The protection, during processing, of business partner information and personal data under ISQe's responsibility, in a manner consistent with professional, ethical, legal, regulatory and contractual requirements, is one of the highest priorities of the Company and is considered fundamental to its success. The loss or theft of information or personal data can have serious legal, financial and/or reputational consequences, and ISQe is committed to safeguarding the privacy, confidentiality, integrity and availability of your information or that of business partners, whether it is held in physical, digital or intellectual form.
Accordingly, ISQe has established the principles of the privacy and information security policy so that it can demonstrate at any time that an adequate level of protection exists, and to ensure that:
- The information is protected against unauthorized access;
- The confidentiality of the information ensures that it is only accessible by people and processes duly authorized for the purpose;
- The integrity of the information is maintained through the accuracy of the information and the processing methods;
- All applicable laws and regulations are respected;
- Information security in business continuity is appropriate, maintained and tested regularly;
- Any detected or suspected breaches of information security are investigated by the areas competent for that purpose;
- All its business partners are aware, at all times, of the rules and principles relating to the protection and processing of personal data (transparency);
- Personal data are processed lawfully and impartially (lawfulness and loyalty);
- Personal data are collected and processed for specific, explicit and legitimate purposes (purpose limitation) and kept only for the necessary period (retention limitation);
- Personal data are adequate, relevant and limited to what is necessary taking into account the purposes for which they are processed (data minimization);
- Personal data are accurate and, where necessary, rectified and updated (accuracy).
To this end, ISQe maintains an Integrated Privacy and Information Security Management System (PISMS) comprising this policy and other related documented information, which is designed to maintain, review and continuously improve the privacy and security of information, based on an assessment and treatment of existing risks and ensuring compliance with the Continuous Improvement Cycle presented in the ISQe Governance Model.
Objectives of the Integrated Privacy and Information Security Management System
The main objectives of the PISMS are to:
- Provide information security, in accordance with the relevant business requirements, laws and regulations;
- Manage the organization's assets while maintaining appropriate protection responsibilities;
- Ensure that the information receives an adequate level of protection, according to its importance to the organization;
- Ensure the access of authorized users and prevent unauthorized access to systems and services;
- Prevent unauthorized physical access, damage and interference in the organization's information and information processing resources;
- Prevent the exploitation of technical vulnerabilities;
- Ensure that information security is designed and implemented within the life cycle of the development of information systems;
- Ensure a consistent and effective approach to the management of information security incidents, including the communication of events and security weaknesses;
- Ensure the continuity of information security in the organization's business continuity management systems;
- Contribute to a culture of information security, in a logic of continuous improvement;
- Ensure that data processing is done in a lawful, fair and transparent manner;
- Ensure that data is accurate and updated whenever necessary;
- Ensure that the retention period for personal data is the minimum in accordance with legal or business continuity requirements;
- Ensure that personal data are processed in a way that maintains their integrity and confidentiality.