Information Security Policy

Summary

  1. Introduction
  2. Information Security and Privacy
  3. Asset Management
  4. Access Management
  5. Physical and Environmental Security
  6. Operational Safety
  7. Risk Management
  8. Clean Screen
  9. Event and Incident Management
  10. Information security in project management
  11. Change Management
  12. Business Continuity Management


1. Introduction

The purpose of this high-level Policy is to define the purpose, direction, principles, and basic rules for information security management and to ensure that information is adequately protected.
It defines the rules for the use of cryptographic controls, as well as the rules for the use of cryptographic keys, to protect the confidentiality, integrity, authenticity, and non-repudiation of information.
It also defines the rules for preventing unauthorized access to information in workplaces, as well as shared facilities and equipment.
This policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS scope document.

2. Information Security and Privacy

TM Tecnologia is committed to implementing an Information Security and Privacy Management System, meeting all applicable requirements of ISO 27001 and ISO 27701, compatible with the organization's context.
This commitment is applied by all employees, leaders, and board members, focusing not only on system implementation but also on continuous improvement, which aims to maintain and promote ongoing preventive and corrective actions based on data analysis, indicators, nonconformities, and internal audits.
TM Tecnologia guarantees the security and privacy of information in its custody, which is handled or stored in the media over which TM Tecnologia has full administrative, physical, logical, and legal control.
Data handling is carried out in accordance with specific internal standards or as defined in this policy.

3. Asset Management

TM Tecnologia's assets must be used primarily for the company's interests and business.
Assets containing confidential information must be recorded, stored, protected, and, depending on the need, disposed of in a controlled manner, in accordance with applicable legislation.

4. Access Management

Logical access to computer systems provided by TM Tecnologia must be identified and controlled, observing the principles of information integrity, confidentiality, and availability, ensuring the traceability and effectiveness of authorized access.
Passwords for access to TM Tecnologia's information assets/services or computing resources are personal and non-transferable, and it is the user's duty to ensure their safekeeping and confidentiality.

5. Physical and Environmental Security

Access to TM Tecnologia's facilities must be controlled. Passwords and badges are personal and non-transferable, and cannot be shared.
All employees, partners, and suppliers are responsible for the information and data stored at their workstations (desk and computer) and must ensure their security.
Remote work is authorized by the company's senior management. Access must be authorized by the area manager, as defined in the "Physical and Environmental Security" procedure.
All laptops and cell phones provided by TM Tecnologia must be registered and configured with a unique identification, security standards, and a user responsible for their use, as defined in the "Physical and Environmental Security" procedure.
The use of employee or partner mobile devices (BYOD) is authorized by the company's senior management. Access must be authorized by the area manager, informing which resources or corporate data will be accessed by the device, as defined in the "

6. Operational Safety

Communications: 

  • The email and cell phone numbers provided to employees and service providers must be used only for professional activities strictly in the interest of TM Tecnologia. Alerts are generated when an email containing a virus (malware) is received, and employees receive guidance alerts.
  • Audits are carried out on the email boxes and other resources made available by TM Tecnologia to any employee, without prior notice, when possible breaches of information security are identified.

Operations: 

  • Employees must take a proactive stance regarding the protection of information and must be alert to external threats, as well as fraud, information theft, and improper access to information systems under the responsibility of TM Tecnologia.
  • Data considered confidential or restricted must be stored in network folders, and sharing of folders on personal devices is not permitted.
  • All data considered essential to the objectives of TM Tecnologia must be protected through systematic and documented backup routines and must be subjected to periodic recovery tests.
  • Internet access granted to employees and partners using the internal network must be used primarily for the interests and business of TM Tecnologia.
  • The use of the Internet for private interests must be carried out carefully, not exceeding the limits of reasonableness and the principles established by TM Tecnologia.
  • TM Tecnologia may carry out proactive monitoring and control, with the aim of detecting anomalous information processing activities and violations of information security policy, standards or procedures, maintaining the confidentiality of the process and the information obtained.

Systems Acquisition, Development and Maintenance: 

  • Only approved products and software can be used in the TM Tecnologia environment.
  • Software developed by TM Tecnologia must include security measures, for example: vulnerability testing, authentication testing, session control and code injection testing.

Technical Vulnerabilities and Malware: 

  • TM Tecnologia carries out periodic monitoring to map technical vulnerabilities and possible malware.
  • TM Tecnologia uses antivirus software on all corporate servers, workstations and gateways.

Encryption: 

  • TM Tecnologia uses encryption solutions depending on legal and contractual obligations.

7. Risk Management

TM Tecnologia conducts actions to identify and classify the organization's Information Security risks by mapping vulnerabilities, threats, impact and probability of occurrence, as well as adopting controls for mitigation and contingency.

8. Clean Screen

All professionals, employees and partners are responsible for the information stored at their workstations (desk, computer and mobile devices) and must ensure its security, not leaving confidential information accessible to others.

9. Event and Incident Management

Any TM Tecnologia professional can identify observed or suspected information security vulnerabilities in the systems or services in which they are working.

10. Information security in project management

TM Tecnologia guarantees effective and efficient controls in projects and operations.

11. Change Management

TM Tecnologia monitors planned changes, analyzing their consequences and taking action to mitigate any adverse effects.

12. Business Continuity Management

TM Tecnologia has a business continuity plan, with actions and responsibilities to minimize the impacts resulting from incidents, including the implementation of risk mitigation and contingency measures.