Protecting business partner information and personal data under ISQe's responsibility, in a manner consistent with professional, ethical, legal, regulatory and contractual requirements, is one of the Company's highest priorities and is considered fundamental to its success. The loss or theft of information or personal data can have serious legal, financial and/or reputational consequences, and ISQe is committed to safeguarding the privacy, confidentiality, integrity and availability of your information and that of business partners, whether it is held in physical, digital or intellectual form.
To this end, ISQe has established the principles of its Privacy and Information Security Policy so that it can demonstrate at any time that an adequate level of protection exists, ensuring that:
- Information is protected against unauthorized access;
- The confidentiality of information is ensured, so that it is accessible only to people and processes duly authorized for the purpose;
- The integrity of information is maintained through the accuracy of the information and of the processing methods;
- All applicable laws and regulations are respected;
- Information security in business continuity is appropriate, maintained and tested regularly;
- Any detected or suspected breaches of information security are investigated by the areas competent for that purpose;
- All business partners are aware, at all times, of the rules and principles relating to the protection and processing of personal data (transparency);
- Personal data are processed lawfully and impartially (lawfulness and loyalty);
- Personal data are collected and processed for specific, explicit and legitimate purposes (purpose limitation) and kept only for the necessary period (retention limitation);
- Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization);
- Personal data are accurate and, where necessary, rectified and updated (accuracy).
To this end, ISQe maintains an Integrated Privacy and Information Security Management System (PISMS) comprising this policy and other related documented information, which is designed to maintain, review and continuously improve the privacy and security of information, based on an assessment and treatment of existing risks and ensuring compliance with the Continuous Improvement Cycle presented in the ISQe Governance Model.
Objectives of the Integrated Privacy and Information Security Management System
The main objectives of the PISMS are to:
- Provide information security in accordance with the relevant business requirements, laws and regulations;
- Manage the organization's assets while maintaining appropriate protection responsibilities;
- Ensure that information receives a level of protection appropriate to its importance to the organization;
- Ensure access for authorized users and prevent unauthorized access to systems and services;
- Prevent unauthorized physical access to, damage to and interference with the organization's information and information processing resources;
- Prevent the exploitation of technical vulnerabilities;
- Ensure that information security is designed and implemented throughout the development life cycle of information systems;
- Ensure a consistent and effective approach to the management of information security incidents, including the communication of security events and weaknesses;
- Ensure the continuity of information security within the organization's business continuity management systems;
- Contribute to a culture of information security, in a logic of continuous improvement;
- Ensure that data processing is carried out in a lawful, fair and transparent manner;
- Ensure that data are accurate and updated whenever necessary;
- Ensure that the retention period for personal data is the minimum required by legal or business continuity requirements;
- Ensure that personal data are processed in a way that maintains their integrity and confidentiality.
In the context of the PISMS, the highest authority in the company is its Managing Director, who is responsible for:
- Ensuring that the PISMS is part of, and embedded in, all business processes and is adopted by the overall management structure;
- Maintaining a formally operational Privacy and Information Security Committee, responsible for planning, guiding, defining, monitoring and controlling information security initiatives and for monitoring their performance;
- Maintaining a formally appointed Chief Information Security Officer (CISO), who is the designated point of contact within the organization and manages PISMS activities;
- Maintaining a formally appointed Data Protection Officer (DPO), responsible for data protection, who is the designated point of contact for the other structures of the organization in PISMS management activities within the scope of data privacy.
All Department Coordinators must be aware of the need for business and support processes to comply with the organization's privacy and information security policies, as well as of their obligation to implement, in their areas, the initiatives necessary to achieve this.
All employees, as well as third parties, who may in any way interact with information belonging to business partners, employees or ISQe itself, are obliged to comply with and enforce all privacy and information security standards, and must promptly report to the CISO or DPO any event that may cause, or has caused, a breach of privacy or information security, via email to email@example.com.
Employees, as well as third parties, may be held disciplinarily or legally liable in case of non-compliance with privacy and information security policies and standards established by ISQe.
The Privacy and Information Security Policy is periodically reviewed to ensure that it remains appropriate for ISQe and its customers, and is communicated and made available to all employees.