Understand the practices we use to protect your company's data and information. Our Security Policy reinforces our commitment to system integrity and reliability.
The Information Security Policy (PSI) aims to provide an understanding of the formal procedures and processes used to mitigate weaknesses in the controls over the systems and data accessed or produced by the company. It is based on the recommendations of ABNT NBR ISO/IEC 27001:2013 (Information security management systems - Requirements) and ABNT NBR ISO/IEC 27002:2013 (Code of practice for information security controls), together with other relevant good-practice recommendations.
It also aims to meet the requirements of the General Data Protection Law (LGPD), without being limited to, or conflicting with, what is stated in that law.
Thus, the main objectives of this PSI are to guarantee the following principles:
• Confidentiality: ensure that information is accessed only by authorized persons;
• Integrity: ensure that information is not tampered with, falsified, or stolen;
• Availability: ensure that information is available whenever requested by authorized users, even in the event of involuntary (that is, unintentional) system interruptions.
This Policy is of a public nature and must be known by all customers, employees, and suppliers who in any way take part in the company's internal processes. Each of them must ensure, within their sphere of activity, the correct application of the rules presented here in their entirety. The Policy remains mandatory for the whole duration of the contract, and in specific cases for a period beyond it, and no one may claim ignorance of it.
Information security is everyone's responsibility and rests on habits, attitude, accountability, and constant care when using information assets. The use of information assets must always be compatible with the ethics, confidentiality, legality, and purpose of the activities performed by the user.
This PSI must be reviewed continuously in light of all current legal aspects and relevant additional information, whether arising from practices and/or procedures, new threats or technologies, events not previously considered, etc., and must reflect the business requirements and the guarantees that guide this document.
Each of the applicable topics will consist of a definition of scope, a definition of standards and good practices, and a definition of procedures and their respective controls, as follows:
1. Scope: presents the topic and the guidelines of this Policy for it.
2. Standards and good practices: specifies the good practices for correctly applying the scope.
3. Procedures and controls: defines the procedures for enforcing the practices, and the controls with the acceptable parameters for maintaining the scope.
Because this document is public, items 2 and 3 are extensions of it whose distribution is restricted to the related areas, in order to guide the management of IT procedures.
Access: the act of entering, transiting, discovering, or consulting information, as well as the possibility of using the information assets of an organization or entity;
Responsible Agent: the collaborator responsible for leading and managing the Information Security Incident Handling Team;
Threat: a set of external factors, or a potential cause, of an unwanted information security incident, which may result in harm to a system or organization;
Activity: a process or set of processes carried out by or on behalf of an organization or entity that produces or supports one or more products or services;
Information Assets: the means of storage, transmission, and processing, the information systems, the places where these media are located, and the people who have access to them;
Information Security Steering Committee: a permanent group of people responsible for advising on the implementation of information and communications security actions, which monitors, establishes rules, and deliberates on matters of interest, among other duties;
Control, Protection, or Countermeasure: a way of managing risk, including policies, procedures, organizational guidelines, practices, or structures, which may be of an administrative, technical, managerial, or legal nature;
Information Asset Custodian: the person formally responsible for protecting one or more information assets, applying security controls at the levels required by the information and communications security requirements;
Disaster: a sudden and unplanned event that causes loss to all or part of the organization and seriously impairs its ability to deliver essential or critical services for a period longer than the recovery time objective;
Information Security Incident Handling: the act of receiving, analyzing, and responding to notifications and activities related to computer security incidents;
Continuity Management: a comprehensive management process that identifies potential threats to an organization and the possible impacts on business operations should those threats materialize, and that seeks to provide a structure that builds organizational resilience capable of responding effectively and safeguarding the interests of stakeholders, the organization's reputation and brand, and its value-adding activities;
Information and Communications Security Risk Management: the set of processes that make it possible to identify and implement the protective measures needed to minimize or eliminate the risks to which information assets are exposed, balancing them against the operational and financial costs involved;
Information Manager: any collaborator or unit that, in the exercise of their duties, is responsible for producing information or for processing, even temporarily, information owned by an individual or legal entity and entrusted to Élin Duxus;
Information and Communications Security Manager: the person responsible for information and communications security actions within the scope of Élin Duxus;
Security Incident: an occurrence indicated by a single event or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security (in accordance with ISO/IEC TR 18044:2004, which has since been superseded by ISO/IEC 27035; verify that it is applicable);
Retention Period: the period during which a backup remains available for timely restoration or retrieval of files as of a given point in time;
Business Continuity Plan: a plan consisting of the set of measures, rules, procedures, and information needed for Élin Duxus to maintain its critical information assets and the continuity of its critical activities at an alternative location, at a pre-defined level, in the event of incidents;
Incident Management Plan: a clearly defined and documented action plan, to be used when an incident occurs, that covers the main people, resources, services, and other actions needed to carry out the incident management process;
Business Recovery Plan: a plan consisting of the set of measures, rules, procedures, and information needed for Élin Duxus to bring its critical activities back to normal;
Risk Treatment Plan: the process and implementation of information and communications security actions to avoid, reduce, retain, or transfer a risk;
Business Continuity Management Program: a continuous management and governance process, supported by top management and given appropriate resources, to ensure that the necessary steps are taken to identify the impact of potential losses, to maintain recovery strategies and plans, and to ensure the continued provision of products and services through critical review, testing, training, and maintenance;
Resource: a means of any nature (human, physical, technological, financial, market image, credibility, among others) that makes it possible to achieve what is proposed;
Resilience: the capacity of an organization to withstand the effects of a disaster;
Retention: backups of periods (annual/monthly) that have already been consolidated and will no longer be present in the application environment;
Information and Communications Security Risks: the potential for one or more threats to exploit one or more vulnerabilities of an information asset or group of such assets, with a negative impact on the organization's business;
RPO (Recovery Point Objective): bounds the recovery point in time and defines the maximum amount of data that may be lost between the last valid backup and a failure;
RTO (Recovery Time Objective): relates to downtime and represents the amount of time it takes to recover from an incident until operations are available to users again;
Information and Communications Security: the actions that aim to enable and ensure the availability, integrity, confidentiality, and authenticity of information;
Information Processing: the reception, production, reproduction, use, access, transportation, transmission, distribution, storage, elimination, and control of information, including sensitive information;
Audit Trails: system log files that record the actions performed on a system, so that it is possible to identify who or what caused something;
External User: any natural or legal person who makes use of information and is not administratively linked to Élin Duxus;
Internal User: any natural person or internal unit that makes use of information and is administratively linked to Élin Duxus;
Users: internal and external users; collaborators, outsourced workers, consultants, auditors, and interns/scholarship holders who have obtained authorization from the person responsible for the interested area to access Information Assets.
The organizational structure for managing Information Security requirements consists of the following groups:
• Information Security Steering Committee
• People Managers
• Collaborators
• Infrastructure
The Information Security Steering Committee is responsible for:
• Proposing improvements, changes, and adjustments to the PSI;
• Proposing investments related to information security in order to minimize risks;
• Classifying information and defining the level of access to it whenever necessary;
• Assessing security incidents and proposing corrective actions;
• Approving the Information Security Policy and its updates.
The Committee is made up of:
• the Board of Directors;
• the leaders of the related areas;
• Legal Counsel, when applicable.
With regard to Information Security, people and/or process managers must:
• Set an exemplary stance regarding information security, serving as a model of conduct for the collaborators under their management;
• Inform new hires, during hiring and the formalization of individual employment contracts, of their responsibility to comply with the PSI;
• Comply with and enforce this Policy and the Information Security Regulations and Procedures;
• Require partners, service providers, and other external entities to sign a confidentiality agreement covering the information to which they will have access;
• Develop, with the support of Infrastructure, the information security procedures related to their areas, providing the necessary information and keeping them up to date;
• Report, whenever necessary, changes to processes and/or employee records so that permissions can be granted or revoked as needed;
• Make administrative decisions regarding breaches of the PSI.
Employees, outsourced workers, and other collaborators are solely responsible for:
• Faithfully complying with the Information Security Policy, Regulations, and Procedures;
• Seeking out members of the Information Security Steering Committee to clarify questions regarding the PSI;
• Protecting information against unauthorized access, disclosure, modification, or destruction;
• Ensuring that the equipment and technological resources at their disposal are used only for approved purposes;
• Disposing of documents appropriately according to their classification level;
• Promptly reporting to the members of the Steering Committee any violation of this Policy, its rules, and its procedures.
Infrastructure is responsible for:
• Defining the rules for installing software and hardware;
• Approving personal equipment (smartphones and notebooks) for use on the network;
• Monitoring access to information and technology assets (systems, databases, network resources) with reference to the Information Security Policy and Regulations;
• Keeping an up-to-date register and control of all access grants, and promptly suspending or amending them whenever formally requested;
• Proposing the methodologies and processes related to information security, risk assessment, vulnerability analysis, etc.;
• Critically analyzing security incidents together with the Information Security Steering Committee;
• Maintaining effective communication with the Information Security Steering Committee regarding potential threats and new security measures;
• Seeking alignment with the organization's guidelines.
It is the responsibility of the Leader of each area to establish the confidentiality level of the information (reports and/or media) generated by their area, according to the concepts below:
• Public Information: all information that may be accessed by users of the organization, clients, suppliers, service providers, and the general public.
• Internal Information: all information that may be accessed only by employees of the organization. It is information whose degree of confidentiality may compromise the organization's image.
• Confidential Information: all information that may be accessed by users of the organization and by the organization's partners. Unauthorized disclosure of this information may have a financial, image, or operational impact on the organization's business or on the partner's business.
• Restricted Information: all information that may be accessed only by users of the organization explicitly designated by name or by the area to which they belong. Unauthorized disclosure of this information may cause serious damage to the business and/or compromise the organization's business strategy.
Every Manager/Supervisor must instruct their subordinates not to circulate information and/or media classified as confidential and/or restricted, not to leave reports on printers or media in easily accessible places, and to always keep in mind the "clean desk" concept: at the end of the working day, no confidential and/or restricted reports and/or media may be left on desks.
All processes/procedures for the proper functioning of all systems, as well as resource management, are the responsibility of Infrastructure.
It is also responsible for:
• Providing all documentation needed for the installation, operation, and recovery of the systems, for the use of employees and clients;
• Information processing and treatment, both automatic and manual;
• Monitoring the correct use of resources and suggesting corrections when necessary;
• Maintaining protection solutions against logical security problems (viruses, unauthorized access, intrusions, etc.). Infrastructure is responsible for defining these protection solutions, taking into account the criticality of the information assets involved and under its responsibility.
Infrastructure is also responsible for defining the security procedures for implementing, maintaining, updating, uninstalling, and recovering software, operating systems, and DBMSs, to ensure that these logical environments do not contain vulnerabilities that compromise information security; the standardization of these procedures is the responsibility of the Information Security Committee.
The relevant service and operation documentation must include:
• Adopted security criteria;
• Installation and configuration;
• Information processing and treatment, both automatic and manual;
• Backup procedures;
• Operation scheduling requirements, including interdependencies with other systems;
• Instructions for handling errors or other exceptional conditions that may occur;
• External support contacts in case of unexpected operational events;
• Procedures for restarting and recovering in the event of a system failure;
• Monitoring procedures.
The entire backup process and backup maps, as well as retention periods, must be documented and audited for:
1. Efficiency: backups run automatically, whether daily or incremental, and are synchronized with little or no human intervention;
2. Availability: backups are available whenever needed, with the RTO and RPO times defined in the documentation;
3. Security: all backups must be encrypted and password protected, regardless of the classification of the information.
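The audit that items 1 to 3 call for can be reduced to checks over the backup catalog: the longest gap between successful backups of a set is the data loss the set would actually suffer (its effective RPO), a restore test that takes longer than the documented RTO means the RTO is not met, and an unencrypted copy violates item 3. The following is an added example, not code from the Élin Duxus policy or its tooling; the catalog and restore-test line formats, the sample entries, and the documented RPO/RTO values are assumptions chosen for illustration.

```python
"""Check a backup catalog against a documented RPO, RTO and encryption requirement.

Added example (not part of the Élin Duxus policy). The catalog format, the
restore-test log format, the sample entries and the RPO/RTO values below are
hypothetical and exist only to illustrate the audit.
"""
from datetime import datetime, timedelta

# Hypothetical documented objectives for every backup set.
DOCUMENTED_RPO = timedelta(hours=24)
DOCUMENTED_RTO = timedelta(hours=4)

# Constructed backup catalog, one line per job: finished_at|set|kind|status|encrypted
SAMPLE_CATALOG = """\
2024-05-01T01:00:00Z|erp-db|full|OK|yes
2024-05-02T01:05:00Z|erp-db|incremental|OK|yes
2024-05-03T01:02:00Z|erp-db|incremental|FAILED|yes
2024-05-04T01:03:00Z|erp-db|incremental|OK|yes
2024-05-01T02:00:00Z|fileshare|full|OK|no
2024-05-02T02:00:00Z|fileshare|incremental|OK|no
"""

# Constructed restore-test log, one line per test: set|started|finished
SAMPLE_RESTORE_TESTS = """\
erp-db|2024-05-05T09:00:00Z|2024-05-05T11:30:00Z
fileshare|2024-05-05T09:00:00Z|2024-05-05T09:20:00Z
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_catalog(text):
    """Parse catalog lines into dicts; a FAILED job is kept but marked not ok."""
    entries = []
    for line in text.splitlines():
        finished, name, kind, status, enc = line.split("|")
        entries.append({"finished": _ts(finished), "set": name, "kind": kind,
                        "ok": status == "OK", "encrypted": enc == "yes"})
    return entries


def effective_rpo(entries, backup_set):
    """Largest gap between consecutive *successful* backups of a set.

    This is the worst-case data loss: a failed job leaves the previous copy as
    the only restore point, so it widens the gap rather than closing it.
    """
    times = sorted(e["finished"] for e in entries if e["set"] == backup_set and e["ok"])
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def restore_durations(text):
    """Map each set to how long its last recorded restore test took."""
    out = {}
    for line in text.splitlines():
        name, start, end = line.split("|")
        out[name] = _ts(end) - _ts(start)
    return out


def audit(catalog_text, restore_text, rpo=DOCUMENTED_RPO, rto=DOCUMENTED_RTO):
    """Return {set: [findings]}; an empty list means the set is compliant."""
    entries = parse_catalog(catalog_text)
    restores = restore_durations(restore_text)
    findings = {}
    for name in sorted({e["set"] for e in entries}):
        issues = []
        gap = effective_rpo(entries, name)
        if gap is None or gap > rpo:
            issues.append(f"RPO: worst gap {gap} exceeds documented {rpo}")
        if any(not e["encrypted"] for e in entries if e["set"] == name):
            issues.append("unencrypted backup present")
        duration = restores.get(name)
        if duration is None:
            issues.append("no restore test recorded")
        elif duration > rto:
            issues.append(f"RTO: restore took {duration}, documented {rto}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for backup_set, issues in audit(SAMPLE_CATALOG, SAMPLE_RESTORE_TESTS).items():
        print(backup_set, "OK" if not issues else "; ".join(issues))
```

In the constructed sample the failed incremental on 2024-05-03 pushes the ERP database's worst gap to almost 48 hours, which is what a restore would actually lose, even though a job ran every day; that is the point of measuring RPO from successful copies rather than from the schedule.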
Services and servers, such as web pages, electronic mail, and administrative systems, will be configured to use authentication and encryption technologies to ensure the integrity, secrecy, and authenticity of the information.
Infrastructure must ensure that logical environments are restricted by secure passwords or other appropriate security mechanisms, except in situations where technical restrictions prevent this, which will be reviewed by the Information Security Steering Committee.
Infrastructure must ensure that all information systems comply with the following guidelines:
• Logical environments are segregated so that the production environment is separate from the others;
• Production environments may be accessed only by the internal users responsible for deploying information systems (Infrastructure);
• Databases in production environments are accessed, whenever possible, through the information systems; where this is not possible, access must be made by a member of the team responsible for the database, with the authorization of a manager-level internal user of the requesting area;
• Direct access must be logged in a way that allows identification of what was modified and who was responsible for the modification;
• Information systems transferred to the production environment must have their original source code kept in an internal source code repository management system;
• The source code of information systems must be managed by a specific version control tool. Access to the tool must be restricted through specific access profiles, recorded in audit trails. Version control must make it possible to identify the person responsible for adding, deleting, or altering source code, and to recover recent versions;
• The computing environment intended for running the systems (the production environment) must not be used for testing. Tests must be carried out in an appropriate, managed environment;
• The promotion of programs and data to the production environment must be controlled so as to ensure the integrity and availability of that environment for execution.
Internal users will have an email account on the Élin Duxus email service. Each account has a single owner, which determines responsibility for its use.
E-mail must not be used to commit illegal acts or acts prohibited by law, by this guideline, or by supplementary regulations that may be published; acts harmful to the rights and interests of Élin Duxus or third parties; or acts that may in any way damage, disable, overload, or deteriorate information assets, including documents and files of any kind, whether for one's own use or for the use of third parties.
It is forbidden to send files or sensitive information/passwords that could compromise information security, either at the origin or at the destination.
Files containing sensitive information must be compressed/encrypted and password protected (see the alternatives for file exchange). The password in question must not be sent by e-mail; use another channel, such as the telephone or a messenger.
Access to the company's internal systems will be only through VPN.
• For use of internal systems with non-public domain names, the VPN connection will supply the primary DNS server; that is, all name requests made while the user is logged in to Élin Duxus will be resolved internally.
• The use of any third-party tools, such as file sharing systems (Google Drive, iDrive, Dropbox, iCloud, etc.), P2P, FTP, etc., or communication systems such as videoconferencing, messengers, VoIP telephone systems, etc., to perform work functions remotely is not permitted. For this purpose, use the tools provided by the company, according to the Home Office documentation.
If the remote location has Wi-Fi routers, the employee must be aware of possible misuse of the network due to weak and/or shared passwords. It is recommended that:
• The Wi-Fi password be changed frequently;
• File sharing not be used/enabled.
All internal Élin Duxus systems must:
• Be controlled by access passwords, in accordance with the guidelines specified in the Passwords topic (below);
• Be segregated by logical network distribution, where applicable;
• Grant access according to the classification levels established in the Information Asset Classification topic and the hierarchical/functional position of the employee, as defined by the People Managers.
All customer access systems hosted at Élin Duxus must:
• Be controlled by access passwords, in accordance with the guidelines specified in the Passwords topic (below);
• Because access is via the internet, be protected by a firewall as the front line, with tools for detecting DDoS attacks, brute force, and other attacks, as well as restriction of the IP addresses that may access the systems. The IP addresses in question must be reported to Élin Duxus for configuration of the firewall and proxies;
• In the case of employees of client institutions who work under a Home Office scheme, since the connection will have dynamic IP addresses, the customer in question must provide a VPN connection for the collaborator and use appropriate tools to route connections to the systems through this medium, so that the access IP address is the institution's and not the collaborator's.
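Two of the controls above, brute-force detection and the customer-reported IP allowlist, can be verified against the authentication log of a hosted system. The following is an added example, not code from the Élin Duxus policy, its firewall, or its proxies: the log line format, the failure threshold and window, and the allowlist ranges are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Brute-force detection and source-IP allowlist check over authentication log lines.

Added example (not part of the Élin Duxus policy). The log format, the
threshold/window, the allowlist and the sample lines are hypothetical and
exist only to illustrate the two checks.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample of web-application login log lines (hypothetical format).
SAMPLE_LOG = """\
2024-05-06T08:00:01Z client=203.0.113.10 user=alice result=FAIL
2024-05-06T08:00:03Z client=203.0.113.10 user=alice result=FAIL
2024-05-06T08:00:04Z client=203.0.113.10 user=alice result=FAIL
2024-05-06T08:00:06Z client=203.0.113.10 user=alice result=FAIL
2024-05-06T08:00:07Z client=203.0.113.10 user=alice result=FAIL
2024-05-06T08:00:09Z client=203.0.113.10 user=alice result=FAIL
2024-05-06T08:00:15Z client=198.51.100.7 user=bob result=OK
2024-05-06T08:01:00Z client=198.51.100.7 user=bob result=FAIL
2024-05-06T08:20:00Z client=198.51.100.7 user=bob result=FAIL
2024-05-06T08:30:00Z client=192.0.2.44 user=carol result=OK
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Hypothetical ranges the customer reported for firewall/proxy configuration.
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, ipaddress.ip_address(m["ip"]), m["user"], m["result"]


def is_allowed(ip):
    """True if the address (string or address object) falls inside a reported range."""
    return any(ipaddress.ip_address(ip) in net for net in ALLOWLIST)


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: time_of_trigger} for sources with >= threshold FAILs in a sliding window.

    A deque per source keeps only failures inside the window, so a slow
    trickle of failures (bob above) is not flagged while a burst is.
    """
    failures = defaultdict(deque)
    flagged = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, ip, _user, result = parsed
        if result != "FAIL":
            continue
        key = str(ip)
        q = failures[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged


def unlisted_sources(log_text):
    """Sorted list of source addresses seen that are outside the reported allowlist."""
    seen = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is not None and not is_allowed(parsed[1]):
            seen.add(str(parsed[1]))
    return sorted(seen)


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"brute force from {ip} at {when.isoformat()}Z")
    for ip in unlisted_sources(SAMPLE_LOG):
        print(f"access from address not on customer allowlist: {ip}")
```

The second check matters for the Home Office case in the last bullet: if a client employee reaches the system from a dynamic home address instead of through the client's VPN, that address shows up here as unlisted and should be rejected by the firewall rather than added to the allowlist.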
A password is a personal and non-transferable resource that protects the employee's identity. For all intents and purposes, it is hereby made clear that the misuse of another person's password is typified in the Brazilian Penal Code, art. 307 (False Identity).
To guide the creation of secure passwords, the following rules are established:
• The password is the sole responsibility of the user; its disclosure or lending is expressly prohibited, and any suspicion that it has been disclosed must be reported immediately to Infrastructure;
• The initial password will be provided only to the employee in person. It may not be provided by telephone, instant messenger, or any other means that does not guarantee the employee's identity;
• Login sharing is prohibited for system administration functions, for access to management and control systems, and for access to Élin Duxus' internal and administrative systems;
• Passwords must not be written down and left next to the computer (under the keyboard, stuck to the monitor, etc.);
• The password must be changed every 6 months, following the rules above.
A password manager application for a team or collaborator may be adopted, provided that:
• The access password for this application follows all the security requirements contained in this document;
• Any problem such as improper access to the application, a password leak, or any other action that violates the integrity of the systems' security is reported immediately to Infrastructure.
Infrastructure is designated as responsible for Information Security Incident Management, applying the following guidelines:
• Identify risks, points of failure, and information security weaknesses;
• Document incident response processes for the risks identified;
• Implement tools for monitoring, detecting, analyzing, and reporting incidents and events;
• Record the resolution activities for each reported incident, including those related to escalation, controlled recovery, and communication with the relevant internal and external persons or parties.
Business continuity must be implemented based on established disaster levels, considering their impact on continuity itself as well as on information security, and maintaining the processes, procedures, and controls needed to ensure the required level of continuity during an adverse situation.
• Business continuity is implemented to mitigate and respond to an interruption event;
• The human resources responsible for responding to the incident are given the authority and competence to manage an incident and ensure information security.
Contingency environments must be monitored and tested for their:
• Availability
• Security
• Integrity
• Incident response, according to the documentation
Business continuity from a company management perspective is not the objective of this Policy, but it must consist of:
• Business Continuity Policy: defines the guidelines for preparing business continuity and business recovery plans;
• Business Continuity Plan: a plan consisting of the set of measures, rules, procedures, and information needed for Élin Duxus to maintain its critical information assets and the continuity of its critical activities at an alternative location, at a previously defined level, in the event of incidents;
• Business Recovery Plan: a plan consisting of the set of measures, rules, procedures, and information needed for Élin Duxus to bring its critical activities back to normal.
This PSI follows principles of good practice and relevant legislation, namely:
• LGPD (Brazilian General Data Protection Law, Law No. 13,709/2018)
• ISO/IEC 27000 series