Information Security Policy

1. Introduction

To meet best practices in corporate compliance, SoftExpert Software has been working to strengthen its information security standards and its protection of personal data.

SoftExpert is certified with ISO 27001:2022. The ISO 27001 standard is the international benchmark for Information Security Management, which has as its general principle the adoption of a set of requirements and controls aimed at adequately mitigating organizational risks.

2. Objective

The Information Security Policy of SoftExpert is a formal statement from Senior Management regarding its commitment to protecting assets and information owned and/or under its custody.

The application of this policy seeks to preserve SoftExpert’s information in terms of:

  a) Confidentiality: ensuring that access to information is obtained only by authorized persons.
  b) Integrity: ensuring that information is maintained in its original state, protecting it during storage or transmission against unauthorized, intentional, or accidental changes.
  c) Availability: ensuring that authorized users have access to information and related assets whenever needed.

Finally, the Integrated Management System (IMS) includes the Information Security Management System and the Quality Management System, based on the normative requirements of ISO 9001 and ISO 27001.

3. Scope

This policy applies to all employees and service providers who have, or have had, a relationship with SoftExpert and who access, or have accessed, information belonging to the company or its clients.

4. Guidelines

The Information Security Policy is supported by a set of other policies, procedures, and specific controls to ensure adequate protection of information and risk mitigation.

SoftExpert states that it adopts solutions that consider appropriate techniques, application costs, nature, scope, and business risks. Furthermore, it commits to:

  1. Comply with regulations, laws, standards, and contractual clauses related to Information Security and Privacy;
  2. Appropriately address any Information Security incident, including registration, classification, investigation, correction, and documentation, and, when necessary, notify the competent authorities;
  3. Maintain a Risk Management program that meets SoftExpert’s business needs;
  4. Maintain an internal and external audit program to validate the compliance of its IMS;
  5. Oversee and regulate the physical and logical access of all individuals, including employees and service providers;
  6. Categorize information related to the IMS scope to ensure it receives appropriate protection;
  7. Invest in training and awareness programs to educate users about their responsibilities and the importance of taking care of the information under their responsibility;
  8. Have a business continuity plan to ensure the ongoing provision and support of services, even in adverse situations.

SoftExpert seeks to establish relationships with its employees and service providers who share the same commitment to information security, privacy, and the quality of products and services, assigning the same importance and relevance to these aspects as the organization does.

5. Roles and Responsibilities

Senior Management

  a) Support the dissemination and maintenance of the IMS;
  b) Provide the necessary resources for maintaining the IMS;
  c) Perform critical analysis and monitoring of IMS results at planned intervals.

Information Security Committee

  a) Support the analysis of the efficiency and effectiveness of controls adopted in the IMS;
  b) Support the definition of actions to ensure continuous improvement of the IMS;
  c) Support the dissemination of the IMS throughout the organization;
  d) The committee should include at least one member from each area.

Leaders

  a) Demonstrate exemplary compliance with this Information Security Policy and the other internal Policies, Standards, and Procedures that complement it;
  b) Ensure that their team is aware of this Security Policy and the other Policies, Standards, and Procedures that complement it.

Other Users

  a) Comply with internal information security policies, guidelines, and procedures;
  b) Use information assets appropriately;
  c) Seek guidance when in doubt about information security;
  d) Safeguard and protect the company’s confidential information against unauthorized access, modification, destruction, or disclosure;
  e) Report information security incidents as soon as they are identified;
  f) Report any potential information security risks identified;
  g) Participate in training and awareness activities.

6. Compliance

Non-compliance with the requirements set out in this Information Security Policy will result in a violation of the company’s internal rules and subject the user to applicable administrative and legal measures.

Copyright © SoftExpert Software for Performance Excellence. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.