This Information Security Policy (ISP) establishes the guidelines and requirements to protect CONVERSYS' information against all threats, internal or external, deliberate or accidental, guaranteeing business continuity, minimizing risks and maximizing the return on investments and business opportunities.
This policy applies to all employees, suppliers, contractors and other interested parties who have access to CONVERSYS information and information systems, covering all forms of information, including digital, physical and verbal.
To ensure clarity and facilitate the understanding of this policy, we present the following terms and definitions:
CONVERSYS' senior management is committed to the implementation, maintenance and continuous improvement of the Information Security Management System (ISMS), ensuring the appropriate allocation of resources and the regular review of this policy.
CONVERSYS adopts the principles of confidentiality, integrity and availability as fundamental to information security management, seeking to protect information from unauthorized access, ensure the accuracy of information and guarantee the availability of information when necessary.
Commitment to the ISMS: Ensuring the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS.
Resource allocation: Provide sufficient resources for information security, including personnel, technology and finance.
Policy definition: Approve the information security policy and any significant changes to it.
Leadership of the ISMS: Acting as the focal point for information security management within the organization.
Development of Policies and Procedures: Develop, implement and maintain information security policies and procedures in line with organizational objectives.
Awareness and Training: Coordinate information security training and awareness programs for all employees.
Implementation of controls: Implementing and maintaining technical security controls in accordance with the guidelines established by the CISO and information security policies.
Monitoring and Evaluation: Monitor and evaluate the effectiveness of information security controls and report any deficiencies or incidents to the CISO.
Implementation of the ISMS: Ensuring that information security policies and procedures are implemented and followed within their respective departments.
Risk Management: Identify and manage information security risks related to your department's activities.
Compliance with Policies: Follow all information security policies and procedures relevant to their activities.
Incident reporting: Report any suspected information security incident in accordance with established procedures.
Classification and Protection: Classify information according to the organization's classification policy and ensure adequate protection according to the classification level.
Access Review: Periodically reviewing access to the information under their responsibility to ensure that it is appropriate.
Purpose and Appropriate Use: CONVERSYS' information assets, including networks, devices, applications and data, must be used exclusively for professional and business purposes, as authorized by the company. Any use for personal purposes, without proper authorization, is strictly prohibited.
User responsibilityUsers are responsible for any activity carried out using their credentials and must ensure the security and confidentiality of their passwords and devices.
Data Security: It is mandatory to follow all information security policies and procedures to protect data from unauthorized access, disclosure, alteration, destruction or misuse.
Software and Applications: Software should only be installed on company devices with the approval of the IT team. Users should not install unlicensed, pirated or untrustworthy software to avoid security risks.
Internet access: Internet access must be done responsibly and ethically. Sites that contain offensive, dangerous or illegal material or that violate company policies are strictly prohibited.
Electronic Communication: Electronic communications must be used in a professional manner. Sensitive or confidential information should be shared securely and preferably encrypted
Monitoring and Compliance: Users should be aware that activities carried out on CONVERSYS systems and networks can be monitored to ensure compliance with acceptable use policies.
CONVERSYS' Clean Screen and Clean Desk policy aims to reduce the risk of sensitive or confidential information being accidentally exposed. These practices are essential for maintaining information security in the workplace, whether in the office or remotely. Below, we detail the recommended practices:
Automatic locking: Configure your devices to lock automatically after a period of inactivity. This minimizes the risk of information exposure if you walk away from the device.
Closure of Sessions: Always end active sessions in applications and web services when they are not in use, especially on shared or public devices.
Screen saver: Use screen savers that hide the contents of the screen when the device is locked.
Checking the environment: Before leaving your workstation or ending a video call, make sure that no sensitive information is visible on the screen to others.
Documents and Notes: Keep printed documents, notes and sensitive materials in locked cabinets or drawers when not in use. Don't leave these materials on the table when you're away.
Mobile Devices and Storage Media: Store mobile devices, flash drives, external disks and any other storage media in a safe, locked place when not in use.
Cleaning up at the end of the day: At the end of the day, make sure your desk is clear of any material containing sensitive information. This includes cleaning whiteboards used in meetings or brainstormings.
Safe disposal: Use paper shredders or secure collection points to dispose of sensitive documents. Never dispose of sensitive documents intact in ordinary waste garbage cans.
Sensitive impressions: Sensitive or confidential information, when printed, should be removed from the printer immediately.
Information storage: Conversys information should be stored 100% in the cloud, even when the user is in the home office.
Management of corporate equipment: All equipment must be linked to the MDM Platform (Intune) which manages the devices.
All information will be classified according to its value, legal requirements, sensitivity and criticality for CONVERSYS. This classification will determine the level of protection and the applicable security measures.
Confidentiality labels are used to classify e-mail messages, documents, websites and much more.
Classification levels have been defined:
Public (lower): Public document open to unrestricted submission.
Sensitive: Sensitive data pertaining to projects, finances, etc. Can be shared with due precautions.
Internal: It should not be shared outside the company.
Restricted: Internal information, restricted by group or area. It must not be shared outside the company without proper authorization. For documents, it is necessary to define an access group.
Confidential (highest) - has 2 options:
All Conversys: Confidential information. It must not be shared outside the company without the authorization of the board of directors.
Determined: Confidential information restricted to a group. For documents, select groups with access permission.
Access to information and information systems will be granted on a least privilege and need-to-know basis, in order to minimize the risks of unauthorized access.
All employees and stakeholders are responsible for immediately reporting any suspected information security incident. CONVERSYS has an established incident management process to effectively respond to, investigate and remedy such incidents.
CONVERSYS maintains business continuity plans that include recovery strategies to ensure the continued availability of critical information and systems.
CONVERSYS undertakes to comply with all laws, regulations and contractual requirements applicable to information security, including the protection of personal data and intellectual property.
This ISP will be reviewed annually and after any significant events that may affect the ISMS, to ensure its continuity, suitability and effectiveness.
CONVERSYS promotes regular information security awareness, education and training programs to ensure that all employees and stakeholders are aware of their responsibilities.
Information security risk management is an ongoing process at CONVERSYS, involving the identification, analysis and treatment of risks to ensure that they remain within acceptable levels.
This policy is effective immediately and is binding on all parties mentioned. Everyone is encouraged to familiarize themselves with this policy and integrate the principles of information security into their daily activities to protect CONVERSYS information.
