The Information Security and Data Protection Policy of GRUPO I CAN applies to all employees, service providers (self-employed), suppliers, systems and services, including work performed externally or by third parties, that use the Company's processing environment or access information belonging to GRUPO I CAN.
Each and every user of the Company's computing resources is responsible for protecting the security and integrity of information and computer equipment, whether at GRUPO I CAN facilities, on external service, or working from home.
A violation of this security policy is any act that:
- Exposes the Company to actual or potential monetary loss through the compromise of data and/or information security, or through the loss of equipment.
- Involves the disclosure of confidential data, copyrights, trademarks or patents, or the unauthorized use of corporate data.
- Involves the use of data for unlawful purposes, which may include the violation of any law, regulation or other governmental provision.
Purpose of the Information Security Policy:
To ensure the availability, integrity, confidentiality, legality, authenticity and auditability of the information necessary to carry out the business of GRUPO I CAN.
ISO 27001 and the FPNQ excellence criteria are used as references.
It is the duty of everyone within GRUPO I CAN:
To treat information as an asset of the organization and one of the critical resources for carrying out the business; it is of great value to GRUPO I CAN and must always be handled professionally.
01 - CLASSIFICATION OF INFORMATION
Each area is responsible for classifying the information (reports and/or media) it generates according to the confidentiality levels in the table below:
1 - Public
2 - Internal
3 - Confidential
4 - Restricted
Concepts:
Public Information: All information that may be accessed by users of the organization, customers, suppliers, service providers and the general public.
Internal Information: All information that may be accessed only by employees of the organization. It carries a degree of confidentiality, and its disclosure could compromise the image of the organization.
Confidential Information: All information that may be accessed by users of the organization and by partners of the organization. Unauthorized disclosure of this information may have a financial, image or operational impact on the organization's business or on the partner's business.
Restricted Information: All information that may be accessed only by users of the organization explicitly designated by name or by the area to which they belong. Unauthorized disclosure of this information can cause serious damage to the business and/or compromise the organization's business strategy.
Every Manager/Supervisor must instruct his/her team not to circulate information and/or media classified as confidential and/or restricted, not to leave reports on printers, and not to leave media in easily accessible places. The "clean desk" concept always applies: when finishing work, do not leave any confidential and/or restricted reports or media on your desk.
02 - PERSONAL DATA OF EMPLOYEES
GRUPO I CAN undertakes not to intentionally collect or retain Employee Personal Data other than that relevant to the conduct of its business.
All Employee Personal Data will be treated as confidential data. Personal Data of Employees under the responsibility of GRUPO I CAN will not be used for purposes other than those for which it was collected.
Employee Personal Data will not be transferred to third parties, except when required by our business and provided that such third parties maintain the confidentiality of the data; this includes the list of electronic addresses (e-mails) used by GRUPO I CAN employees.
03 - ILLEGAL PROGRAMS
The use of illegal (pirated) programs at GRUPO I CAN is strictly prohibited. Users may not, under any circumstances, install this type of software on the Company's equipment.
Periodically, the Information Technology Sector will inspect the data on the servers and/or on users' computers to ensure that this guideline is being followed.
04 - PERMISSIONS AND PASSWORDS
When a new user needs to be registered to use the Company's network, systems or IT equipment, the new user's home sector must communicate this need to the IT Sector by memorandum or e-mail, stating which routines and programs the new user will have access to and which will be restricted. The IT Sector will register the new user and inform them of their initial password, which must be changed every 45 (forty-five) days.
For security, the IT Sector recommends that passwords always have a minimum of 8 (eight) alphanumeric characters.
All users responsible for the electronic approval of documents (example: purchase orders, requests, etc.) powers).
Database access profiles are defined in item 08, and the use of e-mail in item 13.
05 - FOLDER AND DATA SHARING
Users must periodically review all existing shares on their workstations and ensure that data classified as confidential and/or restricted is not exposed to unauthorized access.
06 - BACKUP OF THE INTEGRATED SYSTEM AND NETWORK SERVERS
Backup copies of the integrated system (Cansystem Platform) and of the network servers are the responsibility of the IT Sector and must be made daily.
The Cansystem Platform data is stored on a contracted server, whose provider also performs a monthly data backup.
07 - INTELLECTUAL PROPERTY
GRUPO I CAN owns all designs, creations and procedures developed by any employee during the course of their employment, or by any self-employed provider during the provision of services to GRUPO I CAN.
08 - USE OF THE WEB ENVIRONMENT (Internet)
Internet access will be authorized for users who need it to perform their professional activities at GRUPO I CAN. Sites whose content does not add professional and/or business knowledge should not be accessed.
Internet use will be monitored by the Information Technology Sector, including through "logs" (files generated on the server) that record which user is connected, how long they used the Internet and which pages they accessed.
The Company's Management decides which employees are allowed to use (browse) the Internet, based on the recommendation of the IT Supervisor.
Installing programs from the Internet on GRUPO I CAN's microcomputers is not allowed without express consent from the IT Sector, except for programs provided by federal, state and/or municipal public bodies.
Users must ensure that they are not taking actions that could infringe on third party copyrights, trademarks, license to use or patents.
When browsing the Internet, viewing, downloading, copying or any other type of access to the following websites is prohibited:
Radio station sites;
Sites with pornographic or sex-related content;
Sites that advocate illegal activities;
Sites that demean or incite prejudice against certain groups;
Sites that promote participation in discussion rooms on matters not related to GRUPO I CAN's business;
Sites that promote public discussion about the business of GRUPO I CAN, unless authorized by the Board of Directors;
Sites that enable the distribution of "Confidential" level information;
Sites that allow the transfer (download) of illegal files and/or programs.
Contracts with employees and self-employed service providers will provide for the matter of Internet use not authorized by GRUPO I CAN.
09 - USE OF ELECTRONIC MAIL - ("e-mail")
The electronic mail provided by GRUPO I CAN is an instrument of internal and external communication for carrying out the business of GRUPO I CAN.
Messages must be written in professional language, must not compromise the image of GRUPO I CAN, and must not be contrary to current legislation or to the ethical principles of GRUPO I CAN.
The use of electronic mail is personal, and the user is responsible for all messages sent from his or her address.
It is strictly prohibited to send messages that:
Contain defamatory statements or offensive language;
May cause harm to other people;
Are hostile or unhelpful;
Are related to "chain" messages, pornographic content or the like;
May harm the organization's image;
May harm the image of other companies;
Are inconsistent with the policies of GRUPO I CAN.
To add a new user to the electronic mail system, the respective Management must make a formal request to the Information Technology Sector, which will arrange for the inclusion.
E-mail must be used judiciously, so that the system does not become congested.
In case of congestion in the electronic mail system, the Information Technology Sector will audit the mail server and/or users' workstations in order to identify the cause.
The use of free e-mail services (offered on some websites) on GRUPO I CAN computers is not allowed.
In order to prevent viruses from entering GRUPO I CAN, the Information Technology Sector may block the receipt of e-mails from free e-mail providers.
The IT Sector is responsible for the performance of the corporate e-mail provider.
10 - NEEDS FOR NEW SYSTEMS, APPLICATIONS AND/OR EQUIPMENT
The IT Sector is responsible for applying GRUPO I CAN's Policy regarding the purchase and replacement of software and hardware, corporate e-mail, e-mail marketing and data storage providers.
Any need for new programs (software), new information technology equipment (hardware), etc., must be submitted as a proposal to the Board of GRUPO I CAN by the person responsible for the Information Technology Sector.
Users are not allowed to purchase or develop software or hardware directly.
11 - USE OF PERSONAL COMPUTERS (LAPTOPS) OWNED BY GRUPO I CAN
Users who are entitled to use personal computers (laptops or notebooks), or any other computing equipment owned by GRUPO I CAN, must be aware that:
Information technology resources made available to users are intended for carrying out professional activities.
The protection of a computing resource assigned for individual use is the responsibility of the user.
It is the responsibility of each user to ensure the integrity of the equipment and the confidentiality and availability of the information contained in it.
The user must not change the configuration of the equipment received.
Some precautions to be observed:
Outside the workplace:
Always keep the equipment with you;
Pay attention in hotel lobbies, airports, planes, taxis, etc.;
When transporting the equipment in a car, always use the trunk or a place where it is not visible;
Be careful when carrying the equipment on the street.
In case of theft:
Register the occurrence at a police station;
Inform your immediate superior and the Information Technology Sector;
Send a copy of the police report to the Information Technology Sector.
The Office Professional package was acquired by GRUPO I CAN and installed on the notebooks. This equipment is considered a company asset.
Upon receiving the equipment, the employee or self-employed service provider must sign a Term of Custody.
12 - RESPONSIBILITIES OF MANAGERS/SUPERVISORS
Managers and supervisors are responsible for defining their employees' access rights to the Company's systems and information. It is up to them to verify that employees access only the routines compatible with their respective functions, use and properly maintain the equipment, and keep backup copies of their individual files as set out in this policy.
The Information Technology Sector will carry out periodic audits of users' access to information, verifying:
What kind of information the user can access;
Who is authorized to access a certain routine and/or information;
Who accessed a certain routine or information;
Who authorized the user's access permission to a certain routine or information;
What information or routines a particular user accessed;
Who tried to access any routine or information without being authorized.
13 - TELECOMMUNICATION SYSTEM
Control of use, granting of permissions and application of restrictions for GRUPO I CAN telephone extensions, as well as the use of any virtual extensions installed on computers, is the responsibility of the IT Sector, in accordance with the definitions of the Board of GRUPO I CAN.
The supply of cell phones and SIM chips is subject to Board approval.
Upon receiving the equipment or chip, the employee or self-employed service provider must sign a Term of Custody.
At the end of each month, for control purposes, reports will be sent to each management informing how much was spent by each extension or chip.
14 - USE OF ANTI-VIRUS
All media files coming from outside GRUPO I CAN must be scanned by an antivirus program.
Every file received or obtained through the Internet must be scanned by an antivirus program. All workstations must have an antivirus installed. Antivirus updates will be automatic, scheduled by the IT department and distributed over the network.
The user may not, under any circumstances, disable the antivirus program installed on the workstations.
15 - PENALTIES
Failure to comply with this Information Security Policy constitutes serious misconduct and may result in the following actions: formal warning, suspension, termination of employment, other disciplinary action and/or civil or criminal proceedings.