
General External Information Security Policy

1. Scope and objective

The Information Security Policy applies to all information that is under the responsibility of Coutinho Rebelo Advogados (hereinafter referred to as CRA), regardless of the recording medium, including, in particular, databases, any IT environment, documents, files and other technological and/or application tools.

The objective of the Information Security Policy is to preserve the confidentiality, integrity, and availability of information, contributing to ensuring the CRA’s objectives and maintaining customer trust as well as compliance with legal and regulatory obligations.

This Policy formalizes and intends to communicate the strategic and programmatic definitions approved for information security, which are assumed as an ethical commitment and professional responsibility of the CRA.

In this sense, the CRA defines clear objectives for the implementation of information security processes, controls and practices and promotes the adoption and implementation of an Information Security Policy that applies across the entire firm.

Information security objectives correspond to:

  • Assess information security risks, in order to implement the necessary controls that allow the risks to be mitigated up to the established level of acceptance.
  • Create a culture of information security through training and awareness actions.
  • Define and implement the technical and organizational controls necessary to guarantee the confidentiality, integrity, and availability of information.
  • Consider information security as a process of continuous improvement, which allows increasingly advanced levels of security to be achieved.


2. Responsibilities and security organization

The Information Security Policy is intended for all CRA lawyers and employees, regardless of their relationship, as well as suppliers and service providers and their employees who have access to information under the responsibility of CRA.

To this extent, everyone is obliged to comply with and enforce this Policy and to communicate any event that causes or may cause a breach of information security.


3. Information security policy

The Information Security Policy is guided by the following principles:

  • Confidentiality: information is only made available to those who have the appropriate authorization for this purpose.
  • Integrity: the safeguarding and preservation of information, and the adequacy of the respective processing methods.
  • Availability: the information is available to all duly authorized users.
  • Auditability: corporate and/or business data and information are registered, compiled, analyzed, and revealed, in order to allow internal auditors or external certifying entities to attest to their integrity.
  • Traceability: the ability to recover the history of actions carried out.

Information is an essential good or asset for the CRA and must be protected in the most appropriate way. Information security protects information against a multitude of threats, being essential to promote service (business) continuity, minimize negative effects on the organization, maximize the profitability of investments and continually improve the quality of the service.

Information security is achieved through the implementation of a set of controls, namely policies, standards and procedures, which are in accordance with the international standard ISO/IEC 27001.

To comply with these principles, the CRA, in accordance with the legislation and standards in force in matters of information security, adopts the best national and international practices, in a manner appropriate to the specificities of the organization.


4. Information security organization

The information security organization is implemented and managed through an Information Security Management System (SGSI), integrated with the office’s processes and its global management structure. This guarantees a multidisciplinary approach to the topic and allows the CRA to plan, design, control, evaluate and improve all information security implementation processes across the organization, considering three aspects of action: people, technologies and processes.

The CRA implements specific policies and procedures that respect international reference standards, capable of being audited and that define the requirements for the implementation of the ISMS, namely:

  1. The CRA promotes the definition of appropriate rules for data privacy and compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, and applicable national legislation.
  2. The CRA promotes, through its SGSI, the protection of the confidentiality, integrity and availability of information, as well as the resilience of its systems and information processing services.
  3. Through its Incident and Business Continuity plans, CRA promotes the ability to minimize the impact of physical or technical incidents, as well as recover availability and access to personal data in a timely manner, in the event of a disaster or serious incident.
  4. Regular assessment of the security of information processing and respective support systems is promoted by formal external audit processes, carried out by reputable and impartial auditors, with certified skills.
  5. The risk analysis process implemented within the scope of the SGSI includes the risks associated with the processing of personal data, including accidental or unlawful destruction, loss and alteration and unauthorized disclosure or access to personal data transmitted, stored or subject to any other type of treatment.
  6. The CRA, as the party responsible for the processing of personal data, takes measures to ensure that any natural person who, acting under the authority of the controller or of a subcontractor, has access to personal data processes it only on instructions from the controller, unless required to do so by European Union or Member State law.


4.1. Information security risk assessment

Information security requirements and risk acceptance criteria are identified through an accurate information security risk assessment. Carrying out a risk analysis helps to determine the risk exposure and, consequently, to prioritize the most relevant risks, allowing the identification of appropriate mitigation actions and appropriate controls.


4.2. Information security controls

The selection of controls depends on CRA decisions based on risk acceptance, risk treatment and, in general, risk management criteria. These criteria result from the risk analysis carried out and must consider applicable national and international regulations and legislation.

The implemented information security mechanisms are subject to periodic reviews to ensure the expected security levels, with particular focus on safeguarding business continuity and critical processes.


4.3. Continuous improvement

The SGSI is subject to periodic reviews, either scheduled in advance or justified by significant changes, in order to improve its applicability, suitability and effectiveness.


4.4. Review and communication of the general information security policy

The Information Security Policy will be subject to annual review or whenever significant changes are made, in order to ensure its continued applicability, suitability and effectiveness.


Public Document

10/31/2023