
All Tax Information Security

Policy and Guidelines

Introduction

Information is an asset of great value to All Tax PLATFORM - SOLUÇÕES TRIBUTÁRIAS S.A. and must be properly used and protected against threats and risks. The adoption of policies and procedures aimed at ensuring information security is a constant priority for the company, thereby reducing the risks of failures, damages, and/or losses that could compromise the company's image and objectives.

In this regard, the All Tax Information Security Policy presents general conduct guidelines, as well as obligations to be followed at All Tax in order to mitigate potential risks and damages related to external and internal threats that may impact the confidentiality, integrity, and availability of information of any nature.

Furthermore, it is important to highlight All Tax's commitment to the continuous improvement of the Information Security Management System, using indicators to measure the effectiveness of controls and processes.

In accordance with the precepts of the ISO 27001 Standard, All Tax's Information Security Policy also defines roles and responsibilities for the implementation of the following classes of information security controls.

1. Definitions

  • Threat: An event that has the potential to compromise the company's objectives, either by causing direct damage to assets or indirect losses arising from unexpected situations.
  • Information Assets: The means of production, storage, transmission, and processing of information, information systems, locations where these means are found, or people who have access to information, as well as the information itself collected, produced, processed, discarded, and transmitted by All Tax.
  • Information Classification: Identification of the protection levels that information requires, establishment of classes and ways to identify them, as well as determination of protection controls necessary for each.
  • Confidentiality: Only people duly authorized by the Company should have access to information.
  • Compliance: Action aimed at verifying compliance with requirements established in Standards.
  • Cryptography: Techniques for transforming information so that it cannot be read by unauthorized persons (encryption) or altered by them without detection (integrity protection, such as message authentication codes and digital signatures).
  • Personal Data: Any and all data related to an identified or identifiable natural person (as defined in Article 5, I, Law 13.709/2018 - General Data Protection Law), including identification numbers, location data, or electronic identifiers when related to a person. Also considered personal data for the purposes of this law are those used to form the behavioral profile of a particular natural person, if identified.
  • Availability: Information must be available to authorized persons whenever necessary or requested.
  • Information Security Incident Response Team: A group of people responsible for receiving, analyzing, and responding to notifications related to incidents with All Tax information assets.
  • GDPR: General Data Protection Regulation, the European Union (EU) set of rules on the processing of personal data, adopted in 2016 and applicable since 25 May 2018. It also regulates the transfer of personal data outside the EU.
  • Integrity: Only changes, deletions, and additions authorized by the company should be made to information.
  • General Data Protection Law (LGPD): Law No. 13.709/2018, which provides for the processing of personal data, in physical or digital media, by natural persons or legal entities of public or private law. Every natural person has ensured ownership of their personal data and guaranteed fundamental rights of freedom, intimacy, and privacy, under the terms of the Law.
  • Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.

2. Information Security Policy

The Information Security Policy, also called ISP, is the document that guides and establishes corporate guidelines for the protection of information assets and the prevention of legal liability for all users.

Therefore, it must be complied with and applied in all areas of the company.

This ISP requires compliance with the All Tax Code of Conduct and all applicable and current laws and regulations related to data protection, including, without limitation, the General Data Protection Law (LGPD) and the General Data Protection Regulation (GDPR).

Applications of the Information Security Policy

The guidelines established here must be followed by all employees as well as service providers, and apply to information in any medium or support.

This policy notifies each employee that the company's environments, systems, computers, and networks may be monitored and recorded for information security purposes, as provided for in Brazilian laws.

It is also the obligation of each employee to stay updated regarding this policy and related procedures and standards, seeking guidance from their Manager, Coordinator, or IT Management whenever not absolutely certain about the acquisition, use, and/or disposal of information.

Principles of the Information Security Policy

  • All information produced or received by employees as a result of professional activities contracted by All Tax belongs to said Company.
  • Exceptions must be explicit and formalized in a contract between the parties.
  • Information technology and communication equipment, systems, and information are used by employees to carry out professional activities.
  • Personal use of resources is not permitted.
  • All Tax, through IT Management, may record all use of systems and services, aiming to ensure the availability and security of the information used.

3. Recipients

This Policy applies to Senior Management, all employees, suppliers, and persons who may access areas, equipment, information, files, networks, and data owned by All Tax.

Therefore, all recipients must observe these rules and recommendations in any operations that may impact the security of All Tax information.

Non-compliance with the provisions will subject the offender to sanctions established by the Information Security Managers provided for in this Policy.

4. Applicability

All Tax's Information Security Policy establishes guidelines to ensure that its employees and partners understand and comply with the General Data Protection Law, as well as standards and technical measures aimed at All Tax's information security.

5. Objectives

This Information Security Policy has the following objectives:

  • Establish guidelines that ensure and reinforce the Company's commitment to practices and preventive measures that guarantee information security.
  • Establish guidelines that allow employees to follow behavior patterns related to security appropriate to the company's and individual's business and legal protection needs.
  • Guide the definition of specific information security procedures, as well as the implementation of controls and processes designed to protect All Tax information assets, aiming to preserve the Confidentiality, Integrity, and Availability of information assets.
  • Provide All Tax with mechanisms for compliance with information security laws and international standards.
  • Describe behavioral rules and guidelines to be followed in conducting activities developed by All Tax that ensure the prevention of information security incidents and the protection of personal data.

Other All Tax documents that relate to this policy are:

  • Confidentiality Agreement
  • Code of Conduct
  • Backup Policy
  • Internal Controls and Compliance Policy
  • Privacy Policy

6. Principles

All Tax's commitment to the proper handling of information is based on the following principles:

  • Confidentiality: The principle of confidentiality determines that certain information, source, or system should be accessible only to authorized persons. In other words, if an unauthorized individual accesses confidential information, intentionally or not, there will be a breach of confidentiality.
  • Integrity: The principle of integrity establishes that certain information must be correct, complete, and protected against unauthorized changes. That is, data must be kept intact, taking precautions so that it is not modified or deleted without authorization, to preserve its reliability and originality.
  • Availability: The principle of availability determines that information must always be accessible for the legitimate use of authorized persons.

7. Guidelines

**7.1. General Guidelines**

Information security management at All Tax is the responsibility of the Information Security Team and its members are defined by the CEO of All Tax.

All Tax, in addition to the guidelines established in this ISP, should also be guided by the best practices and information security procedures recommended by public and private bodies and entities.

The establishment of guidelines aims to support information security. Both the ISP and the guidelines must be reviewed and updated periodically, and earlier whenever a relevant fact or event warrants an early review.

**7.2. Guidelines Aligned with ISO 27001 Standard**

For each of the controls defined as applicable to the Information Security Management System, the Information Security Team must develop strategies, guidelines, and conduct procedures that will be addressed in the control manuals.

All Tax's Information Security Policy proposes the prioritized implementation of the following controls and their guidelines.

7.2.1. Inventory of Information and Other Associated Assets (Organizational Control #5.9)

Information assets must:

  • Be inventoried and protected;
  • Have their owners identified;
  • Have their threats and vulnerabilities mapped;
  • Be subject to monitoring and have their use investigated when there are indications of security breach, through mechanisms that allow traceability of the use of these assets;
  • Be used strictly within their purpose, and their use for personal or third-party purposes, entertainment, dissemination of political-partisan, religious, discriminatory opinions, etc. is prohibited.

And furthermore:

  • 1. All Tax must create, manage, and evaluate criteria for information processing and classification according to the required secrecy, critical level, and sensitivity, observing current legislation.
  • 2. Technological resources and infrastructure facilities must be protected against unavailability, improper access, failures, and unscheduled interruptions.
  • 3. User access to information assets and their use, when authorized, must be conditional upon acceptance of the Confidentiality Agreement.

7.2.2. Return of Assets (Organizational Control #5.11)

Upon termination of the employee's relationship with All Tax, all Confidential information and/or documents (originals or copies) received as a result of the function performed at All Tax must be returned, destroyed, or rendered unusable.

7.2.3. Information Classification (Organizational Control #5.12)

Information Classification is an important factor to help define appropriate levels and criteria for protecting data and information, ensuring confidentiality according to the importance of certain information to the organization. Information Classification serves to ensure that no data leaks improperly and that only people who have the right and authorization receive access to information.

Our information policy recommends that information should be classified according to the levels and essential characteristics defined below:

  • **Confidential:** The highest level of security in this standard. Confidential information is information whose disclosure, internally or externally, has the potential to cause great damage to the company's image or finances. It may be protected, for example, by encryption, information security software, storage on more secure media, and authorization levels for access, transport, custody, and handling applied with the greatest rigor.
  • **Restricted:** Medium level of confidentiality. This is strategic information that should be available only to restricted groups of employees. It may be protected, for example, by restricting access to a network folder or directory, by access passwords and activation keys, and by authorization levels for access, transport, custody, and handling applied with medium rigor.
  • **Internal Use:** Low level of confidentiality. Internal use information cannot be disclosed to people outside the organization, but if that happens it will not cause great damage. The concern at this level is mainly the integrity of the information. It may be protected, for example, with security labels and tags, standard passwords, written and/or verbal requests with proof of receipt, and authorization levels for access, transport, custody, and handling applied with low rigor.
  • **Public:** Information that does not require sophisticated protection against leakage, since it may be public knowledge. The other two pillars, integrity and availability, must nevertheless always be maintained.

7.2.4. Information Security Incident Management Planning and Preparation (Organizational Control #5.24)

Information asset managers at All Tax are responsible for the Information Security infrastructure.

These also compose the Information Security Incident Response Team and must establish Information Security Risk Management processes that enable identifying threats and reducing vulnerability of information assets, as well as reducing the impacts of any incidents with them.

7.2.5. Intellectual Property Management (Organizational Control #5.32)

The Information Security Team must include clauses related to intellectual property protection in commercial and employment contracts.

7.2.6. Confidentiality or Non-Disclosure Agreements (People Control #6.6)

All All Tax contracts must include a Confidentiality Agreement annex or Confidentiality Clause as an essential condition for granting access to information assets made available by the Company.

Responsibility for information security must be communicated during the hiring phase of Employees. All employees must be guided on security procedures as well as the correct use of assets to reduce possible risks. Employees must sign a term of responsibility.

7.2.7. Installation of Software on Operational Systems (Technological Control #8.19)

Only software approved by All Tax can be installed on workstations, which must be done exclusively by the Project IT services team.

7.2.8. Use of Cryptography (Technological Control #8.24)

The Information Security Team must establish specific guidelines dictating when and where cryptographic resources should be used within All Tax to protect its information, in addition to establishing which encryption standards are accepted.

7.2.9. Equipment Siting and Protection (Physical Control #7.8)

It is the responsibility of the Information Security Team to ensure the correct positioning of computers used, so that their screens are not visible to unauthorized persons.

The Information Security Team must also raise awareness among employees working from home of the importance of maintaining a neutral workspace in which other people do not have access to equipment and information, and must encourage screen locking whenever they step away from the equipment, so that confidentiality is not affected.

8. Roles and Responsibilities Regarding Information Security

**8.1. INFORMATION SECURITY TEAM**

  • a. Supervise information security within All Tax;
  • b. Propose adjustments, improvements, and modifications to this Policy;
  • c. Propose improvements and approve Information Security Standards;
  • d. Define the classification of information belonging to or in the custody of All Tax, based on the information inventory presented by Information Security Management officers and on the classification criteria contained in a specific Standard;
  • e. Analyze cases of violation of this Policy and Information Security Standards, forwarding them to executive management when appropriate;
  • f. Propose projects and initiatives related to improving All Tax information security;
  • g. Propose planning and allocation of financial, human, and technology resources regarding information security;
  • h. Determine the preparation of reports, surveys, and analyses that support information security management and decision-making;
  • i. Monitor the progress of major projects and initiatives related to information security.

**8.2. EMPLOYEES**

All employees (staff, interns, and service providers) of All Tax are responsible for:

  • a. Faithfully comply with All Tax's Information Security Policy, Standards, and Procedures;
  • b. Seek guidance from their immediate supervisor in case of questions related to information security;
  • c. Sign the Term of Responsibility attached to this document, formalizing awareness and acceptance of the Information Security Policy and Standards and assuming responsibility for compliance with them;
  • d. Protect information against access, modification, destruction, or disclosure not authorized by All Tax;
  • e. Ensure that technological resources at their disposal are used only for purposes approved by All Tax;
  • f. Comply with laws and regulations governing aspects of intellectual property;
  • g. Immediately communicate to Information Security Management officers any non-compliance or violation of this Policy and/or its Standards and Procedures.

**8.3. INFORMATION SECURITY INCIDENT RESPONSE TEAM**

The Information Security Incident Response Team is responsible for:

  • a. Identify if an incident has occurred or is occurring;
  • b. Determine the extent of the incident and contain it;
  • c. Ensure that the problem is eliminated;
  • d. Identify and eliminate the means by which the system was compromised;
  • e. Restore the system to an operational state.

**8.4. HUMAN RESOURCES**

The Human Resources area is responsible for:

  • a. Collect the signature of the Term of Responsibility from employees, filing them in their respective records;
  • b. Inform IT management, as soon as receiving information from managers, of all dismissals, leaves, and modifications in the company's staff.