Information Security Policy

1. Objective

The main objective of this information security policy is to document and protect the information considered important for the continuity and maintenance of the organization's business objectives. It is carried out with the aim of meeting the basic principles of information security, known by the acronym CID: confidentiality, integrity and availability.

2. Scope

This policy applies to all employees, suppliers, visitors, customers and, in general, anyone who exchanges information with ART IT.

3. Definitions

This policy must be disclosed to all ART employees. It does not cover only computer systems: the concept must be applied to all aspects of protection related to technology, procedures and people.

4. Access to Information

4.1 Password Policy

The password, the most conventional form of user identification and access, is a personal and non-transferable resource that protects the employee's identity.

Below are rules that must be followed to create secure passwords:

  1. The password is the sole responsibility of the employee; its disclosure or lending is expressly prohibited, and it must be changed immediately if disclosure is suspected;

  2. The initial password will only be provided to the employee, who must change it in order to have access to the systems;

  3. Sharing logins for system administration functions is prohibited;

  4. Passwords should not be written down;

  5. Sharing your password with third parties is prohibited;

  6. It is prohibited to use the password on third-party equipment;

  7. Passwords must meet the following prerequisites:
    a. Minimum length of eight characters;
    b. Contain at least three of the following character types: uppercase letters, lowercase letters, numbers and special characters;
    c. Not be based on personal information that is easy to deduce (birthday, father's name, etc.);
    d. Be valid for 60 days;
    e. Not repeat any of the previous three passwords.

Employee access must be immediately cancelled in the following situations:
    a. Employee termination;
    b. Change of employee role;
    c. When, for any reason, the employee's need for access to the system or information ceases.

For the aforementioned cancellations, the Human Resources area will be responsible for promptly informing the Infrastructure team about the employee's dismissals and change of role.

4.2 Email

  1. Email is one of the main communication tools. However, it is also one of the main routes for the dissemination of malware, viruses and SPAM, which is why there is a need to standardize its use. Corporate email is intended for professional purposes, related to employees' activities;

  2. E-mails sent or received from external addresses may be monitored in order to block spam, malware, viruses or other malicious content that violates the Information Security Policy;

  3. It is prohibited to send, with a corporate email address, messages with private announcements, advertisements, videos, photographs, music, chain messages, campaigns or promotions;

  4. It is prohibited to open files of unknown origin attached to electronic messages;

  5. It is prohibited to falsify addressing information or alter headers to hide the identity of senders and/or recipients;

  6. It is prohibited to produce, transmit or disseminate a message that:
    a. Contains electronic threats, such as spam, phishing, mail bombing or malware;
    b. Contains files with executable code: .exe, .cmd, .pif, .js, .hta, .scr, .cpl, .reg, .dll, .inf, or any other extension that represents a security risk;
    c. Aims to gain unauthorized access to another computer, server or network;
    d. Aims to disrupt a service, server or computer network through any illegal or unauthorized method;
    e. Aims to circumvent any security system;
    f. Aims to secretly surveil or harass another employee;
    g. Aims to access confidential information without explicit authorization from its owner;
    h. Contains inappropriate, obscene or illegal content;
    i. Is slanderous, defamatory, degrading, infamous, offensive, violent, threatening or pornographic, among others;
    j. Includes copyrighted material without the permission of the rights holder;
    k. Contains personal data of ART IT employees or of third parties.

The use of personal email is acceptable in moderation, when necessary, and provided that it:
    a. Does not contravene the rules established here;
    b. Does not negatively interfere with the employee's own professional activities or those of other employees.

4.3 Network Access

Access to ART IT's internal network must be properly controlled to minimize the risks of unauthorized access and/or information unavailability. Therefore, certain rules must be established, as listed below:

  • Wireless Internet access must be obtained using a network username and password.

  • Visitors are prohibited from accessing ART IT's wireless network; a specific network will be provided for such access, which will not have connectivity with ART IT's local network.

  • The unauthorized use, copying, or distribution of software that has copyrights, trademarks, or patents is strictly prohibited.

  • Employees and visitors may not use ART IT's resources to download or distribute pirated software or data, an activity considered criminal under national legislation.

  • As a general rule, sexually explicit materials may not be displayed, stored, distributed, edited, printed, or recorded using any resource.

  • Digital documents of illicit conduct, such as advocacy of drug trafficking and pedophilia, are expressly prohibited and must not be accessed, displayed, stored, distributed, edited, printed, or recorded using any resource.

  • Employees and visitors may not use ART IT's resources to deliberately or inadvertently propagate any type of virus, worms, trojans, spam, or remote control programs of other computers.

  • Peer-to-peer software is not permitted.

  • Attempts to bypass network access controls, such as using anonymous proxies and firewall bypass strategies, are not permitted.

  • The use of vulnerability scanning applications, traffic analysers, or any other tool that may overload or harm the proper functioning and security of the internal network is not permitted, except when the objective is to conduct security audits.

5. Information Classification

Information classification involves defining the level of protection that each item of data must receive, ensuring that no data is improperly disclosed and that only authorized individuals have access to the information.

It must align with the definitions of the LGPD, which sets the standards for the collection, processing, protection, and publication of personal and sensitive data.

5.1. Responsibility and Principles of Information Classification

  • The information security manager is responsible for requesting the classification of information confidentiality from the employees to whom this authority has been delegated.

  • Information classification must consider:
    a. The need to protect information according to its importance and consequences if compromised;
    b. Legal regulations and requirements;
    c. Contractual obligations.

  • Information classification must exist regardless of format, location, and storage media.

  • Access grants to computing environments, network folders, network devices, and others that allow access to ART IT's information must have approval from their respective information managers.

  • Each area's respective information manager must periodically conduct a classification analysis process to assess whether the information remains at the same confidentiality level or if reclassification should be requested.

  • Employees' access rights to information must be periodically reviewed and updated by their respective information managers.

  • In cases where various differently classified information is combined, the resulting information must be classified adopting the highest level of restriction.

5.2. Classification Levels

Assigning a security level to a particular classification constitutes the pillar that will determine the minimum safeguards necessary to protect sensitive information and ensure the critical operational continuity of information processing capabilities.

  • Confidential: This is the highest security level within this standard. Confidential information is that which, if disclosed internally or externally, has the potential to cause significant financial or reputational damage to ART IT. Therefore, this classification includes all personal and sensitive data (defined as DP in ABNT NBR ISO/IEC 27701) described in the LGPD (LAW No. 13,709, OF AUGUST 14, 2018).

  • Confidential-DP: A subclassification of Confidential for personal and/or sensitive data (DP) to provide appropriate treatment and follow processes intended for DP, as per LGPD.

  • Restricted: This is the medium level of confidentiality. Strategic information that should be available only to previously authorized employees.

  • Internal Use: Represents a low level of confidentiality. Internal use information is that which cannot be disclosed outside ART IT but, if it happens, will not cause significant damage. The concern at this level is mainly related to the integrity of the information.

  • Public: Data that does not require sophisticated protection against leaks, as it can be publicly known.

5.3. Information Lifecycle

The information lifecycle corresponds to the stages information goes through as physical, technological and human assets use it in the processes that support the organization's operation.

In this sense, the information lifecycle deserves attention, as it corresponds to situations where information is exposed to threats, risking its integrity. Thus, we can highlight four phases related to the lifecycle:

  1. Creation and Handling: When information is created and handled, whether flipping through papers, typing received information, or even using access passwords for authentication.

  2. Storage: When information is stored, whether in databases, paper notes, optical media, etc.

  3. Transport: When information is transported, whether by email, postal service, telephone, etc.

  4. Disposal: When information is no longer useful and must be discarded (e.g., placed in a trash bin, deleted from the database, etc.).

Considering the information lifecycle concerning disposal, the maximum access restriction periods should be observed, as described below:

  • Confidential Information: 30 years.

  • Confidential-DP Information: As per the Labor, Social Security, and FGTS Document Retention Table, available in ART IT's Personnel Department.

  • Restricted Information: 10 years.

  • Internal Use: As determined by the information manager.

  • Public Use: As determined by the information manager.

The classification level may change during the lifecycle, so that "confidential" information may later be considered "restricted," for example, provided that the delegated authority responsible so establishes, respecting the reclassification lifecycle.

5.4. Best Practices

  • Special attention is needed to prevent the information manager from mistakenly requesting a public classification for sensitive information, so criteria must be adopted to decide which information can be classified as public.

  • Confidential information must have its classification stamped.

  • Information that does not have explicit classification does not exempt the information manager from the responsibility to evaluate and request appropriate classification.

  • The use and access of produced or received information must be done according to its classification, assigning users the minimum permissions necessary to perform their activities.

  • The processing, storage, transmission, and elimination of information must be done according to its classification, in accordance with current legislation.

  • Information storage must consider logical and physical protection measures, according to its classification, so that information is accessed only by authorized users.

  • Information elimination must occur permanently, following determined procedures, which may include the use of paper shredders, hard disk degaussers, among other resources.

  • Information must be classified before being disclosed, under the risk of losing its confidential nature, if applicable.

6. Awareness and Training

The goal is for all employees to have an adequate level of security knowledge, as well as an appropriate sense of responsibility. The idea is to always encourage and motivate employees to care about security and privacy.

Specific training on information security and LGPD should be part of the corporate training schedule, maintaining control over how many employees participated in training, as new employees may join the company.

In addition to training, notices, reminders, or informative bulletins of best practices should be constantly used to reinforce the most important items.

The awareness calendar should be annual, defined at the beginning of the year, and disseminated throughout the company.

7. Business Continuity

The business continuity management process related to information security is implemented to minimize impacts and recover losses of information assets after a critical incident, returning operations to an acceptable level through a combination of requirements such as operations, key employees, critical process mapping, business impact analysis, and periodic disaster recovery tests.

This process will follow the provisions of ART IT's Business Continuity Policy and should consider at least the following scenarios for conducting business continuity tests:

  • Exploration of possible vulnerabilities that allow access, copying, and/or extraction of internal and/or confidential information and data from ART IT's logical environment.

  • Conducting intrusion tests on databases containing sensitive ART IT information.

  • Recovery time of access to backup information in case of loss of sensitive information (RTO).

  • Strategies for recovering sensitive information and relevant services.

  • Definition of the minimum amount of resources to be recovered in case of severe data loss failure (RPO).

8. Physical Access

All physical access to ART IT will be identified, electronically for employees and manually for visitors.

Cameras should be spread at strategic points, and recordings stored in the cloud, retaining images for a minimum of 2 months.

External suppliers must always be accompanied by an ART IT employee.

All ART IT production servers must be installed in the data center, which has access control for only previously authorized employees; only test servers may be physically installed on ART IT premises.

9. Incident Response Plan

The security and privacy incident response plan is essentially a process. It describes how ART IT will respond to emergency and exception situations. Due to the severity, the response must be quick and reliable, while preserving forensic evidence that can help prevent new incidents and meeting legal communication and transparency requirements. For the process to function and be established, prior and continuous preparation is a prerequisite, addressing the following items:

  • Formation of the Incident Response Team (IRT). This is a group of employees that must be designated through a Board Resolution, with access, skills, responsibilities, training, and key knowledge to respond to various types of incidents. The IRT must hold periodic meetings to define improvements to this plan, verify prerequisites, mechanisms, assignments, preparation needs, as well as dissemination and training for members and other employees. The Data Protection Officer (DPO) and at least one representative from the information security team must be part of this group.

  • Installation and dissemination of incident communication mechanisms. Forms of notification to ART IT when incidents occur must be created, made available, and published. Paragraph 1, Article 41, of Law 13709/2018, the LGPD, establishes: "The identity and contact information of the officer must be publicly disclosed, clearly and objectively, preferably on the controller's website." Therefore, the emails: dpo@artit.com.br and seguranca@artit.com.br must be disclosed.

9.1 Incident Response Process

  1. Start

    • A new incident is reported by a person, whether external to ART IT or not, or by a monitoring alarm, using one of the defined communication mechanisms. The notification is received by the IRT.

  2. Screening

    • The IRT must conduct a preliminary assessment, discarding empty or clearly unfounded notifications with due care.

    • In the preliminary assessment, information about the allegedly impacted systems, their criticality, apparent damages, and the risk of the situation worsening if there is no immediate response should be sought.

    • According to the preliminary assessment, incidents that do not involve online systems and that certainly do not present increased risk from the lack of immediate action may be redirected to ART IT's regular procedures by the information security team and, if the incident involves personal data, by the DPO.