This Information Security Policy ("ISP") aims to establish rules, controls and responsibilities regarding the treatment of information performed by COSTA & LEMOS SOCIEDADE DE ADVOGADOS ("Firm"), in compliance with the requirements of the Brazilian data protection legislation, including, without limitation, Law No. 13,709/2018 - Data Protection General Law ("LGPD").
This ISP shall be strictly observed by all partners, employees, interns, service providers, consultants, and correspondents of the Firm.
All access to data, whether stored on physical or computer media, must be controlled, in order to ensure access only to authorized persons. Authorizations must be reviewed, confirmed and registered continuously by the partners.
The Firm's data and information systems must be protected against threats and unauthorized actions, accidental or otherwise, in order to reduce risks and ensure their integrity, secrecy and availability.
It is not allowed to run programs with the purpose of decoding passwords, monitoring networks, reading third-party data, spreading computer viruses, partially or totally destroying files, or making services unavailable.
It is not allowed to execute programs, install equipment, store files or promote actions that may facilitate the access of unauthorized users to the data stored by the Firm.
Only licensed software may be used by the Firm's partners, employees, interns and consultants. The Firm respects the copyrights of the software it uses, and recognizes that it must pay fair value for the software, and monitors any misuse of unlicensed programs.
It is not permitted to send confidential information to unknown or unprotected external e-mail addresses. Where such sending is unavoidable, a password must be applied to the file containing the data.
The use of electronic mail for sending and receiving professional e-mails should only occur through the Firm's electronic mail.
The use of electronic mail for sending messages that may compromise the Firm's image before its clients and the community in general, or that may cause moral and financial damage to the Firm, is prohibited.
In the event of receiving links or attached files from unknown senders or with suspicious characteristics, they may only be opened or accessed after prior analysis by a specialist in the area of Information Security.
It is forbidden to use e-mail to send spam (messages with advertising content), as well as to send chain e-mails (referring to missing children, etc.).
Workstations, including portable equipment and physical documents, must be protected from damage or loss, as well as from improper access, use or exposure.
Workstation access must be terminated at the end of the workday by turning off the computer and other equipment.
When leaving their desks, all partners, employees, interns, service providers, consultants, and correspondents who are on the Firm's premises must lock their workstations (desktops or notebooks) with a password.
Confidential or corporate information, or information whose disclosure may cause damage to the Firm and/or its clients or third-party service providers, suppliers or partners in general, must only be used in equipment with appropriate controls.
When traveling by car, it is recommended that notebooks be placed in the trunk or in an inconspicuous location.
Notebooks should be carried in discreet backpacks or bags rather than in conventional briefcases. It is not recommended that the notebook be placed in airport trolleys or checked in with the luggage.
In public places (such as hotel receptions, restaurants and airports), it is recommended to keep the notebook close and always in sight, never being separated from the equipment.
In hotels, whenever possible, we recommend keeping the notebook in the room safe. It is essential to evaluate whether, on short trips, it is really necessary to take the notebook at all.
For laptops, tablets and cell phones, it is always recommended to use a screen lock with a password.
It is forbidden to use public or unknown connection networks to connect mobile devices that store data processed by the Firm.
No confidential information shall be left on view, whether on paper or on any devices, electronic or otherwise.
When using a collective printer, the printed document must be collected immediately.
The confidential document should never be used as a draft, and should be destroyed immediately upon disposal.
Confidential matters, including names or dealings, should not be discussed or commented upon inside or outside the work environment, in public places, or near visitors, whether on the phone or with a colleague, relative or supplier.
All professionals are required, upon joining the Firm, to sign the confidentiality and non-disclosure agreement, assuming their commitment to the information handled by the Firm.
When a partner, employee, intern or consultant leaves the Firm, the corporate e-mail is deactivated, and the commitments assumed both through the confidentiality agreement and through this ISP must be maintained even after termination.
In case of termination of employment or contract, for any reason, the involved party must return all confidential information generated and handled as a result of the activity, or issue a statement declaring that he/she destroyed it.
All products resulting from the work of partners, employees, trainees, service providers, consultants or correspondents, carried out in the context of the relationship with the Firm, belong to the Firm.
A backup copy of all data stored by the Firm shall be kept updated on a quarterly basis.
It is recommended to use cloud storage tools (Dropbox, OneDrive, Google Cloud, etc.) for the documents produced by the Firm. In this case, a full and true copy of all content stored in the cloud should be kept on an external hard drive stored at the Firm's headquarters.
Partners, employees, interns and consultants of the Firm must manage their recorded files, excluding unnecessary files.
It is forbidden to access sites with inappropriate content.
The use of 3G modems is not allowed, given the susceptibility of this type of connection to unauthorized access.
If it is necessary to transport files on removable media (external HD or pen drive) and the necessary authorization is granted, it is recommended that the files be deleted from the media immediately after use, in order to avoid leakage of sensitive information.
Only partners are duly authorized to speak on behalf of the Firm for the media: Blogs, Twitter, Facebook, LinkedIn or Discussion Groups (forums, newsgroups and the like).
The following guidelines must be observed when work for the Firm is being performed in Home Office:
Security violations must be immediately reported to the partners of the Firm, who will analyze and investigate the occurrence, determining the necessary measures, with a view to correcting the failure or restructuring the processes, in order to resolve the issue and minimize its effects.
This Policy shall become effective as of August 1, 2019 and is valid indefinitely, and may be revised and amended at any time.