check our security policy
Adiq Cybersecurity Policy establishes the following general guidelines:
1- goal
The Information Cybersecurity Policy (“Policy”) of Adiq Instituição de Pagamento SA (“ADIQ”) sets out the guidelines adopted by Adiq to regulate and organize the proper procedures for data and information protection, and determines security rules for cases where this information and data are made available, with the aim of minimizing risks involving assets, including Adiq people, environments, technologies and processes.
Additionally, this Policy seeks to:
I. Integrate risk management into Adiq general culture.
II. Ensure confidentiality, integrity and availability of Information related to Adiq and its partners.
III. Comply with regulatory and legislative requirements.
IV. Prevent and address threats and vulnerabilities.
V. Align obligations concerning guidelines, procedures and responsibilities when it comes to your role in the context of Adiq Information Security.
2- application
The provisions established in this Policy apply to all customers, suppliers and partners of Adiq and Adiq Plus organizations, hereafter referred to as ‘Adiq’.
3- guidelines
This current Policy shall be governed by the following guidelines, in addition to being addressed in specific norms and policies:
3.1- information classification
The information classification policy was created according to the current security and regulation best practices, so all pieces of information are classified and receive their proper level of protection. Classification is structured in 4 levels: Public, Private, Restricted and Confidential.
3.2- risks
There shall be a risk identification, assessment and handling plan so as to reduce and/or avoid negative impacts on the organization. Risks shall be monitored according to the classification, so there is a priority determined to handle each one of them.
3.3- remote work
We developed a remote work policy that shall be adopted according to the guidelines established by the organization. Those guidelines help collaborators follow remote work best practices, ensuring organization and maintaining the quality level of the activities performed.
3.4- business continuity plan
The Business Continuity Plan Policy aims to establish the guidelines and responsibilities needed to assure the continuity of critical operations and the integrity of the information processed right after any downtime and during the subsequent recovery process.
3.5- access controls
To assure the security of our systems and information, we have specific guidelines and norms that address access control, logical environment monitoring and physical environment monitoring, in compliance with industry best practices and applicable regulations.
We believe each person plays a key role in making the entire process work as a whole, and access shall be properly adjusted according to the corresponding functions, not exceeding the minimum necessary for that specific position.
3.6- storage, disposal, destruction and reuse
We established and documented the guidelines needed to ensure the information stored in the equipment and media is securely deleted or destroyed before disposal or reuse.
3.7- firewall rule management
The Norm of Firewall Rules establishes the guidelines with rules to be used to obtain network traffic control, and to block transmissions that do not meet Adiq security criteria.
3.8- information security incident management
Incident management shall ensure that incidents are identified, assessed and recorded along with their cause analysis and impact, and that the effects of incidents relevant to Adiq activities are controlled. The response to incidents shall be provided in a fast and effective manner, preserving Adiq reputation and image. Each and every incident that impacts information security shall be communicated.
3.9- log monitoring and control
There shall be audit trails with sufficient level of detailing to track normal usage and potential failures and frauds. Monitoring and analyzing logs allow us to investigate a security incident, as well as check whether security rules are adequate.
3.10- malicious software
Whenever possible, all Adiq assets shall be equipped with duly monitored and updated antivirus software, in accordance with industry best practices and applicable regulations.
3.11- hardening
In order to mitigate known risks (hardening), information security best practices and benchmarks shall be used. They contain recommendations for installation, setup and maintenance of Adiq devices to minimize security failures.
3.12- encryption
Encryption controls are used at Adiq to allow for confidentiality, authenticity, integrity and non-repudiation of Information. Therefore, encryption processes adopted at Adiq shall always use reliable keys and/or certificates, secure configurations and follow industry best practices.
3.13- secure development
We developed a secure development norm based mainly on OWASP to assure the quality of our solutions from both the functional and the security perspectives, and to assure the adoption of secure development best practices.
3.14- vulnerability management
The Vulnerability Management Norm has the goal to establish procedures and controls to avoid, detect and reduce incidents that may adversely impact Adiq activities, according to security best practices and applicable regulations.
3.15- changes
Change Management is the process that aims at assuring changes made in production and pre-production environments are performed in a controlled manner, making sure they are assessed, planned, tested, communicated, deployed and documented, thus seeking to mitigate risks involved in technology changes in operational environments.
3.16- backup
Data and information backup shall be regularly performed, according to the established backup norm, determining guidelines related to retention, and storage location, among other factors that make the process secure.
3.17- asset management
We must assure proper security controls are implemented and observed in order to ensure information asset maintenance and life cycle. Assets shall only be used to perform Adiq-related activities.
3.18- use of devices and technologies
Adiq establishes guidelines and recommendations for the management and the secure, ethical and legal use of devices and technologies made available to Collaborators to carry out their professional activities, always supporting information security to protect information that is accessed, processed or stored.
3.19- capacity management
Adiq resource utilization shall be monitored, and there shall be projections for future capacity needs in order to ensure the required performance.
3.20- selection of information technology providers
Adiq previously assesses the hiring of service providers who will handle sensitive data or information, or who are relevant to perform operational activities at Adiq, and also checks whether they adopt procedures and controls aimed at incident prevention and response.
3.21- data and privacy protection
At Adiq we comply with data privacy protection legislation and adhere to security best practices to ensure proper data handling.
3.22- training
Awareness, education and training programs on Information Security shall be held by the Information Security team seeking to meet the goals, principles and guidelines established in this Policy, adjusted to the specific needs and responsibilities of each collaborator.
3.23- audit and compliance
Adiq regularly conducts tests and internal audits to identify whether its practices follow this Policy, its Internal Norms and the Reference Documents listed in this Policy, and whether this Policy has been effectively implemented and observed.
3.24- communication channels
Any deviations from the guidelines established in this Policy can be reported to the Ethics Channel (https://www.contatoseguro.com.br/adiq or 0800 515 2223), and the person reporting the deviations may remain anonymous, if they wish to do so.