The Information Security and Cyber Security Policy aims to formalize Singulare’s Information Security and Cyber Security concepts and guidelines, which aim to protect information assets efficiently and effectively, in a safe and transparent way, guaranteeing confidentiality, integrity and availability of information.
The target audience comprises the bodies that make up the national financial system, financial institutions and other institutions authorized to operate by the Central Bank of Brazil, class entities, the general public, especially customers and partners, administrators, managers, employees, providers or suppliers of services, interns and external users of information owned/held by Singulare.
The Information Security area maintains the security of information assets, providing tools that allow the application of the best security practices in the physical or logical environment, as well as the traceability of these assets, in order to guarantee confidentiality, protection and integrity throughout the life of personal data and information, from its reception, production, registration, classification, control, access, handling, reproduction, transmission and storage to its disposal, in order to prevent, detect and reduce vulnerability to cyber-attacks.
The Information Security principles are as follows:
Confidentiality: Ensures that information is not available or disclosed to individuals, entities or applications without authorization. In other words, it guarantees the protection of information personally given in confidence and protection against unauthorized disclosure.
Integrity: Guarantees that information is kept in its original state and protected in transmission, that is, that it has not been altered in an improper, unauthorized, accidental or intentional way.
Availability: Ensures that information, if eligible, is available to be accessed when needed.
All information and/or personal data for corporate use must be classified according to its content, relevance of external knowledge, intrinsic elements of the document and degree of secrecy for the company’s business, using the classifications below:
CONFIDENTIAL: It is the highest degree of secrecy, applied to information of a strategic nature and which must be handled by a restricted group of users. Unauthorized access to this information can have critical consequences for the business, causing strategic damage to the company’s image.
INTERNAL USE: It is specific information for internal use, with exclusive and unrestricted circulation within the company. This information may be available to all employees and service providers and should only be used for SINGULARE’s activities. This information, even when freely circulating within the company, must not be disclosed to external entities, and is subject, when necessary, to the signing of confidentiality agreements or to formal authorization previously evaluated by the authority responsible for the information or document in question.
PUBLIC: It is information of free circulation and public domain. This type of information does not require security controls or restrictions for its access or storage, and can be transported inside and outside the company without impacting information security. This classification must not contain sensitive personal data.
For the purposes of this policy, a security incident is defined as any adverse event, resulting from the action of a threat that exploits one or more vulnerabilities, related to the security of an asset, that may impair any of the Information Security principles.
Information Security incidents are identified and recorded for monitoring the institution’s action plans and analysis of vulnerabilities.
Singulare also reinforces that the choice of passwords must be carried out by employees or service providers, and that their storage and handling must follow good practices, as a means of guaranteeing the security of information assets. Each employee/service provider is responsible for the correct use of their passwords.
According to Resolution 4.893/2021, of the National Monetary Council, for the contracting of data processing and storage and cloud computing services, SINGULARE ensures compliance with the rules provided for in the regulations in force.
Access to Singulare’s logical and physical environment is granted through controls and is revoked or suspended when no longer used, in a way that guarantees access only to authorized persons (employees, service providers, customers and visitors) and in accordance with the activities performed, thus avoiding possible theft, robbery and loss of information.
Singulare has management tools for the active monitoring of internal and external information traffic, which can serve an auditable function in processes that depend on constant information exchange with external suppliers and customers, focusing on the data treatment process before and after sending the information.
Aiming at the identification, protection and prevention of identified and evaluated risks, Singulare adopts, through the Information Security area, standardized routines for the prevention and protection of the relevant processes and assets of said institutions, as provided for in the internal standard, carrying out vulnerability analyses, intrusion tests and other specific assessments that certify compliance with security requirements and previously established responsibilities.
SINGULARE has and maintains a program for training, reviewing and updating regulations that aims to ensure that all technical and legal security requirements implemented are met and comply with current legislation, also including the periodic review of action plans, including their adherence to initiatives to share information on cyber incidents with other financial institutions and/or class entities where there are forums for dealing with the topic.
Information security and cyber security issues must be addressed to the Director responsible for the Cyber Security Policy, in accordance with current regulations applicable to the topic.
Singulare also declares that this represents a summary of the Information Security and Cyber Security Policy, approved by the Board of Executive Directors, whose last review, with changes, took place in April 2022.