Information Security Policy
- 1. Objective
- 2. Reference documents
- 3. Definitions
- 3.1. Scope
- 3.2. Information security
- 3.3. ISMS
- 4. Description
- 4.1. Responsibilities
- 4.2. Main areas of the Information Security Management System
- 4.3. Security objective
- 4.4. People
- 4.5. Suppliers and third parties
- 4.6. Assets
- 4.7. Processes
- 4.8. Risk
- 4.9. Information
- 4.10. Systems and Applications
- 4.11. Violation of ISMS Policies and Guidelines
- 4.12. Audit
- General provisions
1. Objective
To provide guidance and support for information security in accordance with business requirements and the relevant laws and regulations, thus contributing to the organization’s financial sustainability.
2. Reference documents
- Algar Group Code of Conduct;
- Logical Access Control Policy;
- Logistics Center Procedure;
- ISO 20000-1:2018;
- ISO 27001:2022;
- Law 13.709/18 – General Personal Data Protection Law (LGPD).
3. Definitions
3.1. Scope
This “Security Policy” maintains the integrity of service provision at all Algar Tech units in accordance with company strategies, current legislation and contractual requirements. The guidelines established here must be followed by all associates, service providers, suppliers, interns, contractors, partners, and customers who use Algar Tech information.
Note 01
Exceptions only when approved by the Board of Directors.
3.2. Information security
These are continuous efforts to protect information assets against various types of threats to ensure business continuity, minimize risk to the organization, helping Algar Tech to fulfill its mission;
It is obtained from the implementation of control objectives and adequate controls to ensure that the organization’s business and security objectives are met.
3.3. ISMS
Information Security Management System.
4. Description
4.1. Responsibilities
Algar Tech, through its presidency and board of directors, affirms its commitment to information security, laws and regulations applicable to the business, based on this “Information Security Policy”.
4.2. Main areas of the Information Security Management System
- Presidency;
- Information Technology;
- Infrastructure;
- Human Resources;
- Operations.
4.3. Security objective
To guarantee the applicability of information security rules, policies and procedures, reflected in the organization’s business.
4.4. People
Algar Tech Associates
a) All associates, young apprentices, interns, service providers, suppliers, contractors, visitors, partners, startups and customers in the Algar Tech environment must be aware of the Algar Group’s Code of Conduct and Information Security Awareness training and be consistent with them.
b) Every associate must sign the “”Confidentiality Agreement”” upon admission or whenever requested by the company.
c) All associates are prohibited from misusing company and/or client information, transmitting it to competitors, using it for their own benefit and/or storing files and e-mails improperly.
d) Algar Tech may automatically receive and store information about the activities of anyone using its resources, including IP address, user, applications, screen/page and conversation carried out within or through the company.
e) Any authentication ID (user and password) on the corporate network or in applications provided by Algar Tech is personal and non-transferable and each user will be responsible for its storage and use.
f) At the end of the employment and/or contractual relationship of associates and/or service providers, Algar Tech will disable all authentication IDs used during the provision of services.
4.5. Suppliers and third parties
a) All creation, invention and development of ideas, processes, systems, products and services carried out during the provision of services at Algar Tech must be transferred to Algar Tech.
b) It is forbidden for any service provider to improperly use company and customer information, transmit it to competitors, use it for their own benefit and/or store files and e-mails improperly.
c) Upon receiving access to any Algar Tech resource, the service provider will be subject to the organization’s internal policies and guidelines and to all the criteria established in the confidentiality clauses available in the service agreement signed at the time of hiring.
d) At the end of the contractual relationship, the person responsible for the Algar Tech service providers’ contract must ensure that the authentication IDs used during the work are duly disabled.
4.6. Assets
a) All associates, young apprentices, interns, service providers, suppliers, contractors, visitors, partners, startups and customers in the Algar Tech environment are responsible for ensuring the proper functioning and integrity of any resource provided by the company to carry out its activities and, when applicable, must sign a resource use commitment term.
b) Any Algar Tech product or equipment that needs to be transported must be safely accommodated, thus ensuring its physical and logical integrity when applicable.
c) Personal computers are not allowed on the corporate network. Except for exceptions previously authorized by the information security area.
d) Access via mobile devices (smartphones, cell phones, tablets, etc.) will be allowed through Algar Tech – Executive Wi-Fi, which only allows the use of applications required for this type of device. In these cases, the only person responsible for ensuring the operation of these assets is the member who owns the equipment.
e) All entry, movement and exit of assets from Algar Tech units must comply with the company’s internal procedures.
4.7. Processes
a) The company must map all business-critical processes and carry out a risk assessment with controls and treatments. These must be known, approved and accepted by the management body.
b) The mapping of critical processes must be reviewed whenever changes with an impact occur in the environment.
4.8. Risk
a) The company must define and apply an information security risk assessment process for existing processes and technologies and its results must be comparable and reproducible, making up the Corporate Risk Map.
b) The risk assessment must be able to identify the vulnerabilities, threats, impacts and acceptable risk levels for assets, people, information, systems, application and mapping of the main business processes in accordance with the company’s strategies, current legislation and contractual requirements.
c) The risk assessment must be reviewed at least once every year, or whenever changes of impact occur in the environment.
4.9. Information
a) Access to information of Algar Tech or its customers in its business and computing environment is restricted and will be made available only to formally authorized persons.
b) All confidentiality clauses agreed with customers in relation to their information must be respected by Algar Tech associates or third parties who may have access to this information.
c) It is expressly forbidden for any user who does not have formal authorization to use, access to any systems and applications or even the simple attempt to access.
d) Any and all information generated within Algar Tech or on its behalf, which is the result of the work of associates, suppliers or service providers is Algar Tech’s right and only Algar Tech can determine its destination and purpose.
e) All creation, invention and development of ideas, processes, systems, products and services, created within the scope of work or the responsibilities and mission of the associate’s function or position in the company, must be transferred to Algar Tech.
f) It is forbidden to disclose any information about the company or its clients to others who do not belong to the same work group, in public media (including photos/filming on social networks) or internal media, without prior authorization or being bound by the Responsibility and Confidentiality Agreement, except for exceptions provided for in the contract.
g) Information generated within the organization must be stored in a backup process with a guaranteed restore in a secure location validated by the competent team.
h) The use of USB sticks, external hard drives or any other type of removable device for transporting or storing data is not permitted. Exceptions must be formally authorized by the information security department.
i) At the end of the contractual relationship with the client or service provider, all information stored on Algar Tech equipment must be deleted or passed on to the same when provided for in the contract.
j) At the end of the employment and/or contractual relationship, associates and/or service providers who may have permission to access equipment or storage media must eliminate any physical and/or logical traces of information generated or acquired within Algar Tech.
4.10. Systems and Applications
a) All software installed on machines owned by or at the service of Algar Tech must have a license for use previously acquired, and the user area must register a request with the Service Desk for installation, authorization and use.
b) The installation of shareware, freeware or equivalent software that is not included in the list of approved solutions will not be permitted.
c) All security updates and corrections must be deployed in accordance with the rules of each application and approved by the security and information technology team. d) All equipment (servers, desktops, notebooks, among others) that allows the installation of antivirus software must have it installed and updated online, and the user cannot disable or uninstall it.
e) All antivirus software must guarantee the blocking of viruses, worms, spyware or any other new attack technology.
f) All e-mail and Internet access must be monitored and protected with antivirus and firewall rules.
g) Algar Tech’s corporate e-mail must only be used to deal with matters related to the company, and the information stored or transmitted is the property of the organization, and it is up to the user to ensure its correct classification and treatment in accordance with the Procedure – Information Classification and Labeling.
h) The use of corporate e-mail for personal purposes, registration on shopping sites and other forms is not permitted.
i) No access to the systems and applications of Algar Tech or its clients may be shared, and the associate who owns the user is solely responsible for maintaining the confidentiality of their login passwords, network user, internet, work files and other Algar Tech applications.
j) The use of Instant Messaging tools that have not been approved by the security and technology team is forbidden, with exceptions, when their effective use in the activities performed by the associate or client is proven.
k) The transfer of files by any Instant Messaging tool and file sharing is prohibited, except for authorized exceptions and/or approved and authorized tools.
4.11. Violation of ISMS Policies and Guidelines
a) Security breaches must be reported to the Information Security area via the Service Desk. Any violation or deviation must be investigated in order to determine the necessary measures to correct the failure or restructure processes. The following are considered security breaches
- Illegal use of software;
- Introduction (intentional or not) of computer viruses;
- Sharing of sensitive business information;
- Sharing personal data;
- Undue exposure of data related to contracts and clients;
- Breach of confidentiality of confidential information and/or sensitive data;
- Disclosure of client information and contracted operations;
- Sharing of Adult, discriminatory, offensive, defamatory, abusive, pornographic, obscene, violent content and any others that may cause, incite or promote attitudes that imply a violation of privacy, intellectual and industrial property;
- Other violations provided for in the Algar Group Code of Conduct, the Algar Group Information Security Policy and current legislation.
b) The security principles established in this policy are fully adhered to by Algar Tech’s presidency and board of directors and must be observed by all when carrying out their duties.
c) Failure to comply with the guidelines of this policy or other policies and guidelines of the organization are subject to Action Plans and Application of Disciplinary Management.
4.12. Audit
a) All associates, as well as third parties using Algar Tech’s technological environment, are subject to network, telephony and application usage audits.
b) Auditing and monitoring procedures will be carried out periodically by the information security area or a contracted company, with the aim of observing compliance by users with the guidelines established in this policy and with a view to managing network performance.
c) If there is evidence of activities that may compromise the security of the network, the information security area will be allowed to audit and monitor the activities of a user, in addition to inspecting their files and access records, in the interest of Algar Tech, and the fact will be immediately communicated to Senior Management.
General provisions
This Information Security Policy is subject to regular changes to ensure that it is up to date in accordance with applicable legislation.
