{"id":5924,"date":"2024-09-03T17:43:55","date_gmt":"2024-09-03T20:43:55","guid":{"rendered":"https:\/\/fourtrust.com.br\/?page_id=5924"},"modified":"2025-02-06T13:04:51","modified_gmt":"2025-02-06T16:04:51","slug":"information-security-policy","status":"publish","type":"page","link":"https:\/\/fourtrust.com.br\/en\/information-security-policy\/","title":{"rendered":"Information Security Policy"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\n \n<\/svg>\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t

Information Security Policy<\/h1>\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

OBJECTIVE<\/strong>
To guarantee the availability, integrity, confidentiality, legality, authenticity and auditability of the information necessary for the conduct of FOURTRUST’s business.<\/p>\n

SCOPE<\/strong>
Applies to all administrators, employees, interns, service providers, systems and services, including work performed externally or by third parties, who use the processing environment, or with access to information belonging to FOURTRUST or ITS CLIENTS.<\/p>\n

Each and every user of the company’s computing resources has the responsibility to protect the security and integrity of information and computer equipment.<\/p>\n

CONCEPTS<\/strong>
Information security is characterized here by the preservation of the following concepts:<\/p>\n

Confidentiality: Ensures that information is accessible only by authorized persons, for the necessary period;<\/p>\n

Availability: Ensures that information is available to authorized persons whenever necessary;<\/p>\n

Integrity: Ensures that the information is complete and integral and that it has not been modified or destroyed in an unauthorized or accidental manner during its life cycle.<\/p>\n

DEFINITIONS<\/strong>
Information: result of the processing and organization of data (electronic or physical) or records of a system. Information Assets: set of information, stored in such a way that it can be identified and recognized as valuable to the company.<\/p>\n

Information systems: in general, these are computer systems used by the company to support its operations.<\/p>\n

Segregation of duties: consists of the separation between the functions of authorization, approval of operations, execution, control and accounting, in such a way that no employee, intern or service provider holds powers and duties that are at odds with this principle.<\/p>\n

Information Security Management Group: group composed of FOURTRUST administrators with the objective of evaluating the information security strategy and guidelines followed by the company.<\/p>\n

INFORMATION CLASSIFICATION<\/strong>
All information produced in the development of the company’s activities must be classified according to the confidentiality levels below:<\/p>\n

Public: This is all information that can be accessed by the organization’s users, customers, suppliers, service providers and the general public. For example: information available on the FOURTRUST website or published in the FOURTRUST em Foco magazine. Internal: This is all information that can only be accessed by employees of the organization. This is information that has a degree of confidentiality that could compromise the organization’s image. Example: weekly bulletin. <\/p>\n

Confidential: This is all information that can be accessed by users of the organization and by specifically authorized partners of the organization. Unauthorized disclosure of this information may cause an impact (financial, image or operational) to the organization”s business or the partner’s business. Example: commercial proposals. <\/p>\n

Restricted: This is all information that can only be accessed by users of the organization explicitly indicated by name or by the area to which they belong. Unauthorized disclosure of this information can cause serious damage to the business and\/or compromise the organization’s business strategy. Example: payroll data is restricted to access only by the HR department. <\/p>\n

RESPONSIBILITIES<\/strong>
In general, it is the responsibility of all administrators, employees, interns and service providers to:
– Faithfully comply with the FOURTRUST Information Security Policy;
– Protect information against unauthorized access, modification, destruction or disclosure by FOURTRUST;
– Ensure that the technological resources, information and systems at its disposal are used only for the purposes approved by FOURTRUST;
– Comply with the laws and regulations that regulate intellectual property;
– Do not discuss confidential work matters in public environments or exposed areas (planes, transport, restaurants, social gatherings, etc.), including issuing comments and opinions on blogs and social networks;
– Do not share confidential information of any kind;
– Immediately report to the Information Security Management area any non-compliance or violation of this Policy and\/or its Rules and Procedures.<\/p>\n

It is the duty of everyone within FOURTRUST:
\u2022 To consider information as an asset of the organization, one of the critical resources for conducting business, which has great value to FOURTRUST and must always be treated professionally.
\u2022 It is the responsibility of the Manager\/Supervisor of each area to classify the information (reports, documents, models, procedures, spreadsheets) generated by their area in accordance with the level of confidentiality established in this document.<\/p>\n

Good practices include:
\u2022 Blocking access to the computer whenever you leave your desk, even for a few minutes;
\u2022 Keeping desks organized and documents with confidential information locked when you are not using them.<\/p>\n

FOURTRUST Information Security Management Group<\/strong><\/p>\n

Mission
To be the manager of the security process and protect the organization’s information, catalyzing, coordinating, developing and\/or implementing actions for this purpose.<\/p>\n

Team:
Carlos Paiva and Rodrigo Medri<\/p>\n<\/p>\n

GENERAL GUIDELINES<\/strong><\/p>\n

EMPLOYEE PERSONAL DATA<\/strong>
FOURTRUST undertakes not to intentionally accumulate or maintain employee personal data other than that which is relevant to the conduct of its business. All employee personal data will be considered confidential. <\/p>\n

Personal data of employees under the responsibility of FOURTRUST will not be used for purposes other than those for which they were collected. Personal data of employees will not be transferred to third parties, except when required by our business, and provided that such third parties maintain the confidentiality of said data. <\/p>\n

ILLEGAL SOFTWARE<\/strong>
The use of illegal software (pirated software) is strictly prohibited at FOURTRUST. Users may not, under any circumstances, install this type of software on the company’s equipment. <\/p>\n

Periodically, the FOURTRUST Information Security Management Group will carry out checks on the data on the servers and\/or on the users’ computers, aiming to ensure the correct application of this guideline.<\/p>\n

EMPLOYEE ADMISSION\/DISMISSAL<\/strong>
FOURTRUST’s HR department must inform FOURTRUST’s Information Security Management Group of any and all temporary and\/or intern movements, and employee admission\/dismissals, so that they can be registered or deregistered in the company’s systems. HR must ask the department responsible for hiring which systems and work file repositories the new employee should have access to. This information must be recorded and forwarded to the Information Security Management Group using the \u201cForm for granting and revoking access to FOURTRUST’s computing resources\u201d. FOURTRUST’s Information Security Management Group will register the new user and inform the new user of their first password, which must be changed by the user upon their first access. <\/p>\n

In the event of termination, the HR department must communicate the fact on the same date to the Information Security Management Group, using the \u201cForm for granting and revoking access to FOURTRUST computing resources\u201d so that all granted accesses are revoked.<\/p>\n

It is the responsibility of the HR department to inform and obtain the necessary signatures of agreement from new hires regarding FOURTRUST’s Information Security Policy.<\/p>\n

GRANTING AND REVOCING ACCESS<\/strong>
When there is a need to grant or revoke access to FOURTRUST’s systems, work file repositories and\/or IT equipment, the requesting sector will communicate this need to the FOURTRUST Information Security Management Group, copying HR, using the \u201cForm for granting and revoking access to FOURTRUST’s computing resources\u201d.<\/p>\n

PASSWORD POLICY<\/strong>
We recommend that passwords always have at least 8 (eight) alphanumeric characters, containing at least one capital letter and one special character.<\/p>\n

We recommend that users also change passwords every 3 months, and that they do not repeat passwords set in the last 12 months.<\/p>\n

Whenever a user is terminated from the organization, all their passwords and access are revoked on the same day.<\/p>\n

WORKING FILES<\/strong>
Working files, considered essential data for business development, are kept on FOURTRUST’s file servers in a system that allows the control, comparison and management of different versions, called SVN.<\/p>\n

Access is via a client application of the versioning system approved by the FOURTRUST Information Security Management Group.<\/p>\n

Examples of work files are:
\u2022 Billing spreadsheet;
\u2022 Invoices;
\u2022 Commercial proposals;
\u2022 Technical analysis reports;
\u2022 Measurement spreadsheets;
\u2022 System documentation used as input for analysis and measurement work.<\/p>\n

Access to SVN outside FOURTRUST premises is blocked and prohibited, unless done via VPN, with due permission from the Information Security Management Group.<\/p>\n

INDIVIDUAL FILES<\/strong>
Individual files are those created, copied or developed by users that are not an integral part of the deliverable product of their work, whether internal or for clients. Some examples are: drafts or reminders, calculation memories, messages, diagrams or technical instructions. The users themselves are responsible for backing up these files. <\/p>\n

Users are not permitted to use or store the types of files listed below on their workstations:
\u2022 Programs not licensed or approved for use by FOURTRUST;
\u2022 Music, films, series, TV programs;
\u2022 Videos not related to professional activity;
\u2022 Pornographic or sex-related content.<\/p>\n

SHARING FOLDERS AND DATA<\/strong>
Sharing work folders and files whose content is classified as CONFIDENTIAL or RESTRICTED information is prohibited through the following:
\u2022 Google Talk, WhatsApp, Viber or any other instant messaging communicator;
\u2022 Sharing Windows folders;
\u2022 Bluetooth;
\u2022 Copying via pen drive or any other removable device;
\u2022 Google Drive, Dropbox, iCloud, OneDrive or any other virtual drive.<\/p>\n

If there is a need to share data between users (internal and\/or external), the Pydio system must be used, available at https:\/\/transfer.FOURTRUSTcs.com.br<\/p>\n

BACKUP COPIES, RECOVERY AND INTEGRITY OF SYSTEMS AND<\/strong> THEIR DATABASES<\/strong>
Backup copies of systems, work file repositories, databases and configurations of equipment and network servers are the exclusive responsibility of the Information Security Management Group.<\/p>\n

INTERNET USE<\/strong>
Internet use will be monitored by the Information Security Management Group, through the use of a navigation registration system that informs which user is connected, the time they used the Internet and which page they accessed.<\/p>\n

The definition of employees who will be allowed to use (browse) restricted websites, such as social networks, is the responsibility of the company’s management, based on a request from its Manager\/Supervisor.<\/p>\n

Users must ensure that they are not performing actions that may infringe third party copyrights, trademarks, licenses of use or patents.<\/p>\n

When browsing the Internet, it is prohibited to view, transfer (downloads), copy or any other type of access to websites:
\u2022 radio stations (*);
\u2022 Online games;
\u2022 Pornographic or sex-related content;
\u2022 That defend illegal activities;
\u2022 That belittle, depreciate or incite prejudice against certain classes;
\u2022 That promote participation in discussion rooms on matters related to FOURTRUST’s business, which do not contain information that adds professional knowledge and\/or for the business should not be accessed.<\/p>\n

Any access to social networks that is not related to the company’s area of interest is not permitted and, therefore, is subject to punishment.<\/p>\n

*Access to radio stations or Spotify is only permitted for use via cell phone, through a connection established on the \u201cFOURTRUST_Guest\u201d Wi-Fi network.<\/p>\n

USE OF ELECTRONIC MAIL<\/strong> \u2013 (\u201ce-mail\u201d)
The electronic mail provided by FOURTRUST is an internal and external communication tool for conducting the company\u2019s business.<\/p>\n

Messages must be written in professional language, must not compromise the image of FOURTRUST, cannot be contrary to current legislation or the ethical principles established in the \u201cCode of Ethics and Conduct\u201d.<\/p>\n

The use of electronic mail is and the user is responsible for every message sent from his\/her address.<\/p>\n

It is not permitted to register personal contacts in instant messaging systems (when using the professional account @FOURTRUST.com.br); and not even the use of personal accounts.<\/p>\n

It is strictly forbidden to send messages that:
\u2022 Contain defamatory statements and offensive language;
\u2022 May cause harm to other people;
\u2022 Are hostile; \u2022 Are related to \u201cchain letters\u201d, pornographic content or equivalent;
\u2022 May harm the image of FOURTRUST and\/or other companies;
\u2022 Are inconsistent with the policies established in the FOURTRUST \u201cCode of Ethics and Conduct\u201d.<\/p>\n

The use of free e-mail (Yahoo!, Hotmail, etc.) on FOURTRUST computers will not be permitted.<\/p>\n

The Information Security Management Group may, in order to prevent viruses from entering FOURTRUST computers, block the receipt of emails from free emails.<\/p>\n

NEEDS FOR NEW SYSTEMS, APPLICATIONS AND\/OR EQUIPMENT<\/strong>
The Information Security Management Group is responsible for defining the purchase, replacement and installation of any and all \u201csoftware\u201d and \u201chardware\u201d.<\/p>\n

Any need for new software or hardware must be discussed with those responsible for the Information Security Management Group. The purchase or development of software directly by users is not permitted. <\/p>\n

USE OF COMPANY-OWNED EQUIPMENT<\/strong>
Users who are in possession of any equipment (desktop, notebook, cell phone or tablet) owned by FOURTRUST must be aware that:
\u2022 The information technology resources made available to users are intended for the performance of professional activities;
\u2022 The protection of the computing resource for individual use is the responsibility of the user;
\u2022 It is the responsibility of each user to ensure the integrity of the equipment, the confidentiality and availability of the information contained therein;
\u2022 The user must not change the configuration of the equipment received;
\u2022 The user must not install or remove any program from the equipment received. Nor must the user change the configuration of any previously installed program. <\/p>\n

Outside of work:
\u2022 Keep the equipment with you at all times;
\u2022 Be careful in hotel lobbies, airports, airplanes, taxis, etc.
\u2022 When transporting the equipment in a car, always use the trunk or a place that is not visible;
\u2022 Be careful when transporting the equipment on the street.<\/p>\n

In case of theft:
\u2022 Report the incident at a police station;
\u2022 Report the incident as quickly as possible to your immediate superior and the Information Security Management Group;
\u2022 Send a copy of the incident report to HR.<\/p>\n

RESPONSIBILITIES OF MANAGERS\/SUPERVISORS<\/strong>
Managers and supervisors are responsible for defining their subordinates’ access rights to the company’s systems and information, and are responsible for verifying that they are accessing exactly the systems and data areas compatible with their respective functions, using and maintaining the equipment properly, and keeping backup copies of their individual files, as established in this policy.<\/p>\n

The Information Security Management Group will periodically audit users’ access to information, verifying:
\u2022 What type of information the user can access;
\u2022 Who is authorized to access a given system and\/or information;
\u2022 Who accessed a given system and information;
\u2022 Who authorized the user to have permission to access a given system or information;
\u2022 What information or system a given user accessed;
\u2022 Who attempted to access any system or information without authorization.<\/p>\n

TELECOMMUNICATIONS SYSTEM<\/strong>
Controlling use, granting permissions and applying restrictions in relation to FOURTRUST telephone extensions, as well as the use of any virtual extensions installed on computers, is the responsibility of the Information Security Management Group, in accordance with the company’s management definitions.<\/p>\n

USE OF ANTIVIRUS<\/strong>
Every file obtained via the Internet or received from an entity external to FOURTRUST must be checked by an antivirus program.<\/p>\n

All workstations have antivirus software installed. Its update will be automatic, scheduled by the Information Security Management Group, via the network. <\/p>\n

The user cannot, under any circumstances, disable the antivirus program installed on the workstations.<\/p>\n

VIOLATION OF SECURITY POLICY<\/strong>
Is any act that:
Exposes the company to an actual or potential monetary loss through the compromise of data or information security or the loss of equipment;<\/p>\n

Involve the disclosure of confidential data, copyrights, trades, patents or unauthorized use of corporate data; Involve the use of data for illicit purposes, which may include the violation of any law, regulation or any other government provision.<\/p>\n

PENALTIES<\/strong>
Failure to comply with this Information Security Policy constitutes serious misconduct and may result in the following actions: formal warning, suspension, termination of employment contract, other disciplinary action and\/or civil or criminal proceedings.<\/p>\n

Validity<\/strong>
The provisions of this document shall come into force on the date of publication of the notice announcing it.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Information Security Policy OBJECTIVETo guarantee the availability, integrity, confidentiality, legality, authenticity and auditability of the information necessary for the conduct of FOURTRUST’s business. SCOPEApplies to all administrators, employees, interns, service providers, systems and services, including work performed externally or by third parties, who use the processing environment, or with access to information belonging to FOURTRUST […]<\/p>\n","protected":false},"author":4,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-5924","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/pages\/5924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/comments?post=5924"}],"version-history":[{"count":0,"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/pages\/5924\/revisions"}],"wp:attachment":[{"href":"https:\/\/fourtrust.com.br\/en\/wp-json\/wp\/v2\/media?parent=5924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}