INFORMATION SECURITY POLICY (Public version)
(Abridged version of INCM's Internal Information Security Policy_v5)

Introduction

Information managed by the INCM, together with its software, systems, applications and networks, is a valuable asset for the organisation. In this context, information security is regarded as a priority, in order to ensure the continuity of the organisation's activity, minimising risks and maximising the performance and delivery of its service. Information security is applied at all stages of the information life cycle, ensuring that a high level of quality and security is maintained in a steady and balanced manner, preventing the materialisation of inherent risks, minimising the potential damage caused by the exploitation of vulnerabilities and by security incidents, and ensuring that the business operates as expected over time.

It is the INCM's belief that information security is a fundamental prerequisite for the success of the services it provides, and it is the responsibility of everyone who has access to information at any given moment, whether employees, suppliers or other entities, to act in accordance with the rules defined and imposed by this policy.

Information Security is supported by an Information Security Management System (SGSI) consisting of a set of policies and procedures that safeguard the essential principles of information, i.e. availability, integrity and confidentiality, in accordance with the relevant business requirements, laws and regulations.

Purpose

This policy aims to define the purpose, direction, principles and fundamental rules of information security management, according to the characteristics and needs of the business of the Imprensa Nacional - Casa da Moeda (INCM) and its stakeholders.

Scope/Target user

This policy covers the entire organisation, including all interested parties: entities that maintain any kind of commercial/contractual relationship with the INCM (employees, customers, suppliers, service providers) and that have access to, right of use of, or control over information assets owned by INCM and/or any associated resources.

All interested parties have access to and act in accordance with this Policy and other Information Security documents, as feasible and appropriate.

Non-compliance

All interested parties who deliberately violate this policy shall be subject to sanctions and other actions, which may extend to the termination of the contract and/or to reporting to the police or judicial authorities any situation that might involve the commission of a criminal offence.

Information Security Policy

The Information Security Policy reflects INCM's commitments regarding the following aspects:

  1. Basic aspects of Information Security
    The management of information security and of its supporting systems is carried out by ensuring, through a risk management and continuous improvement approach, confidentiality, integrity and availability of information. In this context, INCM is committed to:
    1. Ensuring the security of the information it holds, as well as of associated resources, whether procedural, technological or human;
    2. Ensuring the establishment and continuation of principles described in this policy, as well as their approval, publication and communication to all relevant external collaborators and entities;
    3. Guaranteeing the resources necessary for the operationalization of information security management processes and activities;
    4. Ensuring the definition, implementation and revision of the information security management strategy and ensuring the correct alignment with INCM's strategic business policies and goals;
    5. Ensuring that the SGSI achieves the desired results;


  2. Information Classification and Handling
    Any resource of value to the organisation is defined as an information security asset and is classified according to the sensitivity of its attributes, in particular confidentiality, integrity and availability, so that the appropriate means of control can be implemented to safeguard it.

  3. Use of mobile devices and remote access
    Security measures are enforced regarding the use of mobile devices, in order to ensure the confidentiality, integrity and availability of business information that is accessed (locally or remotely) and/or processed by these devices.

  4. Acceptable use of assets

    The information assets owned by INCM are used in a manner that ensures their protection, avoiding their exposure to Information Security risks with the potential to compromise INCM's business continuity.

    INCM grants its employees and visitors the right to use their own equipment, provided that its internal guidelines are followed.


  5. Relationship with suppliers

    Suppliers are evaluated in order to ensure that contractual relations are established with entities that provide access to materials and services appropriate to INCM's business.

    The specifications drawn up by INCM for the award of supply contracts of goods or services comprise aspects that guarantee Information Security, stipulating the responsibilities and duties of the supplier.


  6. Physical and logical access controls

    Physical and logical access controls are implemented allowing the management of identities through user identification and authentication processes which, in turn, allow the implementation of restriction rules based on security criteria.

    The different profiles, privileges and levels of physical and logical access are defined by following the Principle of Least Privilege, i.e. by assigning the access level strictly necessary for the user to perform the assigned functions and no more.


  7. Encryption
    INCM implements cryptographic mechanisms to protect logical information from unauthorised access.

  8. Clean desk and clean screen
    Information regarded as sensitive, whether in physical or digital format, is properly protected whenever it is not in use.

  9. Backups
    Backups are made at pre-defined intervals in order to safeguard information.
    Employees and visitors are responsible for the backup of information contained in the equipment they use.

  10. Information Transfer
    Information is exchanged over approved communication channels, following the security requirements adopted for each security classification level.

  11. Engineering principles and policy for the development of secure information systems
    Principles for developing secure information systems are applied at all levels of system design (business, data, applications and technology), balancing the need for security with the need for functional accessibility and efficiency. These principles are considered throughout the life cycle of information systems, from an evolutionary perspective.

  12. Information Security in Project Management
    Information security is addressed in project management by identifying possible information security risks associated with the project to be implemented.

  13. Risk Management, Incident Management and Business Continuity

    Risks to INCM's information assets arising from various sources are identified, analysed and quantified or qualified.

    Events that breach, or have the potential to breach, Information Security commitments are treated as possible security incidents and are handled in accordance with the internal Incident Management procedure.

    The continuity of Information Security falls within business continuity, in such a way that the loss of information resources is covered by the implementation of preventive and recovery controls.


  14. SGSI Profiles, Responsibilities and Authorities
    The roles, responsibilities and authorities in charge of enforcing INCM's commitments to Information Security are properly defined.

Responsibilities regarding Information Security

The Information Security Policy is led by the CISO (Chief Information Security Officer), who is responsible for controlling and assessing the implementation of the SGSI, reporting to top management on its performance and ensuring that the system complies with the requirements of the Standard.

Maintenance and communication of Information Security Policies

The Information Security Policy is reviewed periodically, so as to ensure that it remains aligned with INCM's goals. It is communicated to all interested parties in the framework of their relationship with INCM.

Change History

Revision nº   Date         Reason
0             12/11/2020   Creation of the External Information Security Policy
1             17/05/2021   Change history introduced

Contact Us

You may contact the INCM for all matters related to this policy at the email address ciso@incm.pt or address your request by letter to: Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa.