Information Security Policy
Objective
This document establishes the rules and principles of the Information and Cybersecurity Policy that must guide the actions of NicolaSec's partners. It is a summarized version of the Internal Policy, prepared for public disclosure.
Information Security Principles
Information security encompasses three basic pillars, highlighted in the following principles:
- Confidentiality: Ensures that information is accessible only to authorized individuals and only for the necessary period.
- Availability: Ensures that information is available to authorized individuals whenever required by business processes or NicolaSec clients.
- Integrity: Ensures that information is complete and intact, and has not been modified or destroyed in an unauthorized or accidental manner during its lifecycle.
Policy Scope
This document is based on NicolaSec's fundamental information and cybersecurity principles, and its scope covers the following areas:
- Information classification and use
- Logical access
- Network security
- Backup copies
- Logs and audit trails
- Media devices and controls
- Equipment use
- Clean desk and clean screen
- Virus protection and mitigation
- Internet and email use
- Encryption
- Social networks
- Vulnerability management
- Information and cybersecurity incidents
- Risk management
- Business Continuity Plan
- Incident Response and Action Plan
General Guidelines
At NicolaSec, Information and Cybersecurity is a collective responsibility, shared in particular by all Employees and partners.
Data Privacy: NicolaSec's information, as well as that of clients and the general public, is handled in accordance with current regulations and must never be accessed or processed by individuals not authorized by the company.
The guidelines that govern the interpretation and implementation of the Policy are: confidentiality, integrity, compliance, and availability.
The guidelines expressed in this Policy apply to all information relevant to NicolaSec that is under its direct management or under the custody of third parties.
The information managed is used solely for the purposes defined by NicolaSec, and at no time or under any circumstance may this information be appropriated or used for personal benefit.
All NicolaSec employees and partners must be aware of this Policy and receive annual and appropriate training to handle business information.
The information generated and handled within NicolaSec is subject to classifications that define the level of protection and care each type of data must receive.
Employees must classify information assets into one of the following types:
- Public Information
- Internal Use Information
- Restricted Use Information
- Confidential Information
Information classified as internal, restricted, or confidential must not be disclosed in public internet environments, social networks, forums, discussion groups, or similar.
Information generated by NicolaSec is the exclusive intellectual property of NicolaSec and must not be used for personal purposes nor shared with others, even if such information was obtained, inferred, or developed by the Employee within their work environment.
Access to information systems, the corporate network, servers, and databases is granted through an individual access credential, which is confidential and must not be disclosed under any circumstances, not even to other Employees.
Confidential information must not be left exposed on desks or in cabinets, and drawers must be locked when not in use. If Employees leave their desks, they must lock their workstations.
NicolaSec’s Information and Cybersecurity incidents are recorded, their root cause and impact are analyzed, and criticality factors are defined so that they can later be reported to the Board and properly monitored by Employees.
NicolaSec will ensure business continuity in the event of incidents that may compromise the normal operation of its activities. To this end, it will use its Business Continuity Plan (BCP), which is periodically reviewed with a continuous improvement objective.
NicolaSec applies a rigorous security process to physical access and to its physical and logical assets, in accordance with market best practices.
Partners are required to maintain the same level of rigor in protecting physical and logical assets, formalized in our contracts that govern service delivery.
Applicable Regulations:
- NBR ISO/IEC 27001:2013 – Information Security Management Systems
- NBR ISO/IEC 27002:2013 – Code of Practice for Information Security Controls
- NBR ISO/IEC 27005:2019 – Information Security Risk Management
- Civil Rights Framework for the Internet (Marco Civil da Internet) – Law No. 12,965, of April 23, 2014 – Laws No. 12,735 and 12,737
- General Data Protection Law (LGPD) – Law No. 13,709, of August 14, 2018
