1. Scope and objective
The Information Security Policy applies to all information that is under the responsibility of Coutinho Rebelo Advogados (hereinafter referred to as CRA), regardless of the recording medium, including, in particular, databases, any IT environment, documents, files and other technological and/or application tools.
The objective of the Information Security Policy is to preserve the confidentiality, integrity, and availability of information, contributing to ensuring the CRA’s objectives and maintaining customer trust as well as compliance with legal and regulatory obligations.
This Policy formalizes and intends to communicate the strategic and programmatic definitions approved for information security, which are assumed as an ethical commitment and professional responsibility of the CRA.
In this sense, the CRA defines clear objectives for the implementation of information security processes, controls and practices, and promotes the adoption and implementation of an Information Security Policy that applies across the entire firm.
Information security objectives correspond to:
2. Responsibilities and security organization
The Information Security Policy is intended for all CRA lawyers and employees, regardless of their relationship, as well as suppliers and service providers and their employees who have access to information under the responsibility of CRA.
Accordingly, everyone is obliged to comply with and enforce this Policy and to report any event that causes or may cause a breach of information security.
3. Information security policy
The Information Security Policy is guided by the following principles:
4. Information security organization
The information security organization is implemented and managed through an Information Security Management System (ISMS; SGSI in the Portuguese original), integrated with the office’s processes and its global management structure. This guarantees a multidisciplinary approach to the topic and allows the CRA to plan, design, control, evaluate and improve all information security implementation processes across the firm, considering three aspects of action: people, technologies and processes.
The CRA implements specific policies and procedures that respect international reference standards, capable of being audited and that define the requirements for the implementation of the ISMS, namely:
4.1. Information security risk assessment
Information security requirements and risk acceptance criteria are identified through an accurate information security risk assessment. Carrying out a risk analysis helps to determine the risk exposure and, consequently, to prioritize the most relevant risks, allowing the identification of appropriate mitigation actions and appropriate controls.
4.2. Information security controls
The selection of controls depends on CRA decisions based on risk acceptance, risk treatment and, in general, risk management criteria. These criteria result from the risk analysis carried out and must consider applicable national and international regulations and legislation. The implemented information security mechanisms are subject to periodic reviews to ensure the expected security levels, with particular focus on safeguarding business continuity and critical processes.
4.3. Continuous improvement
The ISMS is subject to periodic reviews, either scheduled in advance or justified by significant changes, in order to improve its applicability, suitability and effectiveness.
4.4. Review and communication of the general information security policy
The Information Security Policy will be subject to annual review or whenever significant changes are made, in order to ensure its continued applicability, suitability and effectiveness.
Public Document
10/31/2023