INFORMATION SECURITY POLICY
December 08, 2022
INFORMAÇÃO PÚBLICA - PUBLIC INFORMATION
1 PURPOSE
The purpose of this Policy is to set out concepts of and guidelines for information security management in order to protect B3 S.A. - Brasil, Bolsa, Balcão, its customers and the public at large.
2 SCOPE
This Policy applies to all administrators, employees, interns, suppliers, service providers and partners of B3 S.A. - Brasil, Bolsa, Balcão, and its subsidiaries and affiliates abroad, B3 Bank, BSM Market Supervision, Cetip Info Tecnologia S.A., B3 Social, and other associations (the Company).
3 REFERENCES
- The Company's Code of Conduct and Ethics;
- The Company's Corporate Risk Management Policy;
- The Company's Business Continuity Policy;
- The Company's Information Technology Policy;
- Brazilian Association of Technical Standards (ABNT) Standard NBR ISO/IEC 27002:2005;
- Committee on Payments and Market Infrastructures (CPMI) and International Organization of Securities Commissions (IOSCO) Guidance on Cyber Resilience for Financial Market Infrastructures; and
- National Institute of Standards and Technology (NIST) Framework.
4 CONCEPTS
As addressed in this Policy, information security shall preserve the following concepts:
- Confidentiality: Guarantees that access to information is only provided to authorized staff members during the required time period;
- Availability: Guarantees that access to information is made available to authorized staff members whenever necessary; and
- Integrity: Guarantees that information is complete, accurate and not unduly modified or destroyed, without permission or by accident, during its life cycle.
5 GUIDELINES
Information is a valuable and critically important asset for the Company and fundamental to its business success, and therefore requires adequate protection.
Information security consists of the implementation of measures to protect the ownership, confidentiality, availability and integrity of information in any format, physical or digital, against existing risks or threats, so as to prevent it from being used improperly or illegally, or in disagreement with internal policies and processes. To this end, the guidelines listed below shall be followed.
5.1 Information ownership, monitoring and classification
All information produced (in physical or digital format) by the Company's staff covered by this Policy, including information made available to the Company by and under permission of third parties, is the sole property of the Company and shall be used exclusively to meet its business objectives.
All the Company's equipment, means of communication and systems are subject to monitoring, and any personal data processed through any such equipment, means of communication and systems or provided to the Company will also be subject to monitoring. The Company's staff covered by this Policy are cognizant of this control.
A method is also defined to classify information based on its level of confidentiality and criticality to the Company's business.
All information shall be assigned to owners, who then become formally responsible for authorizing access to information under their responsibility.
Information must be properly protected and labeled, in compliance with the Company's information security guidelines, throughout its life cycle, which includes: creation, access, handling, storage, reproduction, transportation and disposal.
5.2 Identity and access
Access to the Company's information and technological environments shall be controlled, according to their classification, and periodically reviewed, so as to ensure that access is made available only to staff members with the authority and clearance required to perform their activities.
5.3 Disposal of information
Information must be disposed of in such a manner as to make it impossible to reconstruct, as appropriate to the physical or digital format in which the relevant information was made available. Information disposal shall comply with the minimum legal or regulatory storage duration and the needs of the business or of the relevant area, whichever is later.
5.4 Suppliers and external parties
Contracts signed with service providers that have access to the Company's information, systems and/or environments shall include clauses ensuring compliance with information security rules and penalties for noncompliance.
5.5 Business continuity
The Company's business continuity management establishes and maintains a strategic and operational framework designed to manage and respond to interruptions in the processes that support its business activities. This framework is governed by the Business Continuity and Crisis Management Policy.
6 RESPONSIBILITIES
6.1 Staff covered by this Policy
- Comply with the Company's information security rules;
- Protect information from unauthorized access, modification, destruction or disclosure;
- Assure that the technological resources, information and systems available to them are used only for business purposes;
- Comply with the laws and regulations that govern intellectual property;
- Refrain from discussing, referring to or sharing confidential information in public environments and exposed areas (airplanes, public transport, restaurants, social meetings, etc.), including by posting comments and opinions to blogs and social media;
- Refrain from sharing confidential information of any kind; and
- Immediately report to Information Security any noncompliance with or violation of this Policy and/or its rules and procedures.
6.2 Managers
- Strengthen security practices and processes, and control access to systems, guiding their teams through the relevant issues.
6.3 Cyber Security Department
- Promotes a broad dissemination of the Information Security Policy and Rules;
- Promotes information security awareness activities addressed to employees, interns and service providers;
- Proposes measures to enhance information security efforts; and
- Establishes rules and procedures associated with information security tooling, covering information ownership and use, identity and access management, and response to information security incidents.
6.4 Purchasing and Contracts Department
- Assures that all contracts signed with service providers having access to the Company's information, systems and/or environments include clauses to ensure compliance with the Information Security Policy and Rules, and also penalties for noncompliance.
6.5 Board of Directors
- Approves this Information Security Policy, as well as its reviews.
7 FINAL PROVISIONS
The above provisions apply to the entire Company upon publication of this Policy.
8 CHANGE LOG
Effective: As of December 08, 2022.
1st draft: February 16, 2009.
Areas responsible for this document:
Responsible for | Area |
Drafting | Governance and Security Risks; Governance and Integrated Management Department |
Revision | Legal Department; Corporate Governance and Nomination Committee |
Approval | Cyber Security Internal Committee; Board of Directors |
Acknowledgment | Executive Board |
Updates:
Version | Changed section | Reason | Date |
01 | First draft | N/A | February 16, 2009 |
01.1 | Miscellaneous | First Policy review | August 10, 2009 |
01.2 | Miscellaneous | Inclusion of Scope; update of area nomenclature; revision of Policy application | December 27, 2010 |
02 | Miscellaneous | Expansion of Guidelines; Definitions substituted for glossary; removal of rules | March 8, 2011 |
03 | Miscellaneous | General revision focusing on corporate guidelines for information security | May 15, 2013 |
04 | Miscellaneous | Inclusion of Concepts and incident management; simplification of Guidelines and Responsibilities | May 6, 2014 |
05 | Miscellaneous | Adjustment to Company's new name: B3 S.A. - Brasil, Bolsa, Balcão | May 12, 2017 |
06 | Miscellaneous | New structure for sections and removal of similar rules; inclusion of clauses ensuring compliance with Information Security Rules in contracts signed with suppliers and external parties; attribution of responsibilities to the Administration, Supplies and Property Department; determination of disposal of information to prevent reconstruction, respecting legal and regulatory storage duration; reassessment of overlapping points with the Information Technology Policy | June 1, 2018 |
07 | Scope and formatting | Adjustment to new governance of the Company's subsidiaries and affiliates; alignment with new template | August 17, 2020 |
08 | References and formatting | Inclusion of the National Institute of Standards and Technology Framework | April 12, 2021 |
09 | Responsibilities | Update of the area name to Cyber Security Department; inclusion of the Board of Directors' responsibility | December 08, 2022 |
Disclaimer
B3 SA Brasil Bolsa Balcao published this content on 08 December 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 08 December 2023 20:36:23 UTC.