4. Guidelines
4.1. Assumptions
This Policy has been drawn up on the basis of Resolution 4.658/2018 of the National Monetary Council and Resolution 85/2021 of the Central Bank of Brazil, which deal with the cyber security policy and with the requirements for contracting data processing, data storage and cloud computing services, to be observed by payment institutions authorised to operate by the Central Bank of Brazil.
4.2. Structure of the Area
In alignment with the strategies defined by IT and with Information Security best practices, an analysis was made of the various standards and frameworks that would meet the company's information protection requirements.
NBR ISO/IEC 27001 and 27002 were selected, together with the PCI standards and the requirements of the Central Bank, with the aim of implementing not only technology controls but also process controls, thus ensuring governance in the implementation of the Security Management System of Stregu Inc.
The organizational structure that was assembled reflects the selection of security management controls and is based on the results of the Risk Assessment, the guidelines of the shareholders, the diagnosis performed, the culture of Stregu Inc. and applicable legislation.
The Information Security team is allocated within the Technology structure of Stregu Inc., under the name Security, as shown in the chart below.
4.2.1. Implementation and Operation of the Information Security Area
Based on its Information Security Management System, Stregu Inc.:
4.2.1.1. Defines a risk treatment plan that identifies the appropriate management actions, resources, responsibilities and priorities for managing information security risks;
4.2.1.2. Implements a plan for handling the audit points that fall under the area's responsibility, in order to meet the identified control objectives;
4.2.1.3. Implements all the controls selected to meet the control objectives;
4.2.1.4. Defines how to measure the effectiveness of the selected controls or groups of controls, and specifies how these measurements are used to assess control effectiveness so as to produce comparable and reproducible results;
4.2.1.5. Defines the scope and boundaries of the area and of the processes involved, in terms of the characteristics of the business, the organization, its location, assets and technologies, including details of and justification for any exclusions from the scope of the controls;
4.2.1.6. Implements technology to identify attempted and actual information security breaches, whether successful or not, as well as security incidents;
4.2.1.7. Contributes technology and processes to detect information security events and to prevent information security incidents through the use of indicators;
4.2.1.8. Carries out, every six months, a critical review of the effectiveness of the controls through the Information Security Committee, to ensure that the scope remains adequate and that improvements to the operational risk management process are identified and implemented;
4.2.1.9. Manages all Information Security operations;
4.2.1.10. Manages all technology resources in its custody; and
4.2.1.11. Implements Policies, Standards, Procedures and other controls that provide for the early detection of information security events and the response to information security incidents.
Stregu Inc. establishes, implements, operates, monitors, critically reviews, maintains and continually improves a documented Information Security Management System (ISMS), in the context of the organization's overall business activities and the risks to which it is subject.
4.3. Roles and Responsibilities
The roles and responsibilities related to this Policy are set forth below.
4.3.1. Information Security
4.3.1.1. Defensive Security Team
Responsible for monitoring threats, abnormal behaviour and access to data. Investigates, analyzes and responds to cyber incidents in the Stregu Inc. environment. Manages the SOC (Security Operations Center), which monitors the environment 24x7x365, analyzes information security alerts and distributes them to the teams concerned. Defines, documents and distributes the security incident response and escalation procedures, to ensure that all scenarios are dealt with efficiently.
4.3.1.2. Websites Team
Ensures that all the security requirements needed to protect the organization's mission and business processes are adequately addressed in all aspects of the architecture, including reference models and segment architectures, in accordance with security best practices.
4.3.1.3. IT Corp Team
Responsible for end-user support, from technical support to guidance on the use of the tools adopted at Stregu Inc.
4.3.1.4. Identity & Access Management
Responsible for the identity life cycle of all employees and third parties, as well as for compliance with best practices. Administers user accounts, including additions, deletions and modifications. Controls access to systems and data through appropriate access profiles.
4.3.1.5. Advisory Team
Conducts regulatory and technical assessments of security controls at corporate level; manages the risks associated with audit points, projects, regulatory compliance and legal adequacy; manages security measures; and promotes the continuous improvement of processes and design. Defines, documents and distributes security policies and procedures.
4.3.2. Directors and Employees
It is the duty of the directors and employees of Stregu Inc.:
4.3.2.1. To know and comply with this Policy, formally acknowledging its guidelines and, when necessary, contacting the person responsible for information security regarding situations that conflict with this Policy or upon the occurrence of the situations it describes;
4.3.2.2. To comply with the applicable laws and regulations governing intellectual property rights and the use of data, safeguarding sensitive data (personal data and sensitive financial data, including credit card data, policy data and data protected by law) belonging to Stregu Inc. and/or data for whose processing it is responsible;
4.3.2.3. To report to the Information Security team, in a timely manner, any event suspected of compromising the Stregu Inc. environment or of violating the Information Security and Cybersecurity Policy;
4.3.2.4. To suggest, recommend and verify the implementation of security best practices in all cases for which they are responsible;
4.3.2.5. To use information technology assets responsibly and for work purposes, within a professional, ethical and legal framework;
4.3.2.6. To protect information from unauthorized access, alteration, destruction or disclosure;
4.3.2.7. To understand the role of information security in their daily activities and to participate in the awareness programme.
4.3.3. Director Responsible for Information Security
It is the duty of the Director responsible for Information Security:
4.3.3.1. To comply with and ensure compliance with the guidelines of this Policy, in line with Resolution 4.658/2018 of the National Monetary Council and Resolution 85/2021 of the Central Bank of Brazil, as well as other related internal rules and their updates; and
4.3.3.2. To meet and fulfil all demands of the regulatory bodies related to Information Security.
4.3.4. Compliance and Information Security
It is the duty of Compliance and Information Security to keep the internal rules relating to Information Security up to date, ensuring compliance with all applicable laws and regulations.
4.3.5. Executive Committee and Information Security Committee
It is the duty of the Executive Committee and of the Information Security Committee of Stregu Inc. to ensure the protection of card data and compliance with the PCI DSS Program, providing all the resources needed by the workforce.
In cases where it may be necessary to contact the authorities (for example, when a crime is suspected), the Information Security Committee will resolve to appoint a person in charge of managing all communication activities.
Both Committees referred to above are governed by the guidelines set forth in the Information Security Committee by-laws, which are available to Stregu Inc. employees in the corporate repository of internal rules.
Presentation materials for the Committee, as well as the corresponding templates, shall be sent to the Compliance team in advance, for the organization of the meeting and the distribution of the material to its members and any other guests.
4.4. Information Security Assets
To ensure information security, the following principles should be adhered to and taken into account in decision-making:
4.4.1. Confidentiality – ensuring that information is accessible only to those authorized.
4.4.2. Integrity – ensuring that information remains intact throughout its life cycle of creation, processing and disposal.
4.4.3. Availability – ensuring that information is available whenever needed in the performance of business processes.
All information generated or developed by the business is considered an asset, whatever form it takes, such as files, devices, external media, printed documents, systems, mobile devices, databases and chat.
Regardless of the form in which they are shared or stored, information assets are to be used only for duly authorized purposes and are subject to monitoring and audit.
All information assets are the property of Stregu Inc.; each must have a designated owner, be duly labelled in accordance with the established criteria, and be properly protected from any risk or threat that could compromise the business.
4.5. General Guidelines
With regard to cyber security, Stregu Inc. has the following general guidelines:
4.5.1. Protection of data against unauthorized access, modification, destruction or disclosure;
4.5.2. Proper classification of information and assurance of the continuity of its processing, in accordance with the criteria and principles set out in the specific rules;
4.5.3. Assurance that the systems and data under its responsibility are properly protected and used only in the fulfilment of duties;
4.5.4. Care for the integrity of the infrastructure on which data are stored, handled and processed, adopting the measures necessary to prevent logical threats such as viruses, malware or other defects that could lead to unauthorized access to, or manipulation of, restricted and confidential data;
4.5.5. Maintenance and management of anti-virus, firewall and other security software, keeping them installed and up to date, and maintenance of the software installed in the environment;
4.5.6. Compliance with the laws and regulations governing the activities carried out by Stregu Inc.
In order to comply with the guidelines listed above, the cyber security objective of Stregu Inc. is to prevent, detect and reduce vulnerability to security incidents related to the cyber environment.
With regard to security measures, Stregu Inc. shall adopt procedures and controls to reduce vulnerability to incidents and to meet the cyber security objectives. These include:
i. Authentication, encryption, and intrusion prevention and detection;
ii. Prevention of information leakage, regular tests and scans to identify vulnerabilities, protection against malicious software, establishment of traceability mechanisms, access control and network segmentation, and the keeping of backup copies of data and information, in accordance with the rules in force;
iii. Application of all the procedures and controls mentioned above, including in the secure development of information systems and in the adoption of new technologies employed in the work of Stregu Inc.;
iv. Controls, including those focused on information traceability, all of which seek to ensure the security of sensitive information;
v. Control, monitoring and restriction of access to information assets, with the least permissions and privileges possible;
vi. Contribution to the mitigation of risks to the business and to the computing environment, in accordance with the Operational Risk Management Policy;
vii. Recording, analysis of causes and impact, and control of the effects of incidents relevant to the activities of Stregu Inc., including information received from third-party service providers;
viii. Drawing up an inventory of crisis scenarios, with cyber security incidents included in the service continuity tests carried out once a year to ensure the efficiency of the process, as well as producing an annual report on incident response in the technological environment of Stregu Inc.;
ix. Classification of security incidents according to their relevance, based on the classification of the information involved and on the impact on the business continuity of Stregu Inc.;
x. Periodic assessment of the service providers that process information relevant to Stregu Inc., with the aim of monitoring the maturity of their security controls for both incident prevention and incident handling;
xi. Own criteria for classifying the quality and relevance of data processing, data storage and cloud computing services, in the country and abroad;
xii. Adoption of a business continuity management process in accordance with the Corporate Business Continuity Policy;
xiii. Rules and standards to ensure that information receives a level of protection adequate to its significance. All information has an owner, must be classified, and must receive the controls necessary to ensure its confidentiality, in line with market best practices and the regulations in force;
xiv. Prevention, identification, reporting and response to security incidents and crises relating to the technical environment of Stregu Inc. that may impair the central pillars of information security or bring reputational, financial or operational risk;
xv. Mechanisms for disseminating the culture of information security and cyber security within the company, including the implementation of the required training programme for staff, the provision of information to end users about precautions in the use of the products or services offered, and the commitment of senior management to the continuous improvement of the procedures related to information security and cyber security;
xvi. Initiatives to share information on relevant incidents through membership of discussion forums and of the REFORM sharing platform.
4.6. Commitment of Senior Management
The commitment of senior management to the effectiveness and continuous improvement of the Policy, procedures and controls related to information security and cyber security is demonstrated through the ongoing evolution and improvement of the governance actions on the matters mentioned above, the availability of resources compatible with the complexity of Stregu Inc., and the review and approval of Policies and Procedures, among others.
4.7. Training and Awareness
The Information Security Training and Awareness Programme is established and managed by the Advisory team. An annual calendar is drawn up with all the topics to be covered, and different forms of training and awareness-raising may be adopted, such as:
● Online training on the awareness platform in use;
● Live online sessions on the communication platform in use, allowing interaction with the participants;
● Test phishing e-mails sent to the e-mail addresses of team members;
● Specific training to meet the needs of team members;
● Communications with tips and awareness materials sent to team members through the official communication channels.
Evidence of participation and of understanding of the content is assessed by means of a questionnaire or another appropriate method.
Evidence of the implementation of the Information Security Training and Awareness Programme is stored by Information Security in a protected location.
4.8. Records and Information
All information related to information security and cyber security incidents is confidential and must not, under any circumstances, be disclosed by the parties involved.
All documents related to an investigation, including the evidence collected, must be retained for a minimum period of ten (10) years.
4.9. General Provisions
The Information Security team shall keep its Policies, Procedures and other relevant documents formally documented in the corporate repository of internal rules.
It is the role of the person responsible for each document to update the regulation at least once (1) a year, following the corporate directive in force at the time.
Documents must adhere to the classification specified below:
POL. Policies: all documents that contain comprehensive guidelines and rules shall be classified as Policies.
PRO. Procedures: all documents that contain detailed instructions on a specific process shall be classified as Procedures.
Other documents: documents that do not fall within the categories of Policies and Procedures (for example, forms, diagrams, charts, etc.) must follow an existing code or one established at the time of the action plan, as needed.
Documents that must be available to the whole company shall first be sent to the Advisory team for review, which in turn will forward them to the Compliance team for approval and disclosure on the corporate platforms in use at the time.
Documents relevant only to the Information Security team should be sent only to the Advisory team for review and cataloguing.
4.10. Management of Consequences
All team members, suppliers, partners and clients who observe any deviation from the guidelines of this Policy are required to report it through the Ethics Channel of Stregu Inc.
Failure to comply with the guidelines of this Policy will result in the parties involved being held liable, depending on the severity of the breach, which may include administrative, civil or criminal liability, as well as disciplinary procedures and penalties under the Consolidated Labor Laws (CLT).
4.11. Compliance with the Policy
In addition to the evaluation of the effectiveness of this Policy carried out by the Information Security team, the security mechanisms shall be evaluated periodically by the internal audit department of Stregu Inc. and in the audits carried out by the entities that regulate the activities of Stregu Inc.
4.12. Contact with Specific Groups
With the aim of expanding knowledge of best practices and staying up to date with relevant Information Security information, contact has been established with groups of experts on the subject.
The contacts of these Information Security groups can be viewed via the links below.
CERT.br:
Center for the study, response and handling of computer security incidents in Brazil.
http://www.cert.br/
CVE-Mitre:
Registration, classification and disclosure of technical vulnerabilities.
https://cve.mitre.org/
4.13. Term of the Policy
This Policy will be reviewed annually, or whenever necessary. The approval of any changes to this Policy, whenever necessary, is the responsibility of the Information Security Committee and of the company's Board of Directors.
This Policy is effective as of the date of its approval by the Board of Directors and revokes any documentation to the contrary.