Information Security Policy
1. Objectives
The objective of this document is to regulate the information security policy applied to the MOST company, aiming at the protection of the information used by it, through rules and procedures to be followed by the company’s employees, directors, collaborators and partners.
2. Scope
The procedures and standards established by this document apply to all areas of the company, which are exposed to technological and physical threats, and are intended to prevent any resulting damage.
3. Overview
The information that is in constant circulation within the company is a valuable asset for the entire organization. For this reason, it must be protected against any type of damage that may occur to it. Hence the obligation to follow this security policy, which covers the critical points of this process.
This policy must be understood as a set of actions to be carried out in order to reach a secure state. To ensure that state, the standards and procedures described here define and classify the risks and threats, based on knowledge of possible vulnerabilities, and a risk plan.
In this way, the document will present security actions and procedures, thus training human resources in ways to preserve information within the organization.
This document contains the rules responsible for ensuring that information is properly handled in the following five topics:
- Availability: Whenever necessary, the information must be available to all people who need to use it;
- Confidentiality: Information must be classified in such a way that only authorized persons have access to it;
- Integrity: Changes that may be necessary in the information should only be carried out by authorized persons;
- Authenticity: The information must remain original to its purpose, regardless of how it is used;
- Privacy: The places where sensitive information is manipulated or treated will have their access restricted and controlled by electronic systems.
4. Information Classification
4.1 Information management process
MOST information will be classified according to the following management process:
4.2 Asset Inventory
The main objective of information security is to protect information systems against unauthorized users, against modifications, leaks and unauthorized access to data.
Following MOST company policies, the information may be contained in:
- Digital media;
- Information systems / databases;
- Printed or written documents;
- Equipment capable of storing data;
- Verbal information;
- Internet;
- Cloud Computing;
- Emails.
4.3 Classification of information
The classification of information aims to create a hierarchy for the various types of information that circulate within the organization, so that only the necessary information is available to each employee according to their role within the company.
In order to manage information during its life cycle (creation, handling, transport, storage, disposal), it is necessary to classify information into different levels:
- Confidential: Information that must be kept confidential, available only to authorized persons, and whose disclosure directly affects the duty of secrecy and business continuity. For the purposes of this Policy, confidential information is any information not available to the public or reserved, including data, technical specifications, drawings, manuals, sketches, models, samples, promotional materials, projects, studies, documents and other papers of any nature, tangible or in electronic format, files in any medium, computer programs and documentation, and written, verbal or otherwise disclosed communications by MOST about itself or about its customers and partners, obtained by the employee as a result of the execution of their professional activities;
- Restricted: Strategic information that should be available only to restricted groups of employees. It is protected by passwords with restricted access to a network folder or directory;
- Internal: Information that can be accessed and used by all employees of the organization, but under no circumstances should it be disclosed to external people;
- Public: Information exempt from any restriction on disclosure. It can be accessed by both employees and the public.
4.4 Information labels
If the information IS NOT PUBLIC, it must be labeled at the time it is generated, stored or made available.
Information labeling is the responsibility of the information owner.
- Paper information: Use stamp or watermark;
- Information by e-mail: Labeled with the classification that is inherent to it;
- Digital information: Labeled with the classification inherent to it.
4.5 Data Asset Handling
Data handling must rely on rules according to the level of confidentiality. Information that needs restriction when being transmitted must be labeled as such.
5. Rules
The main objective of information security is to protect information systems against unauthorized users, against modifications, leaks and unauthorized access to data.
Following MOST company policies, the information may be contained in:
- Human Resources;
- On printed or written paper;
- Electronic documents;
- Internet;
- Cloud computing;
- Information Systems / Database;
- Verbal information;
- Email.
5.1 Those Responsible for the Rules and their Functioning
The preparation of the rules contained in this document is the responsibility of MOST’s IT Board, which must ensure full compliance with what was established by the relevant legislation on data protection in force and applicable to MOST.
This director will be responsible for updating and disclosing the rules, using clear, accessible language and at a level of detail compatible with the functions performed and the sensitivity of the information, along with the entire body of employees, directors, collaborators and partners of the company.
A digital copy must be forwarded to everyone, via email, and with a request for receipt and acknowledgment of the recipient.
The sectors responsible for compliance with regulations are:
- IT Board
  - Director: elaboration, updating and dissemination of standards;
  - Infrastructure: access control, asset monitoring and network management, and control and assignment of access credentials to databases and data repositories.
- Human Resources manager
  - Carry out, in the process of admitting new resources, the following:
    - Completion of the access registration form, to be forwarded to the infrastructure coordinator;
    - Provide for the generation of an identification badge and physical access to the MOST building and facilities, according to the contractor's work sector;
  - Carry out, in the process of disconnecting a resource, the following:
    - Collect access badges;
    - Communicate the disconnection of the resource to the infrastructure coordinator, for the withdrawal of all access permissions given to the disconnected resource.
5.2 General Rules
a) The equipment used in the professional activity is provided by the MOST company and must be used ethically and in accordance with the established rules of conduct and security, in particular with the company’s Information Security Policy. To this end, the company reserves the right to control and monitor its contents and forms of use, via MAC address, since the purpose of all communication resources and equipment must be work.
b) The connectivity ports (USB, CDs, etc.) of all the company’s equipment are, by default, blocked. Exceptions will be handled by the IT Board.
c) Private equipment (personal devices), such as computers or any portable devices that can store and/or process data, must not be used to store or process business-related information, nor must it be connected to the Organization's networks.
d) The company’s internal communication resources include the use of the internet, corporate landlines and cell phones, as well as electronic mail, and must always be used ethically by employees.
e) It will be up to the IT Board to define which websites and social networks can be accessed by employees.
f) It will be up to the infrastructure sector to monitor unauthorized access to the network, and report it to the responsible manager, so that the appropriate measures can be taken.
g) All e-mails must be labeled according to the classification of the information inherent to it.
h) Downloads are only allowed when strictly necessary for the employee's work; the employee must request authorization via the HELP DESK.
i) MOST’s work environments will be monitored by day/night cameras, with motion sensors, placed in strategic locations, and connected to an independent internet network, 24 hours a day, under the control and monitoring of the company’s managers.
5.3 User Rules
a) Comply with all the rules defined in this Information Security Policy document during the period in which they are linked to the company;
b) The use of the identification and access control badge is mandatory for all employees, managers and visitors, while they are on the company’s premises, in a visible place;
c) Whenever possible, propose ideas and improvements that in some way may add new security measures to the entire company;
d) Every resource must immediately notify their superior of any incident that may occur, and that may jeopardize the security of the information, so that he/she can take the appropriate measures in relation to the problem;
e) Do not run programs, install equipment, store files or promote actions that may facilitate access by unauthorized users to the company's corporate network;
f) Do not run programs whose purpose is to decode passwords, monitor the network, read third-party data, spread computer viruses, partially or completely destroy files or render services inoperative;
g) Prevent the use of your equipment by other people while it is connected/logged in with your identification;
h) Always lock the equipment when leaving your workstation;
i) Change your passwords, whenever you suspect any compromise of your secrecy;
j) When the user needs access to the virtual machines hosted on Terminal Services, or access to files to which they do not have permission, they must request this access through the HELP DESK system. The HELP DESK manager will forward the request to the responsible body for evaluation and, if it is approved, arrange for access to be granted;
k) It is strictly forbidden to disclose any information to people not connected to the activities of the MOST company, except when duly authorized by the company’s managers;
l) Changes to the company’s standard systems are not permitted;
m) Do not use any resources or equipment made available for purposes other than those necessary for the performance of your activity;
n) MOST directors, employees, agents and consultants (including lawyers, auditors and financial consultants) are responsible for compliance with the Confidential Information policies. All those who receive confidential information must keep and safeguard it confidentially, limit access to it, and control any copies of documents, data and reproductions that may be extracted from it. No confidential information may be passed on to third parties without the written consent of the responsible managers at MOST. Any disclosure of Confidential Information must be in accordance with the terms and conditions set forth in this document. Confidential information may only be used for the purposes of carrying out the work, must be strictly guarded, and must never be revealed, except to those who are also authorized to receive it. Any leakage or breach of confidentiality of information must be reported promptly to the responsible managers.
5.4 Clean desk and clean screen standards
No confidential information should be left in plain sight, whether on paper or on any device, electronic or otherwise. This rule has the main purpose of reducing the risk of fraud, violations, theft and even unauthorized access to information that may be obtained from documents, books, manuals, media, files and other sources of information that are being left in plain view.
a) Information must be protected and treated with a high degree of security and confidentiality;
b) Sensitive and/or confidential information should not be left on employees' desks. When not in use, it must be stored in the lockable drawers of each desk or, in the absence of drawers, in the individual lockers provided by MOST;
c) All telephone sets must be protected against unauthorized use;
d) When using a collective printer, collect the printed document immediately;
e) To avoid any damage to equipment and/or documents, do not have meals on work tables. Meals must be taken exclusively in the cafeteria;
f) Computer terminals must not be left logged in when there is no operator (user) near them, and must be protected by passwords and other controls when not in use.
5.5 Rules for Physical Access
Access to all MOST physical spaces is controlled by doors whose opening is commanded by RFID badges or by entering individual passwords on a keypad.
The protected sectors must have their doors closed.
The badges and passwords are compatible with the functions performed by each of their bearers and the sensitivity of the information contained and treated in each of the company’s spaces.
Who may access each environment is determined by the IT Director.
Visitors and third parties must be received and kept in the reception area or meeting rooms. Only when duly authorized by the company's managers may a visitor or third party enter any internal area, and for that they must carry the visitor badge and be permanently accompanied by a MOST employee/representative, who in turn assumes responsibility for any security risks caused by their companion(s).
5.6 Rules for Passwords
The password is the means by which the employee authenticates to access the company's systems, e-mail and machine profiles, and must therefore comply with the following policies:
a) The new employee, when given the initial password, must change it, observing the following recommendations:
- Use letters and numbers;
- Mix uppercase and lowercase characters;
- Do not use passwords with repeated or sequential letters or numbers;
- Do not use easily obtainable personal information, such as date of birth, first and last names, telephone numbers, and other easily identifiable data;
- Enter passwords quickly, taking care against observation by third parties;
- Passwords must have a fixed length of 8 characters;
- Reuse of the last registered password is not allowed;
- The workstation must require the password to be re-entered after every 15 minutes of inactivity.
b) The infrastructure area will enforce periodic password changes, with a maximum period of three months between them, or whenever a compromise of a password's secrecy is suspected;
c) Passwords are for personal use and are non-transferable;
d) Employees are liable for the consequences of acts caused by the misuse of their passwords;
e) If a resource is disconnected from the company, the person responsible for the HR sector will send an email to the network manager requesting that the login and password be deactivated, updating the employee's record in the company's control systems for verification purposes.
5.7 Infrastructure standards
a) It will be up to those responsible for the infrastructure department to monitor access to the network and its use, observing the following aspects:
- Control and monitoring of access/permissions;
- Firewall monitoring;
- Server monitoring;
- Software version monitoring;
- Traffic monitoring;
- Assets used and shares;
- Downloads made;
- IP addresses;
- Cloud services monitoring (AWS and Google GCP).
Version 2.1 of 07/14/2020
b) Define and acquire logging tools, whether for internet access or for the company's internal systems;
c) Access to virtual machines (terminal services), will only be carried out upon evaluation and authorization by the infrastructure department;
d) The person responsible for the infrastructure will obtain the weekly internet access logs, and will send them to the IT director, weekly, for his/her knowledge and evaluation;
e) The Infrastructure Coordinator is responsible for constant monitoring (24 hours a day) of the use of cloud services, covering the development and support teams.
5.8 Rules for the use of support and development tools
a) It will be up to the IT Director to define the type of access that each member of the teams will have, and according to the specific functions of each one.
b) The Infrastructure coordinator will be responsible for controlling and assigning access data for the tools described below, as defined by the IT Director:
- Database management systems;
- Internal systems (HELP DESK);
- Data repository;
- FTP;
- Control of internal calls;
- Cloud services.
6. Penalties
a) If the rules and policies described in this document are not complied with, the employee will be subject to punishment, in accordance with their employment relationship and with the commitments assumed in the Term of Confidentiality and Responsibility signed on the date of their admission;
b) Expenses caused by non-compliance with the security procedures mentioned in this manual must be borne exclusively by the employee involved in the failure;
c) Violations of this MOST regulation, which may cause damage to the company’s image, its employees or customers, must be punished immediately, starting with a warning, and in more serious cases, dismissal from the company.
7. Risk Management
The procedures, controls and technologies to be used in risk management and incident response, in accordance with the security policy guidelines, are described in the “Contingency Plan” document.
This same document describes the practices adopted for corporate governance and management of cloud services, as well as the security back-up and information disposal policy.
8. Improvement Revisions
In the search for the improvement and evolution of the norms, this Information Security Policy will be systematically reviewed by the IT Board, together with the main actors and managers of the company.