Information Security Policy

Last updated: May 6, 2024

1. Introduction

JohnCode is committed to protecting its information assets and ensuring the confidentiality, integrity, and availability of data under its responsibility. This policy defines the principles, guidelines, and requirements for the adequate protection of company and customer information.

This policy applies to all employees, contractors, consultants, suppliers, and business partners who have access to JohnCode's data and systems.

2. Information Security Objectives

Our information security policy has the following objectives:

  • Protect information against unauthorized access
  • Ensure that information is not improperly modified
  • Guarantee that information is available when needed
  • Comply with applicable legal and regulatory requirements
  • Ensure business operations continuity
  • Minimize damage caused by security incidents

3. Access Management

We implement rigorous access control measures based on the principle of least privilege:

  • Each user receives only the privileges necessary for their job functions
  • Strong and multi-factor authentication for access to critical systems
  • Periodic review of access rights
  • Defined procedures for provisioning and deprovisioning access
  • Strong password policy and secure credential management

4. Network Security

Our network infrastructure is designed and configured to protect data and systems against threats:

  • Network segregation through firewalls and VLANs
  • Intrusion prevention and detection systems
  • Continuous traffic monitoring
  • Encryption for sensitive communications
  • Protection against malware and network attacks

5. Information Classification and Handling

All information is classified according to its level of sensitivity:

  • Public: Information that can be disclosed externally
  • Internal: Information for use within the organization
  • Confidential: Sensitive information with restricted access
  • Restricted: Highly sensitive information with rigorous controls

Each classification level has specific requirements for handling, storage, and disposal.

6. Data Encryption

We use encryption to protect sensitive data:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest for confidential and restricted information
  • Secure management of cryptographic keys

7. Endpoint Security

All devices used to access JohnCode systems and data must follow security requirements:

  • Updated antivirus/antimalware software
  • Operating systems and applications updated with security patches
  • Secure configurations based on security benchmarks
  • Automatic screen lock after inactivity
  • Disk encryption for mobile devices

8. Incident Response

We maintain a structured process to respond to security incidents:

  • Designated incident response team
  • Communication channels for reporting incidents
  • Incident classification and prioritization procedures
  • Defined processes for containment, eradication, and recovery
  • Post-incident analysis to identify improvements
  • Notification to affected parties as required by law

9. Compliance

We continuously monitor and evaluate our compliance with:

  • Applicable laws and regulations (e.g., LGPD)
  • Contractual obligations
  • Information security standards and frameworks
  • Internal policies and procedures

We conduct periodic audits to verify the effectiveness of implemented security controls.

10. Awareness and Training

We ensure that all employees and relevant third parties are aware of their security responsibilities:

  • Information security awareness program
  • Role-specific training
  • Regular communications about threats and best practices
  • Clear instructions on security procedures

11. Business Continuity

We maintain business continuity plans to ensure recovery of critical operations in case of disruptive events:

  • Business impact analysis to identify critical processes
  • Data backup and recovery strategies
  • Contingency plans for different scenarios
  • Periodic testing of recovery plans
  • Detailed documentation of emergency procedures

12. Responsibilities

Information security responsibility is shared:

  • Management: Approve policies and provide necessary resources
  • Information Security Officer: Develop, implement, and monitor controls
  • Managers: Ensure their team follows security policies
  • All employees: Comply with security policies and report incidents
  • Third parties: Adhere to contractual information security requirements

13. Policy Review

This policy will be reviewed annually or when significant changes occur:

  • Legal or regulatory changes
  • Significant changes to infrastructure or operations
  • After serious security incidents
  • Based on audit recommendations