Information Security Policy
Last updated: July 2022.
Information Classification: Open to the public.
Definition
This document describes the Senior Group's guidelines on Information Security Policy, whose rules and procedures are confidential and published internally. These guidelines indicate the acceptable use of the institution's information assets based on the principles of confidentiality, integrity, and availability.
Target Audience
Senior Group, Third Parties, Service Providers, Clients, Partners, and Channels.
Objective
- Establish Information Security guidelines and policies that enable Senior's employees to adopt security behavior standards that are appropriate to their goals and needs;
- Guide employees in adopting controls and processes to meet Information Security requirements;
- Train Senior employees in preventing, detecting, and responding to Information Security incidents;
- Prevent possible causes of Information Security incidents;
- Safeguard Senior's information and technological assets, ensuring confidentiality, integrity, and availability requirements;
- Minimize the risks of financial loss, loss of customer confidence, or any other negative impact on Senior's business due to security breaches.
Responsibilities
The Senior Group's Information Security Policy addresses the general responsibilities of the institution, its employees, third parties, and Senior Management.
Information Security Awareness and Training
The Senior Group establishes continuous education guidelines to cultivate good security practices for everyday use by employees for both professional and personal purposes. The Policy addresses procedures used in the institution's awareness program, such as training and internal newsletters.
Information Security Risk Management
The Information Security area is responsible for cyber risk management. This process identifies the security requirements related to the institution's needs. Cyber risk management is continuous and defines internal and external contexts for assessment, as well as treating identified risks so that they are reduced to acceptable levels.
Password Management
The Senior Group follows best practices for password usage, including requiring complex passwords and avoiding the reuse of previous passwords.
Passwords must meet minimum character requirements, lock out after unsuccessful attempts, and be changed periodically.
Asset Management
The Senior Group has its information assets identified, updated, and categorized, with their respective owners responsible for the acceptable use of the assets, according to the internal policy.
Information Protection and Classification
The Senior Group establishes guidelines for classifying, handling, and labeling the company's information assets. The internal document outlines guidelines for classifying information and describes its categories, procedures for handling and disposing of information, rules for data leakage prevention, policies for data copying and restoration (backup and restore), as well as guidelines for encryption.
Acceptable Use of Technology Resources
The Senior Group's technology resources must be used in a professional, ethical, and legal manner, as defined in the applicable terms of responsibility. The Information Security Policy addresses the definition of technological resources, as well as the rules that Senior's employees and third parties must follow.
Identity and Access Management
The Senior Group establishes general guidelines for access to assets and information systems. All access management is the responsibility of the Information Technology area and is based on the principle of need-to-know: access is granted only to the information an employee requires to carry out their work activities.
The Policy defines guidelines such as:
- Business Area Access Profiles;
- Employee Admission or Area Transfer Process;
- Employee Termination Process;
- Third-party, Guest, and Temporary Access;
- Database access;
- Remote Access;
- Physical Access;
- Access Review;
- Password Parameterization;
- Multi-Factor Authentication.
Cryptography
Senior's information assets are adequately encrypted to ensure protection throughout the information lifecycle, following the security standards of regulatory bodies.
Software Development
The Senior Group develops its applications in accordance with internal procedures, documents, and work instructions, following information security practices aligned with the internal Security Policy.
Production environments are segregated from other environments and accessed by previously authorized users or approved tools.
All systems or applications acquired from third parties must follow the guidelines defined in the Information Security Policy and be duly approved.
Protection Against Malware
Senior defines guidelines and uses market-leading tools to protect against malicious code (malware) threats. In addition, the Senior Group has security solutions based on AI (Artificial Intelligence) to identify, detect, and immediately respond to threats.
Security Monitoring
The Information Security Policy addresses security monitoring, describing the necessary aspects for identifying potential threats. The Senior Group employs effective practices, procedures, and processes to monitor security-related activities.
Remote Working
The Senior Group sets requirements for remote working, such as the use of a Virtual Private Network (VPN).
Vulnerability and Compliance Management
The Senior Group implements vulnerability and compliance management processes that set guidelines for:
- Vulnerability Management;
- Compliance Management;
- Periodic Security Testing;
- Security Corrections (Patch Management).
Backup
The Senior Group adopts Backup and Disaster Recovery solutions to protect its data against loss of information.
Periodic tests are carried out to guarantee the integrity of information, check the effectiveness of processes, and establish improvements.
Security Incident Response
The Senior Group establishes guidelines for preventing, responding to, and appropriately dealing with security incidents that affect or may affect the institution's information assets, services, or technological resources.
In this topic, the Policy covers the responsibilities of the departments in preventing and responding to incidents.
In addition, the Policy describes rules for prioritization and severity regarding possible incidents, procedures for defining authorities, and guidelines for preparing business continuity test scenarios.
It should also be noted that the Senior Group has an Incident Response Plan, which contains the methodology and guidelines for dealing with cyber security incidents.
Business Continuity Management
The Senior Group runs business continuity management with solutions, strategies, and procedures to be carried out during possible contingency scenarios in line with the institution's purpose and strategic goals. To this end, Senior has a Business Continuity Plan (BCP) that meets the functions defined in internal documents.
Third-party Management
The Senior Group establishes guidelines for third-party professionals on its premises or for contracting third-party services.
The Senior Group has additional due diligence rules for relevant third parties—those that store or process critical data in a technological infrastructure not owned by Senior.
Mobile Device Security
The Senior Group establishes guidelines for the safe use of mobile devices, as well as the duties of the departments responsible for monitoring them.
Network Security
The Senior Group has security tools capable of detecting and responding to intrusion attempts in its environment. In this topic, the Policy also covers rules about the corporate and public wireless networks.
Personal Data Privacy
The Senior Group guarantees that personal data is not processed for unlawful or abusive purposes and upholds the fundamental right to privacy under the LGPD - General Personal Data Protection Law (Law No. 13,709 of August 14, 2018).
Sanctions and Punishments
The Information Security department continuously monitors the technological environment using various methods to ensure compliance with and adherence to this Policy. A breach of the rules set out herein, or of the other Information Security rules and procedures, even by omission or unconsummated attempt, may be classified as an Information Security incident, which is subject to penalties.
Other sanctions and penalties for non-compliance with Information Security rules are described in the Internal Policy.