INFORMATION SECURITY POLICY

December 08, 2022

INFORMAÇÃO PÚBLICA - PUBLIC INFORMATION


1 PURPOSE

The purpose of this Policy is to set out concepts of and guidelines for information security management in order to protect B3 S.A. - Brasil, Bolsa, Balcão, its customers and the public at large.

2 SCOPE

This Policy applies to all administrators, employees, interns, suppliers, service providers and partners of B3 S.A. - Brasil, Bolsa, Balcão, and its subsidiaries and affiliates abroad, B3 Bank, BSM Market Supervision, Cetip Info Tecnologia S.A., B3 Social, and other associations (Company).

3 REFERENCES

  • The Company's Code of Conduct and Ethics;
  • The Company's Corporate Risk Management Policy;
  • The Company's Business Continuity Policy;
  • The Company's Information Technology Policy;
  • Brazilian Association of Technical Standards (ABNT) Standard NBR ISO/IEC 27002:2005;
  • Committee on Payments and Market Infrastructures (CPMI) and International Organization of Securities Commissions (IOSCO) Guidance on Cyber Resilience for Financial Market Infrastructures; and
  • National Institute of Standards and Technology (NIST) Framework.

4 CONCEPTS

As addressed in this Policy, information security shall preserve the following concepts:

  • Confidentiality: Guarantees that access to information is only provided to authorized staff members during the required time period;
  • Availability: Guarantees that access to information is made available to authorized staff members whenever necessary; and
  • Integrity: Guarantees that information is complete, accurate and not unduly modified or destroyed, without permission or by accident, during its life cycle.

5 GUIDELINES

Information is a valuable and critically important asset for the Company and fundamental to its business success, and therefore requires adequate protection.

Information security consists of the implementation of measures to protect the ownership, confidentiality, availability and integrity of information in any format, physical or digital, against existing risks or threats, so as to prevent it from being used improperly, illegally, or in disagreement with internal policies and processes. To this end, the guidelines listed below shall be followed.

5.1 Information ownership, monitoring and classification

All information produced (in physical or digital format) by the Company's staff covered by this Policy, including information made available to the Company by and under permission of third parties, is the sole property of the Company and shall be used exclusively to meet its business objectives.

All the Company's equipment, means of communication and systems are subject to monitoring, and any personal data processed through any such equipment, means of communication and systems or provided to the Company will also be subject to monitoring. The Company's staff covered by this Policy are cognizant of this control.

A method is also established to classify information based on its level of confidentiality and criticality to the Company's business.

All information shall be assigned to owners, who then become formally responsible for authorizing access to information under their responsibility.

Information must be properly protected and labeled, in compliance with the Company's information security guidelines, throughout its life cycle, which includes: creation, access, handling, storage, reproduction, transportation and disposal.

5.2 Identity and access

Access to the Company's information and technological environments shall be controlled, according to their classification, and periodically reviewed, so as to ensure that access is made available only to staff members with the authority and clearance required to perform their activities.

5.3 Disposal of information

Information must be disposed of in such a manner as to make it impossible to reconstruct it, as appropriate to the physical or digital format in which the relevant information was made available. Information disposal shall comply with the minimum legal or regulatory storage duration and the needs of the business or of the relevant area, whichever is later.

5.4 Suppliers and external parties

Contracts signed with service providers that have access to the Company's information, systems and/or environments shall include clauses ensuring compliance with information security rules and penalties for noncompliance.

5.5 Business continuity

The Company's business continuity management establishes and maintains a strategic and operational framework designed to manage and respond to interruptions in the processes that support its business activities. This framework is governed by the Business Continuity and Crisis Management Policy.

6 RESPONSIBILITIES

6.1 Staff covered by this Policy

  • Comply with the Company's information security rules;
  • Protect information from unauthorized access, modification, destruction or disclosure;
  • Assure that the technological resources, information and systems available to them are used only for business purposes;
  • Comply with the laws and regulations that govern intellectual property;
  • Refrain from discussing, referring to or sharing confidential information in public environments and exposed areas (airplanes, public transport, restaurants, social meetings, etc.), including by posting comments and opinions to blogs and social media;
  • Refrain from sharing confidential information of any kind; and
  • Immediately report to Information Security any noncompliance with or violation of this Policy and/or its rules and procedures.

6.2 Managers

  • Enhance security practices, processes and access to systems, guiding their teams through the relevant issues.

6.3 Cyber Security Department

  • Promotes a broad dissemination of the Information Security Policy and Rules;
  • Promotes information security awareness activities addressed to employees, interns and service providers;
  • Proposes measures to enhance information security efforts; and
  • Establishes rules and procedures associated with information security tooling, covering information ownership and use, identity and access management, and response to information security incidents.

6.4 Purchasing and Contracts Department

  • Assures that all contracts signed with service providers having access to the Company's information, systems and/or environments include clauses to ensure compliance with the Information Security Policy and Rules, and also penalties for noncompliance.

6.5 Board of Directors

  • Approves this Information Security Policy, as well as its reviews.

7 FINAL PROVISIONS

The above provisions apply to the entire Company upon publication of this Policy.

8 CHANGE LOG

Effective: As of December 08, 2022.

1st draft: February 16, 2009.

Areas responsible for this document:

Responsible for: Drafting | Area: Governance and Security Risks; Governance and Integrated Management Department
Responsible for: Revision | Area: Legal Department; Corporate Governance and Nomination Committee
Responsible for: Approval | Area: Cyber Security Internal Committee; Board of Directors
Responsible for: Acknowledgment | Area: Executive Board


Updates:

Version 01 | Changed section: First draft | Reason: N/A | Date: February 16, 2009
Version 01.1 | Changed section: Miscellaneous | Reason: First Policy review | Date: August 10, 2009
Version 01.2 | Changed section: Miscellaneous | Reason: Inclusion of Scope; update of area nomenclature; revision of Policy application | Date: December 27, 2010
Version 02 | Changed section: Miscellaneous | Reason: Expansion of Guidelines; Definitions substituted for glossary; removal of rules | Date: March 8, 2011
Version 03 | Changed section: Miscellaneous | Reason: General revision focusing on corporate guidelines for information security | Date: May 15, 2013
Version 04 | Changed section: Miscellaneous | Reason: Inclusion of Concepts and incident management; simplification of Guidelines and Responsibilities | Date: May 6, 2014
Version 05 | Changed section: Miscellaneous | Reason: Adjustment to Company's new name: B3 S.A. - Brasil, Bolsa, Balcão | Date: May 12, 2017
Version 06 | Changed section: Miscellaneous | Reason: New structure for sections and removal of similar rules; Inclusion of clauses ensuring compliance with Information Security Rules in contracts signed with suppliers and external parties; Attribution of responsibilities to the Administration, Supplies and Property Department; Determination of disposal of information to prevent reconstruction, respecting legal and regulatory storage duration; Reassessment of overlapping points with the Information Technology Policy | Date: June 1, 2018
Version 07 | Changed section: Scope and formatting | Reason: Adjustment to new governance of the Company's subsidiaries and affiliates; Alignment with new template | Date: August 17, 2020
Version 08 | Changed section: References and formatting | Reason: Inclusion of the National Institute of Standards and Technology Framework | Date: April 12, 2021
Version 09 | Changed section: Responsibilities | Reason: Update of the area name to Cyber Security Department; Inclusion of the Board of Directors' responsibility | Date: December 08, 2022


Disclaimer

B3 SA Brasil Bolsa Balcao published this content on 08 December 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 08 December 2023 20:36:23 UTC.