INFORMATION SECURITY POLICIES
DATA PROTECTION POLICY
RN is required to collect and use certain types of information about individuals or service users in connection with
the provision of RN services in order to continue our work. This personal information must
be collected and handled appropriately, whether it is collected on paper, stored in a computer
database, or recorded on other material, and there are safeguards to ensure this in LAW Nº 13,709, OF 14
1. Data Operator
RN is the data operator by law, which means that it “carries out the processing of personal data on behalf of the
controller” and undertakes to apply transparency, consent, control and security in its processes of
collection, storage and management of personal data.
RN may share data with other agencies, such as the local authority and other voluntary agencies.
The individual/service user will in most circumstances be made aware of how and with whom their
information will be shared. There are circumstances where the law allows RN to disclose data (including
confidential data) without the consent of the data subject, for example:
a) Enforcement of a legal right, or when authorized by the Secretary of State
b) Protecting the vital interests of an individual/service user or another person
c) The individual/service user has already made the information public
d) Carrying out any legal proceedings, obtaining legal advice or defending any legal rights
e) Monitoring for equal opportunity purposes – i.e. race, disability or religion
f) Providing a confidential service where the consent of the individual/service user cannot be
obtained or where it is reasonable to proceed without consent: for example, where we would like to avoid
forcing stressed or sick people/service users to provide consent signatures.
RN considers the legal and correct handling of personal information to be very important for successful work, and for maintaining the trust of those with whom we do business.
RN intends to ensure that personal information is treated legally and correctly.
To this end, RN will comply with data protection principles as detailed in the general data protection law.
Specifically, the principles require that personal information:
a) Shall be processed fairly and lawfully and, in particular, shall not be processed unless
specific conditions are met,
b) Shall be obtained only for one or more of the purposes specified by law, and shall not be processed
in any way inconsistent with that purpose or purposes,
c) Shall be adequate, relevant and not excessive in relation to those purpose(s),
d) Shall be accurate and, where necessary, kept up to date,
e) Shall not be kept longer than necessary,
f) Shall be processed in accordance with the rights of data subjects under the law,
g) Shall be kept secure by the data controller, who takes appropriate technical and other measures
to prevent unauthorized or unlawful processing or accidental loss or destruction of, or damage to,
h) Shall not be transferred to a country or territory unless that country or territory ensures
an adequate level of protection of the rights and freedoms of individuals/service users in
relation to the processing of personal information.
RN will, through proper management and strict application of criteria and controls:
• Fully observe the conditions regarding the fair collection and use of information
• Fulfill its legal obligations to specify the purposes for which the information is used
• Collect and process appropriate information, and only to the extent necessary to fulfill its operational needs or to comply with any legal requirements
• Ensure the quality of the information used
• Ensure that the rights of persons about whom information is held can be fully exercised under the law. These include:
· The right to be informed that processing is taking place, the right of access to their
personal information, the right to prevent processing in certain
· The right to correct, rectify, block or delete information that is considered to be inaccurate.
• Take appropriate technical and organizational security measures to safeguard personal information
• Ensure that personal information is not transferred abroad without safeguards
• Treat people fairly and reasonably regardless of their age, religion, disability, sex,
sexual orientation or ethnicity when dealing with requests for information
• Define clear procedures to respond to requests for information
3. Data collection and consent
Informed consent is when:
• An individual/service user clearly understands why their information is needed, with
whom it will be shared, and the possible consequences of their agreeing to or refusing that use
• And then gives their consent.
RN will ensure that data is collected within the limits set out in this policy. This applies to data
collected in person or by filling out a form.
When collecting data, RN will ensure that the individual/service user:
a) Clearly understands why the information is needed
b) Understands what it will be used for and what the consequences are if the individual/service user decides not to give
consent to processing
c) To the extent possible, gives explicit consent, whether written or verbal, for the data
d) Is, as far as reasonably practicable, competent enough to give consent and has
given it freely, without any coercion
e) Has received sufficient information about why their data is needed and how it will be used
4. Data Storage
Information and records relating to users of the services will be stored securely and will only be
accessible to authorized staff and volunteers.
The information will be stored only for as long as it is needed or required by statute, and will be discarded from
It is RN’s responsibility to ensure that all personal and company data are non-recoverable from
any computer system previously used within the organization that has been transferred/sold to a
5. Data Access and Accuracy
All individuals/service users have the right to access the information RN holds about them. RN
will also take reasonable steps to ensure that this information is kept up to date, for instance by
asking data subjects whether there have been any changes. In addition, RN will ensure that:
• It has a data protection officer with specific responsibility for ensuring
data protection compliance
• Everyone who processes personal information understands that they are contractually responsible for
following good data protection practices
• Everyone who processes personal information is properly trained to do so
• Anyone wanting to ask questions about the handling of personal information knows what to do
• It regularly reviews and audits the ways it maintains, manages and uses personal information
• All employees are aware that a violation of the rules and procedures identified in this
policy may lead to disciplinary action being taken against them
This policy will be updated as necessary to reflect best practices in data management,
security and control and to ensure compliance with any changes or amendments made to the general law of
data protection 2018.
In case of doubts or questions regarding this policy, please contact our compliance
management via e-mail: firstname.lastname@example.org.
PSI - Information Security Policy
The Information Security Policy (“PSI”) aims to preserve the confidentiality, integrity and availability of
the information used and managed in RN. In this policy we describe the proper conduct for the use, handling,
control, protection and disposal of the technology resources used in RN.
This policy covers all employees, visitors and service providers who may have access to the facilities
of RN or to its data and systems.
The technology environment is understood as: access to physical facilities, confidentiality areas, the data network,
the internet and any systems used in our work environment.
Only employees who agree with this policy, registering their acceptance by signing the “ACCEPTANCE OF
POLICY AND RULES” of RN, will have access to information such as files, confidentiality areas and RN systems.
Although this term establishes professional adherence to all of RN’s internal policies and rules, it is
essential to read all other policies related to information security.
3. RN Responsibilities
• Inclusion in the annual budget of amounts related to investments in computing resources, including
acquisition and renewal of equipment, software and digital security requirements;
• Provide enough space on servers to store files and data from its systems;
• Provide enough space for the storage of a backup routine that includes all data
referring to the company’s processes and activities;
• Meet the needs for IT resources, in order to ensure the integrity, availability and
confidentiality of information in the technology environment;
• Meet IT needs related to the development and maintenance of a business plan
4. Confidentiality Policy
All employees must be aware of and ensure the confidentiality of relevant information and processes,
and must follow the guidelines for handling, treatment and non-disclosure of confidential information, without
5. Duty of Secrecy
For service providers and outsourced workers, the duty of secrecy begins with the service provision contract
and is reinforced at the start of activities.
All contracts must have a confidentiality agreement to protect RN information. It is up to each
contracting manager to verify or impose a confidentiality clause in each contract that he or she manages.
6. Clean desktop and screen policy
Ensure the security of information by keeping the work environment in a way that does not generate
excessive exposure of information.
Follow the clean desk and clean screen policy as a daily routine: do not leave confidential or personal information or
passwords in printed form, in notes, drafts or post-its on the desk or stuck to the computer. If you use a computer in public places, do not open personal or confidential information; if it is really
necessary, use a privacy screen protector.
7. Recording and Filming Devices
Devices with recording, photography and filming functions may only be used on RN premises
when authorized, and the reason for performing such functions must be clearly defined or form part of the
employee’s scope of work.
Recording, photography or filming by visitors to RN facilities is prohibited.
In important meetings that involve sensitive and highly confidential information, the use of
recording and photography is also prohibited, and a procedure for collecting smartphones must be carried out
before the start of such meetings.
8. Wireless network access (Wi-Fi)
For internet access over “Wi-Fi” wireless networks, observe the distinction and proper use according to the
connection type: “GUEST” for visitors, “CORP” for RN notebooks and for corporate smartphones
9. Use of notebooks
Employees who have RN notebooks as a work tool must ensure the integrity of their
equipment and must use it only for “commercial purposes” of interest to RN.
They may only leave RN’s premises carrying the device when authorized by their Manager, and after completing the
registration required by the procedure for taking out data storage devices.
Personal, confidential or internal-use data may only be stored on the local disk if it is protected
10. Use of corporate cell phone
For employees who have a corporate cell phone provided by RN, the following rules and measures apply to the
use of the equipment: the employee becomes responsible for the device and must ensure the physical integrity of the
device and of the information it carries.
The corporate cell phone must be used only for “commercial purposes” of interest to RN; the
installation of unauthorized applications is not permitted.
In case of loss or theft of the device, the employee responsible for it must immediately inform the
Administrative Manager of the incident.
The e-mail service must be used only for “commercial purposes” of interest to RN, and employees must
follow and pay attention to the information security measures required by the usage policy.
When sending an e-mail outside the company, the employee must consider the information’s classification level and follow the
appropriate sending procedures.
Personal, confidential and highly confidential information cannot be sent in the body of the e-mail, only
in password-protected attachments.
12. Classification of information
All unlabeled or unclassified digital files are defined as public information; therefore
all files and information created and managed in the RN data environment must be classified and
managed according to their classification level.
All RN files must carry one of the following classification labels:
Personal: Information collected and processed internally that contains name, surname, address, telephone, e-mail, CPF, RG or biometric data, and also sensitive personal data such as racial origin,
political opinion, sexual orientation and health information.
Protected: Files for internal use, e.g. internal policies and procedures.
Confidential: Information that, if exposed externally, may result in financial, image or
business competitiveness losses.
Highly Confidential: Information that, if exposed externally, could result in financial, image and
business competitiveness losses and affect the Contractor and the Contracting Party.
Information classified as “Personal”, “Confidential” and “Highly Confidential” cannot be sent by e-mail without being encrypted and protected by a password.
For more details on information classification, see the file classification policy
available in the internal network directory “POLICIES”.
13. Access to network directories
Access to RN data directories is configured through local domain permission groups and follows
rules defined by RN’s top management, which are based on information governance practices and
relationship rules for the smooth running of the business as a whole.
These access rules are defined by RN’s top management and executed by the technical team responsible for
managing the technology environment.
To request new access or the creation of a new directory, the employee must do so by e-mail to the
Administrative Manager of RN, copying (“Cc”) his or her superior for approval of the request.
14. Logins to access systems
Logins to access the RN systems are created when the employee is hired, at the
request of the Hiring Manager to the HR department.
Upon the Hiring Manager’s request, HR forwards the need to create the logins to the IT executor, and the
IT executor is responsible for creating the logins and delivering them directly to the employee.
Access reviews and revocations follow the same rules as login creation: they must be done in writing, and
records must be kept throughout the employee’s relationship with RN.
For terminated employees, the access credential history must be kept for 1 year after their
HR is responsible for keeping these records of access requests for all RN employees, because
it is responsible for requesting the creation and cancellation of logins.
15. Backup Policy
All RN files and systems have data backup and retention policies that follow best practices
of technology data governance. So that all information is protected from unexpected or
accidental loss, we have determined that no information is to be stored on the local disks of PCs.
To restore a file from backup, the employee may request its restoration from the
IT execution technical team.
16. Acceptable Use Policy (Software and Computers)
As a matter of digital security and copyright compliance, the software used and installed on
RN’s computers, notebooks and servers is inventoried and controlled via the system.
Installing or updating any software without the authorization and consent of the
IT execution team is not allowed.
Computers and notebooks do not have administrative permissions to install, update or remove
software; therefore, if any intervention is necessary, the IT technical team must be called.
To request new software, the employee must submit the request to the Administrative Manager of RN.
17. Disposal of IT Assets
As a matter of security for RN’s information, the disposal of IT assets may only be carried out following certain
technical actions, namely:
a) Write-off of the asset in the inventory and accounting system;
b) Destruction of the data stored on disks, using specific disk-wiping (WipeDisk) tools to eliminate the
possibility of data recovery;
c) CPUs, notebooks and external drives (external HDs and USB sticks) must go through the WipeDisk process;
d) In cases of donation of technology equipment, carry out the WipeDisk procedures, the
inventory update and the equipment donation invoice.
18. Storage Devices and USB Communication Ports
Internal storage devices are the Hard Disks (HDs) or Solid State Drives (SSDs) present inside
computers, notebooks and servers.
External storage devices, on the other hand, are media that can be easily removed, such as pen drives, external HDs,
memory cards, CDs, DVDs, backup tapes and floppy disks.
For easily removable items (pen drives, external hard drives and memory cards) we apply security controls
to avoid data leakage and malware infection in the technology environment.
Consider that the use of external storage devices is an information security risk as far as
information leakage is concerned; therefore, information classified as “PERSONAL, CONFIDENTIAL and
HIGHLY CONFIDENTIAL” may only be transferred by these means when encrypted.
Consider the use of unencrypted external devices prohibited.
19. Secure password
Security rules are implemented to ensure the secure use of the set of logins and passwords of the
The password must be a complex combination of letters, numbers, special characters, and capital and
The password must not contain part of the login name, and must be at least 9 characters long.
Every employee, upon receiving a password, must change it immediately.
The employee is responsible for their login and password, and must never write it down or share it with third parties. The same
password must not be used for multiple systems; a different password is recommended for each system or environment.
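As an added example (not RN’s own tooling and not code from this policy), the following Python check applies the password rules of this section to a candidate password: at least 9 characters, a mix of letters, numbers and special characters, both capital and lowercase letters (the truncated rule above is read as requiring both), no part of the login name, and no reuse of the same password across systems. Two points are assumptions rather than policy text: “part of the login name” is taken to mean any run of three or more consecutive characters of the login, matched case-insensitively, and reuse is checked against a list of the user’s other current passwords. The login and passwords used are constructed sample values.

```python
import string

MIN_LENGTH = 9          # policy: at least 9 characters
LOGIN_FRAGMENT_LEN = 3  # assumption: a login substring this long counts as "part of the login name"


def contains_login_fragment(password, login, fragment_len=LOGIN_FRAGMENT_LEN):
    """True if any run of `fragment_len` consecutive login characters appears in the
    password (case-insensitive). Logins shorter than the fragment are matched whole."""
    pw, lg = password.lower(), login.lower()
    if len(lg) <= fragment_len:
        return lg in pw
    return any(lg[i:i + fragment_len] in pw for i in range(len(lg) - fragment_len + 1))


def check_password(password, login, other_passwords=()):
    """Return the list of policy rules the password violates (empty list = compliant).

    `other_passwords` is an assumed input: passwords the same user already uses on
    other systems, used to enforce the "no same password for multiple systems" rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if contains_login_fragment(password, login):
        problems.append("contains part of the login name")
    if password in other_passwords:
        problems.append("already used on another system")
    return problems


if __name__ == "__main__":
    # Constructed sample login and candidate passwords.
    login = "maria.silva"
    on_other_systems = ["Winter!2023x"]
    for candidate in ["Tr0ub4dor&3", "Silva#2024x", "abc12345", "Winter!2023x"]:
        verdict = check_password(candidate, login, on_other_systems)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The check reports every violated rule rather than stopping at the first, so a help desk or self-service reset page can tell the employee exactly what to change.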
20. Notification of incidents and abuses
Information security incidents are any unscheduled systemic downtime or unavailability of IT
resources. Examples: infection of devices by malware, unavailability of systems due to a
cyber attack, physical failure of some equipment, or even loss or theft of technology equipment.
Some abusive actions by employees can also generate risks and lead to unavailability of
systems, for example: misuse of technology devices, sharing logins and passwords, taking technology assets
outside the company without proper precautions, etc.
RN must report every systemic or information unavailability that occurs in the environment to RN’s senior
security management; therefore, when witnessing any information security incident, notify immediately
by e-mail to email@example.com or in person to the technical team.
21. SGSI – Information security management system
The SGSI – information security management system – is responsible for conducting and executing the policies
required by the LGPD at RN.
Through the SGSI, adherence to and application of the policies are evaluated, the schedule for implementing
security improvements is defined, the training schedule for employees is defined, and the budget necessary for
RN’s IT management is set.
The SGSI is responsible for generating the information needed as inputs to the information security
compliance status. The SGSI is formed by the Administrative Management of RN and the IT team.
22. Information Security Awareness Program
Based on the SGSI reports, the schedule of information security training, IT onboarding
and refresher training for all RN employees is defined.
Training is based on ISO 27001 and 27002 policies and procedures, and each employee must
have in their record the completion of all modules defined by the SGSI, in addition to annual refresher courses on
the most critical topics.
23. Warnings and Penalties
We inform all employees about the possible warnings and penalties in case of violation of any
of the rules described in this information security policy.
RN, through its internal policy and with the reasoned support of the SGSI-RN, may warn or apply any
disciplinary process when the employee violates any rule or internal policy.
For more details see “PLTI-008 – Warnings and Penalties”.
24. Data Protection Policy
RN employees, as data operators, are responsible for processing data on behalf of
the controllers (“CONTRACTORS”), and undertake to follow the guidelines described in the LGPD, as well as
to exercise TRANSPARENCY, CONTROL, CONSENT and SECURITY throughout the
process of collecting, storing, processing and transferring personal information.
RN is committed to ensuring the PRIVACY of personal information and of its respective owners for
as long as the information is in its possession.
RN also undertakes to carry out the proper DISPOSAL of personal information as soon as the
need to use it ends, or when requested by the owner of the information.
Every individual has the right to be forgotten and to correct or transfer their personal data; therefore, if requested, RN undertakes to perform the requested action.
25. Cryptographic Control Use Policy
In order to protect the data stored and processed by RN, it is mandatory to apply the safeguard of
encrypting data classified as “PERSONAL, CONFIDENTIAL and HIGHLY
CONFIDENTIAL” whenever it is stored on a computer’s local disk. This rule must be followed
without exception, even if the information is stored temporarily.
Compliance with this policy is an obligation of all RN employees, and failure to comply is
subject to the penalties described in our “Warnings and Penalties” policy.
PLTI-002 - Data Retention Policy
1. Data Retention Policy
Records retention and management is an important component of the company’s LGPD regulatory compliance
process. Therefore, we need to store and manage information about general operations as part
of day-to-day activities.
This policy provides general provisions for adherence to records and retention schedules and provides a
consistent policy regarding the retention of operational records and data.
This policy applies to all RN employees involved in the collection, management and storage of
informational assets (written or electronic).
4. General Responsibilities
RN will establish record retention schedules to meet legal, statutory and
compliance requirements, as well as the litigation needs, business processes and data privacy
concerns. Storage requirements will be coordinated with Gestão RN and its respective IT Manager or
DPO, so that the necessary storage and records requirements can be met.
Retention periods are generally determined by the following assessment:
• State and federal regulatory, statutory, legal or general compliance requirements;
• Determining the electronic components of the data collected and their purpose, and applying the
retention appropriate to each class of data asset;
• Identifying other internal or external entities that collect, store, archive or
use RN information and records;
RN managers are responsible for executing the procedures and keeping the records relating to
retention as described in this policy.
Specific procedures should specify the retention time, filing rules, file formats,
data, and the permissible means of storage, access and encryption (if any).
5. Retention requirements
RN data managers or their subordinates must:
• Implement data retention and erasure guidelines that limit the storage and retention time of
data to what is necessary for legal, regulatory and business
requirements
• Ensure that there are automatic or manual processes for the safe destruction of paper and
electronic records when they are no longer needed
• Follow specific retention requirements for sensitive data as established by
• Identify retention periods for log files and audit trails
• Define and enforce e-mail retention requirements
• Determine procedures and personnel for handling litigation requests, public records, and
Different types of records require varying retention periods. In addition to describing how
long the various types of information must be retained, retention procedures must cover:
• The steps used to archive information and the locations where that information is stored
• The proper destruction of electronically stored information after the identified retention
period. Such measures must follow the requirements described in this policy.
• Procedures for chain of custody and handling of electronically stored information
when under litigation
In certain cases, individual departments may have unique record retention requirements
outside of the documented groups. These must be documented as part of internal processes and
procedures and communicated to the Administrative Manager of RN. Such requirements may include
contractual obligations to customers or business contacts, or data retention requirements for
maintaining business operations.
In some cases, departments may need to retain electronically stored information
in a historical archive.
During the appropriate retention period for electronic records, archived data may be
recovered, but this requires the following protocols:
• As new software and/or hardware is implemented, the support team will ensure
that the new systems and file formats can read legacy data. This may require
old data to be converted into new formats.
• Encrypted data must remain recoverable, and RN will implement procedures for
key management systems that ensure that encrypted data can be
decrypted when necessary.
When establishing record retention periods, RN must take into account (in order of precedence):
• Federal guidelines, laws and statutes
• State guidelines, recommendations, rules and statutory requirements
• Any RN policy and procedure that improves on federal retention periods and
6. Audit Controls and Management
Documented on-demand procedures and evidence of practice must be in place for this policy.
Examples of effective organizational management, audit controls and employee practices include:
• Documented record retention and archiving schedules
• Automated file retention policy where possible, if consistent with the company’s operational processes
• Procedures and anecdotal evidence of data migrations to manage the compatibility of
electronic records with the latest systems
• Documented encryption and decryption strategies that enable record recovery
• Regular employee procedures and anecdotal documentation of records management and
archiving processes
• Direct observation of the organization and storage of archival records
7. Enforcement
Employees found in violation of policies may be subject to disciplinary action, up to and including
8. Standard retention RN
In a detailed analysis of the operational processes performed in the RN environment, we determined the
following rules for data purging in our data retention policy:
• Data are stored for the duration of the “Event” activity for which RN is contracted
• At the end of the “Event” for which RN was hired, the data will be kept for a maximum period of 60
days, in backup and under cryptographic control
• Any file that contains personal data and that is not subject to the legal, state or federal
obligations described in chapter 4 of this policy will be automatically purged after 12 months, through a
systemic retention policy.
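As an added example (not RN’s own retention tooling and not code from this policy), the following Python routine applies the three purging rules of this section to a set of stored records and sorts each one into an action: keep active while the Event runs, keep only in encrypted backup for up to 60 days after the Event ends, purge after that, and purge a personal-data file once it is 12 months old unless it is under a legal retention duty. The record fields, the action names, the treatment of a legal retention duty as a hold that excludes the file from automatic purging, the reading of “12 months” as the creation date’s anniversary, and the sample records and reference date are assumptions made for the example, not policy text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BACKUP_WINDOW = timedelta(days=60)  # policy: at most 60 days in backup after the Event ends


@dataclass
class Record:
    """Assumed minimal metadata for a stored file (not RN's real schema)."""
    path: str
    created: date
    event_end: Optional[date]   # None while the Event RN was contracted for is still running
    has_personal_data: bool
    legal_obligation: bool      # subject to a legal/state/federal retention duty (chapter 4)


def one_year_later(d):
    """Anniversary of `d`; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def retention_action(rec, today):
    """Map a record to one of ACTIVE, BACKUP_ENCRYPTED, PURGE or LEGAL_HOLD."""
    # Assumption: a legal retention duty takes precedence over automatic purging.
    if rec.legal_obligation:
        return "LEGAL_HOLD"
    # Personal data without a legal duty is purged once it is 12 months old,
    # regardless of the Event's status.
    if rec.has_personal_data and today >= one_year_later(rec.created):
        return "PURGE"
    # Working copies stay available for the duration of the Event.
    if rec.event_end is None or today <= rec.event_end:
        return "ACTIVE"
    # After the Event: encrypted backup only, for at most 60 days.
    if today <= rec.event_end + BACKUP_WINDOW:
        return "BACKUP_ENCRYPTED"
    return "PURGE"


def plan_purge(records, today):
    """Group record paths by the action the retention rules require today."""
    plan = {"ACTIVE": [], "BACKUP_ENCRYPTED": [], "PURGE": [], "LEGAL_HOLD": []}
    for rec in records:
        plan[retention_action(rec, today)].append(rec.path)
    return plan


# Constructed sample records and reference date.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("events/expo-2024/attendees.csv", date(2024, 5, 1), None, True, False),
    Record("events/spring-fair/badges.pdf", date(2024, 3, 1), date(2024, 5, 1), True, False),
    Record("events/winter-gala/vendors.xlsx", date(2024, 1, 10), date(2024, 3, 1), False, False),
    Record("events/ongoing-series/signups.csv", date(2023, 5, 15), None, True, False),
    Record("finance/2022/invoices.pdf", date(2022, 1, 1), date(2022, 12, 20), True, True),
]

if __name__ == "__main__":
    for action, paths in plan_purge(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{action}: {paths}")
```

Running the routine on a directory inventory each day gives the SGSI an auditable purge list, and the legal-hold branch is where chapter 4 obligations are checked before anything is destroyed.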