- Objective
To establish information security concepts and guidelines, with a view to protecting CAF's and its customers' information. It is positioned as a strategic document to promote the safe use of CAF's information assets. Thus, it must be understood as a formal statement by the company about its commitment to the protection of information under its custody, and must be complied with by all employees and outsourced workers.
- Scope and Premises
This policy outlines comprehensive guidelines for the protection of information, ensuring the fundamental principles of confidentiality, integrity, and availability. Its scope encompasses the entirety of CAF's operations and establishes essential assumptions for the preservation of information security at all levels of the organization.
- Applicability
This Policy applies to all CAF areas and employees, regardless of their hierarchical level. Adherence to these guidelines is mandatory and reflects the Corporate Governance regarding Corporate Information Security issues at CAF.
- Definitions
Information Security: aims to preserve the properties of confidentiality, integrity, availability, not limited to computer systems, information, whether in electronic, physical or even verbally accessed, as well as storage systems.
- Guidelines
CAF is committed to complying with current applicable legislation. To guide its business activities effectively, it is essential to establish a structured and transparent Information Security Policy, promoting adherence and compliance.
5.1. Pillars of Information Security Information
Information security is characterized here by the preservation of the following pillars:
Confidentiality: CAF aims to ensure that access to information about the company, its customers, suppliers and third parties is obtained only by authorized persons and when access by fact is necessary.
Integrity: CAF aims to guarantee the accuracy and completeness of the information and its processing methods, as well as the integrity of customer data under its responsibility.
Availability: CAF aims to ensure that information is always available to professionals who actually have the necessary access to do so, and to ensure that data is available in accordance with the level of service agreement contracted by clients.
5.2. General Aspects
The information (in physical or logical format) and the technological environments used by users are the exclusive property of CAF and cannot be interpreted as for personal use.
Customer and third-party information must be treated ethically and confidentially, in accordance with current laws.
Customer and third-party information should only be used for the purposes for which they were authorized.
It is crucial that all employees, including third parties, are aware that the use of information and information systems may be monitored. The records obtained from this monitoring can be used as evidence in process investigations.
CAF maintains a commitment with the client to adopt the most adequate and available security techniques and means in relation to the security of data transferred, processed and/or stored in CAF's systems.
Employees must have a unique identification (physical and logical), personal and non-transferable, which is capable of qualifying them as responsible for their actions.
Only authorized professionals should have access to information about CAF and its clients.
Every process, whenever possible, during its life cycle, must guarantee the segregation of duties, through the articipation of more than one person or team.
Access must always obey the criterion of least privilege, in which users must have only the necessary permissions to perform their activities.
Confidential information such as passwords and/or any information that the professional has in his/her possession during the exercise of his/her position must always be kept secret, and its sharing is strictly prohibited.
Responsibilities regarding the guarantee of the information security pillars must be widely disclosed in CAF, firmly enforcing the application of the guidelines described herein.
This policy is supported by a set of regulations and procedures established by CAF.
The information must be used transparently and only for the purpose for which it was collected and/or for statistical uses without exposing the holders in an identifiable way or for other system characteristics available to the customer.
The CAF is committed to the continuous improvement of its approach to information security through the implementation, maintenance, and enhancement of its Information Security Management System in accordance with ISO/IEC 27001.
5.3. Access and Identity Management
The logical access of employees, including outsourced employees, must be controlled so that only the information necessary for the performance of their activities is available, upon formal approval.
The physical access of employees, including outsourced employees, and visitors to locations that have CAF technological resources must be controlled, upon formal approval.
5.4. Treatment of Information
To ensure adequate protection of CAF's information, there must be a method of classifying and labeling information according to the degree of confidentiality and criticality for CAF's business:
- Classification must follow the following labels: Restricted, Confidential, Internal or Public, thus considering the needs related to the business;
- All information must be adequately protected in compliance with CAF's information security guidelines throughout its life cycle, which includes: generation, handling, storage, transport and disposal;
- The information must be used transparently and only for the purpose for which it was collected and/or for statistical uses without exposing customers or third parties in an identifiable way or for other system features available to the customer itself.
5.5. Management of Information Security Risks, Objectives and Incidents
Risks must be identified through an established process for the Assessment of Information Security Risks that affect the business and/or its strategies, aligned with the business context in order to preserve and adequately protect the CAF.
Information Security incidents must be analyzed, treated, recorded, monitored and reported to the requester.
5.6. Awareness Training
CAF must carry out training on a regular and periodic basis on Information Security awareness and the actions must have different formats and cover different audiences, which may be, but not limited to: On-site or Regular Training, Distance Learning and Engineering Campaigns Social and Phishing Simulations.
5.7. Information Asset Management
CAF information assets must be recorded in a centralized inventory whenever applicable. This inventory includes the following details for each asset: asset description, asset owner, control process/tool, approximate quantity (records, licenses, users, units), and information classification according to the "Information Classification Policy." The responsibility for maintaining and updating the inventory lies with the Cybersecurity team, with support from the asset owners.
- Responsibilities
6.1 All employees, including outsourced employees:
- To faithfully comply with CAF's Policy, Rules and Information Security Procedures;
- Carry out the mandatory training provided by CAF;
- Protect information against access, modification, destruction or disclosure not authorized by CAF;
- Ensure that the technological resources, information and systems at its disposal are used only for the purposes approved by CAF;
- Comply with the laws and regulations that regulate intellectual property and unfair competition;
- Not discuss confidential work matters in public environments or in exposed areas (planes, transportation, restaurants, social gatherings, etc.), including issuing comments and opinions on blogs and social networks;
- Do not share your CAF Systems access credentials with third parties, including other employees, except in case of need for support by the Security/IT team;
- Immediately report any breach or violation of this Policy to the Information Security area via email: [email protected], as well as report any Information Security incidents.
6.2 Information Security
- Provide broad dissemination and review of the Information Security Policy, Rules and Procedures for all employees and outsourced employees;
- Promote information security awareness actions for all employees;
- Propose and manage projects and initiatives related to the management of CAF's information security;
- Administer and monitor the systems and controls applied under the management of the Information Security area of CAF and its clients;
- Propose and manage projects and initiatives related to information security management to CAF's clients.
6.3 Facilities
- Managing physical access to CAF's premises.
6.4 Privacy and DPO
- Guiding CAF on the adoption of best practices in accordance with data protection laws;
- Monitor and propose solutions to mitigate risks related to privacy;
- Educate employees on data protection best practices;
- To be the point of communication between CAF, data subjects and government authorities.
6.5 Compliance
- Review and validate the Policies, verifying that they are in accordance with the legislation in force;
- Communicate any legislative changes that require adjustments to the Information Security Policies;
- Support other teams, especially the Ethics Team, in handling cases of non-compliance with Information Security Policies, including in proposing legal measures, when applicable;
- Support other areas in the adoption of containment measures in case of incidents of misuse of data.
- Exceptions
Employees who need to obtain an exception to this Policy must submit a detailed explanation of the request with the approval of their leader for review, documentation and approval by the Information Security Team and company management. Requests must be made by opening a ticket with the Information Security department.
When authorized by the Security Team, the acts performed in exception to the provisions of this Policy and its Support Documents, the user may be held responsible, if the practice of acts that may cause damage to CAF, its customers or third parties is verified.
- Penalties
In the event of non-compliance with the rules established in this Policy by employees or third parties, the sanctions described in CAF's Code of Ethics/Conduct will be applied. The severity of the sanctions will be determined according to the degree of gravity of the conduct practiced by the employee.
- Final Provisions
The Information Security department must oversee compliance with this Policy, referring any eventual cases to the board. In situations of doubts related to this policy, it is recommended to contact the Information Security department via email at [email protected].
- References
The following documents are integral to this Information Security Policy for legal purposes and must be equally observed:
- Code of Conduct & Ethics;
- Equipment Use Policy;
- General Data Protection Law (LGPD) – Law No. 13,709/2018;
- Information Classification Policy;
- Information Security Risk Acceptance Term;
- International Standard ISO/IEC 27001:2022;
- Manual of Procedures for Secure Data and Sensitive Information Disposal;
- Personal Data Breach Procedure and Information Security Incident Management;
- Standard for Secure Disposal of Sensitive Information.
- Versions
CAF ownership document.