Information Security and Cyber Security Policy
See the full policy
The pillars of the Inter Group's Information and Cyber Security policy adhere to the Institution's values and are present in the performance of all employees' duties. Its premises are:
To protect information and information technology assets against unauthorized access, modification, destruction, or disclosure;
To ensure the continuity of processing critical business information;
To comply with laws and regulations governing aspects of intellectual property and to meet laws and regulations governing Grupo Inter's activities and its market;
To establish mechanisms for managing cyber risks.
The INFORMATION SECURITY AND DATA GOVERNANCE area is responsible for maintaining, updating and disseminating the Information and Cybersecurity Policy, the rules and procedures that derive from it. This Policy applies to all administrators, collaborators, third parties and others involved in Inter Group's activities.
Principles
Our vision on Information Security and Cybernetics is based on the following principles:
Confidentiality
Only the user of the information, who is duly authorized by the Information Manager, must have access to the Information respecting the pre-defined segregation of functions criteria;
Integrity
Only the user of the information, who is duly authorized by the Information Manager, must have access to the Information respecting the pre-defined segregation of functions criteria;
Availability
It must ensure that the Information is always available to the Information User;
Authenticity
It guarantees the identity of who is sending the Information, that is, it generates the non-repudiation that occurs when there is a guarantee that the sender cannot evade the authorship of the message (irreversibility)
Coverage in Computing Systems and Assets
The premises defined in the policy are applicable to all data processing computing environments of Grupo Inter, extending, but not limited to, all servers, databases, operating systems, hardware, software, network devices, telephony, mobile devices , in addition to third-party environments that are physically or logically integrated or connected to Inter Group environments and its technology park.
Grupo Inter bases its actions on good practices in the national and international market, namely:
- ISO 27002 – Policies for information security;
- ISO 27701 – Information Privacy Management;
- CIS – Center for Internet Security.
Responsibilities
Our internal information security controls are assigned across the following dimensions:
- Inventory and Control of Hardware Assets;
- Inventory and Control of Software Assets;
- Continuous Vulnerability Management;
- Controlled Use of Administrative Privileges;
- Secure Hardware and Software Configurations;
- Maintenance, Monitoring, and Analysis of Audit Logs;
- Email and Web Browser Protections;
- Defenses against Malware;
- Limitation and Control of Network Ports, Protocols, and Services;
- Data Recovery Resources;
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches;
- Border Defense;
- Data Protection;
- Controlled Access based on the 'need-to-know' concept;
- Wireless Access Control;
- Monitoring and Account Control;
- Implementing an Awareness and Security Training Program;
- Application Software Security;
- Incident Management and Response;
- Penetration Testing and Incident Response Team Exercises;
- Information Disposal;
- Business Continuity Management;
Compliance
If Grupo Inter identifies non-adherent conduct or non-compliance with established guidelines, the appropriate administrative and/or legal measures will be taken.