INCM

INFORMATION SECURITY POLICY

Introduction

The information managed by INCM, its support processes, systems, applications, and networks are valuable assets to the organization and, in this context, information security must be a priority in order to ensure the continuity of the organization’s activity, minimizing risks and maximizing performance and service delivery.

Information security should be applied in all phases of the information life cycle, ensuring that a high level of quality and security is maintained in a permanent and balanced way, preventing the materialization of inherent risks, mitigating the potential damage caused by the exploitation of vulnerabilities and by security incidents, and ensuring that the business operates as expected over time.

It is INCM's understanding that information security is a fundamental assumption for the success of its services, and that it is the responsibility of all employees, suppliers, or other entities that have access to the information at any given moment to act according to the rules defined and imposed by this policy.

Information Security is supported by a management system, known as the Information Security Management System (ISMS), consisting of a set of policies and procedures that ensure the essential principles of information security, namely availability, integrity, and confidentiality, in accordance with business requirements and with relevant laws and regulations.

Goal

This policy aims to define the purpose, direction, principles, and fundamental rules of information security management, according to the characteristics and needs of the business of Imprensa Nacional – Casa da Moeda (INCM) and its stakeholders.

Scope/Target Public

Applicable to the whole organization, including all stakeholders and entities that maintain any kind of commercial or contractual relationship with INCM (employees, customers, suppliers, service providers) and that have access, usage rights, or control over the information assets held by INCM and/or the resources associated with them.

All stakeholders must know and act in accordance with this Policy and the other Information Security related documents, as applicable and appropriate.

Failure to Comply

All covered stakeholders who deliberately violate this policy will be subject to sanctions and other actions, up to and including termination of the contract and/or reporting to the police or judicial authorities any situation that suggests a crime has been committed.

Information Security Policy

The Information Security Policy expresses the considerations of INCM regarding information security on the following aspects:

    A. Elementary aspects of Information Security:

    The management of information security and of the systems that support it is carried out ensuring, through an approach based on risk management and continuous improvement, the confidentiality, integrity, and availability of information. In this sense, INCM commits itself to:

    1. Ensure the security of the information it holds title to, as well as of all resources associated with it, whether procedural, technological, or human;
    2. Ensure the establishment and pursuit of the principles described in this policy, as well as its approval, publication, and communication to all relevant collaborators and external entities;
    3. Ensure the necessary resources for the operationalization of information security management processes and activities;
    4. Ensure the definition, implementation, and revision of the information security management strategy and its correct alignment with the policies and strategic business objectives of INCM;
    5. Ensure that the ISMS achieves its intended results;
    6. Promote, in a structured and systematic way, continuous improvement.

    B. Information Classification and Handling:

    An information security asset is any resource of value to the organization. Assets are classified according to their sensitivity with respect to the attributes of confidentiality, integrity, and availability, so that the appropriate controls can be applied to safeguard them.

    C. Use of mobile devices and remote access:

    Security measures are applied to the use of mobile devices to ensure the confidentiality, integrity, and availability of business information that is accessed (locally or remotely) and/or processed by these devices.

    D. Acceptable use of assets:

    The information assets owned by INCM are used in a way that guarantees their protection, avoiding exposure to Information Security risks whose impact could compromise the business continuity of INCM.

    INCM grants its employees and visitors the right to use their own equipment, as long as the internal guidelines are followed.

    E. Relationship with suppliers

    Suppliers are evaluated in order to guarantee contractual relationships with entities that provide access to materials and services suitable for INCM's business.

    The specifications drawn up by INCM for awarding contracts for the supply of goods or services include aspects that guarantee Information Security, stipulating the supplier's responsibilities and duties.

    F. Physical and logical access controls

    Physical and logical access controls are in place that allow the management of identities through user identification and authentication processes and, in turn, allow the implementation of restriction rules based on security criteria.

    The different profiles, privileges, and levels of physical and logical access are defined following the Principle of Least Privilege, that is, by assigning the level of access strictly necessary for the user to perform the assigned functions and no more.

    G. Encryption

    INCM implements cryptographic mechanisms to protect logical information from unauthorized access.

    H. Clean desk and clear screen

    Information considered sensitive, in physical or digital format, is duly protected whenever it is not in use.

    I. Backups

    Backup copies are made with a defined periodicity in order to safeguard the information.
    Employees and visitors are responsible for backing up the information contained on the equipment under their charge.

    J. Information Transfer

    Information is exchanged over approved communication channels, following the security requirements defined according to its security classification.

    K. Engineering principles and policy for developing secure information systems:

    Principles of secure information system development are applied at all levels of the system architecture (business, data, applications, and technology), balancing the need for security with the need for accessibility and functional efficiency.

    The principles are considered throughout the life cycle of information systems from an evolutionary perspective.

    L. Information Security in Project Management

    Information security is addressed in project management by identifying the possible information security risks associated with the project to be implemented.

    M. Risk Management, Incident Management and Business Continuity

    Risks to INCM's information assets arising from various sources of risk are identified, analyzed, and quantified or qualified.

    Events that call into question, or have the potential to call into question, Information Security commitments are treated as possible security incidents and are handled according to the internal Incident Management process.

    Continuity of Information Security is addressed within business continuity, in such a way that the loss of information resources is covered by implementing preventive and recovery controls.

    N. ISMS Profiles, Responsibilities and Authorities

    The roles, responsibilities, and authorities for enforcing INCM's Information Security commitments are defined by INCM.

Information Security Responsibilities

The Information Security Policy is the responsibility of the CISO (Chief Information Security Officer), who is in charge of monitoring and evaluating the ISMS implementation, reporting to top management on its performance, and ensuring the system's compliance with the requirements of the Standard.

Maintenance and communication of Information Security Policies

The Information Security Policy must be periodically reviewed in order to ensure that it continues to be adequate for INCM, and must be communicated to all stakeholders within the scope of their relationship with INCM.

Change Control

REVISION NO.   DATE         MOTIVE
0              12/11/2020   Creation of the External Information Security Policy
1              17/05/2021   Change Control Introduction

Talk to us

You may contact INCM for all matters related to this policy through the following email address: ciso@incm.pt, or send your request by letter to the address Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa.
