1. OBJECTIVE

This document is an integral part of the Privacy Program and represents an essential strategic measure for NUTRIRE's operations. The continuous evolution of the Privacy Program requires governance-endorsed initiatives aligned with strategic guidelines and applicable legislation. These initiatives cover the assessment of the maturity of the Information Security environment, risk management, business continuity, the scope of users covered, and organizational growth, as provided for in control 5.1, "Policies for information security," of clause 5, "Organizational controls," of ABNT NBR ISO/IEC 27002:2022.

The Information Security Policy (ISP) establishes corporate principles for Information Security within NUTRIRE, with the objective of protecting the confidentiality, integrity, and availability of information. All business areas are responsible for adjusting their processes in accordance with the requirements of this policy and the General Data Protection Law (LGPD).

To implement this policy, NUTRIRE adopts the following Information Security principles to protect all information security assets under its ownership or custody:

a) Confidentiality: Ensures that information is not made available or disclosed to unauthorized individuals, systems, bodies, or entities.

b) Integrity: Ensures that information held in technological resources is not altered or destroyed in an unauthorized manner, whether intentionally or accidentally.

c) Availability: Ensures that information is accessible and usable on demand by authorized users or custodians.


2. SCOPE

This Policy covers all of NUTRIRE's information assets, including personnel, physical infrastructure, data, systems, applications, devices, and networks. It applies to all employees, staff, contractors, partners, and third parties who access or process the organization's information, and to all physical facilities managed or used.


3. VALIDITY

This Policy takes effect immediately upon its approval. It must be reviewed within a period of up to 12 (twelve) months from its formal approval, in accordance with its version control, or whenever the Information Security and Privacy Committee (CSIP) or the Information Technology Coordinator deems it necessary.


4. TERMS AND DEFINITIONS

a) Senior Management: The highest level of leadership within the organization, responsible for establishing the strategic direction and objectives of Information Security and Privacy;

b) Asset: Anything that has value and needs to be adequately protected;

c) Backup: Safeguarding of information carried out through reproduction and/or copying of a file base for the purpose of recovery in the event of an incident or restoration need;

d) Collaborator: Employee, intern, service provider, outsourced employee, supplier, minor apprentice, or any other individual or organization that has a professional relationship, directly or indirectly, with the organization;

e) Personal Data Processing Officer: The person designated by the organization to act as a point of contact between NUTRIRE, data subjects, and the National Data Protection Authority (ANPD);

f) Information: A set of data that, whether processed or not, can be used for the production, transmission, and sharing of knowledge, contained in any medium, support, or format;

g) Risk: A combination of the probability of a threat materializing and its potential impacts;

h) Information Security: The preservation of the confidentiality, integrity, and availability of information. It aims to protect information from various types of threats to ensure business continuity, minimize business damage, maximize return on investments, and create new transaction opportunities;

i) Information and Communication Technology Resources: Encompass all technological means used to process, store, transmit, and access information, such as computers, networks, information systems, mobile devices, among others;

j) Violation: Any activity that disregards the rules established in normative documents;

k) General Personal Data Protection Law (LGPD): Law No. 13,709/2018, which, according to its art. 1, "governs the processing of personal data, including in digital media, by a natural person or by a public or private legal entity, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person."


5. GENERAL PROVISIONS

The objectives of the Information Security Policy are:

a) To define principles and guidelines for the protection of information assets and knowledge generated or received;

b) To establish general information security guidelines, contributing to efficient risk management and limiting risks to acceptable levels, while preserving the confidentiality, integrity, availability, and authenticity of information;

c) To determine competencies and responsibilities related to information security;

d) To guide the creation of standards for the effective implementation of information security;

e) To align information security actions with NUTRIRE's organizational planning strategies.


6. PRINCIPLES AND GUIDELINES

6.1 It is essential that all users are aware of and committed to the safe and appropriate use of NUTRIRE's information assets. Therefore, they must ensure compliance with this Policy, Management Procedures, Work Instructions, and applicable laws, when relevant.

6.2 All information produced, accessed, handled, stored, or discarded for the development of activities contracted by NUTRIRE, as well as other tangible and intangible assets provided, is the property of or under the exclusive responsibility and use of the organization. These resources must be used strictly for corporate purposes, with the aim of serving NUTRIRE's interests, and may not be disclosed or shared without authorization.

6.3 The use of personal technological resources to handle information belonging to or in the custody of NUTRIRE without authorization is prohibited. All data, regardless of its nature, must circulate exclusively in secure environments under NUTRIRE's control. Confidential information must not be stored in or shared through applications on personal devices, in particular social media applications, so as to avoid exposure to vulnerabilities that could result in incidents.

6.4 The use of social media to perform professional responsibilities on behalf of NUTRIRE must be restricted and previously authorized, being permitted only when essential and aligned with the organization's objectives, in accordance with the guidelines set out in this Policy. All activities in this context must be carried out exclusively through NUTRIRE's Information and Communication Technology (ICT) resources.

6.5 It is expressly prohibited to use, access, store, or disclose discriminatory, pornographic, malicious, obscene, offensive, or illegal material, or material that contradicts the principles established by NUTRIRE and applicable legislation.

6.6 NUTRIRE reserves the right to monitor or audit, without prior notice, the use of technological resources under its ownership or custody, as well as information stored on local disks, on the corporate network, and in corporate cloud storage services.

6.7 Any use of NUTRIRE's internal documents, software, industrial designs, trademarks, visual identity, or other present or future distinctive signs, in any medium, including the Internet and social media, must be previously and expressly authorized by NUTRIRE and aligned with its interests.


7. INFORMATION SECURITY MANAGEMENT

7.1 NUTRIRE's Privacy Program is constituted, at a minimum, by the following processes:

a) Privacy and personal data protection;

b) Information processing;

c) Physical and logical security of environments;

d) Incident management in information security and personal data privacy;

e) Asset management;

f) Management of the use of information and communication technology (ICT) resources;

g) Information backup;

h) Access controls;

i) Vulnerability management;

j) Supplier assessment;

k) Change management;

l) Continuous improvement.

7.2 Information security controls must address, at a minimum, the following aspects:

a) Compliance with the guidelines set out in the LGPD and with the regulations and guidelines issued by the National Data Protection Authority (ANPD);

b) Classification of information according to its level of confidentiality and criticality, among other factors, to define appropriate security controls;

c) Protection of data against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing;

d) Acceptable use of information and use of storage media;

e) Entry and exit of information assets from NUTRIRE's facilities;

f) Security perimeters of all NUTRIRE units;

g) Access controls based on the principle of least privilege;

h) Incident handling steps: identification, containment, eradication, recovery, and post-incident activity;

i) Criteria for communicating incidents to personal data subjects and the ANPD;

j) Security Incident Management Plan, considering different scenarios;

k) NUTRIRE's Asset Management Policy, covering: protection of assets; classification according to criticality; maintenance of an up-to-date inventory including type, location, responsible party or custodian, and security status; acceptable use of assets, personal use being prohibited; mapping of vulnerabilities and threats, with monitoring in accordance with Information Security and privacy principles; and investigation in the event of a suspected security and/or privacy breach;

l) Appropriate use of operational and communication resources provided by NUTRIRE, exclusively for professional purposes and in compliance with the organization's ethical and professional principles, avoiding unethical, discriminatory, or offensive behaviors or those that could compromise its reputation;

m) Rules for e-mail use, sending confidential information, software installation, and antivirus;

n) Rules for internet access, file download, restricted use to appropriate websites, and prohibition of unauthorized software installation;

o) Use of social media, disclosure of information, use of personal accounts for professional purposes, and interactions with strangers;

p) Rules for the use of cloud computing, selection of providers, data security, and compliance with applicable laws and regulations;

q) Access control rules, including the use of Multi-Factor Authentication (MFA), least-privilege-based authorization, segregation of duties, auditing, tracking, periodic access review, and the revocation of access upon the termination or removal of employees and partners who operate NUTRIRE's information assets;

r) Management of information security vulnerabilities, covering: the analysis of environments, assets, and threats; adoption of a methodology to identify and document vulnerabilities and threats, including description, origin, potential impact, and probability; and assessment to determine priority and treatment, which may consist of mitigation through security controls or formal acceptance of the risk;

s) Change Management of information assets, based on risk assessment reports, with definition of roles and responsibilities for assessment, approval, implementation of changes, and creation of a formal process for requesting and documenting changes;

t) Careful adoption, continuous monitoring, and control of emerging technologies, such as Artificial Intelligence, ensuring their application occurs ethically, securely, and in compliance with security attributes and privacy principles.

7.2.1 NUTRIRE will conduct periodic internal information security assessments, and additional assessments whenever necessary, to verify compliance with this Policy and other applicable requirements.


8. RESPONSIBILITIES

8.1 Senior Management

a) Provide the resources necessary to ensure the development and implementation of Information Security Management at NUTRIRE, ensuring that information security actions and decisions are treated with due relevance and priority;

b) Formalize and approve NUTRIRE's Information Security Policy, including its revisions and updates.

8.2 Information Security and Privacy Committee (CSIP)

a) Advise on the implementation of information security actions;

b) Form working groups to address specific topics and propose targeted solutions in information security;

c) Contribute to the development of the Information Security Policy and internal information security standards;

d) Propose revisions to the Information Security Policy and internal security standards;

e) Deliberate on internal information security standards;

f) Evaluate actions proposed by the Information Technology Coordinator.

8.3 Information Technology Coordinator

a) Coordinate the development of the Information Security Policy and other documented information security controls, observing applicable legislation and best practices on the subject;

b) Advise Senior Management on the implementation of the Information Security Policy;

c) Encourage training and professionalization actions for human resources on topics related to information security;

d) Promote the dissemination of the policy and other documented information security controls to all users and service providers of NUTRIRE;

e) Foster studies on new technologies and assess their possible impacts on information security;

f) Propose the resources necessary for the execution of information security actions;

g) Monitor the activities of the Security and Privacy Incident Response Team;

h) Evaluate the results of audit work on information security management;

i) Monitor the application of corrective and administrative actions in cases of information security violations.

8.4 Personal Data Processing Officer

a) Monitor compliance with the standards established in this policy regarding the protection and privacy of personal data;

b) Direct responsible sectors to improve procedures related to the protection and security of personal data processing, establishing more protective guidelines when dealing with sensitive personal data;

c) Stay updated on the technologies used by NUTRIRE in the protection and privacy of personal data, and suggest new technologies to the CSIP whenever deemed pertinent;

d) Inform the CSIP whenever any current or potential security failure is identified in relation to the privacy, availability, and/or integrity of personal data;

e) Maintain LGPD compliance plans updated in accordance with documented information security controls.

8.5 Collaborators

a) Actively protect NUTRIRE's confidential information, maintaining the confidentiality, integrity, and availability of the data they have access to;

b) Strictly follow this Policy, other documented information security controls, and the Privacy Program established by NUTRIRE;

c) Immediately report any Information Security incidents, suspected violations, or inappropriate behaviors;

d) Participate in Information Security and Privacy training and awareness activities to stay updated on best practices and emerging threats;

e) Use only authorized information technology resources and not alter any security measures in their daily activities.


9. PROHIBITIONS

9.1 It is prohibited to use NUTRIRE's information and communication technology resources to access, store, or disclose material that is incompatible with the work environment, infringes copyright, or violates applicable legislation.

9.2 The use or installation of information technology resources that have not been approved or acquired by NUTRIRE is not permitted.

9.3 The disclosure to third parties of identification, authentication, and authorization mechanisms, such as accounts, passwords, or digital certificates, that are for personal and non-transferable use and provided to users, is prohibited.

9.4 It is prohibited to exploit or test identified vulnerabilities; they must be immediately communicated to departmental managers.

9.5 Reports of violations of this policy may be made to the Information Technology Coordinator through the following channel: marcelo.silva@nutrire.com.br.

9.6 Compliance with this Policy and its complementary regulations must be periodically assessed by NUTRIRE through compliance checks, aiming to ensure compliance with information security requirements and the responsibility and confidentiality clauses present in terms of responsibility, contracts, agreements, and related instruments.

9.7 Non-compliance with this policy or its related normative instruments subjects the offender to administrative sanctions in accordance with applicable legislation, without prejudice to civil and criminal liability, ensuring the right to due process and full defense.

9.8 This policy will be reviewed periodically, at least every 12 (twelve) months as set out in item 3 "Validity," or more frequently as necessary, to reflect changes in NUTRIRE's environment, information security risks, and industry best practices.


10. VERSION CONTROL

This policy will be reviewed according to the criteria of item 3 "Validity," taking into account the date of its approval, in order to maintain its ongoing relevance and effectiveness.

Document   Version   Validity    Responsible                  Change Control
ISP        1.0       12 months   Franciele Monique Cipriani   None.

11. FINAL PROVISIONS

11.1 This document must be read and interpreted under Brazilian law, in the Portuguese language, together with the Standards, Policies, and Management Procedures adopted by NUTRIRE.

11.2 Omitted cases will be assessed by the Information Security and Privacy Committee (CSIP) for subsequent deliberation.

11.3 Any questions regarding this policy should be directed to the e-mail address franciele.cipriani@nutrire.com.br.

11.4 This policy takes effect upon its approval and publication.


12. ANNEXES

No annexes.


13. COMPLEMENTARY DOCUMENTS

Personal Data Management Policy

This document establishes guidelines and procedures for the collection, use, storage, and protection of personal data within NUTRIRE, aiming to ensure compliance with applicable legislation, as well as to promote transparency and security of the information processed.


14. RECORDS

Statement on Senior Management's Commitment to Information Security

NUTRIRE's Senior Management must reinforce its institutional commitment to the security of information processed in its activities, through the publication of an official statement.

Publication of the Information Security Policy

NUTRIRE's Information Security Policy will be formally published, establishing the guidelines, responsibilities, and controls necessary to ensure the confidentiality, integrity, and availability of institutional information.