- Segmentation of networks, including those hosted in the cloud;
- Security update of operating systems and applications;
- Periodic vulnerability testing.
5.3 Data Backup
Data is backed up daily. Backup guidelines follow document DO-12-04 - Backup Policy, which is available in the Information Security Management System directory.
6 - Incident response
In the event of an incident, WINCO SISTEMAS will activate the Incident Response Plan. This plan should include:
- Definition of immediate actions to stop or minimize the incident;
- Incident investigation - determining the origin and causes;
- Restoration of affected resources;
- Removal of possible failures that allowed the incident to occur;
- Reporting the incident to the appropriate channels.
More information about the Disaster Recovery Plan is in the document: PL-17.1-01 - Business Continuity Disaster Recovery Plan.
7 - Training on Confidentiality and Data Protection
All WINCO SISTEMAS employees will undergo training regarding confidentiality and data protection.
The following subjects will be addressed:
- Importance of Confidentiality of company data, customers and company employees;
- Proper use of passwords;
- Security best practices, covering:
  - Phishing;
  - Social engineering;
  - Security tools such as antivirus.
In addition to training, all employees must sign a Confidentiality Agreement/NDA (Non Disclosure Agreement) that describes what constitutes confidential information as well as the commitment to maintain its confidentiality. The Confidentiality Agreement/NDA templates are in document FO-A7-01 - NDA and Confidentiality Agreement.
Failure to observe the company's information security policies and the other topics taught in the training provided to employees gives rise to penalties, according to document DO-A7-07 - Terms of use of information systems.
8 - Continuous Improvement of Security Management
Continuous improvement of information security systems and controls must be ensured in order to identify and improve possible weaknesses.
Security systems and controls must also undergo periodic reviews to keep them up to date in the face of changes in both the internal and external environment. Examples of such changes include new legislation, new services and contracts, technological changes and the adoption of new systems.
All security incidents must be analyzed to identify improvements that can prevent or mitigate a recurrence of the event. A critical review of the incident response procedure should also be carried out to assess possible improvements to it.
Sincerely,
Winco Team