Security policy

Security policy

This information security policy establishes the guidelines and procedures to protect Devops Technologies' information assets, ensuring the confidentiality, integrity and availability of information, as well as compliance with applicable laws and regulations.

1. Objective

This policy aims to:

• Protect Devops Technologies information from unauthorized access, misuse, disclosure, alteration or destruction.
• Ensure business continuity and minimize damage caused by security incidents.
• Promote awareness and responsibility of all users in relation to information security.
• To comply with the legal and regulatory obligations related to data protection.

2. Scope

This policy applies to all information assets of Devops Technologies, including but not limited to:

• Data stored in databases, servers, workstations and mobile devices.
• Information transmitted through communication networks.
• Printed documents and removable media.
• Software and hardware systems used to process and store information.
• All users who access, process or store Devops Technologies information, including employees, contractors, partners and visitors.

3. Principles of Information Security

Information security at https://www. Devops. srv.br will be governed by the following principles:

• Confidentiality: ensure that the information is accessible only to authorised persons.
• Integrity: Ensure that the information is accurate, complete and not changed without authorisation.
• Availability: Ensure that information and systems are accessible when necessary for authorized users.
• Authenticity: Ensure the identity of users, processes or devices.
• No Repudiation: Ensure that the actions performed cannot be denied by the author.

4. Liabilities

• Administration: High administration is responsible for approving and supporting the implementation of this policy by allocating the resources needed to ensure information security.
• IT Team: The IT team is responsible for implementing and maintaining technical security measures, managing access to systems and conducting security monitoring.
• Information Owners: Information owners are responsible for classifying their data, defining access levels and ensuring its integrity.
• All Users: All users are responsible for following this policy and reporting any identified security incidents or vulnerabilities.

5. Security Controls

The following security controls will be implemented to protect information assets:

• Access Controls:
  
  • Implementation of strong and complex password policies.
  • Use multifactor authentication whenever possible.
  • Access control based on function and need of knowledge (Least Privilege).
  • Periodic review and repeal of user accesses.
  • Automatic lock of accounts after multiple login attempts failures.
• Network Security:
  
  • Implementation of firewalls to control network traffic.
  • Use of intrusion detection and prevention systems (IDS/IPS).
  • Network segmentation to isolate critical systems.
  • Use of private virtual networks (VPNs) for secure remote access.
  • Implementation of secure communication protocols (HTTPS, SSH).
• Systems and Applications Security:
  
  • Regular application of security patches in operating systems and applications.
  • Implementation of safe development practices.
  • Conducting vulnerability tests and security analysis in applications.
  • Protection against malware (viruses, worms, ransomware, etc.) on endpoints and servers.
  • Implementation of regular backups and restoration tests.
• Data Protection:
  
  • Classification of information according to its level of sensitivity.
  • Implementation of appropriate protection measures for each classification level.
  • Use encryption to protect data at rest and in transit, where appropriate.
  • Implementation of safe information retention and disposal policies.
  • Controls to prevent data loss and leakage (DLP).
• Security Physics:
  
  • Physical access controls to the facilities and server rooms.
  • Surveillance by security cameras and alarms.
  • Clean table policies and clean screen.
  • Fire protection and other environmental threats.
• Awareness and Training:
  
  • Performing periodic training on information security for all users.
  • Dissemination of information on threats and best security practices.
  • Promoting a culture of security throughout the organization.
• Security Incident Management:
  
  • Implementation of a security incident response plan.
  • Definition of procedures for the identification, containment, eradication and recovery of incidents.
  • Clear communication channels to report security incidents.
  • Postincident analysis to identify the causes and implement improvements.
• Business Continuity and Disaster Recovery:
  
  • Development and maintenance of a business continuity plan (PCN) and a disaster recovery plan (PRD).
  • Regular testing of plans to ensure their effectiveness.
• Legal and Regulatory Compliance:
  
  • Monitoring and compliance with LGPD data protection laws and regulations.
  • Implementation of controls to ensure compliance.
  • conducting periodic security audits.

6. Policy Violations

Any violation of this information security policy could result in disciplinary action, in accordance with the company's internal policies and applicable legislation.

7. Review and Update of Policy

This policy will be reviewed and updated periodically, or whenever necessary, to reflect changes in business requirements, technologies and security threats. The latest version of the policy will always be available to all users.

8. Contact

In case of doubt or to report security incidents, contact the information security team via the following channel: helpdesk@devops. srv.br or 19 2534 2018.

This policy is a living document and its accession is fundamental to the security of information from Devops Technologies. By following these guidelines, we contribute to a safer and more reliable digital environment.