ST IT Cloud SECURITY Policy

1. Introduction
This document includes the ST IT Cloud information security policy shared with all professionals, service providers and business partners.

This document consists of a set of guidelines that value and define the proper use of information, enabling safe, reliable and integrity IT environments.

Everyone's commitment to knowing and living this policy is extremely important for us to achieve a standard of excellence in safety management, enabling the evolution of our business in an increasingly transparent and safe way.

The adoption of policies, rules and procedures aimed at ensuring information security should be one of the Compliance priorities, reducing the risk of failures, damages and/or losses that could compromise the organization's image and objectives.

Information can exist and be manipulated in different ways, that is, through electronic files, electronic messages, internet, databases, in print, verbally, in audio and video media, etc.

As a principle, information security should cover three basic aspects, highlighted below:

Confidentiality: only people duly authorized by the company should have access to the information.
Integrity: only changes, deletions and additions authorized by the company should be made to the information.
Availability: the information must be available to authorized persons whenever necessary or demanded.
Information must be properly managed and protected against theft, fraud, eavesdropping and unintentional loss, accidents and other threats.

In general, the success of the Information Security Policy adopted by ST IT Cloud depends on the combination of several elements, among them, the organizational structure of the company, the rules and procedures related to information security and the way in which they are implemented. and monitored, the technological systems used, the control mechanisms developed, as well as the behavior of directors, service providers, associates and partners.

2. Purpose of the company
The company's main objective is to generate value for its customers and to be a reference in innovative solutions. For this purpose, we have the best Partners and a Certified and qualified Team based on leadership principles.

3. Information Security Processes
3.1. Information Security and Compliance Committee (CSIC)

This committee shall be made up of Directors with the attribution of approving the Information Security Policy guidelines, as well as changing them according to the needs of the Organization and its customers.

Therefore, reviewing and maintaining this policy is the responsibility of the committee. The periodicity of the review will be annual or carried out when necessary.

Assignments:

Propose adjustments, enhancements and modifications to this Policy;
Propose improvements and approve Information Security Standards;
Define the classification of information owned and/or held in custody by ST IT Cloud based on the information classification policy;
Analyze cases of violation of this Policy and the Information Security Rules, communicate to the Executive Board, when necessary;
Coordinate the actions of the Interdepartmental Committees, enabling possible adjustments to the action plan;
Ensure the successful implementation of the Information Security Management Model considering current and future challenges;
Hold periodic meetings when requested, approve and propose adjustments related to improving the information security of the ST IT Cloud;
Meetings must be held every six months and may be called more frequently or extraordinarily, whenever necessary.

3.2. Information security
Responsible for managing all Information Security fronts at ST IT Cloud. Its mission is to establish and use a methodology to evaluate, implement and monitor the guidelines for protecting information assets in order to guarantee the continuity of the business and services of the ST IT Cloud.

Assignments:

Enable, control the implementation and disseminate, in a corporate manner, the Information Security Policy, Rules and Standards for all professionals, architecture and processes relevant to Information Security;
Elaborate, participate and propose to the Information Security Committee the architecture and processes relevant to Information Security;
Support and disseminate the Information Security culture;
Support internal and eventually external auditors;
Develop and disseminate Information Security rules and procedures, as well as keep them always up to date;
Develop and implement Information Security support projects;
Define and Implement the logical access architecture to Information Security software with support from the Technology area;
Provide technical support to regional customers/partners on Information Security aspects. These regional administrations are technically subordinated to the Corporate Information Security area;
Ensure, at the software level, logical access control to computational resources with the support of technical areas, monitoring the entire security environment;
Ensuring that all procedures and logical access controls to IT resources meet the integrity, reliability and confidentiality requirements of data and information, as well as the continuity of business operations;
Ensure the adequacy, effectiveness and efficiency of the Technologies employed and the logical security operations such as (hardware, software, encryption techniques, firewalls, authenticators, antivirus and other relevant resources) and physical security (biometric access, etc.), with the support of Technology area;
Ensure the definition of nomenclatures and access identifier (ID) standards, logins and logons by the Technology area;
Analyze the risks related to the security of ST IT Data's information and present reports on such risks;
Carry out vulnerability analysis work, in order to ensure the security level of information systems and other environments in which they store, process or transmit the information held in custody by the ST IT Cloud;
Request information from other areas of ST IT Data and carry out security tests and assessments, in order to verify compliance and adherence to the Information Security Policy, whenever necessary.

3.3. Information Owner

The information owner can be a director or a manager responsible for the ST IT Cloud system or process, responsible for establishing information security guidelines in the Organization. The granting, maintenance, review and cancellation of access authorizations to a certain set of information belonging to ST IT Data or under its custody involves the Technology area and the owner of the information.

Assignments:

Elaborate, for all information under its responsibility, a matrix that relates positions and functions of the ST IT Cloud to the granted access authorizations;
Authorize the release of access to information under its responsibility, observing the matrix of positions and functions, the Policy, Rules and Information Security Procedures of ST IT Cloud;
Keep an updated record and control of all access releases granted, determining, whenever necessary, the prompt suspension or alteration of such releases;
Reassess, whenever necessary, the access releases granted, canceling those that are no longer necessary;
Analyze and provide the access control reports provided by the Technology area, with the aim of identifying deviations in relation to the Information Security Policy, Rules and Procedures, taking the necessary corrective actions;
Participate in the investigation of security incidents related to the information under your responsibility;
Participate, whenever called, in the meetings of the Information Security and Compliance Committee, providing the requested clarifications.

3.4. Human Resources

Assignments:

Collect the signature of the Term of Adoption of the Information Security Policy from all service providers (third parties, interns, temporary workers, CLT's, associates, partners and others);
Collect the signature of the Term of Secrecy and Confidentiality (NDA) from employees and interns, filing it in the respective records;
Indicate, according to the NDA, that there is an assignment of intellectual property and non-competition.
Collect the signature of the Secrecy and Confidentiality Term specific for professionals in the Technology area;
Communicate to the Technology team the existence of new employees;
Promptly inform the IT (Access Control) team of all terminations, leave and changes in the company's staff.

3.5. PSI Disclosure Process
The Information Security Policy must be known to all employees, interns, service providers, associates and partners of the organization, therefore it must be widely disclosed, including and mainly to new service providers.

Dissemination methods:

Corporate meetings;
Awareness lectures;
ST IT Cloud public website;
Since the Information Security Policy of ST IT Cloud is known to all, it cannot be admissible for service providers to claim ignorance of the rules established therein.

4. Guidelines
Below are the guidelines of the Information Security Policy of the ST IT Cloud, which constitute the main pillars of the Information Security Management of the ST IT Cloud, guiding the elaboration of the Norms and procedures.

4.1. Laws and Regulations

The Information Security and Compliance Committee is responsible for:

Keep the ST IT Cloud areas informed about any legal and/or regulatory changes that imply responsibility and/or actions involving information security management;
Include, in the analysis and preparation of contracts, whenever necessary, specific clauses related to information security, with the aim of protecting the interests of ST IT Cloud;
Evaluate, when requested, the Information Security Rules and Procedures prepared by the different areas of ST IT Cloud.

4.2. Information Classification
The Committee, represented by its members, is designated as the owner of the information held in custody by ST IT Cloud, with responsibility for managing its security throughout the information's life cycle.

The Committee must classify the Information held by ST IT Cloud using one of the following levels of Information Classifications:

Confidential: Information that, if disclosed to unauthorized persons, could have a significant impact on the legal or regulatory obligations, financial condition or reputation of ST IT Cloud or its customers. Authentication data such as: passwords, PINs, private encryption keys, information about or belonging to customers and employees, Information that the Information Security Committee determines has the potential to provide a competitive advantage or have a significant impact on ST IT Data revealed to unauthorized persons. The “Need to Know” principle will be used for this information, in which it will only be provided by the owner of the information to professionals who must have access to it in order to carry out their activity.
Internal: Information that is normally shared within ST IT Data, is not intended for distribution outside the ST IT Cloud and is not classified as RESTRICTED or CONFIDENTIAL.
Public: Information that is freely available outside the ST IT Cloud or is intended for public use by the Corporate Committee. Each manager for the risk management of the processes under his responsibility must follow this policy through practices and procedures established at ST IT Cloud and in his area.
Based on the risk management process, the classification of information, and the classification of the infrastructure that supports it, each manager must specify the requirements for information protection and must implement sufficient controls to ensure the specified protection.

4.3. Identification and Authentication

All ST IT Cloud Technology platforms must authenticate the login identity (including other systems accessing these platforms) before initiating a session or transaction, unless the service provider has access rights limited to reading classified data INTERNAL or PUBLIC.

All access must have an identity and be identified for each Technology platform by:

An unshared (Iogin) ID.
An authentication method that allows access identification, for example: unique (static) or dynamic password, private key, biometric data or another authentication mechanism approved by the Corporate Committee.
Every service provider is responsible for all activity associated with your login and identity or in your custody.
Service providers should adhere to the following practices for protecting static passwords:
They can never be shared or presented to third parties.
They can never be presented/written in plain text (with the exception of pre-expired passwords, used in the initial password process).
A documented process shall be implemented to ensure that all static passwords are changed periodically and that IDs (Iogin) are disabled after a defined period of inactivity, commensurate with the level of risk, the classification of the information and the classification of the corresponding infrastructure. With the approval of the Corporate Committee, this requirement can be replaced by a periodical clarification process for service providers regarding the need to change passwords to guarantee the effectiveness of this authentication method.

4.4. Confidentiality and Integrity

Managers must inform everyone at ST IT Cloud, customers and suppliers, service providers in general of information systems and processes that all information stored, transmitted or handled by these processes and systems is the property of ST IT Cloud , its customers or licensed by third parties. Whenever permitted by law, ST IT Cloud reserves the right to review and monitor this information for administrative, security or legal purposes.

ST IT Cloud confidential information, regardless of the media or environment where it is being kept, must be protected against unauthorized access and with due approvals. This standard applies to, but is not limited to, the following types of media or environment on which information is contained, recorded, or stored: cards, CD, DVD, hard copy, magnetic disk, magnetic tape, thumb drive, microfilm, disk optics, documents in general, processing equipment, network, Internet, etc.

For adequate protection of the information held by ST IT Cloud, which is being handled at workstations, whenever the service provider is absent from the environment, particularly outside working hours, it is his responsibility to block the workstation, request and use the resources provided by ST IT Cloud to protect information from unauthorized access. For adequate protection of information held in custody by ST IT Cloud, which is being handled on portable equipment (notebooks), all service providers must comply with the requirements defined by the specific standard.

Information classified as RESTRICTED or CONFIDENTIAL, when it is no longer useful to ST IT Cloud or its customers, considering the retention periods established by law, regulation or contract, must be destroyed according to the defined procedures.

Each manager must ensure that Third Parties (customers or suppliers) adequately protect the information held by ST IT Cloud to which they have access:

Monitoring Third Parties that store, process, manage or access ST IT Cloud information (except information classified as INTERNAL or PUBLIC) or have a connection to ST IT Cloud network resources, so that they comply with the standards defined herein.
Performing information security assessments on Third Parties in accordance with procedures approved by the Corporate Committee.
Formalizing NDA – “Non Disclosure Agreement” confidentiality agreements or equivalent provisions, approved by the legal department of ST IT Data, with Third Parties that store, process, manage or access information held in custody by ST IT Cloud (except information classified as PUBLIC).

4.5. Adoption of Safe Behavior
It is essential for the protection and safeguarding of information that professionals adopt a safe and consistent behavior with the objective of protecting ST IT Data's information, with emphasis on the following items:

Partners, professionals and service providers must assume a proactive and engaged attitude with regard to the protection of ST IT Data's information;
Everyone at ST IT Data must understand the external threats that can affect the security of the company's information, such as computer viruses, interception of electronic messages, telephone tapping, etc., as well as fraud aimed at stealing access passwords to information systems;
Any type of access to ST IT Data's information that is not explicitly authorized is prohibited;
Confidential work matters should not be discussed in public environments or in exposed areas (airplanes, restaurants, social gatherings, elevators, taxis, coworking spaces, etc.);
Access passwords are personal and non-transferable, and cannot be shared, disclosed to third parties (including professionals from the company itself), written down on paper or in a visible or unprotected access system;
Only software approved by the IT team at ST IT Data can be installed on workstations, which must be done, exclusively, by the Technology team at ST IT Data, respecting legal licensing issues;
The policy for internet and e-mail use must be strictly followed;
Files of unknown origin should never be opened and/or executed;
Printed documents and files containing confidential information must be properly stored and protected;
Any kind of doubt about the Information Security Policy and its Rules must be immediately clarified with the Corporate Security area;
All information security standards must be strictly followed. Unforeseen cases must be immediately submitted for analysis and validation to the Corporate Security area.

4.6. Information Security Risk Assessment

The Corporate Information Security area must systematically assess the risks related to the information security of ST IT Data.

Risk analysis should act as a guidance tool for the Corporate Information Security Committee, mainly with regard to:

Identification of the main risks to which ST IT Data's information is exposed;
Prioritization of actions aimed at mitigating the identified risks, such as the implementation of new controls, creation of new rules and procedures, reformulation of systems, etc. The scope of the information security risk analysis/assessment can be the entire organization, parts of the organization, a specific information system, components of a specific system, etc.
Quarterly risk identification and analysis planning, with the possibility of changing the analysis cycle as defined by the Information Security Committee.
Implementation of tools for risk identification and compliance.

4.7. Management of Access to Information Systems and Other Environments

All access to information and logical and physical environments of ST IT Data must be controlled, in order to guarantee access only to people authorized by the respective owner of the information. The access control policy must be documented and formalized through Rules and Procedures that include, at least, the following items:

Formal procedure for granting and canceling authorization to access information systems;
Proof of authorization of the owner of the information;
Use of individualized identifiers (ID/Login), in order to ensure the responsibility of each service provider for their actions;
Verification that the level of access granted is appropriate for the purpose of the business and that it is consistent with the Information Security Policy, the Rules and Procedures;
Immediate removal of authorizations given to service providers who are removed or disconnected from the company, or who have changed functions;
Periodic review process of granted authorizations;
Policy for assignment, maintenance and use of passwords.

4.8. Monitoring and Control

The equipment, systems, information and services used by service providers are the property of ST IT Data and cannot be interpreted as personal use.

All ST IT Data professionals must be aware that the use of ST IT Data's information and information systems can be monitored, and that the records thus obtained can be used to detect violations of the Policy, the Norms and Procedures of Information Security and, as the case may be, serve as evidence in administrative and/or legal proceedings.

4.9. Information Security Training and Awareness

Each manager must ensure that everyone from ST IT Data and suppliers, when starting a relationship with ST IT Data or when they have a significant change in job responsibility, receive training on aspects of information security related to their function within 30 days of start of work.

Managers must ensure that all ST IT Data professionals and suppliers receive annual awareness material approved by the Corporate Committee on Information Security.

4.10. Security Management Products and Services
Intrusion detection systems and other information security products and services can only be contracted if approved by the Corporate Information Security Committee.

All system alarms associated with Information Security and generated security events are logged and archived on a daily basis.

When a Security Event occurs, the Information Security Committee must be activated through the process and procedure defined by the Information Security area.

IT area controls must ensure that all IP connections to Third Parties are protected by firewalls managed by Technology and Operations or at least submitted to the Security and Compliance Department.

Date of last update/revision: 01/10/2021