INFORMATION SECURITY POLICY

This policy aims to define the purpose, direction, principles, and fundamental rules of information security management, according to the characteristics and needs of the business of Imprensa Nacional – Casa da Moeda (INCM) and its stakeholders.

Applicable to the whole organization including all stakeholders, and entities that maintain any kind of commercial/contractual relationship with INCM (employees, customers, suppliers, service providers) that have access, usage right, or control over the information assets held by INCM and/or the resources associated to them.

All stakeholders must know and act in accordance with this Policy and the other Information Security related documents, as applicable and appropriate.

All covered stakeholders who deliberately violate this policy will be subject to sanctions and other actions, up to and including termination of the contract and/or reporting to the police or judicial authorities situations that suggest the commission of a crime.

The Information Security Policy expresses the considerations of INCM regarding information security on the following aspects:

The management of information security and the systems that support it is carried out ensuring, through an approach based on risk management and continuous improvement, the confidentiality, integrity, and availability of information. In this sense, INCM commits itself to:

1. To ensure the security of the information it holds title to, as well as all resources associated with it, whether procedural, technological, or human.
2. Ensure the establishment and pursuit of the principles described in this policy, as well as its approval, publication, and communication to all relevant collaborators and external entities;
3. Ensure the necessary resources for the operationalization of information security management processes and activities;
4. Ensure the definition, implementation, and revision of the information security management strategy and ensure the correct alignment with the policies and strategic business objectives of INCM;
5. Ensure that the ISMS achieves its intended results;
6. Promote, in a structured and systematic way, continuous improvement.

Defining an information security asset is any resource of value to the organization, these are classified according to their sensitivity to its attributes, namely confidentiality, integrity, and availability, in order to apply the appropriate controls to safeguard them.

Security measures are applied to the use of mobile devices to ensure the confidentiality, integrity, and availability of business information so that it can be accessed (locally or remotely) and/or processed by these devices.

The information assets owned by INCM are used in a way to guarantee its protection, avoiding exposure to Information Security risks with the potential impact to compromise the business continuity of INCM.

The INCM grants its employees and visitors the right to use their own equipment, as long as the internal guidelines are followed.

Suppliers are evaluated in order to guarantee contractual relationships with entities that contribute to obtaining access to materials and services that are suitable for INCM‘s business.

The specifications drawn up by INCM for awarding contracts for the supply of goods or services include aspects that guarantee Information Security, stipulating the supplier’s responsibilities and duties.

Physical and logical access controls are in place that allows the management of identities through user identification and authentication processes and, in turn, allow the implementation of restriction rules based on security criteria.

The different profiles, privileges, and levels of physical and logical access are defined following the Principle of Least Privilege, that is, by assigning the level of access strictly necessary for the user to perform the assigned functions and no more.

INCM implements cryptographic mechanisms to protect logical information from non-authorized accesses.

Information considered sensitive, in physical or digital format, is duly protected whenever it is not in use.

Backup copies are made with a defined periodicity in order to safeguard the information.
Employees and visitors are responsible for backing up the information contained on the equipment under their charge.

Information is exchanged over approved communication channels following the security requirements defined according to your security classification.

Principles of secure information system development are applied at all levels of the system architecture (business, data, applications, and technology) balancing the need for security with the need for accessibility/functional efficiency.

The principles are considered throughout the life cycle of information systems from an evolutionary perspective.

Information security is addressed in project management by identifying possible information security risks associated with the project to be implemented.

Risks arising from various sources of risk to your information assets are identified, analyzed, quantified/qualified.

Events that call into question or have the potential to call into question Information Security commitments are treated as possible security incidents and are handled according to the internal Incident Management process.

Continuity of Information Security is contemplated in business continuity, in such a way that it contemplates the loss of information resources by implementing preventive and recovery controls.

The roles, responsibilities, and authorities to enforce INCM’s commitments are defined by INCM to Information Security.

The Information Security Policy is the responsibility of the CISO – Chief Information Security Officer, who is in charge of monitoring and evaluating the ISMS implementation, reporting to top management on its performance, and ensuring the system’s compliance with the Standard requirements.

The Information Security Policy must be periodically reviewed in order to ensure that it continues to be adequate to INCM and must be communicated to all stakeholders within the scope of their relationship with INCM.

You may contact INCM for all matters related to this policy through the following email address: ciso@incm.pt or send your request by letter to the address Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa.