Information Security Policy

This document is intended to establish the guidelines and provide directions related to information security within 2CLIX TECNOLOGIA EIRELI, as well as to ensure that employees and third parties understand their responsibilities and the importance of Information Security when handling information under the responsibility of 2CLIX TECNOLOGIA EIRELI.

This policy applies to the entire Information Security Management System (ISMS) and serves as a basis for all other security policies of the organization.

This document is PUBLIC and is available to all employees working for 2CLIX TECNOLOGIA EIRELI, as well as its suppliers and customers.

DEFINITIONS

  • Employee: any person who works for the organization in any period or shift, including temporary staff, service providers and consultants, who performs activities either on-site or remotely and has access to information and assets owned by, or under the custody of, 2CLIX TECNOLOGIA EIRELI.
  • Personal data: information related to an identified or identifiable natural person.
  • Sensitive personal data: personal data on racial or ethnic origin, religious belief, political opinion, membership in a trade union or organization of a religious, philosophical or political nature, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
  • Processing: any operation carried out with data within 2CLIX TECNOLOGIA EIRELI, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
  • Data subject: natural person to whom the personal data that is being processed refers.
  • Anonymized data: data relating to a data subject that cannot be identified, considering the use of reasonable and available technical means at the time of its processing.
  • Database: a structured set of personal data, established in one or more locations, in electronic or physical format.
  • Controller: natural or legal person, under public or private law, responsible for making decisions regarding data processing.
  • Processor: natural or legal person, under public or private law, who processes data on behalf of the controller.
  • Processing agents: the controller and the processor.
  • Privacy: fundamental right to control the exposure of information about oneself.
  • Confidentiality: guarantee that information will only be disclosed to persons duly authorized to access it.
  • Availability: guarantee that authorized users have access to information and corresponding information assets whenever necessary, within the periods and environments approved by the organization.
  • Integrity: principle that guarantees that information is not generated with errors, and that it is only modified by approved methods, ensuring it is not altered or corrupted by improper handling.
  • Information security: consists of the protection of primary assets (information and processes) and infrastructure and support assets, whether personal or corporate. Its basic principles are Confidentiality, Integrity and Availability.
  • Information Security Management System (ISMS): a set of internal controls, based on market best practices and, when necessary, in compliance with national or international standards, that an organization implements systematically to provide security in the use of its Primary Assets and Support and Infrastructure Assets.
  • Audit trail/Log: a chronological set of events and records used to evidence the performance of a system or activities performed by a user. They can be used to attempt to reconstruct past events, track activities, and identify and hold accountable those who performed the actions.
  • Backup / Restore: activity of moving or copying data to a media different from the original. It enables information recovery in case it becomes unavailable or its integrity is compromised.

INFORMATION SECURITY MANAGEMENT

Objectives

The purpose of publishing a policy on security awareness and acceptable use is not to impose restrictions that are contrary to the established culture of 2CLIX TECNOLOGIA EIRELI, but rather to bring into this culture the level of information security required by the market, reinforcing the commitment to protect all employees, partners and the company from illegal or harmful actions by individuals, whether conscious or unconscious. To this end, it must be emphasized that effective security is a team effort involving the participation and support of every employee of 2CLIX TECNOLOGIA EIRELI and its affiliates who handle information and/or information systems. Every computer user is responsible for knowing these policies and conducting their activities accordingly.

Information Security Requirements

This policy, as well as all other processes, policies and controls in the ISMS, must comply with the requirements of all interested parties:

  • Compliance with legal requirements related to data security;
  • Guarantee of physical and information security for Employees;
  • Guarantee of space and equipment necessary for employees to perform their activities;
  • Implementation of security controls and protocols required under contract.

Information Security Controls and Guidelines

The controls selected for Information Security and their status are described in document [SEG2CX01] Statement of Applicability. In addition, specific controls for risk mitigation and treatment are listed in document [SEG2CX03.3] Risk Treatment. Besides the specific controls, there are the general Security guidelines, which serve as the first guide to Information Security at 2CLIX TECNOLOGIA EIRELI:

  • Top Management of 2CLIX TECNOLOGIA EIRELI is committed to the implementation and continuous improvement of Information Security Management, aiming at the sustainability of its business and compliance with the necessary security and usage requirements;
  • Ensuring that information of customers, users and employees is protected with utmost priority;
  • It is essential that maintenance, physical and virtual protections, and the capacity of servers and databases be prioritized to maintain constant availability of the 2CLIX TECNOLOGIA EIRELI system services;
  • Technology and communication resources, such as the information made available by 2CLIX TECNOLOGIA EIRELI, must be used exclusively for the fulfillment of employees’ professional activities;
  • 2CLIX TECNOLOGIA EIRELI must ensure that employees’ workstations remain operational and capable of producing the necessary work to ensure system maintenance and the proper fulfillment of customer needs;
  • Physical and digital documents and contracts must be kept in a secure location and accessed only by authorized persons;
  • Ensuring that legal and regulatory requirements, assessments of support and infrastructure assets, events and Security and Technology risks are properly identified, communicated, handled and addressed in a timely manner, with appropriate analysis and formalization;
  • Demands, deployments and integrations requested in contracts must be implemented securely and within the established deadlines;
  • Access to 2CLIX TECNOLOGIA EIRELI information through personal or third-party Support and Infrastructure Assets must follow the same guidelines and maintain security mechanisms equivalent to those adopted by the organization;
  • 2CLIX TECNOLOGIA EIRELI must take all necessary measures to ensure that its employees are aware of and comply with the security policies in force. The managers and legal representatives of these companies will be objectively liable before 2CLIX TECNOLOGIA EIRELI or Third Parties for the acts or omissions of their respective employees in case of non-compliance with the Security Policies listed in the SEG2CX group documents;
  • Acknowledgment and acceptance of the Information Security Policies and other established Policies and Standards must be formalized by signing the Responsibility and Confidentiality Agreement at the time of contract signature;
  • Access to 2CLIX TECNOLOGIA EIRELI information assets and information will be granted according to each team’s need to perform its functions, and each team will receive only the access necessary and nothing more;
  • Access credentials are personal and non-transferable, and each employee must keep them confidential and secret;
  • Violations of the ISMS Security Policies’ controls and rules are subject to penalties and punishments provided by law and must be reported immediately to the Security team;
  • It is strictly forbidden to develop or use programs/mechanisms that may bypass or alter the operation of implemented internal controls;
  • Information under the responsibility of 2CLIX TECNOLOGIA EIRELI must not remain exposed or stored in any location where it may be accessible to unauthorized persons;
  • The execution of Business Continuity Plans will be ensured through periodic assessments, maintenance and testing, guaranteeing maximum protection of critical assets and processes;
  • 2CLIX TECNOLOGIA EIRELI must know, comply with and enforce its information security and usage guidelines.

Risk Management

Security and Technology Risk Management is set out in document [SEG2CX03] Risk Management and the results of the Risk Identification, Analysis and Treatment process are included in derivative documents [SEG2CX03.1], [SEG2CX03.2] and [SEG2CX03.3]. These four documents describe the entire risk maintenance process, including the criteria for risk assessment and acceptance, as well as the description of the metrics used to ensure that assessments are reproducible and comparable over time.

Business Continuity

The business continuity management process is described in [SEG2CX07.1] Business Continuity Plan. It defines the activities for creation, execution, testing and updating of the BCP in order to identify and mitigate the impacts caused by interruptions to critical business activities of 2CLIX TECNOLOGIA EIRELI and its assets.

Information Security Management

The structure of the Security team must be formal, and employees performing activities must have specific knowledge in this discipline. It is the responsibility of the Security team to lead initiatives and tactical and operational actions.

Strategic Information Security initiatives must be assessed and sponsored by an Information Security Committee (ISC), composed of a representative appointed by Management, the person responsible for Security and specialists, when necessary, and by representatives who have clearly defined managerial roles in the 2CLIX TECNOLOGIA EIRELI organizational chart. Currently, the ISC is composed of one representative from the Security team, one from the Projects team and one from Management.

Human Resources Management

The responsibilities of employees and third parties are described in [SEG2CX12] Human Resources Security Policy in order to ensure proper awareness, prevention of Security events and penalties according to the stages of employment or service contracts.

For Information Security, Human Resources management is built on the following requirements and objectives:

  • Security guidelines and responsibilities must be clearly communicated to employees during the selection and hiring process;
  • The professional and criminal history of candidates and third parties must be verified in accordance with laws, regulations and ethical standards;
  • Formal procedures for revoking and granting access rights must be applied in the process of employee termination, as well as in changes of position, roles and activities, whether at 2CLIX TECNOLOGIA EIRELI or at the company responsible for the employee;
  • All assets and information in the employee’s possession must be returned upon termination or at the end of contracts with third parties.

Information Handling and Classification

Information under the responsibility of 2CLIX TECNOLOGIA EIRELI must be handled correctly throughout its entire lifecycle. All assets must be identified, inventoried and classified (by confidentiality and criticality) so that they can be managed properly and the appropriate protection identified. The classification levels are:

  • Public Information: any information that can be accessed by all employees, customers, service providers and the general public.
  • Internal Information: information that can only be accessed by employees. This information has a degree of confidentiality that may compromise the organization’s image.
  • Restricted Information: information that can only be accessed by users of the organization who are explicitly indicated by name or area to which they belong, and by the organization’s partners when necessary and under an NDA. Unauthorized disclosure of this information may cause financial, reputational or operational impact to the organization’s business or that of its customers.
  • Personal Data: any information that can be used to identify a natural person.
  • Sensitive Personal Data: data that contains specific personal information about the data subject, such as racial or ethnic origin, religious belief, political opinion, union membership or membership in an organization of a religious, philosophical or political nature, data concerning health or sex life, genetic or biometric data.

Access Credential Management

Requests and approvals for access at 2CLIX TECNOLOGIA EIRELI must follow formal processes described in document [SEG2CX09] Access Management, which defines password usage, control of granted or denied privileges, and the lifecycle of access updates and reviews.

Separation of duties must be applied to reduce opportunities for changes or misuse of information assets, whether accidental or deliberate.

Remote Work (Home Office)

VPN

Access to the company network via VPN provides a higher level of security for the internal network, as all such access passes through an encrypted connection.

Password Policy

  • Use passwords of at least 8 alphanumeric characters, including special characters (@ # $ %) and a mix of uppercase and lowercase letters;
  • The same password must not be used for different purposes, for example, corporate systems, bank accounts, email, etc.;
  • The password must never be shared with anyone. If there is any suspicion regarding password security, it must be changed immediately;
  • Everything executed using a password is the responsibility of the “owner” of that access;
  • Passwords must not be written down or stored in unencrypted electronic files;
  • Passwords must not be based on personal information such as first name, family member names, date of birth, address, license plate number, company name, department name, nor consist of obvious keyboard combinations such as “abcdefgh”, “87654321”, among others;
  • Using a password manager software is recommended to generate strong passwords and store them securely.

Workstation Usage Policy

Each workstation has internal identifiers that allow it to be recognized on the network, and each individual has their own workstation. This means that everything executed from a workstation is the responsibility of the employee to whom it is assigned.

  • Do not install any type of software/hardware on company-provided devices without authorization from the technical or security team;
  • Keep only what is strictly necessary or personal on your workstation. All company-related data must be kept in Google Drive cloud storage or in Azure repositories;
  • Do not attempt to gain unauthorized access to another computer, server or network;
  • Do not access confidential information without explicit authorization from the owner;
  • Do not inspect or capture data traffic on the network;
  • Do not interrupt a service, servers or computer network by any illicit or unauthorized method;
  • Do not host pornography, racist material or any content that violates prevailing laws, morality, good customs or public order;
  • Do not use pirated software on company equipment.

Antivirus

  • Keep your antivirus and operating system up to date;
  • Report suspicious behavior on your system to the technical team;
  • Report conflicts between the antivirus and software necessary for performing your duties.

Physical and Environmental Security Management

Environments and perimeters where information under the responsibility of 2CLIX TECNOLOGIA EIRELI is accessed or stored must be protected with physical access controls, monitoring, employee identification and audit trails.

Backup/Restore

Backups of information and infrastructure and support assets must be performed, tested periodically and stored properly for periods determined in accordance with established guidelines and aligned with the Business Continuity requirements of 2CLIX TECNOLOGIA EIRELI.

Operations and Communications Management

  • Operational procedures must be documented, kept up to date and made available to employees;
  • Development, testing/homologation and production environments must be segregated to reduce the risk of unauthorized access to information or unauthorized changes to assets;
  • The use of information assets must be periodically monitored for future capacity and performance planning;
  • Resources must be planned properly to meet fluctuating capacity demands of assets;
  • Acceptance criteria for new systems, updates and new versions must be established and testing procedures applied before deployment in the live production environment;
  • Detection, prevention and protection controls against malicious code (viruses, malware, adware, ransomware and others), as well as awareness procedures, must be implemented;
  • Security aspects, service levels and requirements for managing all network services must be identified and mentioned in agreements and contracts;
  • Procedures must be documented for managing physical media to prevent exposure, alteration, removal, unauthorized destruction or interruption of business activities;
  • The process for destroying media and documents, when no longer needed, must be carried out securely as described in internal procedures;
  • Procedures must be documented for monitoring information assets and for periodic review of results;
  • Records of user, system and transaction activities (audit trails), exceptions and information security events must be recorded and stored appropriately for an agreed period to comply with regulations and standards, support potential future investigations and monitor access controls.

Acquisition, Development and Maintenance of Information Assets

  • Security requirements must be identified and adopted before development or assessment of an information asset;
  • The analysis of security specifications must be considered as a project phase and must be justified, agreed and documented;
  • The use of cryptographic controls to protect information assets must follow the required criteria and must be considered as part of the risk analysis and mitigation process, through the selection and implementation of controls;
  • The processes for generating, distributing, storing and revoking cryptographic keys must follow formal procedures.

Security Incident Management

Incident response procedures involving resources of 2CLIX TECNOLOGIA EIRELI and third parties must be defined and published with the objective of maintaining continuous improvement in processes related to security incident management.

Communication of security events and identified vulnerabilities in information assets of 2CLIX TECNOLOGIA EIRELI must follow formal procedures so that necessary corrections or actions can be applied in a timely manner.

Email and Communication Activities

The email account provided by 2CLIX TECNOLOGIA EIRELI is for professional use only, and the IT area is responsible for managing email usage. The user is responsible for all access, message content and use related to their email account.

The company may, at any time, monitor the receiving and sending of messages by its employees (employees and interns) and parties involved (except customers). It is forbidden to create, copy or forward messages or images that:

  • Contain defamatory statements or offensive language of any kind;
  • Are part of message chains, whether legal or illegal;
  • Forward advertisements or alert messages about any subject. In cases where the user believes it is beneficial to share the topic with 2CLIX TECNOLOGIA EIRELI, the suggestion must be sent to the Human Resources area, which will decide whether or not to publish it;
  • Disparage, demean or incite prejudice against certain groups, such as gender, race, sexual orientation, age, religion, nationality, place of birth or physical disability;
  • Contain pornographic, obscene or otherwise inappropriate content for a professional environment;
  • Are hostile or indirectly convey hostile messages; advocate or facilitate illegal activities; or may harm the image of 2CLIX TECNOLOGIA EIRELI, its partners and customers.
  • Alter the original content of messages and forward them without mentioning such alteration. Modifying the original content of messages without prior authorization may be deemed fraud and will be handled legally in accordance with applicable laws.

Internet Access

Once corporate accounts and access to the 2clix workstation are granted, employees may not access websites with the following content:

  • Pornography;
  • Racism;
  • Hacking;
  • Games;
  • Chat;
  • Webmail;
  • Instant Messenger;
  • Search for pirated software;
  • Social networking and relationship websites;
  • Others that the ISC may deem restricted.

Audit and Compliance

  • The use of information or information assets that may be subject to intellectual property rights, such as copyrights, patents or trademarks, must follow appropriate procedures to ensure lawful use;
  • Security procedures must be followed correctly to achieve compliance with 2CLIX TECNOLOGIA EIRELI Policies, Standards and Procedures, or with specific contractual clauses;
  • Controls implemented on information assets must be periodically reviewed to ensure compliance with the Information Security Policy documents;
  • Controls must be audited periodically to identify possible configuration deviations, unauthorized access attempts or access, and the assignment of privileges that diverge from roles and positions;
  • Audit tools and their results must be restricted to the responsible parties involved.

Exceptions

All exceptions must follow formal recording and authorization procedures. Under no circumstances may an exception nullify the original control, and any compensating controls used will be incorporated and treated as a new Security control.

Responsibilities

  • The person responsible for the Security team must ensure that the ISMS is implemented in accordance with the scope and controls defined in the information security documents;
  • The Security team is responsible for communicating and training other teams to adapt to and correctly use the security processes and controls adopted;
  • In conjunction with Management, the Security team must review documentation, processes and controls according to the cycles defined in their respective “Validity and document management” sections;
  • The person responsible for creating access credentials must inform employees when their access is created or changed, and is also responsible for removing employees’ access as needed;
  • All security incidents must be reported to the person responsible for the Security team;
  • Any incident or change in the scope of the type of data processing must be communicated to the interested party representing the data. This communication must be made by the Security Manager or the System Administrator;
  • The Security team must organize and deliver training for sharing and raising awareness among employees about the security policies and processes adopted by the organization;
  • It is the responsibility of every employee to know, comply with and enforce the information security guidelines of 2CLIX TECNOLOGIA EIRELI.

Policy Communication

Communication of the policy is the responsibility of the Security team, which must keep documents up to date in shared Google Drive repositories and on the Azure DevOps wiki, as well as organize training for all teams whenever necessary.

SUPPORT FOR ISMS IMPLEMENTATION

The Management team declares its support for the implementation of the ISMS and will work to reinforce the policies and processes in the culture of 2CLIX TECNOLOGIA EIRELI, as well as implement the necessary controls for the organization’s alignment with desired security standards.

PENALTIES

  • The use of another person’s devices and/or identification credentials constitutes a crime under the Brazilian Penal Code (art. 307 – false identity);
  • If a shared login is used by more than one employee, liability before 2CLIX TECNOLOGIA EIRELI and the law (civil and criminal) will fall on the users who use it. However, if knowledge or request for shared use by the manager is identified, the manager shall be held responsible;
  • The Security Committee will be responsible for judging employees who infringe the rules established herein.

VALIDITY AND DOCUMENT MANAGEMENT

This document becomes valid as of the date of its last approval and has a useful life of up to one year.

The Security team is responsible for reviewing, auditing and updating this document, and may bring forward the change process if necessary.

To ensure a clear and objective assessment, some factors will be used as evaluation criteria:

  • Number of incidents caused by unclear or uncertain security policy definitions;
  • Time wasted by employees in redundant or bureaucratic processes;
  • Trend in records of offenders of security processes;
  • Processes that are ineffective for their intended purpose;
  • Alignment with legal and contractual requirements.

Records of incidents involving the content of this document and other security processes of 2CLIX TECNOLOGIA EIRELI will be kept in a specific folder in the internal documents directory.
