Security Policy
The Information Security Policy of Ubiquity constitutes a common basis for all Departments, allowing the adoption of organizational security standards, effective practices in Information Security Management, and providing confidence in relationships with third parties and Ubiquity.
The Information Security Policy aims to apply to the Management System the international standard ISO/IEC 27001, community standards, and specific national legislation and recommendations in the field of Information Security.
The Management team of Ubiquity commits to:
- Adopting and maintaining all applicable legal requirements in the context of Information Security;
- Ensuring the conditions for continuous improvement of the system through monitoring and periodic reviews of components related to Information Security.
This document describes the general principles that should be applied by each Department of Ubiquity to the information assets they manage and is structured as follows:
- Scope
- Information Value
- Importance of Information Security
- Guidelines for Information Security Management
- Information Security Management System Model
- Detailed Information Security Policies
- Organization and Responsibilities in Information Security
- Maintenance and Communication of Security Policies and Procedures
1. Scope
The Information Security Policy applies to all employees, external consultants, interns, temporary consultants, service providers, and other stakeholders who participate in Information processing.
It should be noted that any misuse of: company equipment, personal equipment connected to company resources, the company’s network, email system, or any other information processing applications or company resources – as well as the use of these for illicit purposes – has the potential to expose the company to serious consequences. This includes actions such as unauthorized access to computer systems, data, or assets, introduction of viruses, theft/disclosure of company secrets/other confidential information, and theft or illegal processing of personal data.
Employees and other providers who deliberately violate this or other policies are subject to disciplinary/legal action, which may include termination of their contractual relationship and reporting to the judicial authorities of situations indicating the commission of a crime.
2. Value of Information
Information can take various forms (be printed or written on paper, stored electronically, transmitted by mail or electronic means, among others) and should be adequately protected, regardless of its medium, use, or support. Information security should be adjusted according to its importance and value.
Preserving the confidentiality, integrity, and availability of information depends on a systematic approach to risk in order to minimize incidents that compromise its security.
Access to information is a central aspect of Ubiquity’s operations, and the efficiency of the service provided to its clients depends on the availability of information systems and infrastructure. Therefore, security in the processing and transmission of information is vital to maintaining its efficiency.
Any service interruption, leakage of information to unauthorized entities, or unauthorized modification of data can lead to a loss of trust and/or violate obligations to clients, partners, or other legal and regulatory obligations in force.
The shift from classic processing systems – based on closed computer centers – to various forms of distributed data processing in open and heterogeneous client/server environments brings additional risks that need to be managed, as relevant information and the applications that handle it continuously increase, along with their use in difficult-to-control locations.
To achieve its objectives in information security, Ubiquity’s Departments depend on the correct operation of its information and communications systems. However, this is only possible with the continuous identification of risks to which Ubiquity’s assets are exposed, as well as the implementation of controls and security mechanisms aimed at their correct and controlled use.
It is the responsibility of all Ubiquity employees (as well as other parties identified within the scope of this policy) to proactively contribute to the protection of information, including when sharing sensitive information, even verbally. Similarly, it is their responsibility to report any threats, realized or unrealized, that may have any impact on the availability, integrity, or confidentiality of information.
3. Importance of Information Security
The information managed by Ubiquity, its supporting processes, systems, applications, and networks are valuable assets to the organization. Any loss of confidentiality, integrity, and/or availability can lead to a loss of credibility for the services provided by Ubiquity.
Therefore, Information Security should be applied at all stages of the information life cycle. Control of the operations of collection/insertion, processing, storage, transfer, relationship, search, and destruction of information is as important as the functionality of an application. The maintenance of a high level of quality and security must be ensured permanently and in a balanced manner, preventing the materialization of inherent risks, with the aim of mitigating/limiting the potential damage caused by the exploitation of vulnerabilities and security incidents, ensuring that the business operates as expected over time.
Information Security should be a fundamental assumption for the success of the services provided by Ubiquity, and therefore, it is the responsibility of all employees, suppliers, partners, or other entities that have access to information at any given time.
Threats to Information Security are constantly evolving, which requires the continuous adaptation of security measures to keep pace with technological, legislative, and/or social changes. Security measures should be technically and economically viable and should not unduly limit the productivity and efficiency of Ubiquity. Residual risks should be known to Management and Managers with operational responsibilities for associated assets.
4. Guidelines for Information Security Management
The information managed by Ubiquity considers the following aspects:
- People Management: Information Security applies to all Ubiquity employees in all Departments, transversally, with specific responsibilities assigned to certain roles;
- Risk Management: All systems (existing or planned) must have an appropriate level of security relative to the risk that Ubiquity is willing to assume. Risk analysis should reflect technical concerns in a perceptible way;
- Definition of Responsibilities: The responsibility for the quality, access, use, and safeguarding of information contained in systems lies with their managers. It is up to Ubiquity to define the standards and procedures that implement the levels of information security defined by the information owners and monitor their effectiveness;
- Security Rules: There must be security policies that define the objectives to be achieved by all information systems, regardless of their environment;
- Security Procedures: These should be as detailed as possible and clearly define how to achieve the desired level of security and what human involvement is required in maintaining information systems, leaving nothing to chance.
Ubiquity ensures that it does not intend to implement, authorize, or establish any remote monitoring of systems or instruments (open or hidden) concerning employees’ opinions, habits, or activities – which is strictly prohibited.
This policy aims only to create means to verify whether professional and/or personal resources are being used correctly for organizational and productive needs, workplace safety, protection of the company’s assets, and the company’s security (and, in particular, its network and information systems).
5. Information Security Management System Model
The Ubiquity ISMS model is based on the following three pillars:
- Confidentiality: Ensuring that information is accessible only to authorized persons and processes;
- Integrity: Safeguarding the accuracy of information and processing methods;
- Availability: Ensuring that authorized users and processes have access to information whenever necessary.
All existing information security mechanisms at Ubiquity aim at the confidentiality, integrity, and/or availability of information and should be regulated by a normative body consisting of detailed policies, processes, and information security procedures, structured as follows: