Information & Privacy Policy for Suppliers | Data Subject Rights | Information Security Policy

Information Security Policy for Suppliers

The Information Security and Privacy Policy for suppliers establishes the following basic guidelines:

1. Objective

Guiding and presenting guidelines in the relationship with suppliers and partners, in order to ensure the security of information and mitigate the risks associated with access by suppliers to the assets and facilities of AlmavivA do Brasil Group.

2. Field of application

The guidelines established in this policy apply to all suppliers that perform services that have a direct impact on business or on issues related to Information Security and Privacy.

3. References

▪ PSI-001 - Information Security Policy - Internal
▪ PSI-002 - Information Security Policy - External
▪ NBR ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection - Requirements
▪ NBR ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls
▪ NBR ISO/IEC 27701:2019 – Security techniques for information privacy management – Requirements and guidelines
▪ Law nº 13.709/2018 – LGPD (General Law for the Protection of Personal Data).

4. Definitions

Not applicable

5. Responsibilities

The Information Security and Privacy area is responsible for:
▪ Defining and keeping guidelines up-to-date and available
▪ Conducting risk assessment
▪ Carrying out audits, when applicable.

Responsibility for all Suppliers:
▪ Following all guidelines defined in this policy and other applicable policies.

6. Guidelines

▪ Access to AlmavivA do Brasil Group's information assets can only be done under controlled and monitored conditions. The granting of physical and logical access will follow the premises established by the established information security policies, not allowing third parties to access confidential information without proper authorization
▪ The guidelines, programs, codes of conduct, internal rules and policies established by AlmavivA do Brasil Group must be fully complied with
▪ Service providers must ensure, at least, that all of their employees associated with the service provided are aware of and undertake to comply with what is described in this policy. AlmavivA Group may request, at any time, evidence of the disclosure process of this information
▪ Controls must be applied to processes, products and services in order to ensure that all specified requirements, service level agreements and agreed contractual obligations are fulfilled
▪ Good practices to ensure risk management should be adopted and monitored throughout the supply chain
▪ Legal and regulatory requirements, when applicable, must be met and monitored
▪ It is mandatory to protect and preserve the information assets of AlmavivA Group, to ensure the confidentiality, integrity and availability of information
▪ All agreements for the preservation of confidentiality, intellectual property and the secrecy of information accessed before, during and after the provision of services must be respected and complied with
▪ The contract manager must be notified when identifying any risks or incidents that may impact the security and privacy of information
▪ Documents and records that demonstrate compliance with the requirements defined in the contract and the guidelines established in the internal policies of AlmavivA do Brasil Group must be presented whenever necessary
▪ When using AlmavivA Group's assets and facilities, the necessary care must be taken to preserve the assets. It is everyone's duty to ensure the protection of assets and adopt habits that avoid waste in general
▪ When identifying risks, incidents and non-conformities, corrective and preventive actions must be adopted, in order to eliminate the root cause and provide adequate treatment of associated risks
▪ When necessary, audits, inspections and assessments can be carried out by AlmavivA Group to ensure that all requirements for information security are being met. The results of inspections and evaluations, as well as recommendations for improvements, will be recorded and forwarded to the supplier for action
▪ Service providers must respect and comply with all measures, procedures and instructions for recording and controlling physical and logical access established by AlmavivA do Brasil Group
▪ Whenever necessary, service providers will provide AlmavivA do Brasil Group with a list of people, their profile description, functions and responsibilities associated with the service provided, communicating all eventual changes made regarding the relationship with the Company (admission, dismissal, replacement or alteration of functions or positions)
▪ Service providers must ensure that all of their employees have adequate instruction and are duly trained to perform the service provided, both in the fields that correspond to the actions associated with the provision of the service and with reference to information security and privacy
▪ Service providers must ensure that information assets are only used for purposes approved by AlmavivA do Brasil Group, subject to monitoring, traceability and auditing
▪ The supplier may only subcontract if the contract allows it, and must disclose to AlmavivA do Brasil Group any use or alteration of subcontractors to process personal data, before use
▪ Service providers must have a Contingency Plan to guarantee the continuity of contracted services, with the same quality and within the agreed deadlines, with AlmavivA do Brasil Group
▪ When applicable, service providers must have a Backup Policy as well as restoration and monitoring procedures.

7. Final provisions

Any need for action in disagreement with the rules established in the Information Security Policy, the Privacy Policy and its complementary policies must be directed to Information Security for risk analysis, registration, and submission for consideration by the competent authority and/or Information Security and Privacy Committee.


Know your main rights

Confirmation and Access: Confirm if there are one or more activities performed by AlmavivA do Brasil that use your personal information, in addition to being able to obtain a copy of your personal data and other information related to you.

Correction: Correction of incomplete, incorrect or outdated data, so that we can have correct and accurate information about you.

Note: If you are an employee of AlmavivA do Brasil, please contact HR to correct your data.

Anonymization, Blocking or Deletion: You may request AlmavivA do Brasil to anonymize, block or delete your data if it is unnecessary for the purpose of processing, excessive for the pursuit of the objective, processed in disagreement with the stated purposes, or processed without legal justification. If you no longer wish to have your personal data processed by AlmavivA do Brasil, you can request the deletion of your information from our database.

Please remember: data necessary to comply with a legal (contractual) or regulatory obligation or for legitimate processing purposes cannot be deleted.

Portability: Request the sharing of your data provided to AlmavivA do Brasil, that is, the portability of your data, to another service or product provider.

Information sharing: Information about the public and private entities with which AlmavivA do Brasil shares your data.

Note: this information, for employees, is available in the Internal Privacy Notice, available on the Employee Portal > Rules of Conduct > Regulations.

Withdrawal of Consent and Related Information: Your consent may be revoked at any time by express manifestation. You can also request information about the possibility of not providing your consent and what the consequences would be for your relationship with AlmavivA do Brasil.

Automated decision review: Right to request review of decisions taken solely on the basis of automated processing of your data and that affect your interests.

To communicate one of the above requests:


Information Security Policy

1. Objective

Establish guidelines to ensure the security of corporate information, seeking a balance between performance and reliability, aiming at the continuity of AlmavivA do Brasil Group's businesses, based on the following items:

▪ Alignment of the strategic objectives of Information Security and Privacy with the companies' business objectives
▪ Reduction of impacts resulting from Information Security events
▪ Identification of the main information security and privacy risks applicable to the business
▪ Dissemination of information security and privacy standards and guidelines to all professionals of AlmavivA do Brasil Group, applicable third parties and anyone related to the expansion of AlmavivA do Brasil Group businesses.

Presidency, Executive Board and the Information Security and Privacy Committee are committed to an effective management of Information Security in AlmavivA do Brasil Group. In this way, they adopt all appropriate measures to ensure that this policy is properly communicated, understood and followed at all levels of the organization.

Periodic reviews will be carried out to ensure the policy's continued relevance and adequacy to the Company's needs.

2. Field of application

This policy applies to all users of information from AlmavivA do Brasil Group, including any individual or organization that has or has had a link with AlmavivA, such as employees, former employees, service providers, former service providers, collaborators and former collaborators, who had, have or will have access to AlmavivA's information and/or made, make or will make use of computational resources included in the infrastructure of AlmavivA Group in Brazil.

3. References

▪ NBR ISO/IEC 27001:2022 – Information security, cyber security and privacy protection — Information security management systems — Requirements
▪ NBR ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls
▪ NBR ISO/IEC 27701:2019 – Security techniques – Extension of ABNT NBR ISO/IEC 27002 for information privacy management – Requirements and guidelines
▪ AlmavivA do Brasil Group Privacy Policy.

4. Definitions

Information Security (IS): Protection against unauthorized use of or access to information, as well as protection against denial of service to authorized users, while preserving the integrity and confidentiality of that information. IS is not confined to computer systems, nor to information in electronic form. It applies to all aspects of protecting information or data in any form. The level of protection must, in any situation, correspond to the value of that information and the damage that could result from its improper use. IS also covers all the infrastructure that allows its use, such as processes, systems, services, technologies and others.
Privacy: Data Privacy is the right to manage how your personal information is collected and used.

5. Responsibilities

The Executive Board is responsible for:
▪ Promote and approve the activities of the Information Security and Privacy Management System

The Information Security and Privacy Committee is responsible for:
▪ Conduct a periodic assessment on Information Security
▪ Ensure the availability of the necessary resources for effective information security management
▪ Disseminate the Information Security and Privacy culture
▪ Align the strategic objectives of Information Security and Privacy with the business objectives of AlmavivA do Brasil Group
▪ Support and approve continuous improvement activities of the Information Security and Privacy Management System
▪ Decide on the application of sanctions when non-compliance with this policy and other policies established by the Information Security and Privacy area is observed.

Employees, Third Parties, Suppliers and other relevant interested parties are responsible for:
▪ Comply with the guidelines of this policy and other policies established by the Information Security and Privacy area
▪ Ensure the security of company information, informing the Information Security and Privacy area of any perceived abnormalities.

The Information Security and Privacy area is responsible for:
▪ Establish information security and privacy guidelines
▪ Make relevant stakeholders aware of information security
▪ Identify and report risks related to information security and privacy
▪ Establish controls to mitigate risks
▪ Maintain and continuously improve the information security management system.

6. Guidelines
6.1 General guidelines

This policy demonstrates our ability and integrity in dealing with all interested parties.
Therefore, this policy ensures that:

▪ Information is protected from unauthorized access
▪ Information confidentiality is maintained
▪ Information is not disclosed to unauthorized entities through deliberate or careless actions
▪ Information integrity is maintained to prevent unauthorized modifications
▪ Information is available to authorized users when needed
▪ Whenever there are legal, regulatory, normative or contractual changes that impact the business of AlmavivA do Brasil Group, a critical analysis is carried out so that adjustments, if necessary, are carried out
▪ Each individual has adequate knowledge of the management, operational and technical controls that help protect AlmavivA do Brasil Group's information technology resources and assets
▪ Goals and objectives are disclosed to the stakeholders involved, so that each individual has an adequate understanding of their role and responsibility in relation to information security and privacy and the mission of AlmavivA do Brasil Group
▪ Policies, procedures and practices are communicated to the parties involved in AlmavivA do Brasil Group.

6.2 Regulations

AlmavivA do Brasil Group and the interested parties involved undertake to fully comply with the information security and privacy requirements applicable or required by regulations, statutes, laws and/or contractual clauses.

6.3 Risks and threats

All information and associated assets must be periodically evaluated and the respective risks to AlmavivA do Brasil Group's business must be mapped. Risks and threats inherent to information security and privacy must be addressed through the implementation of specific controls and must be periodically reassessed.

The acceptance of residual risks must be approved by the manager and periodically reassessed.

6.4 Suppliers

AlmavivA do Brasil Group has a risk assessment process for critical suppliers.

This methodology aims to detect, assess and manage risks in services or products provided by suppliers that may directly impact the business of AlmavivA do Brasil Group.

All third parties must undertake to act in accordance with the Information Security Policy, and it is imperative that the contract signed between the companies has a clause that ensures the confidentiality of information and adherence to the Information Security Policy.

6.5 Audits

Audits are periodically carried out to ensure the effectiveness of the Information Security and Privacy Management System and its controls, as well as guarantee its effective implementation and maintenance.

6.6 Business continuity

Business continuity plans are produced, maintained and tested in line with management expectations.

6.7 Information classification

The information classification process established by AlmavivA do Brasil Group aims to protect information against disclosure. To this end, any and all types of information created and/or stored within the company's facilities must be classified by one of the following options:

▪ Public
▪ Internal
▪ Restricted
▪ Confidential.

6.8 Training and awareness

AlmavivA do Brasil Group has a communications and training program for all employees and appropriate stakeholders.

6.9 Incident handling

Security incidents that occur at AlmavivA do Brasil Group must be reported to the Information Security area through the company's official channels (the Information Security and Privacy e-mail: [email protected]), especially in cases of unavailability of systems and leakage of customer information.

An Information Security Incident is any Information Security event that has an impact on AlmavivA do Brasil Group, leading to the need for response and recovery. Incidents of Information Security and Privacy are considered to be occurrences of the following nature:

▪ Loss, robbery or theft of equipment containing corporate information
▪ System malfunction or overload due to internal or external attacks
▪ Unauthorized use or access to information systems
▪ Non-compliance with Information Security and Privacy policies and guidelines
▪ Deviation of Information Security controls implemented at AlmavivA
▪ Violation of access to critical areas containing corporate information or systems.

Incidents must be prioritized according to the recorded impact and criticality classification. In this way, it is possible to decide when it is necessary to activate the incident response group, which, in turn, will decide on the activation of the business continuity plan.

6.10 Information security in project management

Information Security is a participating party in the preparation and delivery of any project, special or not, that changes the standard of the infrastructure of the environment of AlmavivA do Brasil Group.

It is responsible for evaluating whether the requested requirements or needs are in accordance with the objectives and guidelines of Information Security, and whether these are followed in all phases of the projects.

Information security is responsible for assessing and identifying risks and proposing the best solution to meet the objectives of Information Security and Privacy and the objectives of the project and/or business.

6.11 Secure development of systems

Secure development is a requirement to build a secure service, architecture, software and system at AlmavivA do Brasil Group. For this, the following aspects must be considered at a minimum:

▪ Separation of development, test and production environments
▪ Security in the software development lifecycle
▪ Security requirements in the specification and design phase
▪ Security checkpoints in projects
▪ Secure repositories for source code and configuration
▪ Security in version control
▪ Required application security knowledge and training
▪ Ability of developers to prevent, find and fix vulnerabilities.

For systems testing, select, protect and manage information, considering:

▪ Do not copy sensitive information into the system's development and test environments unless equivalent controls are provided for the development and test systems
▪ Protect sensitive information by removal or masking if used for testing.

If development is outsourced, it must be verified that the supplier complies with AlmavivA do Brasil Group's rules for secure development.

6.12 Security in communications

All communications between the technological environments of AlmavivA do Brasil Group and relevant interested parties must use encrypted communication channels, using ciphers and algorithms that are known to be secure.

6.13 Backup copies

Copies of information, software and systems configuration must be kept and regularly tested in accordance with specific policies on backup, allowing recovery of data or systems if necessary.

To prevent data leakage, measures such as encryption, access control and physical protection of the storage media should be used, when applicable.

6.14 Protection and privacy of personal data

All existing processes at AlmavivA do Brasil Group that involve the processing of personal data in any database must follow the guidelines established in the Privacy Policy.

6.15 Critical analysis of information security

Annually, or whenever there is a significant change in the business model, a formal process of critical analysis of the information security policy must be carried out.

6.16 Continuous improvement

The continuous improvement of the Information Security and Privacy Management System is a commitment of everyone in AlmavivA do Brasil Group and stakeholders.

7. Final provisions

Any need for action in disagreement with the rules established in the Information Security Policy and the Privacy Policy and their complementary policies must be directed to Information Security for risk analysis, registration, and submission for consideration by the competent authority and/or Information Security and Privacy Committee.

Employees who make improper or unauthorized use of company resources, violate security controls, or in any way act in disagreement with the terms of this policy are subject to the application of legally prescribed disciplinary measures, with the possibility of criminal, civil and/or administrative liability, in the form of the legislation in force.
