Establish clear and comprehensive guidelines for the appropriate use of Information Technology (IT) resources and to ensure the security, integrity, confidentiality, and availability of information in compliance with applicable legal and regulatory standards, including the Brazilian General Data Protection Law (LGPD \u2013 Law No. 13.709\/2018) and international frameworks.<\/p>\n
This policy applies to all employees, interns, third parties, service providers, suppliers, and partners who use information, IT assets, or technological resources made available by the organization, regardless of geographic location.<\/p>\n
The definitions applicable to this policy are consolidated in a single glossary (see Annex I), covering terms related to the LGPD, information security, IT assets, corporate systems, the internet, data networks, and printing.<\/p>\n
The organization maintains an information security governance program aligned with ISO 27001 and local legislation.<\/p>\n
A Data Protection Officer (DPO) is responsible for ensuring compliance with the LGPD and acting as the point of contact with authorities and data subjects.<\/p>\n
All personal data processing operations must be mapped, assessed, and documented.<\/p>\n
Information produced or held by the organization is the company\u2019s property and must be classified and protected. Access to information and resources must follow the principle of least privilege.<\/p>\n
The use of corporate resources may be monitored.<\/p>\n
Security incidents must be formally reported to the IT department.<\/p>\n
Limited personal use of resources is tolerated, provided it does not compromise security, performance, or the company\u2019s reputation.<\/p>\n
Credentials are personal and non-transferable.<\/p>\n
Passwords must have at least 8 characters, including uppercase, lowercase, numbers, and special characters.<\/p>\n
Multi-Factor Authentication (MFA) is mandatory for critical access.<\/p>\n
Passwords must be changed on first login and every 90 days.<\/p>\n
Reuse of the last 5 passwords is prohibited.<\/p>\n
After 3 invalid attempts, the account will be locked.<\/p>\n
7.1 IT Assets \u2013 Company property, intended for professional use only.<\/p>\n
7.2 Data Network \u2013 Access is granted through authentication; personal devices are prohibited.<\/p>\n
7.3 Internet \u2013 Corporate resource subject to monitoring; limited personal use tolerated.<\/p>\n
7.4 Printing \u2013 Limited to necessity; confidential documents must be retrieved immediately.<\/p>\n
7.5 Corporate Systems \u2013 Access through formal request; credentials are personal and nontransferable.<\/p>\n
This policy complies with the Brazilian General Data Protection Law (LGPD), similar in principles to the EU General Data Protection Regulation (GDPR).<\/p>\n
For LGPD purposes, ICC is the Data Controller, and RL Solucion acts as the Processor (third party).<\/p>\n
In case of a security incident, RL Solucion must notify ICC within 24 hours.<\/p>\n
Data processing must follow LGPD principles: purpose, adequacy, necessity, transparency, and security.<\/p>\n
Consent must be obtained when applicable.<\/p>\n
Data subjects have rights to access, correct, delete, and port their data.<\/p>\n
All access requests must be formalized.<\/p>\n
Accounts of terminated employees must be blocked immediately.<\/p>\n
Access monitoring and audits will be conducted periodically.<\/p>\n
Systems must be updated and protected with antivirus and firewall.<\/p>\n
VPN use is mandatory on public networks.<\/p>\n
Incidents or phishing suspicions must be reported immediately.<\/p>\n
The company maintains an incident response and business continuity plan.<\/p>\n
All employees must participate in periodic training on security and privacy.<\/p>\n
Awareness campaigns will reinforce the importance of information protection.<\/p>\n
Users \u2013 Comply with this policy and report incidents immediately.<\/p>\n
Managers \u2013 Ensure compliance and control access.<\/p>\n
IT Department \u2013 Manage assets, networks, and systems.<\/p>\n
HR \u2013 Ensure awareness and inform terminations.<\/p>\n
DPO \u2013 Ensure LGPD compliance and act as contact point.<\/p>\n
Noncompliance with this policy may result in disciplinary measures, contract termination, or legal action.<\/p>\n
This policy will be reviewed annually or as needed. Exceptions will be analyzed by ICC\u2019s IT department and Executive Board.<\/p>\n
Information must be classified as Public, Internal, Confidential, or Restricted, with specific controls for each level.<\/p>\n
Maintain processes for risk identification, assessment, and treatment; review risks periodically.<\/p>\n
Perform periodic backups, store copies securely, and test restoration regularly.<\/p>\n
Control access to critical areas; ensure climate control, fire protection, and redundant power; escort visitors.<\/p>\n
Keep confidential documents locked, lock workstations when away, and never write down passwords visibly.<\/p>\n
Enable encryption on corporate mobile devices; VPN mandatory; report losses immediately;<\/p>\n
BYOD allowed only with IT authorization.<\/p>\n
Follow secure coding practices; perform vulnerability testing and code review before production.<\/p>\n
Include confidentiality and data protection clauses in contracts; suppliers must comply with LGPD; conduct periodic assessments.<\/p>\n
RACI:
\nA \u2013 ICC IT
\n5R \u2013 RL Solucion
\nC \u2013 Legal\/DPO and Managers
\nI \u2013 Executive Board and Employees.<\/p>\n
Log all relevant activities; conduct periodic internal and external audits; evaluate compliance annually.<\/p>\n
Unaddressed cases will be analyzed by ICC\u2019s IT and Executive Board; exceptions cannot be delegated to third parties.<\/p>\n
Consolidation of definitions: personal data, sensitive data, data processing, consent, confidentiality, integrity, availability, authentication, credentials, user account, generic account, security incident, IT assets, information leakage, MFA, VPN, etc.<\/p>\n