Privacy and Security Policies

Privacy Policy

  1. Declaration of Data Privacy

Korn Traduções (“Korn” or “we”) cares about respecting and protecting your privacy.

This Privacy Policy (“Privacy Policy”) is applicable to all employees, service providers, partners, and clients and is intended to present the guidelines defined and applied by Korn in the processing of your personal information.

This Privacy Policy covers, among other things, every collection and/or processing of personal information through several channels, such as websites, applications, social networks, sales and events, as well as the processing of data provided by partners, clients, and service providers for the provision of services.

Our Privacy Policy is based on the ethics and values followed by Korn and complies with the Brazilian General Personal Data Protection Law (LGPD – Law no. 13.709/2018) and the Civil Rights Framework for the Internet (Law no. 12.965/2014), which set out the principles, guarantees, and duties for the use of the Internet in Brazil.

Please read this Privacy Policy carefully to understand how and for what purpose your Personal Data may be collected by Korn. This Privacy Policy must be interpreted jointly and consistently with any other document, contract, or privacy clause that accompanies it. Korn will act as the controller of your Personal Data; that is, it is incumbent upon us to make the decisions related to Personal Data Processing.

By selecting the acceptance field of the Privacy Policy, you declare that you accept and consent to the information provided herein.

  2. Personal Data, Collection Means, and Purpose of the Processing

“Personal Data” means information about an identified or identifiable individual. Examples of Personal Data include full name, occupation, identification document, address, email, telephone number, education degree, IP address, geolocation, and vehicle information, among others.

“Processing” means every operation performed with Personal Data, such as collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, assessment or control of information, modification, communication, transfer, diffusion, or extraction.

“Subject” is the natural person to whom the Personal Data subject to Processing relates.

Depending on the type of Subject (employees, service providers, partners, or clients) and the manner said Subject interacts with Korn, several categories of information are collected, such as:

  • Personal contact information: any information provided for purposes of contact, such as name, mailing address, email, business address, social network information, and telephone number.

  • Account login information: any information needed to grant access to a specific account profile for the use of our services. Examples include email address, user name, password (kept only in a non-recoverable, one-way hashed format), and/or security questions and answers, among others.

  • Technical information on the computer/mobile device: any information on the computer system or other device that you use to access our web pages, services, or applications, including the IP address used to connect your computer or device to the Internet, the type of operating system, and the type and version of the web browser, among other browsing information.

  • Financial and payment information: information necessary to perform orders, agreements, invoicing, collections, payments, and reimbursements. Korn certifies that its payment processing service handles financial and payment information in conformity with the applicable security laws, rules, and standards.

  • Sensitive Personal Data: whenever there is a need to collect and process Sensitive Personal Data for any reason, your prior and express consent will be requested. If Sensitive Personal Data needs to be processed for other purposes, such processing will rest on a legal basis, and Korn will notify the Subject in advance.

  • Personal Data of Children and Adolescents: whenever there is a need to collect and process Personal Data of children and adolescents (such as information on health care plans and other benefits or obligations), explicit consent from the parents or guardian will be requested.

2.1. Purpose of the Personal Data Processing

The Processing of your Personal Data may be performed by Korn through several means, based on your consent, where applicable, on a legal, regulatory, or contractual obligation, or on another legal basis. Korn may request that you provide your consent in writing, or through any means that confirms it, whenever necessary.

Your Personal Data is collected to enable and/or improve the translation services that Korn has been engaged to provide, as well as for:

  1. Identification and/or offering of relevant content on certain preference and/or interest expressed by you to Korn, including without limitation, newsletters, events, invitations, reminders, thank you notes, among others;
  2. Performance of client relations and service activities;
  3. Composition of the database of suppliers and service providers of Korn;
  4. Composition of the database of job and internship applications and service providers to Korn;
  5. Conduction of recruiting, hiring, and training processes to meet our labor obligations to professionals/employees;
  6. Composition of employees’ databases, Alumni members, committees, and other groups;
  7. Registration of service providers and execution of related agreements;
  8. Conduction of internal operations (financial, accounting, labor, among others), problem solution, data analysis, data integration and consolidation;
  9. Sale of products and/or services;
  10. Risk management and detection, prevention and/or remediation of fraud or other potentially illegal or forbidden activities, further to violations of policies, agreements, or applicable terms of use;
  11. Protection, defense, and management of Korn’s interests;
  12. Performance of environmental and social projects and activities;
  13. Compliance with the applicable legislation;
  14. Notice on any changes in the Privacy Policy;
  15. Fulfillment of any other request from you to Korn.

2.2. Types of Data Collected from the Website and Registration Methods

Korn collects Personal Data through online forms or physical means when you, for instance, enroll in an event, send information to apply for a position, or fill out a contact form on the website.

When you register or send information to Korn, we generally request data such as your name, email, telephone number, position, and company. In addition, other personal information may be received through résumés sent by you when applying for a position, through third parties, such as the company you work for, or even from public sources.

2.3. Internet Browsing Data

When you access our website, we collect standard internet log data and usage patterns. Korn does this to gather information such as the number of visitors to different parts of Korn’s website.

We use analytics tools that help us analyze the access to and use of our website. The tool uses “cookies”, which are text files placed on your computer, to collect standard internet log information and visitor behavior anonymously, always with the purpose of assessing the use of the website by visitors and compiling statistical reports on the activity on Korn’s website. If you would like to know more about cookies, including how to control them, see the website https://www.allaboutcookies.org/

Korn’s pages or services may also use other tracking technologies, including IP addresses, log files, and web beacons, which also help us adapt Korn’s website to your personal needs.

  3. Data Storage and Retention

Korn may store your Personal Data for the time needed to meet the purposes mentioned in this policy and applicable laws and regulations, as the case may be. For determination of the method and duration of the Processing of your Personal Data by Korn, the nature of your Personal Data provided to Korn and the purpose of the Processing will be considered. Once this purpose is met, your Personal Data will be deleted.

Certified translations, also known as sworn translations, are public documents and cannot be discarded. Certified translators must keep a copy of each translation made and record it in the Registry of Commerce of the state in which they are enrolled (Decree no. 13.609/43 and Resolution of the Registry of Commerce of each State).

The elimination of data and information, when necessary, will be carried out through established physical or electronic elimination procedures, subject to the existing legislation and in such a manner as to eliminate all traces and copies in Korn’s possession.

  4. Personal Data Sharing

Korn will not sell your Personal Data, but may share or transfer it to third parties, in Brazil or abroad, to meet the purposes set out in this policy and to comply with court orders or decisions by any other competent authority, according to the applicable legislation. Therefore, Korn may share with or transfer your Personal Data to third parties, within or outside Brazil, in the following events:

  • The services provided by Korn require the support of a technological infrastructure that may be established outside Brazil, such as cloud servers and services, which may be owned or provided by third parties, IT systems providers, or providers of services related to payroll and human resources, among others;
  • Banks, exclusively for contractual or labor transactions;
  • Business partners with which Korn maintains cooperation or alliances, which will be aware of and undertake the responsibilities and commitments regarding Personal Data privacy agreed in specific contractual clauses. By authorizing the quotation, you consent to Korn Traduções sending, whenever necessary, your personal data, or any personal and/or sensitive data contained in the documents you send, to partner professionals located outside Brazil for the sole purpose of meeting your request for translation services in the best manner. Only the data needed to perform the requested activities will be sent, ensuring the rights, principles, and safeguards set out by the LGPD; and
  • Administrative and judicial authorities that, in the performance of their authority, require such information.

For cases not provided for above that call for Personal Data sharing, the express authorization (consent) will be requested from the Personal Data Subject through a notice with information on the sharing.

In all events, Korn undertakes to share only the Personal Data needed for the performance of the respective purpose or meeting the respective specific order, as the case may be.

  5. COVID-19 – Item Applicable to Employees and Visitors

By virtue of the Covid-19 contagion prevention and control measures, Korn and/or the building where it is located may also collect personal information from its employees, service providers, and visitors, such as health history in relation to Covid-19, information on the workplace and body temperature, among others.

  6. Cross-Border Processing

The services provided by Korn require the support of a technological infrastructure that may be established outside Brazil, such as cloud servers and services, which may be owned or provided by third parties. In addition, for the performance of its activities, Korn may have to share your Personal Data with third parties outside Brazil.

In such events, Korn ensures that it will only engage third parties that meet the highest security standards and apply at least the same level of Personal Data protection provided for in the Brazilian legislation.

  7. Security

Korn and the third parties with which your Personal Data may be shared follow the security standards required for prevention and remediation of unauthorized access to Personal Data, employing the applicable means and recommended security standards to protect it, to the extent technically and operationally feasible.

  8. Third Parties’ Links

Korn may offer links forwarding to third parties’ websites to improve your browsing experience or to provide information or services. Korn clarifies that this Privacy Policy does not apply to Personal Data provided by you to any companies, individuals, and/or organizations other than Korn. Such natural or legal persons may adopt different policies regarding the privacy and handling of the Personal Data they collect and otherwise process.

Korn recommends that you check the privacy policies of such persons and/or third parties’ websites prior to providing your Personal Data.

  9. Rights of the Data Subject

Korn respects your privacy and cares about providing the necessary channels to enable you to exercise your rights and receive proper, clear, and transparent information on the use and processing of your Personal Data. Therefore, any request to change incomplete, inaccurate, or outdated data and/or to delete data provided to Korn, including Personal Data, should be made by email to [email protected].

The request will be analyzed and, provided it neither entails interruption of the services provided by Korn nor falls within one of the data-retention events, fulfilled. Should it entail interruption of the service provision, your relationship with Korn will be terminated, but the obligations resulting from the provision will remain valid and, in such event, your information and Personal Data will continue to be used and processed by Korn and/or authorized third parties until the need or purposes set out in this Policy are met.

In addition to the change and deletion of Personal Data, you may also exercise the following rights upon request to Korn by email to [email protected]:

  • confirmation on whether the processing of your Personal Data is performed by Korn and/or authorized third parties, including after termination of your relationship with Korn;
  • obtaining information on which Personal Data is stored and otherwise processed by Korn;
  • information on the public and private entities with which Korn shared the data;
  • request the correction of incomplete, inaccurate, or outdated data;
  • information on the possibility of not providing consent and on the consequences of the denial when Korn requests your consent for Personal Data processing in some specific situation;
  • revocation of the consent when Korn requests your consent for Personal Data processing in any specific situation; and
  • notice to Korn that you disagree with your Personal Data processing with an explanation of the reasons for refusal, for analysis of the case by Korn.

For security purposes, Korn may request additional data or information to confirm the Subject’s identity and authenticity in case of requested exercise of such rights.

The Subject may contact the company through an email to privacidade@korntraduções.com.br.

  10. Communication: Change, Cancellation, or Doubts about this Privacy Policy

If you wish to access, change, or delete your Personal Data provided to Korn or exercise any of your rights as Data Subject, contact us through email to [email protected]. We will take the required measures and/or reply to the email within a reasonable period, according to Korn’s technical and operational feasibility. Korn may also request you to update your Personal Data periodically.

If you disagree with this Privacy Policy, wish to delete any Personal Data processed by Korn or obtain clarifications on the application of this Privacy Policy and your rights, contact us by email to [email protected]. We will be happy to clarify any doubts and/or meet your request.

Lastly, if you received communication from Korn and did not intend to receive it, notify us through the link “Unsubscribe” or send an email to [email protected].

Korn’s purpose is to answer all requests above as soon as possible.

  11. Data Protection Officer

Korn is headquartered in São Paulo – Brazil. The contact information for Korn’s Data Protection Officer is:

Av. São Gabriel, 201, conj. 1403

São Paulo – São Paulo, 04532-080

[email protected]

  12. Changes in this Privacy Policy

All Personal Data processed by Korn will be in conformity with this Privacy Policy and the above-mentioned purposes.

Korn reserves the right to change this Privacy Policy in full or in part at any time. The date of the latest update will be inserted in the revised Policy, as indicated below.

Refer to this Privacy Policy periodically for any changes. The use of Korn’s website or provision of Personal Data through any other means presumes your consent to this Privacy Policy.

  13. Revision and Approval of this Policy

This Policy may be revised every two years or at any time, as needed or desired by Korn, according to the approval cycle of the involved areas and authorities. An updated version of this Policy will be made duly available on this page as soon as it is completed.

Information Security Operational Policy

INTRODUCTION

Korn Traduções, aiming to establish a lasting and trustworthy alliance with its clients, employees and vendors, and with the purpose of satisfying its clients’ needs with excellence, confidentiality, integrity and availability, is committed to protecting the information it owns or uses in providing its services.

The establishment of an Information Security and Privacy Management System is a commitment from Korn Traduções’ senior management, whose focus is to:

  • Guarantee the confidentiality, integrity and availability of information owned or used by Korn Traduções, with the purpose of ensuring the continuity of processes and quality in the provision of its services.
  • Ensure compliance with current legislation and contractual requirements.
  • Promote the qualification of its employees.
  • Practice continuous improvement of the Information Security and Privacy Management System.

This Policy is endorsed and complemented by the Privacy Policy, the Code of Ethics and Conduct, the Confidentiality Agreements and the Employment Contract Addendum – Change from in-person work to partial or full-time remote work (Home Office).

Scope

This Policy applies to all employees and outsourced parties who are users of Korn Traduções resources and information.

Applicable Legislation

Korn’s Senior Management, together with the internal areas involved, is responsible for reviewing and keeping updated the records of applicable legislation and for carrying out adjustment actions, when applicable.

Other interested parties in Korn’s operational chain (clients, vendors, outsourced parties, legal entities/subcontractors, among others) must also comply, according to their scope and applicability, with the legislation applicable to them.

The legislation related to this policy and to the Information Security guidelines and standards includes, but is not limited to, the following:

  • Federal Constitution;
  • Consumer Protection Code (Law No. 8,078, of September 11, 1990);
  • Federal Law No. 8,159, of January 8, 1991 (Provides for the National Policy on Public and Private Archives);
  • Federal Law No. 9,610, of February 19, 1998 (Provides for Copyright);
  • Federal Law No. 9,279, of May 14, 1996 (Provides for Trademarks and Patents);
  • Law No. 3,129, of October 14, 1882 (Regulates the Granting of Patents to authors of inventions or industrial discoveries);
  • Federal Law No. 10,406, of January 10, 2002 (Institutes the Civil Code);
  • Decree-Law No. 2,848, of December 7, 1940 (Institutes the Penal Code);
  • Federal Law No. 9,983, of July 14, 2000 (Amends Decree-Law No. 2,848, of December 7, 1940 – Penal Code, and provides other provisions);
  • Law No. 12,965, of April 23, 2014 (Internet Civil Framework Law);
  • Federal Law No. 13,709, of August 14, 2018 (General Data Protection Law – LGPD);
  • Anti-Corruption Law (Law No. 12,846, of August 1, 2013);
  • Law No. 10,097/2000 and Decree No. 9,579, of November 22, 2018 (Apprenticeship Law, on the learning and employment of minors);
  • Law No. 12,737, of November 30, 2012 (Provides for the criminal classification of computer offences);
  • Law No. 5,452, of May 1, 1943 (Consolidation of Labor Laws – CLT).

Terms and Definitions

For the purposes of this Policy, the following terms and definitions apply:

  • Risk acceptance: decision to accept a risk.
  • Critical areas: premises of Korn Traduções or its clients where an information asset related to critical information for the company’s or its clients’ business is located.
  • Threat: potential cause of an unwanted incident that could result in damage to a system or organization.
  • Risk analysis: systematic use of information to identify sources and estimate risk.
  • Risk assessment: process of comparing the estimated risk with predefined risk criteria to determine the importance of the risk.
  • Corrective action: action to eliminate the cause of an identified non-conformity or other undesirable situation.
  • Attack: attempt to destroy, expose, change, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
  • Asset: any component, resource or set of these applicable to the preservation of confidentiality, integrity and availability of data and information (hardware, software, infrastructure, people with their expertise, etc.).
  • Information asset: knowledge or data that has value for the company.
  • Authenticity: property that guarantees the authorship of a given piece of data.
  • ISMC (Information Security Management Committee): multidisciplinary group that brings together representatives from different areas of the company, approved by the Executive Board, with the aim of defining and supporting the strategies necessary for the implementation and maintenance of the ISMS – Information Security Management System.
  • Risk communication: exchanging or sharing information about risks between the decision maker and other interested parties.
  • Reliability: characteristic of consistent behavior and desired results.
  • Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities or processes.
  • Control: means of risk management, including policies, procedures, guides, practices or organizational structures, which may be administrative, technical, management or legal in nature.
  • Access control: means to ensure that access to assets is authorized and restricted based on security and business requirements.
  • Risk criteria: terms of reference by which the importance of the risk is assessed.
  • Personal data: any information associated with an identified or identifiable individual provided by Korn Traduções and/or accessed on its behalf and/or that relates to the condition of an individual linked to Korn Traduções, including, but not limited to, name, address, telephone, email, bank details.
  • Sensitive data: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person.
  • Applicability statement: documented statement that describes the control objectives and controls that are relevant and applicable to the company’s ISMS.
    • Note: control objectives and controls are based on the results and conclusions of the risk analysis/assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the company’s business requirements for information security.
  • Availability: property of being accessible and usable on demand by an authorized entity.
  • Information Security Event: an identified occurrence of a system, service or network state indicating a possible violation of the Information Security and Privacy Policy or failure of controls, or a previously unknown situation, that may be relevant to information security.
  • Risk Management: coordinated activities to direct and control a company regarding risks.
  • Critical information for Korn Traduções’ business: all information that, if subject to unauthorized access, modification, destruction or disclosure, will result in operational or financial losses to Korn Traduções or its clients. Examples: clients’ data, system sources, business rules, strategic or business information from clients obtained in meetings, Korn Traduções’ strategic planning, prospecting, Korn Traduções’ strategic information.
  • Impact: adverse change in business objectives.
  • Information security incident: a single event or a series of unwanted or unexpected information security events that have a high probability of compromising business operations and threatening information security.
  • Integrity: property of safeguarding the accuracy and completeness of assets.
  • Mitigation: limiting the negative consequences of a given event.
  • Non-repudiation: ability to prove the occurrence of an alleged event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and the involvement of entities in the event.
  • Risk: combination of the probability of an event and its consequences.
  • Information Security Risk: possibility of a threat exploiting a vulnerability in an asset or group of assets and thus causing damage to the company.
  • Residual risk: risk remaining after risk treatment.
  • Data sanitization: in Digital Forensics, the process of cleaning data storage media by irreversibly erasing all data from a storage device, that is, permanently eliminating its residual information.
  • Information security: preservation of confidentiality, integrity and availability of information.
    • Note: additionally, other properties such as authenticity, accountability, non-repudiation and reliability may also be involved.
  • Management system: framework of policies, procedures, guides and associated resources to achieve the company’s objectives.
  • Information Security Management System – ISMS: part of the global management system, based on the business risk approach, to establish, implement, operate, monitor, critically analyze, maintain and improve information security.
  • Risk treatment: process of selecting and implementing measures to modify a risk.
  • Vulnerability: weakness of an asset or control that can be exploited by a threat.

DOCUMENTED INFORMATION

Normative Structure

The documents that make up the normative structure are divided into 5 categories:

  1. Policy (strategic level): defines the high-level rules that represent the basic principles that Korn Traduções decided to incorporate into its management in accordance with the strategic vision of senior management. It serves as the basis for creating and detailing operational policies and procedures.
  2. Operational policy: constituted by this document, defines specific rules that guide and regulate responsibilities and actions at an operational level.
  3. Procedures (operational level): implement the provisions of the policy, allowing direct application in Korn Traduções’ activities.
  4. Manual: instruction guide that supports the execution of a process or the use of software.
  5. Templates: documents and controls templates under version control.

All processes and templates are available on the Process Portal and the records are in the Korn Traduções documents repository. All documented information that demonstrates the execution of a process must have its storage controlled with a view to its prompt retrieval.

New documents or revisions must be submitted by the managers of the areas in question for approval by senior management before being made available, according to the Documented Information process, belonging to Quality.

Printed copies of the contents of the Korn Traduções Process Portal are not considered valid and are prohibited.

The documents forming part of the structure must be disclosed to all employees, interns, young apprentices and service providers of Korn Traduções upon their admission through the company’s official means of internal disclosure, in accordance with the Korn Traduções Communication Plan, and may be made available by the current HR management software, the Process Portal and the shared documents repository, so that their content can be consulted at any time.

Any change made to the Information Security and Privacy Policy must be passed on to the CEO or Executive Board for approval. After approval, the policy must be published, and employees must be trained.

Information Classification

It is necessary to classify all information owned by Korn Traduções or in its custody, in proportion to its value to the company.

Information that makes up the ISMS must be classified into:

  • Confidential – information that, if disclosed internally or externally, has the potential to cause great financial losses or damage to the image of Korn Traduções. It can be protected, for example, by encryption.
  • Restricted – strategic information that must only be available to restricted groups of employees. It is protected by access restrictions on the folders in which it is contained on the network drive and by the different access levels in the systems and on the Korn Traduções
  • Internal – information that cannot be disclosed to people outside Korn Traduções, but which, if this happens, will not cause major losses. The concern at this level is mainly related to the integrity of the information.
  • Public – data that does not require specific protection against leaks, as it may be public knowledge.

Information relating to employees, to the Financial Department of Korn Traduções and to clients (registration data and documents) is always classified as restricted, with access granted only to the people who need it to carry out their activities and provide the contracted service. To enable adequate control of information, the access levels described in the General Infrastructure and IT Procedures must be used.

INFORMATION SECURITY GUIDELINES

The following are the guidelines for Korn Traduções’ Information Security and Privacy Policy, which constitute the main pillars of the company’s information security management, guiding the preparation of standards and procedures.

The protection of information that belongs to Korn Traduções or is in its custody is defined as necessary, being a primary factor in the professional activities of each employee, intern, young apprentice or service provider of the company:

  1. Employees must take a proactive stance when it comes to protecting Korn Traduções’ information and must be alert to external and internal threats, as well as to fraud, information theft and improper access to information systems under the responsibility of Korn Traduções.
  2. Confidential matters must not be exposed publicly.
  3. Passwords, keys and other personal resources are considered non-transferable and cannot be shared or disclosed.
  4. Only approved software can be used in the Korn Traduções computing environment.
  5. Printed documents and files containing confidential information must be stored and protected. Disposal must be carried out in accordance with the relevant legislation and respecting the disposal procedure.
  6. All data considered essential to Korn Traduções’ business must be protected through backup routines and must be subjected to periodic recovery tests.
  7. Access to Korn Traduções’ facilities must be controlled in such a way that the principles of integrity, confidentiality and availability of the information stored or handled there are applied, guaranteeing the traceability and effectiveness of authorized access.
  8. Logical access to computer systems made available by Korn Traduções must be controlled in such a way that the principles of integrity, confidentiality and availability of information are applied, guaranteeing the traceability and effectiveness of authorized access.
  9. All creations, source codes or procedures developed by any employee, intern, young apprentice or service provider during the course of their employment with the company are the property of Korn Traduções.
  10. The use of cameras, video or audio recorders or other recording equipment, such as cameras on mobile devices, is not permitted on Korn Traduções premises, unless authorized by senior management. It is strictly forbidden to photograph or film computer screens, whether in the office or home office.
  11. Installing printers on Korn Traduções computers is not permitted, except when authorized by senior management. Access to printers already installed in the office must also be authorized by senior management upon request from the manager.
  12. Employees who work from home must always carry out their activities at the address provided to Korn Traduções, on a private, password-protected internet access network. It is strictly forbidden to carry out your functions at another address (which involves transporting the machine and accessing another network), except with authorization from senior management, granted after the new location and the need have been communicated and the risks analyzed. No access to Korn Traduções data and systems may be made over a public network (airports, restaurants, etc.).
  13. The computers made available by Korn Traduções to employees, interns and young apprentices, to carry out their activities, are for exclusive use for activities related to Korn Traduções and cannot be used for personal activities. When authorized by senior management, computers can be used for training, lectures or online webinars. Young apprentices are allowed to attend classes through the formal platform of the institute responsible for hiring them, but internet searches and file storage are strictly prohibited.
  14. The connection of private mobile devices (laptops, tablets, cell phones) to Korn Traduções’ main network, whether in wired or wireless segments, is not permitted. If necessary, such access may only be released with prior formal authorization from senior management. For clients’ and employees’ own devices, a separate Wi-Fi network can be made available for visitors.

It should be noted that the situations provided for in this Policy are not exhaustive, and it is certain that others related to the use of equipment in the workplace or doubts regarding information security may occur.

Regarding situations not expressly provided for in this Policy and/or in other Policies and in our Code of Ethics and Conduct, Korn Traduções counts on the common sense of its employees; if any doubts remain, the IT and HR/People Management teams can always be contacted with questions via the emails [email protected] and [email protected].

Assessment of Information Security Risks

Korn Traduções’ ISMS management must take actions to identify and classify the company’s Information Security risks by mapping vulnerabilities, threats, impact and probability of occurrence, and must adopt controls that mitigate these risks together with those responsible for the assets to which the risks are associated.

Necessary Competencies for Information Security

Those directly responsible for managing the ISMS must have the competencies needed to perform their duties appropriately at Korn Traduções, thus ensuring the success of the ISMS. To ensure the required competence, Korn Traduções must:

  1. Ensure that these people are competent on the basis of appropriate education, training or experience;
  2. Retain appropriate documented information as evidence of competence.

PHYSICAL ENVIRONMENT

Access to Korn Traduções’ physical environment is controlled and monitored. Visitors and vendors must be restricted to the reception and, when necessary, the meeting room, with access to other environments restricted. When the presence of a vendor in a restricted environment is required, the vendor must be accompanied by a Korn employee at all times.

Employees and vendors are not permitted to enter after hours, except when strictly necessary and with prior authorization from senior management, and outsourced parties must always be accompanied by a Korn Traduções employee.

All details regarding access control to Korn Traduções facilities, protection against external threats, alarms, utilities (electricity, water, air conditioning and others) are described in the General Infrastructure and IT Procedures.

Vendors

Contracts signed with vendors who may have access to confidential information and personal data must have information security and confidentiality clauses. The most relevant and critical vendors, in terms of information security, who work directly with Korn Traduções receive training in the guidelines established in this policy.

CLEAN DESK AND CLEAN SCREEN POLICY

All employees, interns and young apprentices who work on behalf of Korn Traduções must be aware of and practice the guidelines contained in this policy. These guidelines must be respected both in activities within the Korn Traduções office and in home office activities, when relevant to this modality.

The purpose of this Clean Desk and Clean Screen Policy is to ensure that data and information, in both digital and physical formats, and assets, tangible and otherwise, are not left unprotected in the workplace during their use or when someone leaves their workplace, whether for a short period, during downtime (lunch, meetings, etc.) or at the end of the working day.

Employees, interns and young apprentices must:

  • Use Korn Traduções assets, whether internal or external (home office or client allocation), with care, aiming to ensure their preservation and proper functioning.
  • Lock workstations when stepping away from or leaving the work site to prevent unauthorized access.
  • Do not leave printed documents on the table unnecessarily. When not in use, these should be stored in locked cabinets or drawers, especially outside office hours.
  • Keep keys to cabinets or rooms in protected locations or places with access only to authorized personnel.
  • Do not store folders with sensitive, confidential, strategic documents or personal data in easily accessible places.
  • Sensitive or critical information for Korn Traduções’ business must be kept in a secure location (lockers with keys or, when digital, in folders with restricted access).
  • Do not write down or leave confidential or sensitive information on bulletin boards or in visible places.
  • Do not leave notes, messages and reminders displayed on the table or glued to walls, dividers, bulletin boards or computer keyboards and monitors, including, but not limited to: access or screen unlock passwords, telephone numbers, email addresses of clients or contacts, confidential information, among others.
  • Destroy printed documents before discarding them. Whenever possible, use a shredding machine or, if there is a large quantity, a company specializing in disposal and recycling; in the latter case, a Korn Traduções employee must always accompany the process to ensure the correct destruction of the information.
  • Do not print documents merely to read them; read them on the screens of the information assets, preferably. Seek a paperless culture, as it reduces information security risks and benefits nature.
  • If you need to print, immediately remove documents with personal, sensitive or confidential information from the printer.
  • If you use a scanner or image copying equipment, remove the documents to be copied immediately after use.
  • Position tables and furniture so that confidential and sensitive data is not visible from windows, corridors or passageways, nor to people nearby who might have a view of assets carrying data and information, such as screens and papers on tables.
  • After the end of the working day or during a prolonged absence, keep the workspace clean and organized, keep documents stored, keep drawers and cabinets locked, and turn off computer or mobile devices, especially those connected to a network/internet. While using the equipment, properly close applications or services that are not in use to carry out your current activities.
  • Discard information left in meeting rooms (erase boards, shred sheets or other resources used during the meeting).
  • Do not consume food at the workstation, both in the office and in the home office environment, avoiding degradation and poor conservation of equipment and documents. Korn allows the use of bottles with tightly sealed lids containing only water and no other liquids (such as tea, coffee, soft drinks, juices, etc.) on tables, but never on tables where documents are present. In these cases, we recommend placing them in the nearest drawer or shelf, to avoid spilling liquids.

Cases not foreseen or that are omitted in this policy must be forwarded to the IT department.

INFORMATION TRANSFER POLICY

  • Korn employees and external parties who handle or have access to Korn’s assets must be informed and be aware of and guided by the information security requirements of related assets, information and personal data.
  • The procedures established by Korn for security, access control, use of software and antivirus, storage and termination of data and information processing must be followed by everyone involved, including employees and vendors/outsourced parties, as applicable.
  • Data and information Non-Disclosure Agreements, which also cover data privacy, are signed with in-house employees and with vendors/outsourced parties.

MOBILE DEVICES’ USE POLICY

The purpose of this policy is to establish standards for the use of mobile devices to ensure Information Security and compliance with legislation.

A mobile device is understood as any electronic equipment with mobility functions, such as laptops, tablets and cell phones, whether owned by Korn Traduções or privately owned, the latter in the case of cell phones used, with the approval of senior management, to carry out professional activities related to the company.

  • All Korn Traduções mobile devices made available must be registered and configured with unique, personal and non-transferable identification, with minimum security standards and with a user responsible for the use.
  • The mobile devices provided must be used solely and exclusively by users who have assumed responsibility for their use.
  • Private cell phones authorized for use in Korn Traduções activities must meet the security requirements informed by the IT department.
  • If a cell phone operator’s chip is provided for use in professional contacts, the identification of the chip and the person responsible for its use must be kept under the control of the IT department.
  • Use of shared credentials is discouraged. However, in situations where nominal credentials are not possible, credential sharing must be done through the password vault.
  • Following the recommendations of the Clean Desk and Clean Screen Policy, mobile devices must be locked when not in use in order to protect information from access by unauthorized persons.
  • Transport the device carefully: it is not permitted to transport the laptop on public transport, only by private means, in a private car or using ride-hailing applications such as Uber. When the trip is requested by Korn, reimbursement of the transportation cost can be requested from the financial department. If you use your own car, the laptop must be protected against impacts from backpacks or bags.
  • Avoid overheating: use the laptop only on tables; do not use it on beds, cushions or pillows.
  • Be careful with adverse weather conditions; avoid leaving your laptop near windows or in damp places.

DATA SHARING

Only computers provided by Korn Traduções must be used by employees, interns and young apprentices, and no company employee is permitted to access data on personal computers. All data must be stored in the appropriate folders on the network drive. The IT department must periodically check all existing shares and ensure that data considered confidential or restricted has appropriate access control. If there is a need to use a virtual machine, for business continuity reasons, it can be accessed through a personal computer, when authorized by Korn Traduções’ senior management and following the IT department guidelines.

Everyone at Korn Traduções must consider information as a company asset, one of the critical resources for carrying out business.

Information Privacy under company custody

It is necessary to protect the privacy of information that is in the custody of Korn Traduções, that is, information that belongs to its clients and is handled or stored on the means over which Korn Traduções has full administrative, physical, logical and legal control.

The directives below reflect the institutional values of Korn Traduções and reaffirm its commitment to the continuous improvement of this process:

  1. Information is collected ethically and legally, with the client’s knowledge, for specific and duly informed purposes;
  2. The information is received by Korn Traduções, processed and stored in a secure and complete manner, with restricted access and handled only by the people necessary to provide the service;
  3. Information is only accessed by people authorized and qualified for its proper use;
  4. Information may be made available to companies contracted to provide services, and such organizations are required to comply with our data security and privacy policy and directives, in addition to signing a non-disclosure agreement;
  5. Information is only provided to third parties with prior written authorization from the client or to comply with legal or regulatory requirements;
  6. The information and data contained in our registrations, as well as other requests that guarantee legal or contractual rights, are only provided to interested parties, upon formal request, following current legal requirements.

Creation of Access and Email Accounts for Non-Employees

The creation of access and email accounts for people who are not Korn Traduções employees is not permitted, except for interns and young apprentices.

If outsourced parties need logical access credentials to systems or tools that depend on email for their correct functioning, the employee’s manager must justify the need and request approval from Senior Management. In these cases, the outsourced party’s access must be restricted to correspondence related to the performance of their functions within the company, during business hours and in accordance with Korn Traduções’ policies.

Korn Traduções service providers must not be part of any Korn Traduções distribution list and/or public folders that may contain information intended for employees.

Access management

All types of systems that require logical access must have formal control from the release of access to its revocation.

  1. PASSWORD MANAGEMENT
    • Passwords for all access must be changed every 3 (three) months.
    • New users must change their password upon first access.
    • Passwords for accessing the machine, VPN (Virtual Private Network) and email and drive must be at least 10 (ten) characters long. Other passwords must follow the definition of each application.
    • Passwords for a cell phone or tablet must be 6 (six) characters long.
    • Passwords for accessing the machine, VPN, email, and drive must have a level of complexity containing numbers, special characters, and uppercase and lowercase letters. Other passwords must follow this determination, when possible, otherwise they must follow the definition of each application.
    • Access to the VPN must be done using the firewall server’s password.
    • New passwords must not match the last 24 (twenty-four) passwords entered.
    • Passwords should not be saved in the application, much less written down on paper, and should be typed at each access.
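As an added illustration of the rules above (this is example code, not Korn Traduções’ own tooling), the following Python script checks a candidate password against the stated length, complexity, 24-password history and 3-month rotation rules. Storing the history as salted PBKDF2 hashes, reading "3 months" as 90 days, and treating the 6-character rule for phones and tablets as a minimum length are assumptions made here.

```python
"""Password policy checker for the Password Management rules (added example).

Assumptions (not stated in the policy): previous passwords are kept as salted
PBKDF2 hashes, the 3-month rotation interval is taken as 90 days, and the
6-character rule for cell phones/tablets is applied as a minimum length.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

HISTORY_DEPTH = 24        # new passwords must not match the last 24 used
MAX_AGE_DAYS = 90         # "every 3 (three) months", taken here as 90 days
PBKDF2_ROUNDS = 50_000    # assumed iteration count for the stored history hashes

# Minimum length by credential scope, as stated in the policy. Scopes absent
# from this table follow each application's own definition and are not checked.
MIN_LENGTH = {"workstation": 10, "vpn": 10, "email": 10, "drive": 10, "mobile": 6}
# Scopes for which all four character classes are mandatory.
COMPLEXITY_REQUIRED = {"workstation", "vpn", "email", "drive"}


@dataclass
class Account:
    # Previous passwords kept only as (salt, PBKDF2 digest) pairs, newest last.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_change: Optional[date] = None
    must_change: bool = True  # new users change their password on first access


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_violations(password: str) -> List[str]:
    """Names the required character classes that are missing from the password."""
    checks = [
        ("lowercase letter", str.islower),
        ("uppercase letter", str.isupper),
        ("number", str.isdigit),
        ("special character", lambda c: c in string.punctuation),
    ]
    return [name for name, test in checks if not any(test(c) for c in password)]


def reused_recently(account: Account, candidate: str) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            return True
    return False


def check_new_password(scope: str, candidate: str, account: Account) -> List[str]:
    """Returns the list of policy violations; an empty list means acceptable."""
    problems = []
    min_len = MIN_LENGTH.get(scope)
    if min_len is not None and len(candidate) < min_len:
        problems.append(f"{scope}: at least {min_len} characters required")
    if scope in COMPLEXITY_REQUIRED:
        for missing in complexity_violations(candidate):
            problems.append(f"{scope}: missing {missing}")
    if reused_recently(account, candidate):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def record_password_change(account: Account, new_password: str, today: date) -> None:
    """Stores the new password's salted hash and restarts the rotation clock."""
    salt = os.urandom(16)
    account.history.append((salt, _digest(new_password, salt)))
    del account.history[:-HISTORY_DEPTH]  # keep only the last 24 entries
    account.last_change = today
    account.must_change = False


def rotation_due(account: Account, today: date) -> bool:
    """True when a first-access change is pending or the 3-month interval has elapsed."""
    if account.must_change or account.last_change is None:
        return True
    return today - account.last_change >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    acct = Account()  # constructed sample account
    for scope, pw in [("vpn", "kornpass"), ("vpn", "Korn-Trad2024"), ("mobile", "1234")]:
        print(scope, repr(pw), check_new_password(scope, pw, acct) or "OK")
```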

Logical Access Reviews

The IT department will carry out periodic reviews of access, which can be carried out jointly with users. Employees, interns and young apprentices must always report any abnormality or access that is not necessary for their job.

  1. ACCESS RELEASE
    • Unique, personal and exclusive identification must be used to ensure the responsibility of each user in their actions.
    • Provide access considering the minimum necessary for the user to perform their functions.
    • New employees, interns and young apprentices receive access depending on the role they will perform. This information must be provided to IT in accordance with the HR Recruitment, Selection and Admission Procedure.
    • Privileges must be authorized by the Executive Board of each area (Administrative Board or Customer Service and Financial Board).
    • The use of generic (non-nominal) users is not permitted, except in systems that do not have this functionality;
    • Access authorization is formalized in the General Infrastructure and IT Procedures.
    • Privilege control is carried out by groups of users or the role they perform (profile) in order to facilitate privilege management.
    • Administrative or generic passwords, when released, must have specific control. The IT department maintains an updated list of people (Employees/Vendors) who have such passwords so that other revocation and change control operations can be carried out.
    • The release of access to vendors or consultants must be critically analyzed by the person responsible for the application; every application must have a designated responsible person.
  2. REVOKING ACCESS

Access revocation may occur when an employee is terminated according to the termination flow, when a role changes, when a contract with a vendor is terminated, or upon request.

  • IT must keep access records up to date so that it is possible, at the time of revocation, to immediately delete or deactivate user access.
  • Access for employees, interns or young apprentices who have left the company is blocked following the HR Recruitment, Selection and Admission Process.

  1. ROLE CHANGES AND CRITICAL ANALYSIS OF ACCESS RIGHTS
    • IT and Managers must be formally notified of role changes, following the HR Recruitment, Selection and Admission Process. IT must analyze access and permissions with the new manager.

  1. SEGREGATION OF FUNCTIONS
    • A segregation of functions criterion for releasing permissions, based on “positions/functions/operation”, must be considered, so that the user (employee, intern, young apprentice, client, vendor) has access only to what is essential for carrying out their activity.
    • Privilege changes must be authorized by leadership.

  1. REMOTE ACCESS TOOL
    • Access to workstations and servers by remote assistance applications must only be done using authorized tools and always with IT knowledge. The tools used by Korn Traduções and the procedure for these accesses are described in General Infrastructure and IT Procedures.
    • Access and its logs must be analyzed periodically in order to avoid improper access.
  2. PASSWORD RESET
    • Password reset must be done by the account owner through the system itself. If the password is blocked, communication must be made through secure and approved channels such as WhatsApp so that IT can unlock it. IT must communicate that the password will be unlocked or reset, at their request, via email to the owner in order to guarantee the integrity of the operation.
    • When a generic or administrative password is changed, this must be communicated to the responsible person and the people who use it.

Attack Prevention

  1. CLOCK SYNCHRONIZATION

Applications, servers, physical access and resources must have their clock synchronized so that it is possible to carry out a careful analysis of incidents or user operations and ensure non-repudiation.

  1. INTERNET NAVIGATION

The Internet is considered an essential means of searching for information and job productivity, therefore, its use at workstations is permitted under monitoring. Such monitoring must be capable of:

  • Detect the accesses being made;
  • Detect files downloaded and sent over the Internet;
  • Identify possible misconduct or information leaks.

The rules regarding the use of the Internet determined in the Korn Traduções Code of Ethics and Conduct must be followed.

  1. NETWORKS AND NETWORK SEGREGATION

Considering that most of our employees work from home, the information and applications used by Korn Traduções are hosted on cloud servers, with firewall protection through a software-implemented VPN that covers all equipment used, both in the office and externally.

At Korn Traduções’ physical office, visitors are not permitted to access the main network, whether wired or wireless. If a connection is needed, access must only be made available on the visitors’ wireless network.

The network description is detailed in the General Infrastructure and IT Procedures.

  1. STATIONS AND SERVERS
    • Workstations and servers must have idle session control. The blocking must be done automatically after a period of inactivity determined by IT in accordance with General Infrastructure and IT Procedures.
    • Access to workstations must be done through credentials provided by the IT department and must follow determined password standards.
    • Data transfer via the USB port must be blocked.
    • Confidential information must be stored encrypted, following the guidelines defined in the General Infrastructure and IT Procedures. Laptops must have their hard drives encrypted.
    • Sharing folders on the computers of Korn Traduções employees is not permitted. Data must always be on the network drive and data that requires sharing between employees must be allocated in appropriate folders, with attention to the access permissions applicable to said data.
  2. REMOVABLE MEDIA

The use of removable media (such as USB storage devices, external hard drives, etc.) is prohibited. If the use is strictly necessary for some activity, the employee must justify it to the responsible manager, who will evaluate the possibility, together with the IT department, of release following the premises and needs set out in this Policy.

  1. EXCHANGE OF INFORMATION WITH CLIENTS AND VENDORS

The exchange of information with clients or vendors must be carried out through secure channels.

  • Always adopt the practice of encryption in communication channels (email with PGP keys, cryptographic keys, encrypted VOIP, SFTP, file managers).
  • Confidential information should not be transferred over unencrypted channels.

  1. ANTIVIRUS USE POLICY

  • Every Korn Traduções device must have the corporate antivirus solution installed.
  • Each and every device that has the antivirus installed will be scanned to check whether or not it is infected.
  • Every day, the antivirus will scan all of the company’s computers looking for malware. This scan will cover the entire device.
  • The IT department is responsible for maintaining the tool and has the autonomy to take proactive measures, if it deems them necessary, to combat or prevent the spread of malware.

CRYPTOGRAPHIC CONTROLS’ USE POLICY

Procedures to ensure the confidentiality, integrity and availability of information through the activation of information security features and the configuration of a secure communication channel must be established and maintained by the IT department. These procedures must contain rules on the effective and appropriate use of cryptographic controls to protect information.

In order to guarantee the integrity and recoverability of information, the implementation of cryptographic controls that have not been approved by the IT department, or that use outdated technology, is prohibited.

Backup Management

To guarantee the integrity of systems and data, the IT department is responsible for the systems that perform backup copies, which are defined in this Policy and in the General Infrastructure and IT Procedures and which guarantee that:

  • Applications and logical information must have data backed up periodically.
  • Backups must be stored in locations other than the production environment.
  • Backups, when transferred or stored on physical media, must be encrypted.
  • Backups must be tested regularly for a maximum period of 6 months, or tested immediately if there is any change in the environment. Tests must be documented for audit.

Intellectual property

All projects, creations, deliverables and innovations created and developed internally or procedures developed by any employee during the course of their employment are the property of Korn Traduções.

Use of electronic mail (email)

The electronic mail provided by Korn Traduções is an internal and external communication tool with professional content regarding the activities carried out by employees. Messages must not compromise the image of Korn Traduções and cannot be contrary to current legislation or ethical principles.

The use of electronic mail is personal and the user is responsible for all messages sent to their address.

Employees are informed that all emails exchanged on Korn computers they use may be tracked and verified.

It is strictly forbidden to send messages that:

  • Contain defamatory statements or offensive language;
  • May cause harm to other people;
  • Are hostile or serve no purpose;
  • Relate to “chain letters”, pornographic content or the like;
  • May harm the image of Korn Traduções;
  • May harm the image of other companies;
  • Are inconsistent with Korn Traduções’ policies.

The rules contained in the Korn Traduções Code of Ethics and Conduct must also be followed.

When a suspicious email is received (suspected phishing, a suspected virus in an attachment, among others), contact a member of the IT team directly (do not forward the email, to avoid spreading the virus) so that IT can access the machine remotely and analyze the suspicious message.

If an email is sent improperly to a recipient, compromising the information security of Korn Traduções and/or its interested parties, immediate communication must be made to the email [email protected] so that the necessary actions can be taken.

Access to personal emails via Korn Traduções’ computers is not permitted.

The email service must observe the following:

  • Emails must be transmitted via an encrypted channel.
  • The email tool must have an anti-spam feature enabled, controlled by both the email service and the antivirus and content-control tools.

Instant Messenger

Only the use of Google Chat via the Korn Traduções login is permitted for internal communication;

Skype is permitted for organizational use only;

Communication with clients and vendors via WhatsApp Business should preferably be done through the application installed on the computer. The use of WhatsApp Business, in both the web and app versions, is monitored by the IT department to track incoming and outgoing files, and it can be blocked according to the security guidelines in force at Korn Traduções.

The use of these applications on the Korn Traduções computer must be exclusively with internal Korn Traduções contacts or with external contacts (clients and vendors) when dealing with matters related to the company.

Other applications are forbidden and, if necessary, it is mandatory to contact the ISMC for validation.

Illegal software and copyright

Korn Traduções respects software copyright and does not allow the use of unlicensed software. The use of illegal (unlicensed) software is strictly forbidden and users are not permitted to install it; the IT department must be contacted for any type of installation (even for software that only needs to be copied and executed).

Periodically, the IT department will inspect data on servers and/or users’ computers to ensure the correct application of this policy. If unauthorized software is found, it must be removed from computers. Those who install such unauthorized software on their work computers are responsible to Korn Traduções for any problems or losses caused as a result of such act.

The IT department maintains evidence of ownership of software use licenses and records of the proper use of the number of licenses ensuring intellectual property rights. This item is applied according to the Asset Inventory item of this Information Security Operational Policy and respective procedures.

Korn Traduções also does not copy all or parts of books, articles, reports or other documents, other than those permitted by copyright law and without due citation of applicable references.

Disciplinary actions may occur if this item is violated and will be applied by the ISMC in accordance with the Sanctions item of this Information Security Operational Policy.

Asset Inventory

Resources must be monitored for capacity, so as to keep up with the growth of the company and of its information. Critical points to be monitored include storage space, space for database growth, and the number of computers and software licenses.

  • All Korn Traduções software and hardware must be inventoried and controlled by the IT department.
  • Installation of any software is not permitted without the consent of the IT department.
  • It is not permitted to hire and use any software for organizational use, in the cloud or desktop, without the consent of the IT department.
  • It is not permitted to purchase or install any equipment or resources without the consent of the IT department.
  • The IT department must have processes for detecting installed software.
  • Assets held by employees and vendors must be controlled. In the event of dismissal or contract termination, the asset must be returned in accordance with the procedure established by the IT department.
  • Software must have its licenses managed and use controlled by the IT department.
  • The inventory must be updated, by the IT department, with each acquisition or disposal.

Disposal, destruction and reuse of equipment and media

All media used in the operation of ISMS processes must be stored and reused securely and destroyed in a secure manner, such as by incineration, shredding or data sanitization. Media disposal can be carried out through a specialized company.

It must be ensured that all sensitive data and licensed software have been securely removed or overwritten:

  • Formatting storage devices for reuse must be carried out using a secure formatting process through data sanitization by an IT professional.
  • Defective or no longer used devices must be destroyed, preventing any data recovery.
  • Confidential or internally used papers must be stored in secure locations and cannot be discarded without first being shredded by a shredder, and it is up to each responsible person to adopt this practice with all documents under their responsibility.

Roles and responsibilities

It is the duty of everyone – employees, interns, young apprentices and service providers at Korn Traduções – to comply with the following obligations:

Employees, interns, apprentices and service providers

It is necessary to classify all information that is owned by Korn Traduções or that is in its custody, in a manner proportional to its value to the company, to enable adequate control of it:

  1. Continuously ensure the protection of Korn Traduções or its clients’ information against unauthorized access, modification, destruction or disclosure;
  2. Ensure that the resources (computer or otherwise) made available to you are used only for the statutory purposes of Korn Traduções;
  3. Ensure that systems and information under your responsibility are adequately protected;
  4. Ensure the continuity of processing of critical information for Korn Traduções’ business;
  5. Comply with laws and regulations that regulate aspects of intellectual property;
  6. Comply with the laws that regulate the activities of Korn Traduções and its operating market;
  7. Consistently select information security mechanisms, balancing risk, technology and cost factors;
  8. Immediately report to the DPO, ISMC or Quality any non-compliance with the Information Security and Privacy Policy and/or Information Security procedures;
  9. Maintain complete confidentiality regarding information obtained as a result of the employment relationship, and any form of transmission and use of this information in relation to third parties or for personal use is prohibited.
  10. Every request for access to IT Resources must be formally documented and justified as to its real need;
  11. Users are responsible for the conservation, integrity, use and information contained in the Mobile Devices they use.

Information Security Management Committee (ISMC)

The Information Security Management Committee (ISMC) is a multidisciplinary group that brings together representatives from different areas of Korn Traduções, appointed by Senior Management, with the aim of defining and supporting strategies necessary for the implementation and maintenance of the ISMS. ISMC meetings are quarterly, for planning and reviewing actions, and there may be extraordinary meetings, when there is a need for urgent deliberation.

The ISMC is responsible for:

  1. Propose adjustments, improvements and modifications to the normative structure of the ISMS, submitting them to Senior Management for approval;
  2. Write the text of information security standards and procedures, submitting it to Senior Management for approval;
  3. Request information from other areas of Korn Traduções, through the Executive Board and managers, in order to verify compliance with information security policy, standards and procedures;
  4. Receive, document and analyze cases of violation of information security policy, standards and procedures;
  5. Establish mechanisms for recording and controlling information security events and incidents, as well as non-conformities with information security policy, standards or procedures;
  6. Notify managers and the Executive Board regarding cases of violation of information security policy, standards and procedures;
  7. Receive suggestions for implementing information security standards and procedures;
  8. Propose projects and initiatives related to improving information security;
  9. Monitor the progress of projects and initiatives related to information security;
  10. Maintain the management of information assets;
  11. Manage business continuity, requesting Business Continuity Plans from the various areas of Korn Traduções and validating them periodically. The Business Continuity Plan must be defined, implemented and tested in order to guarantee the availability of information systems;
  12. Systematically carry out risk management related to information security;
  13. Adopt automated mechanisms, whenever possible, for management, prevention and detection of security events;
  14. Implement mechanisms to protect physical and environmental security in order to prevent damage and unauthorized access to information;
  15. Decide on the authentication and secure access control processes adopted for information systems;
  16. Decide on the use of protection tools against malicious software, viruses, spam, phishing scans and other devices that could threaten the company's information systems.

Directors and Managers

It is up to each manager and director to master all the business rules necessary to create, maintain and update security measures related to the information asset under their responsibility (team or business unit), whether it is owned by Korn Traduções or a client.

Managers and directors can delegate their authority over the information asset, however, the final responsibility for its protection remains theirs.

This role is responsible for:

  1. Participate in the investigation of security and privacy incidents related to information under their responsibility and, when identifying possible problems and/or threats, check possible causes and initiate corrective action procedures when necessary;
  2. Comply with and enforce the information security and privacy policy, standards and procedures;
  3. Ensure that their teams have access to and understanding of the Information Security and privacy policy, standards and procedures;
  4. Proactively suggest to the ISMC information security and privacy procedures related to their areas;
  5. Monitor each corrective action until its completion and critically analyze the corrective actions carried out, to verify their effectiveness and identify any necessary adjustments;
  6. Manage organizational changes in order to guarantee the availability, integrity and confidentiality of information;
  7. Immediately report to the ISMC any cases of violation of the information security and privacy policy, standards or procedures, and any possible corrective actions that require the involvement of the ISMC.

Senior Management

Korn Traduções Senior Management is committed to the information security and privacy management system and must:

  1. Establish the responsibilities and duties of the Information Security Management Committee;
  2. Ensure that the information security policy and purposes are established in a manner compatible with Korn Traduções' strategic guidance;
  3. Promote the onboarding of information security management system requirements into Korn Traduções processes;
  4. Ensure that the necessary resources for the information security management system are available;
  5. Communicate the importance of effective information security management and compliance with the requirements of the information security and privacy management system;
  6. Ensure that the information security management system achieves its intended results;
  7. Coordinate and encourage people to contribute to the effectiveness of the information security and privacy management system;
  8. Promote the continuous improvement of this ISMS; and
  9. Support other relevant management functions as they demonstrate their leadership and how it applies to their areas of responsibility.
  10. Critically analyze, together with the Information Security Management Committee (ISMC), the records and results of the audits carried out at Korn Traduções, including the status of their corrective actions. The audits concerned are listed below.

The analysis must be carried out immediately after the respective audits, and adequate records must be kept both of the analyses and of the correction and improvement actions defined in them.

  • Information System Audit according to the Information Systems Audit Controls process.
  • Internal audit of the QMS and ISMS: this policy, the internal audit item, and the operationalization of the internal audit process are already described in this presentation on the Process Portal.
  • Audit of certification or maintenance of certification of the QMS and ISMS by OCC – Accredited Certification Body.

  11. Request the Quality Management Area to plan audits according to the frequency below:
  • Information System Audit: yearly.
  • Internal Audit: yearly.
  • Certification or certification maintenance audit: according to the audit plan agreed with OCC.

Human Resources Area

The Human Resources Area is responsible for:

  1. Ensure that employees, interns and young apprentices prove, in writing, that they are aware of the normative structure of the ISMS and the documents that comprise it;
  2. For new employees, interns and young apprentices, apply information security training at the beginning of their activities, with their manager being responsible for supervision during this period;
  3. Maintain retraining plans for Korn Traduções' internal standards;
  4. Create mechanisms to inform the most appropriate technical service channel, in advance, of changes to Korn Traduções' functional framework.

Quality Management Area

The Quality Management Area is responsible for:

  1. Consolidate and coordinate the implementation, execution, monitoring and improvement of the ISMS;
  2. Convene, coordinate and provide support for ISMC meetings;
  3. Provide, when requested by the ISMC, information security management information that is being treated jointly with the QMS processes;
  4. Coordinate ISMS critical analysis meetings and monitor the action plans resulting from them;
  5. Facilitate awareness, dissemination and training regarding information security policy, standards and procedures;
  6. Carry out periodic compliance audits and inspections, as well as evaluate effectiveness, monitor compliance with respective action plans and promote continuous improvement;
  7. Develop, together with the People Management area, a training program for employees and contractors in order to raise awareness of each person’s responsibilities in relation to information security;
  8. Inform all employees and contractors about the importance of Information Security and the need to follow the Policy, Standards and Procedures relating to the Information Security Management System (ISMS);
  9. Establish with Senior Management standards and procedures regarding the mandatory disclosure of security events and incidents by all employees, as well as the respective penalties for failure to meet this purpose.

CONTINUOUS IMPROVEMENT

  • Training focused on information security should occur frequently, in order to raise employees' awareness of its importance and to improve existing controls.
  • Consideration should be given to hiring, or benchmarking with, other companies with a view to improving the information security and privacy process.

INTERNAL AUDIT

All information assets under the responsibility of Korn Traduções are subject to audit on dates and times determined by the ISMC. However, if practices that do not respect the guidelines of this Policy are observed, records of problems found may be made and corrective actions will be required.

The carrying out of an audit must be approved by Senior Management and, during its execution, the rights regarding the privacy of personal information must be protected, provided that such information is not stored in a physical or logical environment owned by Korn Traduções or its clients in a way that mixes with, or prevents access to, information owned by or under the responsibility of Korn Traduções.

In order to detect anomalous information processing activities and violations of information security policy, standards or procedures, the IT department may carry out proactive monitoring and control, maintaining the confidentiality of the process and the information obtained.

In both cases, the information obtained may serve as clues or evidence in administrative and/or legal proceedings.

Internal audits are planned with a focus on analyzing compliance with all processes related to the ISMS and the results of previous audits.

Internal audits must be carried out every year by internal or external auditors who are qualified and trained and have knowledge of the ISO 27001 standard and the LGPD. There must be independence, ensuring that auditors do not audit the processes in which they are involved.

External audits must be carried out to maintain the validity of the defined certifications.

Corrective action

When non-conformities are identified in the execution of processes or during internal or external audits, they must be recorded for analysis and processing.

All registered non-conformities must have the cause identified. Actions must be taken to eliminate these causes and the effectiveness of the actions must be verified, according to the Quality Non-Conformity process.

Contact with Authorities

Contacts with authorities are consolidated in the Korn Traduções Communications Plan.

The management of contacts with authorities is the responsibility of People Management, which must consolidate, communicate and publish in a known and accessible Korn Traduções repository the list of periodically updated contacts.

Critical Analysis of the ISMS

Korn Traduções must carry out a critical analysis of the ISMS at least once a year. Such analysis must have the direct participation of Senior Management and must consider:

  a) The result of previous critical analysis actions by the ISMS;
  b) Changes in external and internal issues that are relevant to the information security management system;
  c) Feedback on information security performance, including trends in:
    1) non-conformities and corrective actions;
    2) monitoring and measurement results;
    3) results of internal or external audits of the ISMS; and
    4) compliance with information security objectives;
  d) Comments from interested parties;
  e) The results of the risk assessment and the status of the risk processing plan;
  f) Opportunities for continuous improvement;
  g) Impacts of changes that have occurred or may occur (organizational changes, changes in personal data processing procedures, changes resulting from government decisions, among others).

The outputs of critical analyses should include decisions related to opportunities for continuous improvement and any need for changes to the information security management system.

Korn Traduções must maintain documented information as evidence of the results of critical analyses by Senior Management.

Critical analysis of Technical Compliance

Korn Traduções carries out verification and critical analysis of technical compliance considering:

  1. Carrying out the Information System Audit following the checklist defined in the Information Systems Audit Controls process. The audit is carried out by a qualified IT person, internal or external to Korn Traduções, such as an experienced systems professional, considering that:
    • It is done by a professional independent of the IT area and different from the professional who has already carried out the information systems audit controls process internally;
    • It is executed at least annually;
    • The checklist must be fully completed in all its verification requirements, and the professional, based on his or her experience, must include other verification items as appropriate;
    • The records defined in the checklist, and any others the professional defined, are properly documented and kept in appropriate locations.
  2. If applicable and technically feasible, in view of the risks mapped and raised on the assets of the information security system according to the Risks for the Information Security Management System (ISMS) process, performing penetration testing or vulnerability assessments, considering that:
    • They are done only when the risk analysis, due to its criticality, really requires penetration testing or vulnerability assessments (pen testing, intrusion testing and vulnerability assessments);
    • They are performed by companies or professionals with proven qualifications and with clearly defined procedures for carrying them out;
    • For the pentest to take place, authorization from Senior Management is required, including the scope of the test. The execution of a pen test without due authorization, as provided by law, or outside the previously defined scope is prohibited;
    • The records of the penetration tests or vulnerability assessments performed are properly documented, delivered by the performing professional and kept in appropriate locations. If vulnerabilities are found, recommendations to resolve them must be included in the final report.

Reports

Any non-compliance with this Policy or any suspicions or evidence must be reported to Korn Traduções via email at [email protected] or by correspondence to:

A/C DPO

Classification: CONFIDENTIAL

Address: Av. Nove de Julho, 3384 – conj. 64/65 – Jardim Paulista, São Paulo – SP, 01406-000

Violations and Sanctions

Violations

The following situations are considered violations of information security policy, standards or procedures, and this is not an exhaustive list:

  1. Any actions or situations that may expose Korn Traduções or its clients to financial and image loss, directly or indirectly, potential or real, compromising its information assets;
  2. Improper use of corporate data, unauthorized disclosure of information, commercial secrets or other information without the express permission of Senior Management;
  3. Use of data, information, equipment, software, systems or other technological resources for illicit purposes, which may include violation of laws, internal and external regulations, ethics or requirements of regulatory bodies in Korn Traduções' area of activity or its clients;
  4. Failure to comply with some of the items established in this security policy;
  5. Failure to immediately communicate to the Executive Board or DPO any non-compliance with the Information Security policy, standards or procedures that an employee, intern, young apprentice or service provider may become aware of or witness.

Sanctions

Violation of the information security policy, standards or procedures or non-adherence to the Korn Traduções Information Security Policy is considered serious misconduct, and the sanctions contained in the Korn Traduções Code of Ethics and Conduct may be applied: formal warning, suspension, termination of the employment contract, other disciplinary action and/or civil or criminal proceedings. Sanctions defined by the ISMC may also occur, always respecting current legislation.

The penalties provided for in the Consolidation of Labor Laws – CLT will also be observed and applied.

Information Security Policy for Service Providers

  1. Purposes

The main purpose of this document is to set forth the practices and commitments of all service providers with regard to Korn Traduções' information assets, as well as to raise awareness among service providers about the correct use of the resources provided.

This document also includes a definition of liability regarding the actions of service providers and related disciplinary actions.

1.1 Authors    

The Korn Traduções Service Provider Information Security Policy, as well as any reviews and updates, is the responsibility of the Information Security Management Committee (ISMC).

Any questions regarding the application of this policy, or suggestions for improvements and amendments can be sent to members of the Information Security Management Committee (ISMC) at: [email protected].

1.2 Disclosure and Distribution

This information security policy for service providers must be an integral part of the service provision agreement for all Information Technology service providers to Korn Traduções.

By signing the service provision agreement, the service provider recognizes they are totally familiar with and agree to the guidelines set forth herein.

1.3 Version and Review

This Policy, as well as the Guidelines and General Responsibilities of Service Providers contained herein, may be reviewed, and a new version must be produced, ratified, disclosed and distributed in the following cases:

  • Significant amendment to an information asset covered by this policy;
  • Creation of new information assets relevant to this policy.

  2. Guidelines and General Responsibilities of Service Providers

All service providers are aware of their responsibilities regarding information security in line with the GDPR and undertake to follow this Policy, as well as the documents below, thus signing the commitment regarding Korn Traduções information and guidelines:

  3. INFORMATION SECURITY RULES AND PROCEDURES FOR SERVICE PROVIDERS

The items below describe the security guidelines related to Korn Traduções service providers.

3.1 Intellectual Property

  • Service providers are responsible for ensuring the legal compliance of any and all systems or content used while carrying out the service;
  • Service providers are responsible for the intellectual property of the content of equipment they bring on to Korn Traduções premises;
  • Service providers are responsible for ensuring that the software they install does not breach any kind of copyright law.

3.2 Internet access on Korn Traduções premises

  • Korn Traduções reserves the right to monitor service provider internet access to ensure appropriate use;
  • Korn Traduções reserves the right to block sites it considers inappropriate for the company, with no prior warning;
  • Service providers must only access the internet for the purpose of completing the provision of services to Korn Traduções.

3.3 Mobile Computing

  • Service providers are committed fully to the security of the data of their equipment on Korn Traduções premises;
  • Service providers are responsible for ensuring that the equipment or media they use has up-to-date, legal software with antivirus, and is free from any type of software that could damage Korn Traduções systems and assets.

3.4 Emails

  • Service providers must not, at any time or from any place, send emails to Korn Traduções staff containing content unrelated to work.

3.5 Information Handling Logic

  • Service providers undertake to only process information received from Korn Traduções that is directly related to the service as described in the service provision agreement;
  • Service providers are committed to the total confidentiality, integrity and availability of Korn Traduções information granted to them;
  • Internal disclosure of Korn Traduções information within the service provider company must be formally reported to and agreed on between the parties;
  • Service providers undertake not to transmit any Korn Traduções information via insecure communication channels, such as social media, WhatsApp, etc. that could lead to the leak of such information;
  • Service providers undertake to dispose of Korn Traduções information appropriately and securely at the end of the service or when it is no longer being used (whichever occurs first);
  • Korn Traduções reserves the right to carry out information security audits on their service providers, with prior notice.

3.6 Information Storage Logic

  • If the service provider stores Korn Traduções information, it must do so in a way that is secure, in other words, with access control limited to the service provider;
  • It is prohibited to store data belonging to Korn Traduções on removable media.
  • Service providers also undertake to ensure that Korn Traduções information is not adulterated during storage on media in its possession.

3.7 Access to Korn systems or equipment (On site or remote)

  • Service providers may only access Korn Traduções systems or equipment for support or maintenance when applicable to the scope of the service, and in such cases, access will only be permitted following formal communication;
  • Remote access by all service providers, when applicable to the scope of the service, must use a secure means (VPN/controlled passwords/controlled and monitored access/private or particular access).

3.8 Use of Passwords, applicable to IT service providers

  • Under no circumstances may service providers request, accept or use Korn Traduções staff access passwords;
  • All passwords used by service providers must be specifically created for the related activities as defined and authorized by the Korn IT team.
  • Korn Traduções is responsible for deactivating service provider passwords. Should the service provider identify that the credential is still active following the end of the contract or project, it must request immediate deactivation thereof;
  • Service providers are responsible for the security of the passwords they are given and must immediately inform Korn Traduções of loss or leaks.

3.9 Service Provider Staff

  • Service providers are responsible for informing Korn Traduções immediately of the dismissal of any of their staff who provide a service or possess access credentials to Korn Traduções systems;
  • Service providers must immediately report any change in the list of their staff authorized to provide services to Korn Traduções;
  • All service provider staff who provide services to Korn Traduções recognize they are totally familiar with and agree to the content of this document, as well as the documents described in item 2 above.

3.10 Physical Security

  • Service providers are responsible for returning to Korn Traduções or for disposing appropriately of any information no longer necessary or at the end of the service;
  • Service providers undertake to access Korn Traduções premises only when duly authorized and accompanied by a Korn Traduções employee;
  • Service providers may only access the Korn physical environment following approval from the Korn IT team, and must be accompanied by a Korn employee while carrying out the activity.
  • If, for any reason, Korn Traduções equipment needs to be removed, service providers must fill in a Delivery and Maintenance Instrument prepared by the Korn IT team.
  4. Incidents and Disciplinary Measures

Any breach of the guidelines set forth in this policy is an information security incident and must be duly recorded and analyzed by the Korn Traduções Information Security Management Committee (ISMC).

Following analysis by the committee, disciplinary measures for the service provider will be decided on, pursuant to the legislation in effect, and which may include:

  • Formal or informal warning;
  • Cancellation of the service provision agreement;
  • Legal action or police report.
