Information Security and Cybersecurity Policy
|Version:||Date of Review:||History:|
|2||11/13/2014||Given that there were no changes, the document has been revalidated for another two years by the Internal Control Officer, Mr. Eduardo Magalhães, therefore, no new version will be created.|
|6/26/2015||Inclusion of the following items: Scope (II), Additional Documentation (III) and Miscellaneous (VIIIs);
Update of the following items: Concepts and Acronyms (IV), Responsibilities (V) and Consequence Management (VII).
|3||7/7/2017||Update of the following items: II. Scope; III. Additional Documentation, IV. Concepts and Acronyms and subitems 1.2 and 1.4 of VI. Guidelines.|
|4||10/29/2019||Update of the Policy title to “Information Security and Cybersecurity”;
Amendment to items I. Purpose, II. Scope, III. Guidelines (sub-items 1.1, 1.2, 1.3 and 1.4), V. Responsibilities, VI. Additional Documents, VII.
Concepts and Acronyms, and VIII. Miscellaneous;
Inclusion in item III. Guidelines of sub-items 1, 1.1.1, 1.1.2, 1.1.3, 2, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10, 2.10.1, 2.10.2, 2.10.3 and 2.11
|5||5/14/2020||Amendment to the following items: II. Scope; III. Principles, Rules and Procedures – subitems 1.1.4,1.4, 2., 2.1, 2.2; V. Responsibilities; VI Additional Documentation; and VII. Concepts and Acronyms.
Inclusion of subitems 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.1, 2.2.2., 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16 to item III. Principles, Rules and Procedures.
Exclusion of subitems 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10, 2.10.1, 2.10.2, 2.10.3, 2.11. from item III. Principles, Rules and Procedures
Establish guidelines that enable Cielo S.A. (“Cielo” or “Company”) to safeguard its information assets, guide the definition of specific Information Security and Cybersecurity standards and procedures, and implement controls and procedures to reduce the Company’s vulnerability to incidents.
All members of the Management (officers, members of the Board of Directors and members of the Advisory Committees), members of the Fiscal Council and employees of the companies Cielo S.A., Servinet Serviços Ltda., Braspag Tecnologia em Pagamentos Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter “Cielo” or “Company”.
All of the Company’s Subsidiaries must establish their directives based on the guidance set forth in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding Affiliated Companies, the Company’s representatives working in the management of Affiliated Companies should make efforts to set their directives based on the guidance provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
III. Principles, Rules and Procedures
1. Regarding information security, Cielo
1.1. In order to guarantee information security, the Company carries out its activities based on the following pillars:
1.1.1. Confidentiality: ensure that information will only be accessible to authorized persons;
1.1.2. Integrity: ensure that information, stored or in transit, will not undergo any unauthorized change, whether intentional or not;
1.1.3. Availability: ensure that information will be available whenever necessary.
1.2. It considers that information assets is all information generated or developed for the business, and may be presented as digital files, equipment, external media, printed documents, systems, mobile devices, databases and conversations.
1.3. It determines that regardless of the form they are presented, shared or stored, information assets must be used only for the purpose duly authorized, being subject to monitoring and auditing.
1.4. It establishes that all information assets of the Company are under responsibility of those properly classified according to the criteria established in a specific rule and are properly protected from any risks and threats that may compromise the business.
2. General Cybersecurity Guidelines:
2.1. With regard to cybersecurity, Cielo provides the following general guidelines:
2.1.1. Safeguard data protection against unauthorized access, as well as against unauthorized modifications, destruction or disclosure;
2.1.2. Properly classify information and guarantee the continuity of its processing, according to the criteria and principles provided for in the internal regulations in force on the matter;
2.1.3. Ensure that systems and data under its responsibility are properly protected and used only for the fulfillment of its duties;
2.1.4. Ensure the integrity of the technological infrastructure in which data are stored, processed or otherwise treated, adopting the necessary measures to prevent logical threats, such as viruses, harmful programs or other failures that may lead to unauthorized access, manipulation or use of internal and confidential data, through: (i) the maintenance of installed and updated antivirus and firewall software and (ii) the maintenance of computer programs installed in the environment, among others; and
2.1.5 Comply with the laws and rules that regulate Cielo’s activities.
2.2. In order to comply with the guidelines listed above:
2.2.1. Cielo’s cybersecurity purpose is to prevent, detect and reduce vulnerability to incidents related to the cyber environment.
2.2.2. With regard to security measures, Cielo adopts procedures and controls to reduce the Company’s vulnerability to incidents and meet cybersecurity objectives, including: authentication, encryption, intrusion prevention and detection, prevention of information leakage, periodic testing and scanning to detect vulnerability, protection against malicious software, implementation of traceability mechanisms, access controls and segmentation of the computer network and the maintenance of backup copies of data and information, according to current internal regulations.
2.2.3. It The Company controls, monitors and restricts access to information assets granting permission and privileges to the fewest people possible, pursuant to specific internal rules:
2.2.4. Cielo implements the procedures and controls mentioned above, including in the development of secure information systems and adoption of new technologies used in its activities;
2.2.5. The Company has specific controls, including those aimed at information traceability, which seek to ensure the security of sensitive information.
2.2.6. Cielo carries out the registration, analysis of cause and impact, as well as the control of the outcome of incidents that are relevant to the Company’s activities, which include information received from companies providing services to third parties.
2.2.7. The Company prepares inventories of cyber crisis scenarios related to security incidents taken into consideration in continuity tests of payment services provided and annually tests them to ensure the effectiveness of the processes, and prepares an annual incident response report in its technological environment.
2.2.8. Cielo classifies security incidents according to their relevance and to (i) the classification of the information involved; and (ii) the impact on the Company’s business continuity, described in specific internal rules.
2.2.9. Cielo periodically assesses service provider companies that carry out the treatment of information relevant to the Company in order to monitor the maturity level of their security controls for the prevention and proper handling of incidents.
2.2.10. The Company has criteria for classifying the relevance of data processing and storage and cloud computing services, in Brazil or abroad, according to internal procedures.
2.2.11. Prior to contracting relevant data processing and storage and cloud computing services, the Company adopts the procedures provided for in article 12 of Circular Letter 3909/18.
2.2.12. Cielo adopts a business continuity management process related to information security and cybersecurity, as described in specific internal regulations.
2.2.13. It establishes rules and standards to ensure that information receives the appropriate level of protection regarding its relevance, in accordance with internal regulations. All information has an owner, is mandatorily classified and receives the appropriate controls that guarantee its confidentiality, in accordance with good market practices and regulations in force.
2.2.14. The Company carries out actions to prevent, identify, record and respond to security incidents and crises that involve Cielo’s technological environment and which may compromise the pillars of information security or generate image, financial or operational impact. The definition of relevance of incidents in the technological environment follows a corporate risk standard established in specific regulation.
2.2.15. It adopts mechanisms to disseminate the information security and cybersecurity culture at the Company, including:
220.127.116.11. The implementation of an annual training program for employees.
18.104.22.168. The supply of information to end users on precautions in the use of products and services offered; and
22.214.171.124. Senior management’s commitment to the continuous improvement of procedures related to information security and cybersecurity.
2.2.16. Cielo adopts initiatives to share information about relevant incidents through membership in discussion forums.
IV. Consequence Management
Employees, suppliers or other stakeholders who become aware of any non-compliance with the guidelines of this Policy may report it to the Ethics Channel (https://canaldeetica.com.br/cielo or 0800 775 0808), either anonymously or not.
Internally, those who do not comply with the guidelines of this Policy will be subject to accountability measures based on the seriousness of such non-compliance.
- Management and Employees: Comply and ensure compliance with this Policy and, when necessary, contact the Vice-Presidency for Technology and Projects to get information on situations that relate to conflict with this Policy or with situations described herein. It is essential that each person understands the role of information security in their daily activities and participates in awareness programs.
- Vice-Presidency of Technology and Projects: Comply with the guidelines established in this Policy and annually update it in order to ensure that any changes in Cielo’s direction be included into it and clarify any doubts regarding its content and application.
VI. Additional Documents
- Cielo’s Code of Ethical Conduct
- Action and Incident Response Plan
- PCI-Data Security Standard
- ABNT NBR ISO 27001 – Information Security
- BACEN Circular Letter 3909/18
- Internal standards and procedures constantly improved, approved by the competent levels and made available to all employees.
VII. Concepts and Acronyms
- Information Security: Set of concepts, techniques and strategies that aim to protect Cielo’s information assets.
- Cybersecurity: Set of technologies, processes and practices designed to protect networks, computers, systems and data from attacks, damages or unauthorized access.
- Stakeholders: Relevant public with interests relevant to the Company, as well as persons or entities that take some type of risk, direct or indirect, before the society. These include, among others, shareholders, investors, employees, society, customers, suppliers, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic payment methods and non-profit organizations.
- Affiliates: companies in which the Company holds at least a ten percent (10%) interest on their share capital, without, however, controlling them, as per article 243, paragraph 1 of Brazilian Corporate Law.
- Subsidiaries: companies in which the Company, directly or indirectly, holds rights as a partner or shareholder that permanently ensure its preponderance in social resolutions and the power to elect the majority of managers, as per article 243, paragraph 2 of Brazilian Corporate Law.
- Customers: commercial establishments accredited to the Cielo System.
- Data and/or Information: all data referring to the activities carried out by Cielo in the performance of its corporate purpose, including data from Customers, personal or not, and classified according to the specific internal rule on the matter.
- Incidents: Any occurrence that actually or potentially compromises the confidentiality, integrity or availability of an information system or information that the system processes, stores or transmits or that constitutes violation or imminent threat of a breach of security policies, security procedures or acceptable usage policies.
- Service Provider: individual or legal entity, duly hired by Cielo to provide: (i) technology services; (ii) storage or any form of data and information treatment services; or (iii) who may have access, because of the scope of their contract, to confidential data, as classified in this Policy.
- Cyber Risks: risks arising from cyberattacks, originating from malware, social engineering techniques, invasions, network attacks (DDoS and Botnets), external fraud, among others, that may expose Cielo’s data, networks and systems, causing financial damage and/or significant reputation damage, which may impair the continuity of Cielo’s activities.
The Company’s Board of Directors is responsible for amending this Policy whenever necessary.
This Policy will become effective as of its date of approval by the Board of Directors and revokes any documents, unless otherwise stated.