1. OBJECTIVE
Define the guidelines that will guide the norms and standards that deal with the protection of information, covering its generation, use, storage, distribution, confidentiality, availability and integrity, regardless of the medium and location in which it is contained, based on current legislation, and in good information security practices.
2. RESPONSIBILITY
This Policy is the responsibility of the Homine Technology Department. Any changes to this Policy must be approved by the Homine Technology Department.
Senior management is committed to the continuous improvement of procedures related to information and cyber security.
This policy applies to all employees, suppliers and service providers who use or provide relevant technological services.
3. TARGET AUDIENCE
This Policy applies to all Homine divisions.
4. GENERAL GUIDELINES
A. Information Processing
Information in the custody of any area of Homine, even if it belongs to customers, employees or suppliers, must be protected against access by unauthorized persons.
Access, generation, use, classification, modification, distribution, transfer, storage and deletion of information must be carried out in accordance with the company's needs, and these processes must be properly documented. Homine areas (“areas”) reserve the right to consult and analyze information stored on its premises and in its equipment, as well as in pouches, envelopes, physical and electronic files, generated or received using its human and materials.
Only authorized resources should be used to ensure secure sharing of information when necessary.
The information must be stored for the time determined by the institution, legislation or current regulation, whichever is longer, and retrievable when necessary. The information storage location must be appropriate and protected against accidents and access by unauthorized persons.
B. Access to Information
The use of external communication networks (Internet, private networks, etc.) must be controlled through Servers Firewalls, Access Servers Internet, Servers AntiSpam, Antivirus tools and operating system policies that ensure that only the necessary resources are available for work, without risk to the operational environment.
External access to the organization's systems, when carried out by Technical Support Area personnel or service providers, must be controlled and restricted to the necessary services, maintaining usage trails and restricting themselves to the minimum necessary. The solution found for each case must be formalized and documented.
Additionally, when external access is carried out for the purpose of Home Office, the Safety Policy must be observed and followed Home Office available at intranet.
The sending of the organization's data, whether to meet business requirements or to enable the resolution of problems encountered, must be assessed based on the risks and the adoption of procedures that guarantee the control and integrity of the data, in addition to the legitimacy of the recipient of information. Whatever is agreed must be formalized and approved by the managers responsible for the information.
C. Application Systems
Application systems developed within the organization must be documented and controlled regarding changes or corrections made, with trails of what was done and safe storage of the font library. All information necessary for eventual reconstruction of applications must be included in their documentation.
Application systems developed outside the organization, owned by third parties (with license for use by the organization), must have the library of sources and additional resources (acquired libraries, components, etc.) under the custody of a suitable entity, by mutual agreement between the organization and the company providing the software. Such sources must always be updated and checked for validity and synchronization with the version in use in the production environment.
Misuse of systems, whether accidental or deliberate, must be combated by separating system administration functions from functions executing certain activities, or between areas of responsibility. Such segregation of functions aims to create controls to prevent fraud or collusion in the performance of critical system activities. Where it is impractical to implement segregation, other controls such as activity monitoring, audit trails and management monitoring must be considered.
To minimize the risk of system failures, prior planning and preparations must be made to ensure adequate availability and capacity of resources. For new systems, operational requirements must be documented and tested before acceptance and use. For systems already in use, projections of resource demand and future machine load must be made in order to reduce the risk of unavailability due to overload (Capacity Planning).
5. SPECIFIC GUIDELINES
A. Information Processing
For the set of information used by an application system, the Security and Contingency Steering Committee must designate two owners, directors of Homine, one of whom represents the operational area and the other from the business area.
The information owners are responsible for:
i. Appoint the information manager, who is responsible for proposing the rules for access to said information, and managing it operationally; It is
ii. Approve the rules for access to information, as proposed by the manager.
Each information manager will appoint a replacement manager, to be approved by the owners, who will perform his or her duties in the event of absence.
Each information manager and his replacement will receive a Login differentiated to perform this function, that is, configure the systems to meet the standards described below for processing information, as well as granting access to users.
- Standards for processing information
Clear rules must be defined to protect information against loss, alteration, access by unauthorized people, activity trail and logs and traceability, regardless of the medium in which it is stored (electronic, magnetic, printed, etc.).
The users (companies, areas, people, etc.) of the information must be clearly defined, the rights each person has to access it and the procedures to protect it from access by unauthorized persons, regardless of how it is available. All information must be used only for professional purposes, of exclusive interest to the company.
All relevant information must have at least one backup copy or another efficient procedure for prompt recovery in case of loss. No information should be accessed, disclosed or made available, under any pretext, without due authorization.
The transmission to third parties, by any means, as well as the dissemination, reproduction, copying, use or exploitation of knowledge, data and information owned by the Institutions, usable in their activities, is prohibited, without the prior and express authorization of the responsible Board, and of which employees become aware during the employment relationship, extending such prohibition to the period after the end of the employment contract, without prejudice to criminal actions applicable to the matter.
Users must adopt the practice of classifying information with the aim of providing appropriate treatment to the information in terms of its confidentiality. Guidance on information classification is available in MI/04/060 – Information Classification Policy.
- Recommendations for processing information
Anyone who incorrectly receives information must immediately contact the sender and alert them to the error. The information available on Internet They should only be accessed for the purpose of carrying out activities of exclusive interest to the company.
All information on paper, removable media or any other storage medium must be destroyed after use, or stored in such a way that it is not available to unauthorized persons.
Maintenance on equipment that stores information must be monitored by a representative from the area whenever this equipment is in use or logged in with the credential of the employee who needs the support. When sold, returned to the manufacturer, sent for maintenance or transferred to other users, the information contained therein must be destroyed before the equipment is released, in accordance with MI/04/017 – Disposal of Magnetic Information Storage Media.
Managers must determine the rules for access and distribution of information, considering the following items:
The. Risks inherent to information:
– Access by unauthorized persons;
-Improper alteration, use, classification, modification, distribution, transfer, storage or disposal;
– Unavailability.
B. Consequences:
– Fraud: Possibilities of harming Homine companies or third parties (customers, suppliers, etc.);
– Legal problems: Possibilities of generating losses, fines, penalties or embarrassment for Homine Institutions, Directors and Employees, other individuals or legal entities;
– Loss of business: Possibility of not realizing expected revenue or generating losses in businesses implemented or in the implementation phase;
– Damage to Homine’s image: Possibilities of damaging the image of Homine or its employees;
– Recovery problems: Possibilities of generating recovery costs for lost or damaged information.
B. Safety regarding People
This topic addresses human security and aims to reduce the risks of human error, theft, fraud or inappropriate use of Homine information and resources.
i. Identification of people
All people with access to systems and information, belonging to or in possession of Homine, must have a unique identification (Login). Exceptions must be duly documented and approved by the Security and Contingency Steering Committee.
ii. Declaration of Responsibility
It is a commitment of direct responsibility of the employee towards the information, equipment and other Homine properties entrusted to him, and must be read and signed upon admission.
This concept should also be used for service providers and customers:
– Service Providers: the declaration of responsibility must be one of the clauses of the contract
– Customers: the declaration of responsibility must be one of the clauses of the product subscription agreement – or equivalent document, if the customer is given a password to access the information.
The declaration of responsibility must be read and signed, within the accepted and approved formats in physical or electronic media, by all employees before being filed in the respective functional folder. The Human Resources Department must ensure that all employees have their responsibility declaration signed.
C. Logical Security of Computers, Networks and Application Systems
This item deals with access control to systems and information belonging to or in the possession of Homine.
Every application system defines a set of operations applicable to the information under its domain. Typically these operations are: query, inclusion, change, deletion, etc.
An access profile defines which operations can be performed by a certain class of users, using a certain type of information.
If the operations and their respective information involve amounts, limits may be created, which define the maximum amount involved in operations carried out by each class of users.
The rules for accessing information from an application system must include the definition of user profiles, jurisdictions and classes, as well as the operational processes to be used for their administration and control.
i. Standards for logical security of computers and networks:
Access to services and data must be controlled based on the requirements of each business, must be clearly defined and documented and all application systems must be aimed at implementing and maintaining these controls.
Each information manager is responsible for defining and keeping access profiles for their applications updated, aiming for the minimum access necessary to carry out activities as well as avoiding conflicts of interest.
ii. Administration of access to application systems:
The information must be analyzed by the respective information managers, in order to allow access rules to be defined, through profiles and jurisdictions.
Application systems must have resources that enable access management, through the profiles and authority defined by the respective information managers.
iii. User access administration:
There must be formal procedures that cover all activities linked to access management, from the creation of a new user, through the administration of privileges and passwords and including the deactivation of users, respecting MI/04/055 – Review of Physical Access, Systems and Directories
iv. Access control to computers and networks:
It must be ensured that computer users, whether or not connected to a network, do not compromise the security of any system or product. Access to computing services must always occur through a secure procedure, by which the user connects to a specific system or network, which must be planned to minimize opportunities for unauthorized access.
The production, approval and development environments must be segregated from each other, in order to prevent undue access.
v. Standards for controlling access to computers, networks and application systems:
An effective access control system must be used to authenticate users. The main features of this control are:
– Access to computers and networks must be password protected;
– Passwords can be changed by users in any environment (operational or application);
– Systems must be programmed to never display the password on the screen;
– Passwords must be individual and non-transferable. The password is for exclusive, personal and non-transferable use, and sharing is prohibited under any circumstances;
– Passwords should not be trivial and predictable;
– The types of characters used to form the password must be:
- Capital letters;
- Small letters;
- Numbers;
- Special signs or symbols (Ex:@#$%&*-+=“ ́`^~{ }[ ]/|\? !).
– Passwords must have a minimum length of 08 (eight) characters, with the use of at least three of the four types of characters defined above being mandatory, with the use of at least one special sign or symbol being mandatory;
– If any system defines an initial password, it must force the user to change it on first access;
– Password files must be encrypted and recorded separately from data files, in a restricted access environment;
saw. Monitoring use and access to application systems:
All application systems must:
– Detect unauthorized access attempts;
– Whenever there are risks that affect the business, audit trails must be recorded for future investigations, recording access data, such as: user identification, location, terminal or network station identification, date and time of access, identification of the application accessed and transactions executed; It is
– Issue access management reports (by user, application module and functions).
viii. Systems development process:
The systems developed must observe and follow good market practices on secure development in order to mitigate risks and vulnerabilities commonly exploited in the systems. Compliance with the process must be achieved through the adaptation of processes and/or the use of specific technologies for this type of purpose.
Additionally, Information Security is responsible for evaluating the need for security tests on any system, whether internal, exposed on the internet, hosted outside of Homine's technological infrastructure, developed internally or externally.
D. Security in Service Provider Access
This topic aims to establish controls over the organization's information processing resources during the execution of services by external contractors.
An assessment of the risks involved must be made to determine the security implications and necessary controls. Whatever is agreed must be explained in the signed contract.
The use of the provider's own equipment connected to the organization's network without due written authorization from the information security area, which must assess the need through technical justification, is prohibited. If necessary, they must be segregated into their own network and a “firewall” to control access.
If the provider uses software own equipment in the organization, documentation or a term of responsibility must be presented guaranteeing the right to use, which will be maintained as long as the software is installed.
E. Physical Computer Security
This topic is intended for users and administrators of computers connected or not to a network.
The objective is to ensure that areas establish, manage and use computers in a secure manner, and that appropriate measures are taken to respect the confidentiality, integrity and availability of information that is stored and manipulated through such equipment.
i. Standards for physical computer security:
Storage media considered removable media must have controlled access. When not in use, they must be locked, with access restricted to authorized people. Computers not connected to a network, and which contain important information for the company's business, must be installed in a structure that guarantees the physical security of this equipment, including systems that maintain electricity supply and data recovery.
Users connected to a network, and who deal with information important to the company's business, must keep this information stored on network servers.
ii. Responsibility for physical computer security:
Hands4IT is responsible for preparing and keeping the inventory of hardware It is software in the Headquarters, Agencies and Regional Buildings. The Property Security area is responsible for ensuring control over physical access to equipment.
F. Standards for Computer Installation
The installation standard for computers must meet all standards stipulated by the Conglomerate.by Homine.
The structure to maintain physical security must comply with Homine's general security standards and comply with the following specifications:
i. Living room:
– The dimensions of the location must be sufficient for the installation of
equipment;
– The layout of logic and power cables must be adequate so that
people can move freely;
– The air inlets (ventilation) of the equipment must not be obstructed; It is
– Equipment must be in firm locations that avoid shaking.
ii. Refrigeration and air quality:
– Air conditioning must be as specified by the manufacturer;
– The environment must be free from pollution by dust, gases or smoke in order to prevent pollution from penetrating the equipment, causing it to break down or processing failures.
- Electrical network:
– It is recommended that there be exclusive grounding for the equipment and that the power points are stabilized;
– For equipment considered critical, it is recommended to install a UPS (Uninterruptable Power Supply), an alternative power supply source that is automatically activated when there is a power outage;
– The equipment must be installed on an electrical network following the standards recommended by the manufacturers; It is
- Fire Equipment:
– There must be fire-fighting equipment suitable for electronic materials, such as CO2 extinguishers, and these must be in a visible, marked and unobstructed location, and be known to all employees; It is
– There must be adequate fire prevention equipment, such as smoke detectors and fire alarm, and there must be an efficient means of warning a fire fighting agency.
v. Lighting:
– Lighting must be adequate, avoiding direct sunlight on the equipment.
saw. Precautions regarding the availability of storage media:
– When removable storage media are sold, returned to the manufacturer or sent for maintenance, the information contained therein must be destroyed before leaving Homine's premises, as per MI/04/017 – Disposal of Magnetic Information Storage Media. It is important to highlight that on magnetic media it is not enough to erase the data, you must run a program that actually destroys it.
G. Physical Security of Network Servers
This item is intended for users of operating systems with network server characteristics.
The objective is to ensure that Homine manages and uses the various operating systems in a secure manner, and that appropriate measures are taken to guarantee the confidentiality of your data, the integrity and availability of equipment and storage media.
i. Standards for physical security of network servers:
Removable storage media must have controlled access. When not in use, they must be locked, with access restricted to authorized people.
File servers must be installed in an area that guarantees the physical security of this equipment, including systems that maintain electricity supply and data recovery.
ii. Responsibilities for the physical security of network servers:
The Local Administrator, when applicable, or the Hands4IT Production Area, in the case of the Headquarters Building, is responsible for:
– Develop and maintain the inventory of hardware It is software; It is
– Ensure physical access control to equipment.
H. Standards for Installing Network Servers
The installation standard for network servers must meet all standards stipulated by Homine.
The structure to maintain the physical security of network equipment must comply with the same specifications used for installing computers with the following additional specifications:
- Living room:
– Closed, but allowing an internal view of the room, with partitions up to the ceiling.
- Electrical network:
– On servers, use UPS equipment (approved by authorized technicians) with UPS; It is
– There must be exclusive grounding for the equipment and stabilization of electrical power points.
- Fire Equipment:
– In the case of server and/or telecommunications rooms, the use of automated fire-fighting devices, clean extinguishing agents such as gases and other resources specific to this type of environment should be considered.
- Precautions regarding the availability of storage media:
– Maintenance of removable media, carried out on site, must be monitored by the person responsible for the area.
I. Backup and Restore
This topic is aimed at users and local administrators of Homine companies, or the Production area of Hands4IT, aiming to manage and use IT resources in a secure manner, taking appropriate measures to guarantee alternative processing resources in the event of data loss, software or systems.
To develop a plan for backup should be considered the “backups” of the Operational, Contingency and Historical types.
Backup Operational: is the copy of strategic information that is part of the user's daily life and that is important to guarantee the continuity of their tasks. It is intended for instant recovery.
Backup Contingency: is a copy of sensitive information, software and systems vital to the continuity of Homine's business and must be stored in an external location. It is intended to enable recovery in catastrophic situations.
Backup History: is a copy of the information determined by legal requirements or internal regulations and must be stored in an external location.
- Backup/Restore Standards:
The preparation of the plan Backup/Restore should take into account the following aspects:
– Data update periods; It is
– Particularities of each Homine Area.
The information considered essential must be present in the routines of backups operational and contingency, taking into account the periodicity of data updating.
The information must be subject to the backups operational and contingency according to criteria defined by the user.
Copies of backup they must be stored in an appropriate and safe place, and protected against access by unauthorized persons.
A copy of the plan must be kept Backup/Restore together with backup contingency.
Tests must be carried out restore periodically, keeping evidence of the last test performed.
At least the last two versions of the backups operational and contingency. To the backups historical records, the number of versions will be determined by legal requirement or internal standard.
ii. Backup/Restore Plan – Content:
Coverage: List of files and directories to be copied in the process backup.
Frequency: Time interval after which the system is subjected to the backup.
Retention: Deadline by which the backups must be maintained.
Procedures: Description of the procedures backup.
Number of copies: Number of copies of backup, storage locations and means.
Identification of storage media: Storage media must be properly identified.
Record of the use of backup copies: The handling of storage media must be recorded and controlled. These records must be kept for 90 (ninety) days for future checks.
Maintenance of Backup copies: When the retention period is longer than that specified by the manufacturer for the use of the storage medium, a procedure must be adopted to rewrite the data on a new medium periodically.
J. Responsibilities regarding Backup/Restore
It is the responsibility of the local administrator or Production area to prepare, maintain and document the management plan. backups and guarantee the execution of its procedures.
K. Regular data storage and retrieval testing
Any and all storage media as well as recovery procedures must be regularly tested, ensuring their effectiveness. The frequency must be at least once per year, to be determined by the Security and Contingency area, considering the business risk level. Evidence of the success of the tests carried out must be maintained.
L. Piracy
This item is intended for all users and administrators of network servers or computers, including portable computers, whether or not connected to a network, and aims to ensure that appropriate measures are taken to prevent piracy of software within the facilities of Homine companies.
i. Anti-piracy rules:
The number of licenses software cannot be less than the amount of software installed, even for testing or training purposes, unless this situation is covered contractually.
Duplication is not allowed software owned by Homine except for backup purposes and even then, only by authorized persons. A license to use software Homine can only be installed on Homine computers.
It is not permitted to run or install any software (including software free and in the public domain), “screen saver“, “wallpapers” etc., that are not authorized for use on Homine.
All software demonstration must be accompanied by formal authorization from the owner company, indicating where it can be installed and for how long.
The use of software such as “shareware” It must only be done after obtaining registration with the author and after approval by Hands4IT.
- Responsibilities regarding piracy:
– Check if the software to be installed is original, providing it with the appropriate use licenses;
– If the installation was authorized by the Unit’s Administrative Officer, check whether the software was previously approved by Hands4IT; It is
– Implement mechanisms that make piracy difficult through any means.
M. Safe Use of Hardware It is Software
All portable equipment (notebooks, laptops, netbooks, ultrabooks, tablets and smartphones) that have data storage capacity, must follow the security principles contained in this policy. When this equipment contains information that cannot be made public, the data must be encrypted or access protected by a password.
The acquisition, reproduction, use and transfer of unauthorized copies of “software” or any programs and products, even those developed by Homine's technical areas or developed by third parties for the Conglomerate.
N. Access to Internet
A Internet covers various aspects and services (websites government services, service providers and others) that must be made available in a restricted manner or controlled according to business needs. The restriction on websites not related to the organization's business must be implemented, ensuring the effective use of the network Internet.
Access to Internet must be tracked in order to allow monitoring of misuse of technology (User name and address accessed are mandatory tracking information).
The user must restrict access to websites not yet blocked that could denigrate the organization's image (for example: pornography, pedophilia, racism, etc.) and that have no relation to the organization's business objectives (Webmail, games etc.). You must also communicate the email address of these websites to the Information Security area, which must immediately block it.
Access to Internet must be done through “Access Servers” protected by security systems firewall. When access is required using a second connection via modem or network wifi, the machine configuration must guarantee isolation from the company's normal service network, thus preventing contamination from being propagated. The security requirements of these particular machines must be respected (antivirus and firewall local). Specific cases like these must be approved by those responsible for the Information Security area.
O. Access to Electronic Mail
Homine provides its employees with the necessary technology to facilitate internal communication, communication with customers, suppliers and other groups that have a commercial relationship. It is the user's responsibility to use the technology appropriately, prudently, and in a manner compatible with the laws and principles applicable to business.
Email messages must be tracked to enable monitoring to identify misuse of technology.
Q. Business continuity plan
A business continuity plan must guarantee the recovery of Homine's critical processes when the environment or any resources are unavailable that make the development or operations of the business areas impossible.
It is the responsibility of each area involved in business development to develop, test and implement their contingency plans. Hands4IT's Security and Contingency area can guide you in the preparation of these items. Additionally, the plan must be reviewed and updated annually.
The definition of critical processes of a company or area must comply with criteria issued by the Directors responsible for the area/area.
i. Points to be observed in the business continuity plan:
When preparing a business continuity plan, the following points must be observed:
– Critical functions must be identified and defined;
– Draw up a strategy for the recovery of each critical function;
– Prioritize critical functions to organize their recovery;
– Identify the activities necessary to recover each function;
– Quantify the human and technical resources necessary to fulfill the plan;
– Document critical processes;
– Identify those responsible for the recovery of each process or function;
– Actions to reestablish normal operation; It is
– Identify resources backup (infrastructure, hardware, software, application systems and telecommunications).
ii. Periodic reviews of the business continuity plan:
The business continuity plan must undergo annual reviews in order to identify points that are in disagreement with the current situation. The following points must be observed:
– Change of suppliers or contractors;
– Change of addresses or telephone numbers;
– Changes in recovery priorities;
– Interdependence between systems and applications;
– Changes in functions and critical business processes;
– Changes in operational practices; It is
– Update the list of critical employees.
Q. Information Security Awareness Plan
An information security awareness plan must be designed and executed to achieve the following objective:
“Ensure that Information Security is not only known, but understood by all employees and collaborators, making them aware of best practices, minimum requirements, existing risks and responsibilities and what measures must be adopted when there are Security incidents in order to achieve better use and protection of information.”
The basic guidelines are:
– Development of a continuous training process covering all functional levels at Homine;
– Dissemination of various materials and alerts regarding Information Security to employees, collaborators and customers;
– Creation of procedures for measuring the level of knowledge of users in general;
– Organization of events that aim to strengthen awareness about various aspects of security in general; It is
– Periodic review of the plan, adapting actions to new needs, avoiding making it repetitive.
R. Incident Response Plan
It is the responsibility of the IT department to publish and review the cyber incident response plan. This plan must contain each step of each treatment from the identification of an incident. Its objective is to create a minimally necessary approach and conduct in the event of a cyber incident at the institution.