{"id":5886,"date":"2023-11-10T07:29:08","date_gmt":"2023-11-10T10:29:08","guid":{"rendered":"https:\/\/homine.tech\/?page_id=5886"},"modified":"2023-11-10T07:29:08","modified_gmt":"2023-11-10T10:29:08","slug":"politica-de-seguranca-da-informacao","status":"publish","type":"page","link":"https:\/\/homine.tech\/en\/politica-de-seguranca-da-informacao\/","title":{"rendered":"Information Security Policy"},"content":{"rendered":"<p><strong>1. OBJECTIVE<\/strong><\/p>\n\n\n\n<p>Define the guidelines that govern the norms and standards for the protection of information, covering its generation, use, storage, distribution, confidentiality, availability and integrity, regardless of the medium and location in which it is held, based on current legislation and good information security practices.<\/p>\n\n\n\n<p><strong>2. RESPONSIBILITY<\/strong><\/p>\n\n\n\n<p>This Policy is the responsibility of the Homine Technology Department. Any changes to this Policy must be approved by the Homine Technology Department.<\/p>\n\n\n\n<p>Senior management is committed to the continuous improvement of procedures related to information and cyber security.<\/p>\n\n\n\n<p>This policy applies to all employees, suppliers and service providers who use or provide relevant technological services.<\/p>\n\n\n\n<p><strong>3. TARGET AUDIENCE<\/strong><\/p>\n\n\n\n<p>This Policy applies to all Homine divisions.<\/p>\n\n\n\n<p><strong>4. GENERAL GUIDELINES<\/strong><\/p>\n\n\n\n<p><strong>A. Information Processing<\/strong><\/p>\n\n\n\n<p>Information in the custody of any area of Homine, even if it belongs to customers, employees or suppliers, must be protected against access by unauthorized persons.<\/p>\n\n\n\n<p>Access, generation, use, classification, modification, distribution, transfer, storage and deletion of information must be carried out in accordance with the company&#039;s needs, and these processes must be properly documented. 
Homine areas (\u201careas\u201d) reserve the right to consult and analyze information stored on their premises and equipment, as well as in pouches, envelopes and physical and electronic files generated or received using their human and material resources.<\/p>\n\n\n\n<p>Only authorized resources may be used to share information when sharing is necessary, so that it is done securely.<\/p>\n\n\n\n<p>Information must be retained for the period determined by the institution, legislation or current regulation, whichever is longer, and must be retrievable when necessary. The storage location must be appropriate and protected against accidents and access by unauthorized persons.<\/p>\n\n\n\n<p><strong>B. Access to Information<\/strong><\/p>\n\n\n\n<p>The use of external communication networks (<em>Internet<\/em>, private networks, etc.) must be controlled through <em>firewall<\/em> servers, <em>Internet<\/em> access servers, <em>anti-spam<\/em> servers, antivirus tools and operating system policies that ensure that only the resources necessary for work are available, without risk to the operational environment.<\/p>\n\n\n\n<p>External access to the organization&#039;s systems, when carried out by Technical Support personnel or service providers, must be controlled and restricted to the necessary services, keeping usage trails (logs) and limited to the minimum necessary. The solution adopted for each case must be formalized and documented.<\/p>\n\n\n\n<p>Additionally, when external access is carried out for <em>Home Office<\/em> purposes, the <em>Home Office<\/em> Security Policy available on the <em>intranet<\/em> must be observed and followed.<\/p>\n\n\n\n<p>The sending of the organization&#039;s data outside the organization, whether to meet business requirements or to enable the resolution of problems encountered, must be assessed based on the risks involved and on the adoption of procedures that guarantee the control and integrity of the data, as well as the legitimacy of the recipient of the information. 
Whatever is agreed must be formalized and approved by the managers responsible for the information.<\/p>\n\n\n\n<p><strong>C. Application Systems<\/strong><\/p>\n\n\n\n<p>Application systems developed within the organization must be documented, and changes or corrections must be controlled, with trails of what was done and secure storage of the source-code library. All information necessary for the eventual reconstruction of an application must be included in its documentation.<\/p>\n\n\n\n<p>Application systems developed outside the organization and owned by third parties (licensed for use by the organization) must have their source library and additional resources (acquired libraries, components, etc.) held in the custody of a suitable entity, by mutual agreement between the organization and the <em>software<\/em> supplier (a source-code escrow arrangement). Such sources must always be kept up to date and checked for validity and synchronization with the version in use in the production environment.<\/p>\n\n\n\n<p>Misuse of systems, whether accidental or deliberate, must be countered by separating system administration functions from the functions that execute certain activities, or by separating areas of responsibility. Such segregation of duties aims to create controls that prevent fraud or collusion in the performance of critical system activities. Where segregation is impractical, other controls such as activity monitoring, audit trails and management supervision must be considered.<\/p>\n\n\n\n<p>To minimize the risk of system failures, prior planning and preparation must ensure adequate availability and capacity of resources. For new systems, operational requirements must be documented and tested before acceptance and use. For systems already in use, projections of resource demand and future machine load must be made in order to reduce the risk of unavailability due to overload (<em>Capacity Planning<\/em>).<\/p>\n\n\n\n<p><strong>5. 
SPECIFIC GUIDELINES<\/strong><\/p>\n\n\n\n<p><strong>A. Information Processing<\/strong><\/p>\n\n\n\n<p>For the set of information used by an application system, the Security and Contingency Steering Committee must designate two owners, both Homine directors, one representing the operational area and the other the business area.<\/p>\n\n\n\n<p>The information owners are responsible for:<\/p>\n\n\n\n<p><em>i. <\/em>Appointing the information manager, who is responsible for proposing the rules for access to that information and for managing it operationally; and<\/p>\n\n\n\n<p><em>ii. <\/em>Approving the rules for access to the information, as proposed by the manager.<br>Each information manager will appoint a replacement manager, to be approved by the owners, who will perform his or her duties in the event of absence.<\/p>\n\n\n\n<p>Each information manager and his or her replacement will receive a separate <em>Login<\/em> to perform this function, that is, to configure the systems to meet the standards described below for processing information and to grant access to users.<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:lower-roman\">\n<li><em>Standards for processing information<\/em><\/li>\n<\/ol>\n\n\n\n<p>Clear rules must be defined to protect information against loss, alteration and access by unauthorized people, and to provide activity trails, logs and traceability, regardless of the medium in which it is stored (electronic, magnetic, printed, etc.).<\/p>\n\n\n\n<p>The users (companies, areas, people, etc.) of the information must be clearly defined, as must the rights each has to access it and the procedures to protect it from access by unauthorized persons, regardless of how it is made available. All information must be used only for professional purposes, in the exclusive interest of the company.<\/p>\n\n\n\n<p>All relevant information must have at least one backup copy or another effective procedure for prompt recovery in case of loss. 
No information may be accessed, disclosed or made available, under any pretext, without due authorization.<\/p>\n\n\n\n<p>The transmission to third parties, by any means, as well as the dissemination, reproduction, copying, use or exploitation of knowledge, data and information owned by the Institutions and usable in their activities, of which employees become aware during the employment relationship, is prohibited without the prior and express authorization of the responsible Board. This prohibition extends to the period after the end of the employment contract, without prejudice to any applicable criminal proceedings.<\/p>\n\n\n\n<p>Users must classify information so that it receives treatment appropriate to its confidentiality. Guidance on information classification is available in MI\/04\/060 \u2013 Information Classification Policy.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\" style=\"list-style-type:lower-roman\">\n<li><em>Recommendations for processing information<\/em><\/li>\n<\/ol>\n\n\n\n<p>Anyone who receives information in error must immediately contact the sender and alert them to the error. Information available on the <em>Internet<\/em> may only be accessed for the purpose of carrying out activities in the exclusive interest of the company.<\/p>\n\n\n\n<p>All information on paper, removable media or any other storage medium must be destroyed after use, or stored in such a way that it is not available to unauthorized persons.<\/p>\n\n\n\n<p>Maintenance on equipment that stores information must be supervised by a representative of the area whenever the equipment is in use or logged in with the credentials of the employee who requested the support. 
When equipment is sold, returned to the manufacturer, sent for maintenance or transferred to other users, the information contained on it must be destroyed before the equipment is released, in accordance with MI\/04\/017 \u2013 Disposal of Magnetic Information Storage Media.<\/p>\n\n\n\n<p>Managers must determine the rules for access to and distribution of information, considering the following items:<\/p>\n\n\n\n<p>a. Risks inherent to the information:<\/p>\n\n\n\n<p>\u2013 Access by unauthorized persons;<\/p>\n\n\n\n<p>\u2013 Improper alteration, use, classification, modification, distribution, transfer, storage or disposal;<\/p>\n\n\n\n<p>\u2013 Unavailability.<\/p>\n\n\n\n<p>b. Consequences:<\/p>\n\n\n\n<p>\u2013 Fraud: possibility of harm to Homine companies or third parties (customers, suppliers, etc.);<\/p>\n\n\n\n<p>\u2013 Legal problems: possibility of losses, fines, penalties or embarrassment for Homine Institutions, Directors and Employees, or for other individuals or legal entities;<\/p>\n\n\n\n<p>\u2013 Loss of business: possibility of not realizing expected revenue, or of losses in business already implemented or in the implementation phase;<\/p>\n\n\n\n<p>\u2013 Damage to Homine\u2019s image: possibility of damage to the image of Homine or its employees;<\/p>\n\n\n\n<p>\u2013 Recovery problems: possibility of incurring costs to recover lost or damaged information.<\/p>\n\n\n\n<p><strong>B. Security regarding People<\/strong><\/p>\n\n\n\n<p>This topic addresses the human side of security and aims to reduce the risks of human error, theft, fraud or inappropriate use of Homine information and resources.<\/p>\n\n\n\n<p><em>i. Identification of people<\/em><\/p>\n\n\n\n<p>All people with access to systems and information belonging to or in the possession of Homine must have a unique identification (<em>Login<\/em>). Exceptions must be duly documented and approved by the Security and Contingency Steering Committee.<\/p>\n\n\n\n<p><em>ii. 
Declaration of Responsibility<\/em><\/p>\n\n\n\n<p>The declaration is a commitment of direct responsibility by the employee for the information, equipment and other Homine property entrusted to him or her, and must be read and signed upon admission.<\/p>\n\n\n\n<p>The same concept applies to service providers and customers:<\/p>\n\n\n\n<p>\u2013 Service Providers: the declaration of responsibility must be one of the clauses of the contract;<\/p>\n\n\n\n<p>\u2013 Customers: the declaration of responsibility must be one of the clauses of the product subscription agreement, or equivalent document, whenever the customer is given a password to access the information.<\/p>\n\n\n\n<p>The declaration of responsibility must be read and signed by all employees, in the accepted and approved formats on physical or electronic media, before being filed in the respective personnel folder. The Human Resources Department must ensure that every employee has a signed declaration of responsibility on file.<\/p>\n\n\n\n<p><strong>C. Logical Security of Computers, Networks and Application Systems<\/strong><\/p>\n\n\n\n<p>This item deals with access control to systems and information belonging to or in the possession of Homine.<\/p>\n\n\n\n<p>Every application system defines a set of operations applicable to the information under its domain. 
Typically these operations are: query, insertion, change, deletion, etc.<\/p>\n\n\n\n<p>An access profile defines which operations can be performed by a given class of users on a given type of information.<\/p>\n\n\n\n<p>If the operations and their respective information involve monetary amounts, limits may be created that define the maximum amount involved in operations carried out by each class of users.<\/p>\n\n\n\n<p>The rules for accessing information in an application system must include the definition of user profiles, authority limits and classes, as well as the operational processes to be used for their administration and control.<\/p>\n\n\n\n<p><em>i. Standards for logical security of computers and networks:<\/em><\/p>\n\n\n\n<p>Access to services and data must be controlled based on the requirements of each business; these requirements must be clearly defined and documented, and all application systems must be designed to implement and maintain these controls.<\/p>\n\n\n\n<p>Each information manager is responsible for defining and keeping up to date the access profiles for their applications, aiming for the minimum access necessary to carry out activities (least privilege) and avoiding conflicts of interest.<\/p>\n\n\n\n<p><em>ii. Administration of access to application systems:<\/em><\/p>\n\n\n\n<p>The information must be analyzed by the respective information managers so that access rules can be defined through profiles and authority limits.<br>Application systems must provide the means to manage access through the profiles and authority limits defined by the respective information managers.<\/p>\n\n\n\n<p><em>iii. 
User access administration:<\/em><\/p>\n\n\n\n<p>There must be formal procedures covering all activities linked to access management, from the creation of a new user, through the administration of privileges and passwords, to the deactivation of users, in accordance with MI\/04\/055 \u2013 Review of Physical Access, Systems and Directories.<\/p>\n\n\n\n<p><em>iv. Access control to computers and networks:<\/em><\/p>\n\n\n\n<p>It must be ensured that computer users, whether or not connected to a network, do not compromise the security of any system or product. Access to computing services must always occur through a secure procedure by which the user connects to a specific system or network, planned to minimize opportunities for unauthorized access.<\/p>\n\n\n\n<p>The production, acceptance (approval) and development environments must be segregated from each other in order to prevent undue access.<\/p>\n\n\n\n<p><em>v. Standards for controlling access to computers, networks and application systems:<\/em><\/p>\n\n\n\n<p>An effective access control system must be used to authenticate users. The main features of this control are:<\/p>\n\n\n\n<p>\u2013 Access to computers and networks must be password protected;<\/p>\n\n\n\n<p>\u2013 Passwords can be changed by users in any environment (operating system or application);<\/p>\n\n\n\n<p>\u2013 Systems must never display the password on the screen;<\/p>\n\n\n\n<p>\u2013 Passwords must be individual and non-transferable. The password is for exclusive, personal and non-transferable use, and sharing is prohibited under any circumstances;<\/p>\n\n\n\n<p>\u2013 Passwords must not be trivial or predictable;<\/p>\n\n\n\n<p>\u2013 The types of characters that may be used to form the password are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uppercase letters;<\/li>\n\n\n\n<li>Lowercase letters;<\/li>\n\n\n\n<li>Numbers;<\/li>\n\n\n\n<li>Special signs or symbols (e.g. @#$%&amp;*-+=\u201c \u0301`^~{ }[ ]\/|\\? 
!).<\/li>\n<\/ul>\n\n\n\n<p>\u2013 Passwords must have a minimum length of 8 (eight) characters and must use at least three of the four character types defined above, one of which must be a special sign or symbol;<\/p>\n\n\n\n<p>\u2013 If a system assigns an initial password, it must force the user to change it on first access;<\/p>\n\n\n\n<p>\u2013 Password files must be encrypted and stored separately from data files, in a restricted-access environment;<\/p>\n\n\n\n<p><em>vi. Monitoring of use of and access to application systems:<\/em><\/p>\n\n\n\n<p>All application systems must:<\/p>\n\n\n\n<p>\u2013 Detect unauthorized access attempts;<\/p>\n\n\n\n<p>\u2013 Whenever there are risks that affect the business, record audit trails for future investigations, including access data such as: user identification, location, terminal or network station identification, date and time of access, identification of the application accessed and the transactions executed; and<\/p>\n\n\n\n<p>\u2013 Issue access management reports (by user, application module and function).<\/p>\n\n\n\n<p><em>vii. Systems development process:<\/em><\/p>\n\n\n\n<p>Systems developed must observe and follow good market practices for secure development in order to mitigate the risks and vulnerabilities commonly exploited in systems. Compliance must be achieved by adapting processes and\/or using technologies specific to this purpose.<\/p>\n\n\n\n<p>Additionally, Information Security is responsible for evaluating the need for security testing of any system, whether internal, exposed to the Internet, hosted outside Homine&#039;s technological infrastructure, or developed internally or externally.<\/p>\n\n\n\n<p><strong>D. 
Security in Service Provider Access<\/strong><\/p>\n\n\n\n<p>This topic aims to establish controls over the organization&#039;s information processing resources during the execution of services by external contractors.<\/p>\n\n\n\n<p>An assessment of the risks involved must be made to determine the security implications and the necessary controls. Whatever is agreed must be set out in the signed contract.<\/p>\n\n\n\n<p>Connecting the provider&#039;s own equipment to the organization&#039;s network is prohibited without written authorization from the information security area, which must assess the need on the basis of a technical justification. Where such equipment is necessary, it must be segregated on its own network, with a <em>\u201cfirewall\u201d<\/em> controlling access.<\/p>\n\n\n\n<p>If the provider uses its own <em>software<\/em> on equipment in the organization, documentation or a statement of responsibility guaranteeing the right of use must be presented and kept on file for as long as the <em>software<\/em> remains installed.<\/p>\n\n\n\n<p><strong>E. Physical Computer Security<\/strong><\/p>\n\n\n\n<p>This topic is intended for users and administrators of computers, whether or not connected to a network.<\/p>\n\n\n\n<p>The objective is to ensure that areas set up, manage and use computers in a secure manner, and that appropriate measures are taken to preserve the confidentiality, integrity and availability of the information stored and handled on such equipment.<\/p>\n\n\n\n<p><em>i. Standards for physical computer security:<\/em><\/p>\n\n\n\n<p>Removable storage media must have controlled access. When not in use, they must be locked away, with access restricted to authorized people. 
Computers not connected to a network that contain information important to the company&#039;s business must be installed in a structure that guarantees the physical security of the equipment, including systems that maintain the electricity supply and allow data recovery.<\/p>\n\n\n\n<p>Users connected to a network who handle information important to the company&#039;s business must keep that information stored on network servers.<\/p>\n\n\n\n<p><em>ii. Responsibility for physical computer security:<\/em><\/p>\n\n\n\n<p>Hands4IT is responsible for preparing and maintaining the <em>hardware<\/em> and <em>software<\/em> inventory in the Headquarters, Agencies and Regional Buildings. The Property Security area is responsible for ensuring control over physical access to equipment.<\/p>\n\n\n\n<p><strong>F. Standards for Computer Installation<\/strong><\/p>\n\n\n\n<p>The installation standard for computers must meet all standards stipulated by Homine.<\/p>\n\n\n\n<p>The structure to maintain physical security must comply with Homine&#039;s general security standards and with the following specifications:<\/p>\n\n\n\n<p><em>i. <\/em>Room:<\/p>\n\n\n\n<p>\u2013 The dimensions of the location must be sufficient for the installation of the equipment;<\/p>\n\n\n\n<p>\u2013 The layout of network and power cables must allow people to move freely;<\/p>\n\n\n\n<p>\u2013 The air inlets (ventilation) of the equipment must not be obstructed; and<\/p>\n\n\n\n<p>\u2013 Equipment must be placed in firm locations that avoid vibration.<\/p>\n\n\n\n<p><em>ii. 
<\/em>Cooling and air quality:<\/p>\n\n\n\n<p>\u2013 Air conditioning must be as specified by the manufacturer;<\/p>\n\n\n\n<p>\u2013 The environment must be free from pollution by dust, gases or smoke, to prevent contaminants from penetrating the equipment and causing breakdowns or processing failures.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\" style=\"list-style-type:lower-roman\">\n<li>Electrical network:<\/li>\n<\/ol>\n\n\n\n<p>\u2013 It is recommended that there be dedicated grounding for the equipment and that the power outlets be stabilized;<\/p>\n\n\n\n<p>\u2013 For equipment considered critical, it is recommended to install a UPS (Uninterruptible Power Supply), an alternative power source that is activated automatically when there is a power outage;<\/p>\n\n\n\n<p>\u2013 The equipment must be installed on an electrical network that follows the standards recommended by the manufacturers.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\" style=\"list-style-type:lower-roman\">\n<li>Fire Equipment:<\/li>\n<\/ol>\n\n\n\n<p>\u2013 There must be fire-fighting equipment suitable for electronic materials, such as CO2 extinguishers, in a visible, marked and unobstructed location known to all employees; and<\/p>\n\n\n\n<p>\u2013 There must be adequate fire prevention equipment, such as smoke detectors and a fire alarm, and an efficient means of alerting a fire-fighting agency.<\/p>\n\n\n\n<p><em>v. Lighting:<\/em><\/p>\n\n\n\n<p>\u2013 Lighting must be adequate, avoiding direct sunlight on the equipment.<\/p>\n\n\n\n<p><em>vi. <\/em>Precautions regarding the availability of storage media:<\/p>\n\n\n\n<p>\u2013 When removable storage media are sold, returned to the manufacturer or sent for maintenance, the information contained on them must be destroyed before they leave Homine&#039;s premises, as per MI\/04\/017 \u2013 Disposal of Magnetic Information Storage Media. 
It is important to note that on magnetic media it is not enough to delete the files: a program that actually overwrites (wipes) the data must be run.<\/p>\n\n\n\n<p><strong>G. Physical Security of Network Servers<\/strong><\/p>\n\n\n\n<p>This item is intended for users of operating systems with network server characteristics.<\/p>\n\n\n\n<p>The objective is to ensure that Homine manages and uses its various operating systems in a secure manner, and that appropriate measures are taken to guarantee the confidentiality of data and the integrity and availability of equipment and storage media.<\/p>\n\n\n\n<p><em>i. Standards for physical security of network servers:<\/em><\/p>\n\n\n\n<p>Removable storage media must have controlled access. When not in use, they must be locked away, with access restricted to authorized people.<br>File servers must be installed in an area that guarantees the physical security of the equipment, including systems that maintain the electricity supply and allow data recovery.<\/p>\n\n\n\n<p><em>ii. Responsibilities for the physical security of network servers:<\/em><\/p>\n\n\n\n<p>The Local Administrator, where applicable, or the Hands4IT Production Area, in the case of the Headquarters Building, is responsible for:<\/p>\n\n\n\n<p>\u2013 Developing and maintaining the <em>hardware<\/em> and <em>software<\/em> inventory; and<\/p>\n\n\n\n<p>\u2013 Ensuring physical access control to equipment.<\/p>\n\n\n\n<p><strong>H. 
Standards for Installing Network Servers<\/strong><\/p>\n\n\n\n<p>The installation standard for network servers must meet all standards stipulated by Homine.<\/p>\n\n\n\n<p>The structure to maintain the physical security of network equipment must comply with the same specifications used for installing computers, with the following additional specifications:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:lower-roman\">\n<li>Room:<\/li>\n<\/ol>\n\n\n\n<p>\u2013 Closed, but allowing a view into the room, with partitions up to the ceiling.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\" style=\"list-style-type:lower-roman\">\n<li><em>Electrical network:<\/em><\/li>\n<\/ol>\n\n\n\n<p><em>\u2013 Servers must be powered through UPS equipment approved by authorized technicians; and<\/em><\/p>\n\n\n\n<p><em>\u2013 There must be dedicated grounding for the equipment and stabilization of the electrical power outlets.<\/em><\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\" style=\"list-style-type:lower-roman\">\n<li><em>Fire Equipment:<\/em><\/li>\n<\/ol>\n\n\n\n<p>\u2013 For server and\/or telecommunications rooms, the use of automated fire-suppression devices, clean extinguishing agents such as gases, and other resources specific to this type of environment should be considered.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\" style=\"list-style-type:lower-roman\">\n<li>Precautions regarding the availability of storage media:<\/li>\n<\/ol>\n\n\n\n<p>\u2013 Maintenance of removable media carried out on site must be supervised by the person responsible for the area.<\/p>\n\n\n\n<p><strong>I. 
Backup and Restore<\/strong><\/p>\n\n\n\n<p>This topic is aimed at users and local administrators of Homine companies, and at the Hands4IT Production area, with the goal of managing and using IT resources securely and taking appropriate measures to guarantee alternative processing resources in the event of loss of data, <em>software<\/em> or systems.<\/p>\n\n\n\n<p>When developing a <em>backup<\/em> plan, three types of \u201c<em>backup<\/em>\u201d must be considered: Operational, Contingency and Historical.<\/p>\n\n\n\n<p>Operational <em>Backup<\/em>: a copy of the strategic information that is part of the user&#039;s daily work and that is important to guarantee the continuity of their tasks. It is intended for immediate recovery.<\/p>\n\n\n\n<p>Contingency <em>Backup<\/em>: a copy of the sensitive information, software and systems vital to the continuity of Homine&#039;s business; it must be stored at an off-site location. It is intended to enable recovery in catastrophic situations.<\/p>\n\n\n\n<p>Historical <em>Backup<\/em>: a copy of the information whose retention is determined by legal requirements or internal regulations; it must be stored at an off-site location.<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:lower-roman\">\n<li><em>Backup\/Restore Standards:<\/em><\/li>\n<\/ol>\n\n\n\n<p>The preparation of the <em>Backup\/Restore<\/em> plan must take into account the following aspects:<\/p>\n\n\n\n<p>\u2013 Data update frequency; and<\/p>\n\n\n\n<p>\u2013 The particularities of each Homine Area.<\/p>\n\n\n\n<p>Information considered essential must be included in the operational and contingency <em>backup<\/em> routines, taking into account how often the data is updated.<\/p>\n\n\n\n<p>Information must be included in the operational and contingency <em>backups<\/em> according to criteria defined by the user.<\/p>\n\n\n\n<p><em>Backup<\/em> copies must be stored in an appropriate and safe place, and protected against access by 
unauthorized persons.<\/p>\n\n\n\n<p>A copy of the <em>Backup\/Restore<\/em> plan must be kept together with the contingency <em>backup<\/em>.<\/p>\n\n\n\n<p><em>Restore<\/em> tests must be carried out periodically, keeping evidence of the last test performed.<\/p>\n\n\n\n<p>At least the last two versions of the operational and contingency <em>backups<\/em> must be retained. For historical <em>backups<\/em>, the number of versions is determined by legal requirement or internal standard.<\/p>\n\n\n\n<p><em>ii. Backup\/Restore Plan \u2013 Content:<\/em><\/p>\n\n\n\n<p><em>Coverage: <\/em>list of files and directories to be copied in the <em>backup<\/em> process.<br><em>Frequency: <\/em>time interval after which the system is backed up again.<\/p>\n\n\n\n<p><em>Retention: <\/em>period for which the <em>backups<\/em> must be kept.<br><em>Procedures: <\/em>description of the <em>backup<\/em> procedures.<\/p>\n\n\n\n<p><em>Number of copies: <\/em>number of <em>backup<\/em> copies, storage locations and media.<br><em>Identification of storage media: <\/em>storage media must be properly labelled.<\/p>\n\n\n\n<p><em>Record of the use of backup copies: <\/em>the handling of storage media must be recorded and controlled. These records must be kept for 90 (ninety) days for future checks.<\/p>\n\n\n\n<p><em>Maintenance of backup copies: <\/em>when the retention period is longer than the service life specified by the manufacturer for the storage medium, a procedure must be adopted to periodically rewrite the data onto new media.<\/p>\n\n\n\n<p><strong>J. Responsibilities regarding <em>Backup\/Restore<\/em><\/strong><\/p>\n\n\n\n<p>It is the responsibility of the local administrator or the Production area to prepare, maintain and document the <em>backup<\/em> management plan and to guarantee the execution of its procedures.<\/p>\n\n\n\n<p><strong>K. 
Regular data storage and retrieval testing<\/strong><\/p>\n\n\n\n<p>All storage media, as well as recovery procedures, must be tested regularly to ensure their effectiveness. The frequency, at least once per year, is determined by the Security and Contingency area according to the business risk level. Evidence of the success of the tests carried out must be kept.<\/p>\n\n\n\n<p><strong>L. Piracy<\/strong><\/p>\n\n\n\n<p>This item is intended for all users and administrators of network servers or computers, including portable computers, whether or not connected to a network, and aims to ensure that appropriate measures are taken to prevent <em>software<\/em> piracy within the facilities of Homine companies.<\/p>\n\n\n\n<p><em>i. Anti-piracy rules:<\/em><\/p>\n\n\n\n<p>The number of <em>software<\/em> licenses cannot be less than the number of installed copies of the software, even for testing or training purposes, unless this situation is covered contractually.<\/p>\n\n\n\n<p>Duplication of <em>software<\/em> owned by Homine is not permitted, except for backup purposes, and even then only by authorized persons. 
<em>Software<\/em> licensed to Homine may only be installed on Homine computers.<\/p>\n\n\n\n<p>It is not permitted to run or install any <em>software<\/em> (including free and public-domain <em>software<\/em>), \u201c<em>screen savers<\/em>\u201d, \u201cwallpapers\u201d, etc., that is not authorized for use at Homine.<\/p>\n\n\n\n<p>All demonstration <em>software<\/em> must be accompanied by formal authorization from the owning company, indicating where it may be installed and for how long.<br>\u201c<em>Shareware<\/em>\u201d software may only be used after registration with the author and approval by Hands4IT.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\" style=\"list-style-type:lower-roman\">\n<li><em>Responsibilities regarding piracy:<\/em><\/li>\n<\/ol>\n\n\n\n<p>\u2013 Check that the <em>software<\/em> to be installed is genuine and that it has the appropriate licenses for use;<\/p>\n\n\n\n<p>\u2013 If the installation was authorized by the Unit\u2019s Administrative Officer, check whether the <em>software<\/em> was previously approved by Hands4IT; and<\/p>\n\n\n\n<p>\u2013 Implement mechanisms that make piracy difficult by any means.<\/p>\n\n\n\n<p><strong>M. Safe Use of <em>Hardware<\/em> and <em>Software<\/em><\/strong><\/p>\n\n\n\n<p>All portable equipment (<em>notebooks, laptops, netbooks, ultrabooks, tablets and smartphones<\/em>) with data storage capacity must follow the security principles contained in this policy. When such equipment contains information that cannot be made public, the data must be encrypted or access to it protected by a password.<\/p>\n\n\n\n<p>The acquisition, reproduction, use and transfer of unauthorized copies of <em>\u201csoftware\u201d<\/em>, or of any programs and products, is prohibited, including those developed by Homine&#039;s technical areas or by third parties for the Conglomerate.<\/p>\n\n\n\n<p><strong><em>N. 
<\/em><\/strong><strong>Access to the <em>Internet<\/em><\/strong><\/p>\n\n\n\n<p>The <em>Internet<\/em> covers a wide range of services (<em>websites<\/em> of government services, service providers and others) that must be made available in a restricted or controlled manner, according to business needs. Restrictions on <em>websites<\/em> unrelated to the organization&#039;s business must be implemented, ensuring effective use of the <em>Internet<\/em> connection.<\/p>\n\n\n\n<p>Access to the <em>Internet<\/em> must be logged so that misuse of the technology can be monitored (the user name and the address accessed are mandatory log fields).<\/p>\n\n\n\n<p>Users must refrain from accessing <em>websites<\/em> not yet blocked that could denigrate the organization&#039;s image (for example: pornography, pedophilia, racism, etc.) or that have no relation to the organization&#039;s business objectives (<em>Webmail<\/em>, games, etc.). Users must also report the address of such <em>websites<\/em> to the Information Security area, which must block it immediately.<\/p>\n\n\n\n<p>Access to the <em>Internet<\/em> must go through \u201cAccess Servers\u201d protected by <em>firewall<\/em> security systems. When access through a second connection, via <em>modem<\/em> or <em>wifi<\/em> network, is required, the machine configuration must guarantee isolation from the company&#039;s normal service network, so that any compromise cannot propagate to it. The security requirements for these particular machines (antivirus and local <em>firewall<\/em>) must be respected. Such specific cases must be approved by those responsible for the Information Security area.<\/p>\n\n\n\n<p><strong>O. Access to Electronic Mail<\/strong><\/p>\n\n\n\n<p>Homine provides its employees with the technology needed to facilitate internal communication and communication with customers, suppliers and other groups with which it has a commercial relationship. 
It is the user&#039;s responsibility to use this technology appropriately, prudently and in a manner compatible with the laws and principles applicable to the business.<\/p>\n\n\n\n<p>Email messages must be logged so that misuse of the technology can be monitored and identified.<\/p>\n\n\n\n<p><strong>P. Business Continuity Plan<\/strong><\/p>\n\n\n\n<p>A business continuity plan must guarantee the recovery of Homine&#039;s critical processes whenever the environment or any resource becomes unavailable in a way that makes the development or operation of the business areas impossible.<\/p>\n\n\n\n<p>Each area involved in business development is responsible for developing, testing and implementing its own contingency plans. Hands4IT&#039;s Security and Contingency area can provide guidance in preparing them. The plan must also be reviewed and updated annually.<\/p>\n\n\n\n<p>The definition of a company&#039;s or area&#039;s critical processes must follow criteria issued by the Directors responsible for that company or area.<\/p>\n\n\n\n<p><em>i. 
Points to be observed in the business continuity plan:<\/em><\/p>\n\n\n\n<p>When preparing a business continuity plan, the following points must be observed:<\/p>\n\n\n\n<p>\u2013 Identify and define critical functions;<\/p>\n\n\n\n<p>\u2013 Draw up a recovery strategy for each critical function;<\/p>\n\n\n\n<p>\u2013 Prioritize critical functions in order to organize their recovery;<\/p>\n\n\n\n<p>\u2013 Identify the activities necessary to recover each function;<\/p>\n\n\n\n<p>\u2013 Quantify the human and technical resources necessary to carry out the plan;<\/p>\n\n\n\n<p>\u2013 Document critical processes;<\/p>\n\n\n\n<p>\u2013 Identify those responsible for recovering each process or function;<\/p>\n\n\n\n<p>\u2013 Define the actions to reestablish normal operation; and<\/p>\n\n\n\n<p>\u2013 Identify <em>backup<\/em> resources (infrastructure, <em>hardware<\/em>, <em>software<\/em>, application systems and telecommunications).<\/p>\n\n\n\n<p><em>ii. Periodic reviews of the business continuity plan:<\/em><\/p>\n\n\n\n<p>The business continuity plan must be reviewed annually in order to identify points that no longer match the current situation. The following points must be observed:<\/p>\n\n\n\n<p>\u2013 Changes of suppliers or contractors;<\/p>\n\n\n\n<p>\u2013 Changes of addresses or telephone numbers;<\/p>\n\n\n\n<p>\u2013 Changes in recovery priorities;<\/p>\n\n\n\n<p>\u2013 Interdependence between systems and applications;<\/p>\n\n\n\n<p>\u2013 Changes in critical business functions and processes;<\/p>\n\n\n\n<p>\u2013 Changes in operational practices; and<\/p>\n\n\n\n<p>\u2013 Updates to the list of critical employees.<\/p>\n\n\n\n<p><strong>Q. 
Information Security Awareness Plan<\/strong><\/p>\n\n\n\n<p>An information security awareness plan must be designed and executed to achieve the following objective:<\/p>\n\n\n\n<p>\u201cEnsure that Information Security is not only known but understood by all employees and collaborators, making them aware of best practices, minimum requirements, existing risks and responsibilities, and of the measures to be adopted in the event of security incidents, in order to achieve better use and protection of information.\u201d<\/p>\n\n\n\n<p><em>The basic guidelines are:<\/em><\/p>\n\n\n\n<p>\u2013 Development of a continuous training process covering all functional levels at Homine;<\/p>\n\n\n\n<p>\u2013 Dissemination of Information Security materials and alerts to employees, collaborators and customers;<\/p>\n\n\n\n<p>\u2013 Creation of procedures for measuring the level of knowledge of users in general;<\/p>\n\n\n\n<p>\u2013 Organization of events aimed at strengthening awareness of the various aspects of security in general; and<\/p>\n\n\n\n<p>\u2013 Periodic review of the plan, adapting its actions to new needs and avoiding repetition.<\/p>\n\n\n\n<p><strong>R. Incident Response Plan<\/strong><\/p>\n\n\n\n<p>It is the responsibility of the IT department to publish and review the cyber incident response plan. The plan must describe each step of incident handling, starting from the identification of an incident. Its objective is to establish the minimum approach and conduct required in the event of a cyber incident at the institution.<\/p>","protected":false},"excerpt":{"rendered":"<p>1. 
OBJECTIVE Define the guidelines that will guide the norms and standards that deal with the protection of information, covering its generation, use, storage, distribution, confidentiality, availability and<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-5886","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/pages\/5886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/comments?post=5886"}],"version-history":[{"count":1,"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/pages\/5886\/revisions"}],"predecessor-version":[{"id":5887,"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/pages\/5886\/revisions\/5887"}],"wp:attachment":[{"href":"https:\/\/homine.tech\/en\/wp-json\/wp\/v2\/media?parent=5886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}