Information Security Policy

About the Information Security Policy (PSI)

The Information Security Policy, also referred to as PSI, is the document that guides and establishes the corporate guidelines of Acol Consultoria & Sistemas for the protection of information assets and the prevention of legal liability for all users. It must, therefore, be complied with and applied in all areas of the institution.
This PSI is based on the recommendations proposed by the ABNT NBR ISO/IEC 27002:2005 standard, recognized worldwide as a code of practice for information security management, as well as being in accordance with the laws in force in our country.
It was developed to increase the security of the technological infrastructure intended for corporate use and to provide guidance on the use of the information technology assets made available.


Goals

Establish guidelines that allow Acol Consultoria & Sistemas employees and clients to follow standards of behavior related to information security that are appropriate to the business needs and legal protection of the company and individual.
Guide the definition of specific information security standards and procedures, as well as the implementation of controls and processes to comply with them.
Preserve the information of Acol Consultoria & Sistemas with regard to:

      • Integrity: guarantee that information is maintained in its original state, aiming to protect it, during storage or transmission, against undue, intentional or accidental changes.
      • Confidentiality: guarantee that access to information is obtained only by authorized people.
      • Availability: guarantee that authorized users obtain access to information and the corresponding assets whenever necessary.


PSI applications

The guidelines established here must be followed by all employees, as well as service providers, and apply to information in any medium or support.
This policy informs each employee that the company's environments, systems, computers and networks may be monitored and recorded, with prior notice, as provided for in Brazilian law.
It is also the obligation of each employee to stay up to date with this PSI and related procedures and standards, seeking guidance from their manager or DTS whenever they are not absolutely sure about the acquisition, use and/or disposal of information.


PSI Principles

All information produced or received by employees as a result of the professional activity contracted by Acol Consultoria & Sistemas belongs to the aforementioned institution. Exceptions must be explicit and formalized in a contract between the parties.
Computer and communication equipment, systems and information are used by employees to carry out professional activities. Personal use of resources is permitted as long as it does not harm the performance of systems and services.
Acol Consultoria & Sistemas, through DTS, may record all use of systems and services in order to guarantee the availability and security of the information used.


PSI Requirements

For uniformity of information, the PSI must be communicated to all Acol Consultoria & Sistemas employees so that the policy is complied with inside and outside the company. Both the PSI and the standards must be reviewed and updated periodically, whenever any relevant fact or event motivates their early review.
All Acol Consultoria & Sistemas contracts must include, as an annex, a Confidentiality Agreement or a Confidentiality Clause, as an essential condition for granting access to the information assets made available by the institution.
Responsibility in relation to information security must be communicated at the employee hiring stage. All employees must be instructed on security procedures, as well as on the correct use of assets, in order to reduce possible risks.
They must sign a liability waiver.
Any incident that affects information security must first be reported to DTS, which will forward it for analysis if it deems this necessary.
A contingency plan and the continuity of main systems and services must be implemented and tested at least annually, aiming to reduce the risk of loss of confidentiality, integrity and availability of information assets.
All information security requirements, including the need for contingency plans, must be identified in the scope survey phase of a project or system, and justified, agreed, documented, implemented and tested during the execution phase.
Appropriate controls, audit trails or activity records must be created and instituted at all points and systems where the institution deems necessary to reduce the risks of its information assets, such as workstations, notebooks, access to the internet, electronic mail, systems developed by Acol Consultoria & Sistemas or by third parties.
Production environments must be segregated and tightly controlled, ensuring the necessary isolation in relation to development, testing and approval environments.
Acol Consultoria & Sistemas is exempt from any and all liability arising from the improper, negligent or reckless use of the resources and services granted to its employees, and reserves the right to analyze data and records in order to obtain evidence to be used in investigative processes, as well as to adopt the appropriate legal measures.
This PSI will be implemented at Acol Consultoria & Sistemas through specific procedures, mandatory for all employees, regardless of hierarchical level or function in the company, as well as employment relationship or service provision.

Failure to comply with the requirements set out in this PSI and the Information Security Standards will result in a violation of the institution's internal rules and will subject the user to applicable administrative and legal measures.


Specific Responsibilities

1 – Employees in General
An employee (collaborator) is understood to be any natural person, hired under the CLT or providing a service through a legal entity or otherwise, who carries out any activity inside or outside the institution. Employees must:

      • Respect this Information Security Policy.
      • Respect the Privacy and Personal Data Protection Policy of Acol Consultoria & Sistemas, in order to guarantee the security and inviolability of personal data.
      • Respect all LGPD standards.
      • Be accountable for non-compliance with Personal Data processing procedures.
      • Be responsible for the custody and protection of the computing resources made available for work.
      • Be accountable for the exclusive and non-transferable use of their access passwords.
      • Enable password protection and two-factor authentication for access to the Acol Consultoria & Sistemas environment, under the guidance of DTS.
      • Seek the knowledge necessary for the correct use of hardware and software resources.
      • Promptly report to the IT area any fact or threat to the security of resources, such as security breaches, weaknesses, malfunctions, presence of viruses, etc.
      • Be liable for any loss or damage caused to Acol Consultoria & Sistemas or third parties as a result of non-compliance with the guidelines and standards referred to herein.


2 – Employees under Exception Regime (Temporary)
They must understand the risks associated with their special condition and strictly comply with what is set out in item “1 – Employees in General”.
The exception may be revoked at any time if it is found that the business justification no longer outweighs the risk associated with the exception regime, or if the employee who received it is not complying with the defined conditions.


3 – People and/or Process managers
Support and ensure compliance with this Policy, serving as a model of conduct for the employees under their management. Assign to employees, during the hiring and formalization of individual employment, service provision or partnership contracts, the responsibility for compliance with the Acol Consultoria & Sistemas PSI.
Require employees to sign the Term of Commitment and Acknowledgment, assuming the duty to follow the established standards, as well as committing to maintain secrecy and confidentiality, even when disconnected, regarding all information assets of Acol Consultoria & Sistemas.
Before granting access to the institution's information, require the signature of the Confidentiality Agreement from casual employees and service providers who are not covered by an existing contract, for example, during the survey phase for presenting commercial proposals.
Adapt the standards, processes, procedures and systems under your responsibility to comply with this PSI.
Assign, during the hiring and formalization of individual CLT employment, service provision or partnership contracts, the responsibility for complying with the Policy.
Authorize access and define the user profile with DTS.
Authorize changes to the user profile with DTS.


4 – Development and Support Division
Test the effectiveness of the controls used and inform managers of residual risks.
Segregate administrative and operational functions in order to restrict the powers of each individual to the minimum necessary and eliminate, or at least reduce, the existence of people who can delete the logs and audit trails of their own actions.
Ensure special security for systems with public access, storing evidence that allows traceability for audit or investigation purposes.
Generate and maintain audit trails with sufficient level of detail to track possible failures and fraud. For trails generated and/or maintained electronically, implement integrity controls to make them legally valid as evidence.
Implement controls that generate auditable records for the removal and transportation of media of information held by IT, in environments fully controlled by IT.
Ensure that vulnerabilities or weaknesses are not introduced into the company's production environment during change processes; where third parties are involved, code auditing and contractual protection are the preferred means of control and accountability.
Carry out periodic audits of technical configurations and risk analyses.
Ensure that change processes do not allow vulnerabilities or weaknesses into the production environment. Ensure that generic (shared) accounts are not used to access production applications; always use named, individual users.


5 – Technology and Support Division

Configure the equipment, tools and systems granted to employees with all the controls necessary to meet the security requirements established by this PSI.
Assign each account or access device for computers, systems, databases and any other information asset to a responsible person identifiable as a natural person, where:

      • individual employee users (logins) are the responsibility of the employee;
      • third-party users (logins) are the responsibility of the manager of the contracting area.

Plan, implement, provide and monitor the storage, processing and transmission capacity necessary to guarantee the security required by the business areas.
Continuously protect all company information assets against malicious and/or unwanted code, and ensure that new assets enter the production environment only after being verified free of malicious code.
Monitor the IT environment, generating indicators and histories of:

      • use of the installed capacity of the network and equipment;
      • response time when accessing the internet and the critical systems of Acol Consultoria & Sistemas;
      • periods of unavailability of access to the internet and the critical systems of Acol Consultoria & Sistemas;
      • security incidents (viruses, trojans, theft, unauthorized access, and so on);
      • activity of all employees when accessing external networks, including the internet (for example: websites visited, e-mails received/sent, files uploaded/downloaded, among others).

Ensure, as quickly as possible and upon formal request, the blocking of user access due to dismissal from the company, incident, investigation or any other situation that requires restrictive action to safeguard the company's assets.
Carry out, at any time, physical inspection of company-owned machines.


6 – Cybersecurity Management
The Cybersecurity Management will be responsible for managing the use of the technologies necessary for the smooth running of Acol Consultoria & Sistemas' business and for preventive actions. It will also formalize an Information Security team to plan and execute preventive actions and to deal with incidents, in order to guarantee a higher level of security.
The Cybersecurity Management is responsible for:

      • Presenting updates to the PSI and Information Security Standards for approval and subsequent publication.
      • Proposing specific methodologies and processes for Information Security, such as risk assessment.
      • Proposing and supporting initiatives aimed at the security of Acol Consultoria & Sistemas' information assets.
      • Promoting the awareness of employees, service providers, interns and the like regarding the relevance of Information Security for the activities of Acol Consultoria & Sistemas, through campaigns, lectures, training, among other means.
      • Supporting the evaluation and adequacy of specific Information Security controls for new systems or services.
      • Developing specific standards and rules in accordance with the Personal Data Protection Law.
      • Promoting the adequacy of the technical and infrastructure resources necessary to comply with the Personal Data Protection Law.
      • Indicating the person responsible for Personal Data Protection.
      • Proposing investments related to Information Security with the aim of maximizing risk reduction.
      • Evaluating security incidents and proposing corrective actions.
      • Deliberating on issues related to Personal Data Protection.


Personal Data Protection

Acol Consultoria & Sistemas, in compliance with and respect for the General Personal Data Protection Law, must guarantee the availability, integrity and confidentiality of personal data, throughout its life cycle, with this category of data being treated permanently as confidential data.
All processing of personal data must be linked to a specific purpose, informed to the data subject and duly linked to one or more of the legal bases provided for in articles 7 and 11 of the General Personal Data Protection Law, observing the principles of purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination and accountability.
Details of the requirements and rules for processing personal data will be made available in a specific standard, and all employees and service providers must be aware of the topic and of the respective standard.
Any change to, or creation of, systems, services or products that involve the processing of personal data must apply "Privacy by Design".
In addition to the principles mentioned, Acol Consultoria & Sistemas must prepare a response plan for personal data breaches, prepare the Impact Report whenever necessary, use anonymization and pseudonymization processes whenever necessary, record personal data processing operations, and use encryption protocols in the transmission and storage of personal data.


Identification – Login and Password

Login and password systems protect the user's identity, preventing one person from impersonating another (false identity is a crime under art. 307 of the Brazilian Penal Code). If a login is shared by more than one employee, responsibility will lie with the users who use it; if it is found that the manager requested the shared use, the manager will be held responsible. Users must have a password of variable length, with at least 8 (eight) alphanumeric characters, and using special characters (@ # $ %).
It is the responsibility of each user to remember their own password, as well as to protect and safeguard the identification devices assigned to them. Passwords must not be written down or stored in electronic files (Word, Excel, etc.), must not be based on personal information such as one's own name, family members, date of birth, address, vehicle license plate or company name, and must not consist of obvious keyboard combinations such as "abcdefgh", "123456", among others.
Users must change their password if they suspect it has been compromised by third parties, and in any case every 4 months, otherwise their access will be automatically blocked. Login and password must be blocked immediately when they become unnecessary. Attempted violation or fraud of access passwords, encryption or biometric identification, if identified, will be subject to disciplinary action.
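As an added illustration (not part of the policy document itself), the following Python checks a candidate password against the rules stated above and computes the 4-month change deadline. Two interpretations are my assumptions: "alphanumeric with special characters" is read as at least one letter, one digit and one of @#$%, and "obvious keyboard combinations" is detected heuristically as runs of consecutive letters/digits or slices of keyboard rows.

```python
import re
from datetime import date, timedelta
from typing import List, Sequence

MIN_LENGTH = 8                 # "at least 8 (eight) ... characters"
SPECIAL = "@#$%"               # the special characters the policy lists
MAX_PASSWORD_AGE_MONTHS = 4    # "every 4 months or their access will be automatically blocked"

# Assumed heuristic for "obvious keyboard combinations" (e.g. "abcdefgh", "123456"):
# any run of RUN_LEN consecutive letters/digits in either direction, or a slice of a keyboard row.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
RUN_LEN = 4


def _has_sequential_run(pw: str) -> bool:
    s = pw.lower()
    for i in range(len(s) - RUN_LEN + 1):
        chunk = s[i:i + RUN_LEN]
        if not chunk.isalnum():          # ignore chunks containing symbols
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):         # strictly ascending or descending run
            return True
    return any(row[i:i + RUN_LEN] in s
               for row in KEYBOARD_ROWS for i in range(len(row) - RUN_LEN + 1))


def check_password(pw: str, personal_info: Sequence[str] = ()) -> List[str]:
    """Return the policy rules the password violates (an empty list means accepted).

    personal_info holds strings the policy forbids as a basis for passwords
    (own name, family members, birth date, address, license plate, company name).
    """
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not any(c in SPECIAL for c in pw):
        problems.append(f"no special character from {SPECIAL}")
    low = pw.lower()
    for item in personal_info:
        # split "15/03/1985" or "Maria Silva" into parts and match each part of 3+ characters
        parts = [t for t in re.split(r"\W+", item.lower()) if len(t) >= 3]
        if any(t in low for t in parts):
            problems.append(f"contains personal information ({item})")
    if _has_sequential_run(pw):
        problems.append("contains an obvious keyboard sequence")
    return problems


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return d.replace(year=y, month=m, day=min(d.day, last_day))


def next_change_due(last_changed_iso: str) -> str:
    """ISO date by which the password must be changed (4 calendar months after the last change)."""
    return add_months(date.fromisoformat(last_changed_iso), MAX_PASSWORD_AGE_MONTHS).isoformat()


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True when the 4-month interval has elapsed (ISO date strings compare chronologically)."""
    return today_iso > next_change_due(last_changed_iso)


if __name__ == "__main__":
    # constructed sample inputs
    print(check_password("Acol2024", ["Acol Consultoria & Sistemas"]))
    print(check_password("Tr3e$House!"), password_expired("2024-01-10", "2024-05-11"))
```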


Computational Resources

The IT resources allocated by Acol Consultoria & Sistemas to its users are intended exclusively for work-related activities, and their use for personal purposes is prohibited. Acol Consultoria & Sistemas employees are prohibited from using privately owned technology equipment, such as computers, tablets, notebooks, netbooks and similar items on company premises. User intervention for physical or logical maintenance, installation, uninstallation, configuration or modification, as well as the transfer and/or dissemination of any software, programs or computer instructions to third parties (piracy) is prohibited. Any computer in disuse must be sent to DTS for information removal, disposal or reuse.


Antivirus

Acol Consultoria & Sistemas, through the Technology and Support Division, provides corporate antivirus software installed for all users.
The antivirus is automatically updated on the user's workstation whenever a new version is made available by the manufacturer through the server application.
Acol Consultoria & Sistemas DTS does not recommend that users remove or change the antivirus settings, so as not to compromise the protection provided by the software manufacturer. Periodic scans of the hard disk and workstation are scheduled to run automatically according to the DTS definitions in the server application.

File Storage

All files contained on network servers or users' workstations must be of exclusive interest to Acol Consultoria & Sistemas.
The creation of personal folders and files on network servers is prohibited.
The creation of departmental folders on network servers must reflect the organizational structure of Acol Consultoria & Sistemas and be requested by the person in charge of DTS.
Access to departmental folders on network servers requires authorization from the manager and DTS to control each user's access.
All files that are not of interest to Acol Consultoria & Sistemas must be deleted from the equipment to avoid future problems with audits.
The storage of files on network servers or workstations of Acol Consultoria & Sistemas users must comply with LGPD standards and the guidelines of this Policy.


Pirated Software

The software approved and installed on computers and network servers is the exclusive property of Acol Consultoria & Sistemas; full or even partial copies are prohibited, as is the installation of pirated software.
Piracy is a crime, and pirated software causes both material and functional losses in addition to damaging the Institution's image. For this reason, it is strictly prohibited.
The installation of unauthorized software (“Piracy”) constitutes a crime against intellectual property, in accordance with Law 9,609 of 02/19/98, and the offender is subject to imprisonment and a fine.


Email and Instant Messaging

The use of e-mail or instant messages in a way that is contrary to the law, morals, good customs or public order, or that infringes the intellectual or industrial property rights of third parties, is prohibited. The content and use of e-mail and instant messages must be of an exclusively professional nature. Instant messaging services are permitted only for users authorized by the Acol Consultoria & Sistemas hierarchy. Safeguarding attached content is the sole responsibility of the user, and Acol Consultoria & Sistemas is exempt from that obligation.
The use of e-mail and instant messaging software not approved by DTS is prohibited. Such use is the user's responsibility and may pose risks to information security, in addition to complicating technical support. Any mass communications, advertisements, newsletters, images, etc. must be approved in advance by DTS, so that they are not treated as spam and do not compromise the functioning of the e-mail systems. Messages received from unknown sources must be checked beforehand and immediately deleted, without reading their content, to avoid contamination by viruses and other risks. Improper use of e-mail is the sole responsibility of the user, who may be held liable for any damage caused.
Messages transmitted under the domain of Acol Consultoria & Sistemas may be audited, upon request, as defined by the Superior Labor Court (TST). Therefore, private use is prohibited. Under no circumstances will Acol Consultoria & Sistemas be held responsible to any users or third parties for the loss of messages and/or their content. The fact that an employee responds to an email outside office hours will not constitute overtime. For this to occur, Acol Consultoria & Sistemas must have required, in the request formally sent by email, that a task be carried out outside working hours.


Omitted Cases

Before carrying out actions that may present a potential risk to the information and systems of Acol Consultoria & Sistemas, the user must consult this Policy and the Privacy and Personal Data Protection Policy, in order to make sure that the activity is lawful and safe. Unforeseen cases and questions about information security or the use of software must be forwarded to DTS.
Special situations and/or requests for exceptions to this Policy must be submitted to the Board for deliberation; otherwise the rules are violated and the penalties provided for in the "Compliance" item apply.


Compliance

The user must be aware of and follow the recommendations of this Policy, interpreting the classification assigned to information and Data, and ensuring that they receive appropriate treatment. The misuse of technology resources characterizes an information security incident and may result in the application of legal and/or administrative sanctions, depending on the severity and impact of the incident for Acol Consultoria & Sistemas. Violations of the provisions established in this Policy, duly investigated, may result in:
• the application of the sanctions provided for in labor legislation;
• the application of the sanctions provided for in the LGPD;
• the application of the sanctions provided for in the contracts of service providers and interns;
• the application of the applicable legal procedures.