Information Security Policy
Information security requirements
A clear definition of Sphere IT's information security requirements is agreed and maintained so that all ISMS activity is focused on meeting those requirements. Regulatory and contractual requirements are also documented and fed into the planning process. Specific security requirements for new or changed systems or services are addressed during the development stage of each project.
It is a fundamental principle of the Information Security Management System that the controls implemented are driven by business needs, and this principle is regularly communicated to all employees through team meetings and information documents.
Framework for setting goals
A regular cycle is used to establish information security objectives.
Information security objectives are documented, along with information on how they are achieved. These are assessed and monitored as part of management reviews to ensure they remain valid.
In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard are adopted by Sphere IT where appropriate. These are reviewed regularly according to the results of risk assessments and in accordance with information security risk treatment plans. For details of which Annex A controls have been implemented and which have been excluded, see the Statement of Applicability.
In addition, enhanced and additional controls from the following codes of practice are adopted and implemented where appropriate:
- ISO/IEC 27002 – Information security controls
Continuous improvement of the ISMS
Sphere IT's guidelines for continuous improvement are:
- Continuously improve the effectiveness of the ISMS
- Improve current processes to align with best practices as defined in ISO/IEC 27001 and related standards
- Obtain ISO/IEC 27001 certification and maintain it continuously
- Increase the level of proactiveness (and stakeholder perception of proactiveness) with regard to information security
- Review relevant metrics annually to assess whether it is appropriate to change them, based on historical data collected
- Obtain improvement suggestions through regular meetings and other forms of communication with stakeholders
- Review suggestions for improvement at regular management meetings to prioritize and assess deadlines and benefits
Suggestions for improvements can be obtained from any source, including employees, customers, suppliers, risk assessments and service reports. Once identified, they are recorded and evaluated as part of management reviews.
Information security policy areas
Sphere IT sets policy in a wide variety of information security-related areas. These policies are described in detail in a set of supporting documents that accompany this overarching information security policy.
Each of these policies is defined and agreed upon by one or more people with competence in the area in question and, once formally approved, is communicated to an appropriate audience, both internal and external to the organization.
The table below lists the topic-specific policies within the documentation set and summarizes the content of each policy.
| Policy | Content |
| --- | --- |
| PO8.1 08-20 Change Management (GMUD) Policy | Guidelines to ensure that changes are carried out in a structured and controlled manner. |
| DS5.1 A05-2 Internet Use Policy | Commercial Internet use, personal Internet use, Internet account management, security and monitoring, and prohibited uses of the Internet service. |
| DS5.1 A05-5 Social Media Policy | Guidelines on how social media should be used when representing the organization and when discussing issues relevant to the organization. |
| DS5.1 A05-10 Acceptable Use Policy | Employees' commitment to the organization's information security policies. |
| DS5.1 A05-14 Information Transfer Policy | Guidelines for transferring information in an appropriately secure manner. |
| DS5.1 A05-15 Access Control Policy | Registration and deregistration of users, granting of access rights, external access, access reviews, password policy, user responsibilities, and access control to systems and applications. |
| DS5.1 A05-19 Information Security in Supplier Relationships Policy | Due diligence, agreements with suppliers, monitoring and review of services, changes, disputes, and termination of contract. |
| DS5.1 A05-32 Intellectual Property Policy | Protection of intellectual property, applicable law, penalties, and software license compliance. |
| DS5.1 A05-33 Records Protection Policy | Retention period for specific record types. |
| DS5.1 A05-34 Internal Privacy Policy | Personal data protection requirements, regulations and legislation. |
| DS5.1 A06 HR Information Security Policy | Recruitment, employment contracts, policy compliance, disciplinary process, and termination. |
| DS5.1 A06-7 Remote Working Policy | Information security considerations when establishing and managing a remote work site and arrangement, e.g. physical security, insurance and equipment. |
| DS5.1 A07-5 Physical and Environmental Security Policy | Guidelines for secure areas, security of equipment and physical documents, and equipment lifecycle management. |
| DS5.1 A07-7 Clear Screen and Clear Desk Policy | Security of information displayed on screens, printed, or held on removable media. |
| DS5.1 A08-1 Mobile Device Use Policy | Care and security of mobile devices such as notebooks, tablets and smartphones. |
| DS5.1 A08-7 Anti-Malware Policy | Firewalls, antivirus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerting, technical analysis, and malware incident management. |
| DS5.1 A08-8 Technical Vulnerability Management Policy | Definition of vulnerabilities, sources of information, patches and updates, vulnerability assessment, hardening, awareness training, and vulnerability disclosure. |
| DS5.1 A08-13 Backup Policy | Backup cycles, cloud backups, offsite storage, documentation, and recovery and protection tests. |
| DS5.1 A08-16 Logging and Monitoring Policy | Settings for event collection (logs), log protection, and log review. |
| DS5.1 A08-19 Software Policy | Purchasing software, registering, installing and removing software, in-house software development, and using software in the cloud. |
| DS5.1 A08-20 Network Security Policy | Network security design, including network segregation, perimeter security, wireless networks and remote access. Network security management, including roles and responsibilities, logging, monitoring, and changes. |
| DS5.1 A08-24 Cryptography Policy | Risk assessment, technique selection, deployment, testing and review of cryptography, and cryptographic key management. |
| DS5.1 A08-25 Secure Development Policy | Specification of business requirements, systems design, software development, and testing. |
Application of information security policy
The policy statements made in this document and in the set of supporting policies listed above have been reviewed and approved by Sphere IT management and must be complied with. An employee's failure to comply with these policies may result in disciplinary action being taken in accordance with the current Disciplinary Process.
Version: March 2025
Talk to our team
+55 11 4178-8811
sphere@sphereit.com.br
Address: Rua José Versolato, 111 - 18th Floor - São Bernardo do Campo