INFORMATION AND TECHNOLOGY SECURITY POLICY – ICC BRAZIL

1. OBJECTIVE

Establish clear and comprehensive guidelines for the appropriate use of Information Technology (IT) resources and to ensure the security, integrity, confidentiality, and availability of information in compliance with applicable legal and regulatory standards, including the Brazilian General Data Protection Law (LGPD – Law No. 13.709/2018) and international frameworks.

2. SCOPE AND APPLICABILITY

This policy applies to all employees, interns, third parties, service providers, suppliers, and partners who use information, IT assets, or technological resources made available by the organization, regardless of geographic location.

3. DEFINITIONS

The definitions applicable to this policy are consolidated in a single glossary (see Annex I), covering terms related to the LGPD, information security, IT assets, corporate systems, the internet, data networks, and printing.

4. GOVERNANCE AND COMPLIANCE

The organization maintains an information security governance program aligned with ISO 27001 and local legislation.

A Data Protection Officer (DPO) is responsible for ensuring compliance with the LGPD and acting as the point of contact with authorities and data subjects.

All personal data processing operations must be mapped, assessed, and documented.

5. GENERAL INFORMATION SECURITY GUIDELINES

Information produced or held by the organization is the company’s property and must be classified and protected. Access to information and resources must follow the principle of least privilege.

The use of corporate resources may be monitored.

Security incidents must be formally reported to the IT department.

Limited personal use of resources is tolerated, provided it does not compromise security, performance, or the company’s reputation.

6. ACCESS AND PASSWORD SECURITY

Credentials are personal and non-transferable.

Passwords must have at least 8 characters, including uppercase, lowercase, numbers, and special characters.

Multi-Factor Authentication (MFA) is mandatory for critical access.

Passwords must be changed on first login and every 90 days.

Reuse of the last 5 passwords is prohibited.

After 3 invalid attempts, the account will be locked.

7. USE OF TECHNOLOGICAL RESOURCES

7.1 IT Assets – Company property, intended for professional use only.

7.2 Data Network – Access is granted through authentication; personal devices are prohibited.

7.3 Internet – Corporate resource subject to monitoring; limited personal use tolerated.

7.4 Printing – Limited to necessity; confidential documents must be retrieved immediately.

7.5 Corporate Systems – Access through formal request; credentials are personal and non-transferable.

8. PERSONAL DATA PROTECTION AND PROCESSING (LGPD)

This policy complies with the Brazilian General Data Protection Law (LGPD), similar in principles to the EU General Data Protection Regulation (GDPR).

For LGPD purposes, ICC is the Data Controller, and RL Solucion acts as the Processor (third party).

In case of a security incident, RL Solucion must notify ICC within 24 hours.

Data processing must follow LGPD principles: purpose, adequacy, necessity, transparency, and security.

Consent must be obtained when applicable.

Data subjects have rights to access, correct, delete, and port their data.

9. ACCESS CONTROL AND ACCOUNT MANAGEMENT

All access requests must be formalized.

Accounts of terminated employees must be blocked immediately.

Access monitoring and audits will be conducted periodically.

10. THREAT AND INCIDENT PROTECTION

Systems must be updated and protected with antivirus and firewall.

VPN use is mandatory on public networks.

Incidents or phishing suspicions must be reported immediately.

The company maintains an incident response and business continuity plan.

11. TRAINING AND AWARENESS

All employees must participate in periodic training on security and privacy.

Awareness campaigns will reinforce the importance of information protection.

12. ROLES AND RESPONSIBILITIES

Users – Comply with this policy and report incidents immediately.

Managers – Ensure compliance and control access.

IT Department – Manage assets, networks, and systems.

HR – Ensure awareness and inform terminations.

DPO – Ensure LGPD compliance and act as contact point.

13. PENALTIES

Noncompliance with this policy may result in disciplinary measures, contract termination, or legal action.

14. REVIEW AND UPDATE

This policy will be reviewed annually or as needed. Exceptions will be analyzed by ICC’s IT department and Executive Board.

15. INFORMATION CLASSIFICATION

Information must be classified as Public, Internal, Confidential, or Restricted, with specific controls for each level.

16. RISK MANAGEMENT

Maintain processes for risk identification, assessment, and treatment; review risks periodically.

17. BACKUP AND RECOVERY POLICY

Perform periodic backups, store copies securely, and test restoration regularly.

18. PHYSICAL AND ENVIRONMENTAL SECURITY

Control access to critical areas; ensure climate control, fire protection, and redundant power; escort visitors.

19. CLEAN DESK POLICY

Keep confidential documents locked, lock workstations when away, and never write down passwords visibly.

20. MOBILE DEVICES AND REMOTE ACCESS

Enable encryption on corporate mobile devices; VPN mandatory; report losses immediately; BYOD allowed only with IT authorization.

21. SECURE SYSTEM DEVELOPMENT

Follow secure coding practices; perform vulnerability testing and code review before production.

22. THIRD-PARTY AND SUPPLIER MANAGEMENT

Include confidentiality and data protection clauses in contracts; suppliers must comply with LGPD; conduct periodic assessments.

RACI:
A – ICC IT
R – RL Solucion
C – Legal/DPO and Managers
I – Executive Board and Employees.

23. AUDIT, MONITORING, AND COMPLIANCE

Log all relevant activities; conduct periodic internal and external audits; evaluate compliance annually.

24. REVIEW AND UPDATE

Unaddressed cases will be analyzed by ICC’s IT and Executive Board; exceptions cannot be delegated to third parties.

ANNEX I – GLOSSARY OF TERMS

Consolidation of definitions: personal data, sensitive data, data processing, consent, confidentiality, integrity, availability, authentication, credentials, user account, generic account, security incident, IT assets, information leakage, MFA, VPN, etc.

Document Control

Version: 1.0
Issue Date: October 2025
Responsible Area: ICC Brazil IT
Classification: Internal, External
Approval: Executive Board and Data Protection Officer (DPO) – ICC Brazil