Information Security Policy

Review History

Version: Date of Review: History: 
1 06/03/2013 Document creation
2 06/08/2015  Inclusion of items: Scope (II) and Complementary Documentation (III). Update of items: Concepts and Acronyms (IV), Responsibilities (V) and Consequence Management (VII)
3 07/07/2017 Updating the concept of Information Security (item IV, Concepts and Acronyms) and the term “in network directories” by “digital” in item 1.2 of the VI. Guidelines.

 

I. Purpose
Establish guidelines that allow the Company to safeguard its information assets, guide the definition of specific rules and procedures for Information Security, as well as the implementation of controls and processes.

II. Scope
All Management (officers, statutory or not, members of the Board of Directors, members of the Fiscal Council, members of the Advisory Committees and other managers) and employees of Cielo S.A. and Servinet Serviços Ltda.

III. Complementary Documentation

  • Cielo’s Code of Ethical Conduct
  • PCI-Data Security Standard
  • ABNT NBR ISO 27001 – Information Security
  • Circular Letter No. 3681/13 issued by Brazilian Central Bank
  • In-company rules are updated by areas involved.

IV. Concepts and Acronyms

  • INFORMATION SECURITY: Set of concepts, techniques and strategies, which aim at protecting Cielo’s information assets. In order to ensure this objective, the information security works based on the following pillars:
    – Confidentiality: Guarantee that information only will be accessible to authorized persons;
    – Integrity: Guarantee that information, stored or in transit, will not suffer any unauthorized alteration, whether intentional or not;
    – Availability: Guarantee that information will be available whenever necessary.
  • Stakeholders: All relevant public with interests related to the Company, as well as individuals or entities assuming any type of direct or indirect risk towards the company. Amongst others we point out: shareholders, investors, employees, society, customers, suppliers, creditors, governments and regulatory agencies, competitors, press, professional associations and entities, users of electronic means of payment and non-governmental organizations.

V. Responsibilities

  • Management and Employees: Observe and ensure the compliance with this Policy, and when deemed necessary, to prompt the Prevention and Security Executive Board for consultation on situations involving conflict with this Policy or by means of occurrence of the situations described therein. It is indispensable that each person understands the role played by information security in his/her daily activities and participates in awareness programs.
  • Prevention and Security Executive Board: Comply with the guidelines set forth herein, keep it updated so that to ensure that any changes in Cielo’s directions are incorporated thereto and clarify doubts related to its content and application.

VI. Guidelines

1.1. All information generated or developed for business is considered Cielo’s information assets.
1.2. Information assets may be present in several forms, such as: digital files, equipment, external media, printed documents, mobile devices, databank and conversations.
1.3. Regardless of the form presented, shared or stored, information shall be only used for its duly authorized purpose, being subject to monitoring and audit.
1.4. It shall be ensured that every information asset owned by Cielo has a person in charge, it is duly classified and properly protected from any risks and threats which may compromise business.

VII. Consequence Management
Employees, suppliers or other stakeholders who observe any deviations to the guidelines of this Policy, may report the fact to the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), and may identify themselves or not.
Internally, the failure to comply with the guidelines of this Policy envisages the application of measures to charge the agents who do not comply with this Policy according to related seriousness of such non-compliance.

IX. Miscellaneous
It shall be incumbent upon the Company’s Board of Directors to amend this Policy whenever it deems necessary.

This Policy shall take effect on the date of its approval by the Board of Directors and revokes any rules and procedures contrary thereto.