KALIMO TÊXTIL LTDA. INFORMATION SECURITY POLICY.
The main objective of this policy is to establish the principles, responsibilities and guidelines that enable Kalimo's employees to adopt the highest standards of conduct in order to prevent, detect and remediate risks related to information security, data protection and privacy.
This policy applies to all users of information and to all those who carry out data processing, directly or indirectly, regardless of the nature of their relationship with Kalimo, by any means, physical or digital, and regardless of the country in which the data are located, as long as the processing is aimed at the supply of goods or services by Kalimo to individuals located within the national territory.
Information Security: the preservation of the confidentiality, integrity and availability of information; it is not limited to computer systems, electronic information or storage systems.
Public information: information that requires no access restriction and may be freely published.
Internal information: information restricted to Kalimo's employees, to be used only to achieve Kalimo's goals and needs. It is information whose public disclosure would have an undesirable, and possibly immeasurable, impact on the business. Examples of internal information are: number of customers, internal goals, billing, strategic plans, employee or customer information, and internal policies/practices.
Confidential information: information with the highest level of access restriction. It is available only to those who need it to perform their functions, and its access by unauthorized individuals could compromise Kalimo's business.
Information: means Public Information, Internal Information and Confidential Information when referred to together.
User(s): any employee, regardless of the nature of the employment relationship, or any third party with access to Kalimo's Information and Information Assets.
Information Assets: any device owned by Kalimo that contains data and information, such as, but not limited to, workstations, servers, email, chats, mobile devices, hard drives, flash drives, memory cards, printers, etc.
Information Systems: the expression used to describe a system, whether automated or manual, that encompasses people, machines and/or organized methods to collect, process, transmit and disseminate data that represent information for the user and/or customer.
- PRINCIPLES OF INFORMATION SECURITY
Information Security is characterized by the preservation of the following pillars:
● Confidentiality: aims to ensure that access to company and customer information is obtained only by authorized persons who need that access to perform their duties.
● Integrity: aims to ensure that information, and the methods used to process it, are accurate and complete.
● Availability: aims to ensure that information is always available to the authorized professionals who need access to it to perform their duties.
5.1 General Aspects
● The Information (in physical or digital format) and the technological environments used by Users are the exclusive property of Kalimo and must not be treated as being for personal use.
● All content and Information produced on the Information Assets are the property of Kalimo and may be monitored without prior notice; Users have no expectation of privacy in them. Monitoring records may serve as evidence for legal purposes and for the enforcement of disciplinary measures.
● Information must be used only for the purposes for which it was authorized and collected.
● Every User must have a personal, non-transferable identification badge, configured to grant access only to the areas in which that User may circulate; its use is mandatory on Kalimo's premises.
● Only authorized Users may have access to Kalimo's Information.
● Every process must, whenever possible and throughout its life cycle, guarantee segregation of duties.
● Information must be used transparently and only for the purpose for which it was collected. When data is used for statistical purposes, it must be anonymized so that individuals cannot be identified.
● Kalimo must ensure the continuous, systematic and effective management of the measures adopted to protect personal data and the rights of data subjects, supporting sensitive and critical business operations and minimizing the identified risks and their possible impacts on the organization.
5.2. Classification and processing of information
● All information must be classified according to its degree of confidentiality and criticality for Kalimo's business, using the labels public, internal or confidential.
● The author of a file is responsible for classifying its level of protection according to the type of information it contains.
● The operational manager of the area responsible for the document must ensure that the information is correctly classified.
● All unclassified information must be treated as internal.
● Information must be protected throughout its life cycle: generation, handling, storage, transmission and disposal.
5.3. Management of Information Security Risks and Incidents
● Risks must be identified through an established process for assessing the Information Security risks that affect the business and/or its strategies, aligned with the business context, so that Kalimo is adequately preserved and protected.
● Information Security incidents must be analyzed, classified, treated, recorded and reported to the requester and to the manager of the impacted process or system.
● If an incident is classified as critical and carries a risk of high impact to Kalimo's business, it must be analyzed by the Information Security Manager and, when applicable, notified to the Board of Directors.
● Every security incident must be used as a basis for implementing new controls or modifying existing ones.
● Strategic assets that support Kalimo's business must be covered by the Contingency and Business Continuity Plan.
5.4 Use of Corporate Email @kalimo.com.br
The electronic mail provided by Kalimo is an instrument of internal and external communication for conducting the company's business. Messages must be written in professional language, must not compromise Kalimo's image, and must not contravene current legislation or the ethical principles contained in Kalimo's code of conduct. Accordingly, Users are prohibited from using Kalimo's corporate email to:
● Send unsolicited messages to multiple recipients, unless related to the legitimate business of the institution;
● Send e-mail from a department's address, from another person's username, or from an unauthorized account;
● Disclose sensitive and/or unauthorized information;
● Falsify and/or tamper with email content, for example by hiding the identity of senders and/or recipients;
● Improperly access Information in a way that may cause harm to anyone;
● Pursue any purpose unrelated to Kalimo's activities and business; and
● Pursue illicit purposes, or send inappropriate content that violates good market practices and social coexistence.
5.5. Data Sharing
● All data must be stored on network servers. Access authorization is granted on the server, with access restricted per area as defined by the IT team. The IT team must periodically review all existing shares on workstations and ensure that data considered confidential and/or internal is not stored outside the network servers.
● Sharing Information through removable media such as pen drives and similar devices is not allowed in the company. Sharing is permitted only over the network and through corporate email.
5.6. Illegal Software
● Kalimo respects copyright and uses only duly licensed software on its Information Assets. The use of illegal (unlicensed) software at Kalimo is strictly prohibited.
● All software must therefore be submitted to the IT area for approval and authorization before any acquisition or installation by Users.
● The IT area will periodically check the data on the servers and/or on Users' computers to ensure that this guideline is being followed. Any unauthorized software found must be removed from the computers, and the Users involved are subject to sanctions and penalties.
5.7. Permissions and passwords
● Every User who needs access to data on the Kalimo network must have a login and password previously registered by the IT area. The User's immediate superior defines the User's access rights and sends the corresponding request to the IT department.
● The IT area will register the new User and inform them of their initial password, which must be changed immediately after the first login and every 180 (one hundred and eighty) days thereafter. For security, the IT area recommends that passwords always meet minimum strength criteria so that they cannot be easily guessed, and that previous passwords are not reused.
● When external Users require access, whether temporary or not, that access must be blocked as soon as their work is finished; any renewal must be justified.
● Logical access to Kalimo's information assets must be properly controlled and restricted to Users with formal authorization who need the access to perform their activities. Access must always follow the principle of least privilege: Users receive only the permissions necessary to carry out their activities.
● Every access account and password is personal and non-transferable; the User is fully responsible for its safe and conscientious use.
● The use of another person's identification devices and/or passwords constitutes a crime under the Brazilian Penal Code.
5.8. Backup
● All Kalimo data must be protected through systematic backup routines.
● Backup copies of the integrated system and of the network servers are the responsibility of the IT area and must be made daily by automated jobs. At the end of each month, an additional backup copy containing the month's closing data must be made and saved to tape.
5.9. File backups on desktops
● It is not Kalimo's policy to store data on individual desktops; however, some software used by the tax area does not allow storage on the network. In that case, backup is the responsibility of the User, with the support of the IT area, for the purpose of guaranteeing Information Security.
● In all other cases, Information must be saved on the network, which has all the protections appropriate to Kalimo's risk profile and is covered by the backup routines.
5.10. Antivirus use
● Every file on media originating outside Kalimo must be scanned by antivirus software.
● Every file received or obtained from the Internet must be scanned by antivirus software.
● All workstations must have antivirus installed. Antivirus updates are automatic, scheduled by the IT area and distributed via the network.
● Users may not, under any circumstances, disable the antivirus software installed on workstations or install antivirus software of their own on the Information Assets.
5.11. Awareness Trainings
● The IT area must run periodic programs to raise Information Security awareness across the entire organization.
● The Information Security awareness program is mandatory for all Users; the first session takes place at onboarding and is repeated every 12 (twelve) months.
5.12. Privacy and Data Protection Guidelines
All Users are obliged to:
● Assure the data subject (the holder of the personal data), whenever entitled, of self-determination over the processing of their personal data, except where applicable law specifically allows processing without the data subject's consent;
● Ensure that the reasons for processing personal data are adequate, necessary and transparent, comply with the applicable privacy and data protection regulation, and rest on a permitted legal basis;
● Inform the data subject, in a transparent and truthful manner adapted to the circumstances, about the processing of their personal data before the initial or proposed processing;
● Minimize processing strictly to what is necessary, collecting the smallest number and volume of data for the specified, explicit and legitimate purposes intended;
● Store and process personal data only for as long as necessary to fulfill the legitimate purposes and subsequently anonymize, delete or dispose of them;
● Block access to personal data and cease further processing when the stated purposes have expired but retention is still required by data protection regulations;
● Ensure the accuracy, quality and integrity of the personal data processed, except where there is a legal basis for not updating them;
● Notify data subjects when significant changes occur in the processing of their personal data;
● Guarantee data subjects the exercise of their rights, whenever possible, such as access, review, sharing and portability of personal data;
● Keep records of processing activities and of data handling, including the mapping of data and of its sharing with third parties;
● Handle violations in the processing of personal data, ensuring adequate measures for recording, classifying, investigating and documenting incidents;
● Ensure that, in the event of a data breach, all interested parties are notified in accordance with the requirements and deadlines provided for in current legislation;
● Ensure that a person is responsible for documenting, implementing and communicating the policies, procedures and practices related to privacy and data protection;
● Adopt preventive technical and administrative security measures aimed at protecting personal data;
● Keep policies, rules and procedures available and accessible to the relevant stakeholders and Users;
● Promote Users' awareness of the policies and best practices related to privacy and data protection in the Kalimo environment;
● Ensure that personal data is not processed in a discriminatory manner or for illicit and/or abusive purposes;
● Keep the desk clean, with no corporate documents left visible, to prevent data from being exposed or diverted; and
● Restrict access to physical files to only those people who need the information and have a legitimate purpose for using it.
- ENVIRONMENT MONITORING AND AUDIT
To ensure compliance with the guidelines contained in this policy, Kalimo may, at its sole discretion, at any time and without prior notice, use any monitoring and auditing tool, routine or methodology, without Users having any right to privacy in, or to oppose, the practices adopted, which aim at effective Information Security, risk prevention and the handling of contingencies that materialize.
- ETHICS, CONDUCT AND INFORMATION SECURITY COMMITTEE
Compliance with this policy will be the responsibility of the Ethics, Conduct and Information Security Committee, which must:
Analyze occurrences of violations of the terms of this policy;
Request inquiries on equipment and systems to the IT area;
Direct the occurrences to the responsible Managers/Leaders so that the necessary measures are taken;
Analyze, create, review and approve policies and rules regarding the protection of personal data and privacy;
Ensure and make efforts to ensure the availability of resources to effectively manage the protection of personal data and privacy;
Ensure that the processing of personal data is carried out in accordance with existing and applicable personal data protection policies, rules and regulations;
Promote the dissemination of Policies and rules for the protection of personal data and privacy and disseminate knowledge and culture related to the topic in the Kalimo environment through events, awareness-raising actions and training.
The Ethics, Conduct and Information Security Committee will have the participation of at least one representative from the administration, a senior member from the areas of Information Technology, Information Security, People Management, Data Protection Officer, Legal, Compliance, Marketing, Projects and Products.
- FINAL PROVISIONS
This policy was approved by the Board of Directors on 07/31/2020 and enters into force on the date of its disclosure, upon publication on the website www.kalimo.com.br/contact/legalinformation
All Users, as well as people with whom Kalimo maintains a business relationship, must be aware of its content and fully comply with it.
Non-compliance by Users may result in the application of the penalties provided for in the applicable legislation, as the case may be.
Any breaches, suspected violations or reports concerning the terms of this policy must be submitted through the channel www.kalimo.com.br/contact/legalinformation
Reports in good faith will not be retaliated against by Kalimo.