External Security Policy
We follow the best governance practices to ensure security and trust in all our relationships.
1. Objective
This External Information Security Policy aims to:
- Ensure transparency to customers about the Information Security activities carried out by LUMIS;
- Guide suppliers regarding the minimum level of Information Security required in handling information related to LUMIS;
- Establish guidelines for the creation, transmission, processing, use, storage, retrieval, and disposal of information, preserving them according to the following principles:
  - Integrity: keep information accurate, complete, and unaltered;
  - Confidentiality: restrict access to authorized people, entities, or processes;
  - Availability: ensure that authorized users can access information whenever necessary.
LUMIS adopts a continuous process of identifying, analyzing, evaluating, treating, and reducing risks to an acceptable level.
2. Reference Documents
- NBR ISO/IEC 27002:2013
- NBR ISO/IEC 27701:2019
- CIS Controls V8.0
- NIST 800-53
- General Data Protection Law (Law No. 13.709/2018)
3. Definitions
- Employees: outsourced service providers and employees;
- Virus: malicious software that spreads by inserting copies of itself;
- Ransomware: program that encrypts data and demands ransom;
- Phishing: sending fake links to obtain confidential information;
- Incident: event that affects confidentiality, integrity, or availability, causing damage;
- Suppliers: individuals or entities involved in the product or service chain;
- Information Processing: any operation performed with personal data (collection, storage, transmission, etc.).
4. Policy for Information Transfer
- Confidentiality clauses in contracts ensure the protection of information.
- Communication (web, email, phone) should be cautious and use tools approved by IT.
- Corporate emails should only be used for LUMIS activities.
- Personal data transmitted over public networks must be encrypted and controlled to ensure secure delivery.
5. Access Control Policy
- Collaborators of suppliers with access to LUMIS data must sign confidentiality obligations.
- Procedures must exist for registration, cancellation, and recovery of compromised accesses.
- Maintain an updated record of authorized users/profiles.
- Personal data outside LUMIS must be encrypted and accessible only to authorized personnel.
6. Supplier Policy
- Hiring based on LUMIS needs and technical/professional criteria.
- Quotation or competition process for better cost, time, and quality.
- Prohibition of business with suppliers of doubtful reputation or who violate the Code of Ethics.
- Hiring with personal or corporate ties requires authorization from the Compliance Committee.
7. Backup Policy
- Periodic backups of information assets for recovery, continuity, and legal compliance.
- Restoration tests conducted according to business strategy.
- Suppliers must ensure protection, continuity, and restoration after incidents.
- LUMIS must know the location, retention time, and deletion procedure of supplier backups.
8. Policy for Awareness, Education, and Training
All employees must be aware and trained in information security, with an annual plan to:
“Ensure that information security is known and understood by all, guiding about best practices, risks, and responsibilities.”
9. Policy for Legal and Contractual Compliance
Legislative, regulatory, and contractual requirements must be identified, documented, and updated, with clear responsibilities for compliance.
10. Software Development Policy
- Use of formal process and methodology in a secure development environment.
- Software change control through change management process.
11. Record and Monitoring Policy
Suppliers must define criteria for event logging, protection of these records, and prohibition of unauthorized deletion.
12. Incident Response Plan
Suppliers cooperate in security incidents, conducting critical analysis to identify personal data breaches and support LUMIS in investigations.
13. Conclusion
The LUMIS Information Security team has adopted these policies to protect the information assets necessary for the business. Security is the responsibility of all employees and suppliers, being part of LUMIS's internal culture.
Date of last update: September 13, 2023