Information Security and Privacy Policy


  1. OBJECTIVE

SB Sustainable Business establishes its Information Security and Privacy Policy as an integral part of its corporate management system, in line with market best practices, internationally accepted standards and the applicable Brazilian legislation, with the aim of ensuring adequate levels of protection for the information and personal data handled by the organization and for those of its clients and employees that are under its responsibility.


  2. PURPOSE

The purpose of this policy is to establish Information Security and Privacy guidelines and standards that:

  • Enable SB Sustainable Business employees to adopt standards of secure behavior;
  • Provide guidance on the adoption of controls and processes to meet the Information Security and Personal Data Privacy requirements;
  • Safeguard SB Sustainable Business information, ensuring the basic requirements of confidentiality, integrity and availability;
  • Prevent possible causes of incidents and of legal liability for the institution and its employees, clients, suppliers and partners;
  • Minimize the risk of financial loss, loss of market share, loss of customer confidence, or any other negative impact on SB Sustainable Business resulting from security breaches.


  3. POLICY

This policy applies to all employees, suppliers and partners of SB Sustainable Business who have access to the personal data and information held by SB Sustainable Business and/or who use computing resources that form part of its internal infrastructure.


3.1 It is the policy of SB Sustainable Business to:

  • Draw up, implement and fully follow information security policies, standards and procedures, ensuring that the basic requirements of confidentiality, integrity and availability of the personal data and information handled by SB Sustainable Business are met through controls against threats from both external and internal sources;
  • Make security policies, standards and procedures available to all interested and authorized parties, such as employees, contractors, suppliers and, where relevant, customers;
  • Ensure education and awareness of the information security and data privacy practices adopted by SB Sustainable Business among employees, contractors, suppliers and, where relevant, customers;
  • Fully comply with the information security and personal data privacy requirements applicable under or required by regulations, laws and/or contractual clauses;
  • Fully address information security and personal data privacy incidents, ensuring that they are properly recorded, classified, investigated, corrected, documented and, when necessary, reported to the appropriate authorities;
  • Ensure business continuity through the adoption, implementation, testing and continuous improvement of continuity and disaster recovery plans;
  • Continuously improve Information Security and Privacy Management by systematically defining and reviewing security objectives at all levels of the organization.


  4. ROLES AND RESPONSIBILITIES
    4.1 Information Security Responsibility - Board

Responsibility for the Information Security and Privacy Management System (SGSIP) lies with the Board, with the participation of at least one Chief Operating Officer, one Chief Information Technology Officer and the head of the Controller's Office.

It is the Board's responsibility to:
  • Analyze, review and propose the approval of policies and standards related to information security;
  • Ensure the availability of the resources required for effective Information Security Management;
  • Ensure that information security and data privacy activities are performed in compliance with this Information Security and Privacy Policy (PSIP);
  • Promote the dissemination of the PSIP and take the actions needed to spread a culture of information security and personal data privacy across the SB Sustainable Business environment.


  5. SANCTIONS AND PENALTIES

Violations of this policy and of the other security standards and procedures, even by mere omission or by an attempt that is not carried through, will be subject to penalties that include verbal warning, written warning, unpaid suspension and dismissal for just cause for employees under labor contracts. For personnel engaged as legal entities or through cooperatives, a violation may result in the immediate termination of the contract between the parties.

Sanctions and penalties will be applied according to the analysis of the Information Security Management Committee, taking into account the seriousness of the infraction, its effects and any recurrence.

In the case of third-party contractors or service providers, the Board must analyze the occurrence and decide on the application of the sanctions and penalties provided for in the contract.

In the case of violations that involve illegal activities, or that may cause damage to the Organization, the violator will be held liable for the damages and the applicable legal measures will be taken.


  6. CASES NOT COVERED

Cases not covered by this policy will be evaluated by the Information Security Board for deliberation.

The guidelines established in this policy and in the other security standards and procedures are not exhaustive, given continuous technological change and the constant emergence of new threats. They are therefore not a closed list, and every user of SB Sustainable Business information is obliged to adopt, whenever possible, security measures beyond those set out herein in order to protect personal data and information.


  7. HISTORY OF CHANGES


Date         Revision   History
20/12/2022   01         Initial approval