Information Security Policy

OBJECTIVE
To guarantee the availability, integrity, confidentiality, legality, authenticity and auditability of the information necessary for the conduct of FOURTRUST’s business.

SCOPE
Applies to all administrators, employees, interns, service providers, systems and services, including work performed externally or by third parties, that use the processing environment or have access to information belonging to FOURTRUST or its clients.

Each and every user of the company’s computing resources has the responsibility to protect the security and integrity of information and computer equipment.

CONCEPTS
Information security is characterized here by the preservation of the following concepts:

Confidentiality: Ensures that information is accessible only by authorized persons, for the necessary period;

Availability: Ensures that information is available to authorized persons whenever necessary;

Integrity: Ensures that the information is complete and integral and that it has not been modified or destroyed in an unauthorized or accidental manner during its life cycle.

DEFINITIONS
Information: result of the processing and organization of data (electronic or physical) or records of a system.

Information Assets: set of information, stored in such a way that it can be identified and recognized as valuable to the company.

Information systems: in general, these are computer systems used by the company to support its operations.

Segregation of duties: consists of the separation between the functions of authorization, approval of operations, execution, control and accounting, in such a way that no employee, intern or service provider holds powers and duties that are at odds with this principle.

Information Security Management Group: group composed of FOURTRUST administrators with the objective of evaluating the information security strategy and guidelines followed by the company.

INFORMATION CLASSIFICATION
All information produced in the development of the company’s activities must be classified according to the confidentiality levels below:

Public: This is all information that can be accessed by the organization’s users, customers, suppliers, service providers and the general public. For example: information available on the FOURTRUST website or published in the FOURTRUST em Foco magazine.

Internal: This is all information that can only be accessed by employees of the organization. This is information that has a degree of confidentiality that could compromise the organization’s image. Example: weekly bulletin.

Confidential: This is all information that can be accessed by users of the organization and by specifically authorized partners of the organization. Unauthorized disclosure of this information may cause an impact (financial, image or operational) to the organization’s business or the partner’s business. Example: commercial proposals.

Restricted: This is all information that can only be accessed by users of the organization explicitly indicated by name or by the area to which they belong. Unauthorized disclosure of this information can cause serious damage to the business and/or compromise the organization’s business strategy. Example: payroll data is restricted to access only by the HR department.

RESPONSIBILITIES
In general, it is the responsibility of all administrators, employees, interns and service providers to:
– Faithfully comply with the FOURTRUST Information Security Policy;
– Protect information against access, modification, destruction or disclosure not authorized by FOURTRUST;
– Ensure that the technological resources, information and systems at its disposal are used only for the purposes approved by FOURTRUST;
– Comply with the laws and regulations that regulate intellectual property;
– Not discuss confidential work matters in public environments or exposed areas (planes, transport, restaurants, social gatherings, etc.), including by posting comments and opinions on blogs and social networks;
– Not share confidential information of any kind;
– Immediately report to the Information Security Management area any non-compliance or violation of this Policy and/or its Rules and Procedures.

It is the duty of everyone within FOURTRUST:
• To consider information as an asset of the organization, one of the critical resources for conducting business, which has great value to FOURTRUST and must always be treated professionally.
• It is the responsibility of the Manager/Supervisor of each area to classify the information (reports, documents, models, procedures, spreadsheets) generated by their area in accordance with the level of confidentiality established in this document.

Good practices include:
• Blocking access to the computer whenever you leave your desk, even for a few minutes;
• Keeping desks organized and documents with confidential information locked when you are not using them.

FOURTRUST Information Security Management Group

Mission
To be the manager of the security process and protect the organization’s information, catalyzing, coordinating, developing and/or implementing actions for this purpose.

Team:
Carlos Paiva and Rodrigo Medri

GENERAL GUIDELINES

EMPLOYEE PERSONAL DATA
FOURTRUST undertakes not to intentionally accumulate or maintain employee personal data other than that which is relevant to the conduct of its business. All employee personal data will be considered confidential.

Personal data of employees under the responsibility of FOURTRUST will not be used for purposes other than those for which they were collected. Personal data of employees will not be transferred to third parties, except when required by our business, and provided that such third parties maintain the confidentiality of said data.

ILLEGAL SOFTWARE
The use of illegal software (pirated software) is strictly prohibited at FOURTRUST. Users may not, under any circumstances, install this type of software on the company’s equipment.

Periodically, the FOURTRUST Information Security Management Group will carry out checks on the data on the servers and/or on the users’ computers, aiming to ensure the correct application of this guideline.

EMPLOYEE ADMISSION/DISMISSAL
FOURTRUST’s HR department must inform FOURTRUST’s Information Security Management Group of any and all temporary and/or intern movements, and employee admission/dismissals, so that they can be registered or deregistered in the company’s systems. HR must ask the department responsible for hiring which systems and work file repositories the new employee should have access to. This information must be recorded and forwarded to the Information Security Management Group using the “Form for granting and revoking access to FOURTRUST’s computing resources”. FOURTRUST’s Information Security Management Group will register the new user and inform the new user of their first password, which must be changed by the user upon their first access.

In the event of termination, the HR department must communicate the fact on the same date to the Information Security Management Group, using the “Form for granting and revoking access to FOURTRUST computing resources” so that all granted accesses are revoked.

It is the responsibility of the HR department to inform and obtain the necessary signatures of agreement from new hires regarding FOURTRUST’s Information Security Policy.

GRANTING AND REVOKING ACCESS
When there is a need to grant or revoke access to FOURTRUST’s systems, work file repositories and/or IT equipment, the requesting sector will communicate this need to the FOURTRUST Information Security Management Group, copying HR, using the “Form for granting and revoking access to FOURTRUST’s computing resources”.

PASSWORD POLICY
We recommend that passwords always have at least 8 (eight) alphanumeric characters, containing at least one capital letter and one special character.

We recommend that users also change passwords every 3 months, and that they do not repeat passwords set in the last 12 months.

Whenever a user is terminated from the organization, all their passwords and access are revoked on the same day.

WORKING FILES
Working files, considered essential data for business development, are kept on FOURTRUST’s file servers in a system that allows the control, comparison and management of different versions, called SVN.

Access is via a client application of the versioning system approved by the FOURTRUST Information Security Management Group.

Examples of work files are:
• Billing spreadsheet;
• Invoices;
• Commercial proposals;
• Technical analysis reports;
• Measurement spreadsheets;
• System documentation used as input for analysis and measurement work.

Access to SVN outside FOURTRUST premises is blocked and prohibited, unless done via VPN, with due permission from the Information Security Management Group.

INDIVIDUAL FILES
Individual files are those created, copied or developed by users that are not an integral part of the deliverable product of their work, whether internal or for clients. Some examples are: drafts or reminders, calculation memories, messages, diagrams or technical instructions. The users themselves are responsible for backing up these files.

Users are not permitted to use or store the types of files listed below on their workstations:
• Programs not licensed or approved for use by FOURTRUST;
• Music, films, series, TV programs;
• Videos not related to professional activity;
• Pornographic or sex-related content.

SHARING FOLDERS AND DATA
Sharing work folders and files whose content is classified as CONFIDENTIAL or RESTRICTED information is prohibited through the following:
• Google Talk, WhatsApp, Viber or any other instant messaging communicator;
• Sharing Windows folders;
• Bluetooth;
• Copying via pen drive or any other removable device;
• Google Drive, Dropbox, iCloud, OneDrive or any other virtual drive.

If there is a need to share data between users (internal and/or external), the Pydio system must be used, available at https://transfer.FOURTRUSTcs.com.br

BACKUP COPIES, RECOVERY AND INTEGRITY OF SYSTEMS AND THEIR DATABASES
Backup copies of systems, work file repositories, databases and configurations of equipment and network servers are the exclusive responsibility of the Information Security Management Group.

INTERNET USE
Internet use will be monitored by the Information Security Management Group, through the use of a navigation registration system that informs which user is connected, the time they used the Internet and which page they accessed.

Deciding which employees will be allowed to use (browse) restricted websites, such as social networks, is the responsibility of the company’s management, based on a request from the employee’s Manager/Supervisor.

Users must ensure that they are not performing actions that may infringe third party copyrights, trademarks, licenses of use or patents.

When browsing the Internet, it is prohibited to view, transfer (download), copy or in any other way access websites of the following kinds:
• Radio stations (*);
• Online games;
• Pornographic or sex-related content;
• That defend illegal activities;
• That belittle, depreciate or incite prejudice against certain classes;
• That promote participation in discussion rooms on matters related to FOURTRUST’s business.

Websites that do not contain information that adds professional knowledge and/or knowledge for the business should not be accessed.

Any access to social networks that is not related to the company’s area of interest is not permitted and, therefore, is subject to punishment.

*Access to radio stations or Spotify is only permitted for use via cell phone, through a connection established on the “FOURTRUST_Guest” Wi-Fi network.

USE OF ELECTRONIC MAIL – (“e-mail”)
The electronic mail provided by FOURTRUST is an internal and external communication tool for conducting the company’s business.

Messages must be written in professional language, must not compromise the image of FOURTRUST, cannot be contrary to current legislation or the ethical principles established in the “Code of Ethics and Conduct”.

The use of electronic mail is and the user is responsible for every message sent from his/her address.

It is not permitted to register personal contacts in instant messaging systems (when using the professional account @FOURTRUST.com.br), nor is the use of personal accounts permitted.

It is strictly forbidden to send messages that:
• Contain defamatory statements and offensive language;
• May cause harm to other people;
• Are hostile;
• Are related to “chain letters”, pornographic content or equivalent;
• May harm the image of FOURTRUST and/or other companies;
• Are inconsistent with the policies established in the FOURTRUST “Code of Ethics and Conduct”.

The use of free e-mail (Yahoo!, Hotmail, etc.) on FOURTRUST computers will not be permitted.

The Information Security Management Group may, in order to prevent viruses from entering FOURTRUST computers, block the receipt of e-mails sent from free e-mail services.

NEEDS FOR NEW SYSTEMS, APPLICATIONS AND/OR EQUIPMENT
The Information Security Management Group is responsible for defining the purchase, replacement and installation of any and all “software” and “hardware”.

Any need for new software or hardware must be discussed with those responsible for the Information Security Management Group. The purchase or development of software directly by users is not permitted.

USE OF COMPANY-OWNED EQUIPMENT
Users who are in possession of any equipment (desktop, notebook, cell phone or tablet) owned by FOURTRUST must be aware that:
• The information technology resources made available to users are intended for the performance of professional activities;
• The protection of the computing resource for individual use is the responsibility of the user;
• It is the responsibility of each user to ensure the integrity of the equipment, the confidentiality and availability of the information contained therein;
• The user must not change the configuration of the equipment received;
• The user must not install or remove any program from the equipment received. Nor must the user change the configuration of any previously installed program.

Outside of work:
• Keep the equipment with you at all times;
• Be careful in hotel lobbies, airports, airplanes, taxis, etc.
• When transporting the equipment in a car, always use the trunk or a place that is not visible;
• Be careful when transporting the equipment on the street.

In case of theft:
• Report the incident at a police station;
• Report the incident as quickly as possible to your immediate superior and the Information Security Management Group;
• Send a copy of the incident report to HR.

RESPONSIBILITIES OF MANAGERS/SUPERVISORS
Managers and supervisors are responsible for defining their subordinates’ access rights to the company’s systems and information, and are responsible for verifying that they are accessing exactly the systems and data areas compatible with their respective functions, using and maintaining the equipment properly, and keeping backup copies of their individual files, as established in this policy.

The Information Security Management Group will periodically audit users’ access to information, verifying:
• What type of information the user can access;
• Who is authorized to access a given system and/or information;
• Who accessed a given system and information;
• Who authorized the user to have permission to access a given system or information;
• What information or system a given user accessed;
• Who attempted to access any system or information without authorization.

TELECOMMUNICATIONS SYSTEM
Controlling use, granting permissions and applying restrictions in relation to FOURTRUST telephone extensions, as well as the use of any virtual extensions installed on computers, is the responsibility of the Information Security Management Group, in accordance with the company’s management definitions.

USE OF ANTIVIRUS
Every file obtained via the Internet or received from an entity external to FOURTRUST must be checked by an antivirus program.

All workstations have antivirus software installed. Its update will be automatic, scheduled by the Information Security Management Group, via the network.

The user cannot, under any circumstances, disable the antivirus program installed on the workstations.

VIOLATION OF SECURITY POLICY
A violation of the security policy is any act that:
• Exposes the company to an actual or potential monetary loss through the compromise of data or information security or the loss of equipment;
• Involves the disclosure of confidential data, copyrights, trades, patents or unauthorized use of corporate data;
• Involves the use of data for illicit purposes, which may include the violation of any law, regulation or any other government provision.

PENALTIES
Failure to comply with this Information Security Policy constitutes serious misconduct and may result in the following actions: formal warning, suspension, termination of employment contract, other disciplinary action and/or civil or criminal proceedings.

Validity
The provisions of this document shall come into force on the date of publication of the notice announcing it.
