Privacy and Security Policies

Privacy Policy

  1. Declaration of Data Privacy

Korn Traduções (“Korn” or “we”) cares about respecting and protecting your privacy.

This Privacy Policy (“Privacy Policy”) is applicable to all employees, service providers, partners, and clients and is intended to present the guidelines defined and applied by Korn in the processing of your personal information.

This Privacy Policy covers, among other things, every collection and/or processing of personal information through several channels, such as websites, applications, social networks, sales, and events, as well as the processing of data provided by partners, clients, and service providers for the provision of services.

 

Our Privacy Policy is based on the ethics and values followed by Korn and complies with the Brazilian General Personal Data Protection Law (LGPD – Law no. 13.709/2018) and the Civil Rights Framework for the Internet (Law no. 12.965/2014), which set out the principles, guarantees, and duties for the use of the Internet in Brazil.

Please read this Privacy Policy carefully to understand how and for what purpose your Personal Data may be collected by Korn. This Privacy Policy must be interpreted jointly with, and in accordance with, any other document, contract, or privacy clause that accompanies it. Korn acts as the controller of your Personal Data; that is, it is incumbent upon us to make the decisions related to the Processing of your Personal Data.

By selecting the acceptance field of the Privacy Policy, you declare that you accept and consent to the information provided herein.

 

  2. Personal Data, Collection Means, and Purpose of the Processing

“Personal Data” means information about an identified or identifiable individual. Examples of Personal Data include full name, occupation, identification document, address, email, telephone number, education degree, IP address, geolocation, and vehicle information, among others.

“Processing” means every operation performed with Personal Data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, assessment or control of information, modification, communication, transfer, diffusion, or extraction.

“Subject” means the natural person to whom the Personal Data undergoing Processing relates.

Depending on the type of Subject (employee, service provider, partner, or client) and the manner in which the Subject interacts with Korn, several categories of information are collected, such as:

  • Personal contact information: any information provided for purposes of contact, such as name, mailing address, email, business address, social network information, and telephone number.

 

  • Account login information: any information needed to grant access to a specific account profile for the use of our services. Examples include email address, user name, password (stored only in a non-recoverable, hashed form), and/or security questions and answers, among others.

 

  • Technical information on the computer/mobile device: any information on the computer system or other device that you use to access our web pages, our services, or our applications, the IP address used to connect your computer or device to the Internet, the type of operating system and the type and version of the web browser, among other browsing information.

 

  • Financial and payment information: necessary information to perform orders/agreements/invoicing/collections/payments/reimbursements. Korn certifies that its payment processing service ensures conformity of the financial and payment information with the applicable security laws, rules, and standards.

 

  • Sensitive Personal Data: whenever there is a need to collect and process Sensitive Personal Data for any reason, your prior and express consent will be requested. If Sensitive Personal Data needs to be processed for other purposes, such processing will rest on a legal basis provided for by law, and Korn will notify the Subject in advance.

 

  • Personal Data of Children and Adolescents: whenever there is a need to collect and process Personal Data of children and adolescents (such as information on health care plans and other benefits or obligations), explicit consent from a parent or guardian will be requested.

 

2.1. Purpose of the Personal Data Processing

The Processing of your Personal Data may be performed by Korn on several legal bases: your consent, where applicable; a legal, regulatory, or contractual obligation; or another basis provided for by law. Korn may request that you provide your consent in writing, or through any other means that records it, whenever necessary.

Your Personal Data is collected to enable and/or improve the translation services that Korn was engaged to provide, as well as for:

  1. Identification and/or offering of relevant content based on a preference and/or interest expressed by you to Korn, including without limitation newsletters, events, invitations, reminders, and thank-you notes, among others;
  2. Performance of client relations and service activities;
  3. Composition of a database of Korn’s suppliers and service providers;
  4. Composition of a database of job and internship applications and of service providers to Korn;
  5. Conduct of recruiting, hiring, and training processes to meet our labor obligations to professionals/employees;
  6. Composition of databases of employees, Alumni members, committees, and other groups;
  7. Registration of service providers and execution of related agreements;
  8. Conduct of internal operations (financial, accounting, labor, among others), problem solving, data analysis, and data integration and consolidation;
  9. Sale of products and/or services;
  10. Risk management and detection, prevention and/or remediation of fraud or other potentially illegal or forbidden activities, as well as violations of policies, agreements, or applicable terms of use;
  11. Protection, defense, and management of Korn’s interests;
  12. Performance of environmental and social projects and activities;
  13. Compliance with the applicable legislation;
  14. Notice of any changes in the Privacy Policy;
  15. Fulfillment of any other request from you to Korn.

 

2.2. Types of Data Collected from the Website and Registration Methods

Korn collects Personal Data through online forms or physical means when you, for instance, enroll in an event, send information to apply for a position, or fill out a contact form on the website.

When you register or send information to Korn, we generally request data such as your name, email, telephone number, position, and company. In addition, other personal information may be received through résumés you send when applying for a position, through third parties, such as the company you work for, or from public sources.

 

2.3. Internet Browsing Data

When you access our website, we collect standard internet log data and usage patterns. Korn does this to gather information such as the number of visitors to the different parts of Korn’s website.

We use analytics tools that help us analyze the access to and use of our website. These tools use “cookies”, which are text files placed on your computer, to collect standard internet log information and visitor behavior anonymously, always for the purpose of assessing how visitors use the website and compiling statistical reports on the activity on Korn’s website. If you would like to know more about cookies, including how to control them, see https://www.allaboutcookies.org/

Korn’s pages or services may also use other tracking technologies, including IP addresses, log files, and web beacons, which also help us adapt Korn’s website to your needs.

 

  3. Data Storage and Retention

Korn may store your Personal Data for the time needed to meet the purposes mentioned in this policy and applicable laws and regulations, as the case may be. For determination of the method and duration of the Processing of your Personal Data by Korn, the nature of your Personal Data provided to Korn and the purpose of the Processing will be considered. Once this purpose is met, your Personal Data will be deleted.

Certified translations, also known as sworn translations, are public documents and cannot be discarded. Certified translators must keep a copy of each translation made and record it in the Registry of Commerce of the state in which they are enrolled (Decree no. 13.609/43 and Resolution of the Registry of Commerce of each State).

The elimination of data and information, when necessary, will be made through established physical or electronic elimination procedures, subject to the existing legislation and in such manner as to eliminate all evidence and copies in possession of Korn.

 

  4. Personal Data Sharing

Korn will not sell your Personal Data, but may share or transfer it to third parties, in Brazil or abroad, to meet the purposes set out in this policy and to comply with court orders or decisions of any other competent authority, according to the applicable legislation. Accordingly, Korn may share with or transfer your Personal Data to third parties, within or outside Brazil, in the following events:

  • The services provided by Korn require the support of a technological infrastructure that may be established outside Brazil, such as cloud servers and services, which may be owned or provided by third parties, IT systems providers, or providers of services related to payroll and human resources, among others;
  • Banks, exclusively for contractual or labor transactions;
  • Business partners with which Korn keeps cooperation agreements or alliances, which will be made aware of, and undertake, the responsibilities and commitments regarding Personal Data privacy agreed in specific contractual clauses. By authorizing a quotation, you consent to Korn Traduções sending, whenever necessary, your personal data, or any personal and/or sensitive data contained in the documents you send, to partner professionals located outside Brazil for the sole purpose of fulfilling your request for translation services in the best manner. Only the data needed to perform the requested activities will be sent, ensuring the rights, principles, and safeguards set out by the LGPD; and
  • Administrative and judicial authorities that, in the performance of their authority, require such information.

For cases not provided for above that call for Personal Data sharing, the express authorization (consent) will be requested from the Personal Data Subject through a notice with information on the sharing.

In all events, Korn undertakes to share only the Personal Data needed for the performance of the respective purpose or meeting the respective specific order, as the case may be.

 

  5. COVID-19 – Item Applicable to Employees and Visitors

By virtue of the Covid-19 contagion prevention and control measures, Korn and/or the building where it is located may also collect personal information from its employees, service providers, and visitors, such as health history in relation to Covid-19, information on the workplace and body temperature, among others.

 

  6. Cross-Border Processing

The services provided by Korn require the support of a technological infrastructure that may be established outside Brazil, such as cloud servers and services, which may be owned or provided by third parties. In addition, for the performance of its activities, Korn may have to share your Personal Data with third parties outside Brazil.

In such events, Korn ensures that it will only engage third parties that meet the highest security standards and apply at least the same level of Personal Data protection provided for in the Brazilian legislation.

 

  7. Security

Korn and the third parties with which your Personal Data may be shared follow the security standards required for prevention and remediation of unauthorized access to Personal Data, employing the applicable means and recommended security standards to protect it, to the extent technically and operationally feasible.

 

  8. Links to Third Parties’ Websites

Korn may offer links for forwarding to third parties’ websites for purposes of improving your browsing experience, information, or service provision.  Korn clarifies that this Privacy Policy does not apply to Personal Data provided by you to any companies, individuals and/or organizations other than Korn. Such natural or legal persons may adopt different policies related to privacy and information of Personal Data collected by them and processed in any other manner.

Korn recommends that you check the privacy policies of such persons and/or third parties’ websites prior to providing your Personal Data.

 

  9. Rights of the Data Subject

Korn respects your privacy and cares about providing the necessary channels to enable you to exercise your rights and receive proper, clear, and transparent information on the use and processing of your Personal Data. Therefore, any request to correct incomplete, inaccurate, or outdated data and/or to delete data provided to Korn, including Personal Data, should be made by email to [email protected]

The request will be analyzed and, if it does not entail the interruption of the service provided by Korn and does not fall within one of the cases in which data must be retained, it will be carried out. Should it entail the interruption of the service, your relationship with Korn will be terminated, but the obligations resulting from the services already provided will remain valid; in that event, your information and Personal Data will continue to be used and processed by Korn and/or authorized third parties until the needs or purposes set out in this Policy are met.

In addition to the correction and deletion of Personal Data, you may also exercise the following rights upon request to Korn by email to [email protected]

  • confirmation on whether the processing of your Personal Data is performed by Korn and/or authorized third parties, including after termination of your relationship with Korn;
  • obtaining information on which Personal Data is stored and otherwise processed by Korn;
  • information on the public and private entities with which Korn shared the data;
  • request the correction of incomplete, inaccurate, or outdated data;
  • information on the possibility of not providing consent and on the consequences of the denial when Korn requests your consent for Personal Data processing in some specific situation;
  • revocation of the consent when Korn requests your consent for Personal Data processing in any specific situation; and
  • notice to Korn that you disagree with your Personal Data processing with an explanation of the reasons for refusal, for analysis of the case by Korn.

For security purposes, Korn may request additional data or information to confirm the Subject’s identity and authenticity in case of requested exercise of such rights.

The Subject may contact the company through an email to [email protected]ções.com.br.

 

  10. Communication: Change, Cancellation, or Doubts about this Privacy Policy

If you wish to access, change, or delete your Personal Data provided to Korn or exercise any of your rights as Data Subject, contact us through email to [email protected] We will take the required measures and/or reply to the email within a reasonable period, according to Korn’s technical and operational feasibility. Korn may also request you to update your Personal Data periodically.

If you disagree with this Privacy Policy, wish to delete any Personal Data processed by Korn or obtain clarifications on the application of this Privacy Policy and your rights, contact us by email to [email protected] We will be happy to clarify any doubts and/or meet your request.

Lastly, if you received communication from Korn and did not intend to receive it, notify us through the link “Unsubscribe” or send an email to [email protected]

Korn aims to answer all of the requests above as soon as possible.

 

  11. Data Protection Officer

Korn is headquartered in São Paulo – Brazil. The contact information for Korn’s Data Protection Officer is:

Av. São Gabriel, 201, conj. 1403

São Paulo – São Paulo, 04532-080

[email protected]

 

  12. Changes in this Privacy Policy

All Personal Data processed by Korn will be in conformity with this Privacy Policy and the above-mentioned purposes.

Korn reserves the right to change this Privacy Policy in full or in part at any time. The date of the latest update will be inserted in the revised Policy, as indicated below.

Refer to this Privacy Policy periodically for any changes. The use of Korn’s website or provision of Personal Data through any other means presumes your consent to this Privacy Policy.

 

  13. Revision and Approval of this Policy

This Policy may be revised every two years or at any time, as needed or desired by Korn, according to the approval cycle of the involved areas and authorities. An updated version of this Policy will be made duly available on this page as soon as it is completed.

Information Security Operational Policy

INTRODUCTION

Korn Traduções, seeking to establish a long-lasting and trusting relationship with its clients, employees, and service providers, and aiming to meet the needs of its clients with excellence, confidentiality, integrity, and availability, is committed to the protection of the information it owns and uses in the provision of its services.

The setting up of an Information Security and Privacy Management System is a commitment by the senior management of Korn Traduções, focused on:

  • Ensuring confidentiality, integrity, and availability of the information owned by Korn Traduções or that is used by it, for purposes of ensuring the continuity of the processes and quality in the provision of its services.
  • Ensuring compliance with the current legislation and contract requirements.
  • Promoting its employees’ qualification.
  • Carrying out continual improvement of the Information Security and Privacy Management System.

This Policy is endorsed and supplemented by the Privacy Policy, Code of Ethics and Conduct, Confidentiality Agreements, and Amendment to the Employment Contract – Change from Office Working to Partial or Full Home Working.

Scope

This Policy applies to all employees and third parties who are users of the resources and information of Korn Traduções.

Applicable Legislation

The Information Security policy, guidelines, and standards are correlated with, but not limited to, the following laws:

  • Federal Constitution;
  • Consumer Protection Code;
  • Federal Law no. 8.159, dated January 8, 1991 (on the National Policy on Public and Private Archives);
  • Federal Law no. 9.610, dated February 19, 1998 (on Copyrights);
  • Federal Law no. 9.279, dated May 14, 1996 (on Trademarks and Patents);
  • Law no. 3.129, dated October 14, 1882 (Regulates patent grants to authors of inventions or industrial discoveries);
  • Federal Law no. 10.406, dated January 10, 2002 (Establishing the Civil Code);
  • Decree-Law no. 2.848, dated December 7, 1940 (Establishing the Penal Code);
  • Federal Law no. 9.983, dated July 14, 2000 (Amends Decree-Law no. 2.848, dated December 7, 1940, the Penal Code, and makes other provisions);
  • Law no. 12.965, dated April 23, 2014 (Civil Rights Framework for the Internet);
  • Federal Law no. 13.709, dated August 14, 2018 (Brazilian General Personal Data Protection Law – LGPD);
  • Anticorruption Law (Law no. 12.846, dated August 1, 2013);
  • Law no. 10.097/2000 and Decree no. 9.579, dated November 22, 2018, regarding the Apprenticeship Law and the employment of minors.

It is the responsibility of Korn’s senior management, together with the internal departments involved, to review and update the records of applicable legislation and take the appropriate actions, when applicable.

Other stakeholders in Korn’s chain of operations (clients, service providers, legal third parties, subcontractors, among others), according to scope and applicability, must comply with the legislation applicable to them.

 

Terms and Definitions

For the purposes of this Policy, the following terms and definitions shall apply:

  • Risk acceptance: decision to accept risk.
  • Critical areas: Korn Traduções’ facilities or those of its clients where an information asset related to critical information for the business of the company or its clients is located.
  • Threat: a potential cause of an undesired incident that may result in damage to a system or organization.
  • Risk analysis: the systematic use of information to identify sources and estimate the risk.
  • Risk assessment: the process that compares the estimated risk with predefined risk criteria to determine the relevance of the risk.
  • Remediation action: action to eliminate the cause of an identified nonconformity or other undesirable situation.
  • Attack: attempt to destroy, expose, change, disable, steal, or obtain unauthorized access or make unauthorized use of an asset.
  • Asset: any component, resource, or set thereof, applicable to preserving the confidentiality, integrity, and availability of data and information (hardware, software, infrastructure, persons with knowledge thereof, etc.).
  • Information asset: knowledge or data of value to the company.
  • Authenticity: property that ensures authorship of certain data.
  • ISMC: Information Security Management Committee, a multidisciplinary group composed of representatives from several areas of the company, approved by the Senior Management, for purposes of defining and supporting strategies needed for the implementation and maintenance of the Information Security Management System – ISMS.
  • Risk communication: exchange or sharing of information on risks between decision-maker and other stakeholders.
  • Reliability: characteristic of consistent behavior and desired results.
  • Confidentiality: characteristic of information that is not available or disclosable to unauthorized individuals, entities, or processes.
  • Control: risk management resources, including policies, procedures, manuals, practices, or organizational structures, which may be of administrative, technical, management, or legal nature.
  • Access Control: resources to ensure that access to assets is authorized and restricted, based on security and business requirements.
  • Risk criteria: reference terms to assess the relevance of the risk.
  • Personal data: any information associated with an identified or identifiable individual provided by Korn Traduções and/or accessed on its behalf, and/or related to the status of individual connected to Korn Traduções, including, but not limited to, name, address, telephone number, email, bank information.
  • Sensitive data: personal data on racial or ethnic origin, religious beliefs, political opinions, membership in trade unions or organizations of a religious, philosophical, or political nature, data on health or sex life, genetic or biometric data, when related to an individual.
  • Declaration of applicability: documented declaration describing the control objectives and controls that are pertinent and applicable to the company’s ISMS.
    • Note: the control objectives and controls are based on the results and conclusions of the risk analysis/assessment and risk treatment processes, on legal or regulatory requirements, contractual obligations, and the company’s business requirements for information security.
  • Availability: characteristic of what is accessible and usable upon demand by an authorized entity.
  • Information security event: an identified event of a system, service, or network status indicating a possible violation of the Information Security and Privacy Policy or control failures, or a previously unknown situation that may be relevant to information security.
  • Risk management: coordinated activities to direct and control a company in relation to risks.
  • Critical information for Korn Traduções’ business: every information that, in case it is the target of access, change, destruction, or unauthorized disclosure, will result in operating or financial losses to Korn Traduções or its clients. Example: client data, system sources, business rules, client’s strategic or business information obtained in meetings, Korn Traduções’ strategic planning, prospects, strategic information.
  • Impact: adverse change in the business objectives.
  • Information security incident: a single or series of undesired or unexpected information security events that are highly likely to compromise the business operations or threaten information security.
  • Integrity: asset accuracy and completeness.
  • Mitigation: limitation of the negative consequences from a certain event.
  • Non-repudiation: capacity of proving the occurrence of an alleged event or action and the entities that caused it, in order to settle disputes on the occurrence or not of an event or action and the involvement of the entities in the event.
  • Risk: combination of the probability of an event and its consequences.
  • Information security risk: the possibility of a threat to exploit the vulnerability of an asset or group of assets and, thus, cause damage to the company.
  • Residual risk: risk remaining after risk treatment.
  • Information security: preservation of the information confidentiality, integrity, and availability.
    • Note: additionally, other characteristics, such as authenticity, responsibility, non-repudiation, and reliability may also be involved.
  • Management system: associated policies, procedures, manuals, and resources to meet the company’s objectives.
  • Information Security Management System – ISMS: the part of the overall management system, based on a business-risk approach, used to establish, implement, operate, monitor, review, maintain, and improve information security.
  • Risk treatment: process to select and implement measures to change the risk.
  • Vulnerability: weakness of an asset or control that may be exploited by a threat.

 

DOCUMENTED INFORMATION

Normative Framework

The documents that compose the normative framework are divided into five categories:

  1. Policy (strategic level): defines the high-level rules that represent the basic principles that Korn Traduções decided to incorporate into its management according to the strategic vision of the senior management. It serves as the basis for the operational policies and procedures to be created and detailed.
  2. Operational policy: composed of this document, defines specific rules that guide and regulate responsibilities and actions at the operational level.
  3. Procedures (operational level): give effect to the provisions of the policy, allowing their direct application to Korn Traduções’ activities.
  4. Manuals: instruction manuals supporting the performance of a process or use of software.
  5. Templates: templates of documents and controls under version control.

All processes and templates are available in the Process Portal, and the records are in the documents repository of Korn Traduções. Every documented information that evidences the execution of a process must have its storage under control, aiming at its prompt recovery.

Area managers must submit new documents or revisions for approval by the senior management before they are made available, according to the Documented Information process, which is part of Quality.

Printed copies of the contents of Korn Traduções’ Process Portal are not deemed valid and are prohibited.

The documents that are part of the structure must be disclosed to all employees, interns, apprentices, and service providers of Korn Traduções upon hiring through the company’s official internal disclosure means in accordance with the Korn Traduções Communication Plan, and can be made available through the HR management software in effect, through the Process Portal, and through the repository of shared documents, so that their contents may be consulted at any time.

Every change made to the Information Security and Privacy Policy shall be passed on to the CEO or to the Senior Management for approval. After its approval, the policy may be disclosed and employees trained.

Information Classification

All information owned by Korn Traduções or under its custody must be classified, in proportion to its value to the company.

Information composing the ISMS is to be classified as:

  • Confidential – information that, if disclosed internally or externally, could lead to substantial financial or reputational losses to Korn Traduções. It may be protected, for instance, by cryptography.
  • Restricted – strategic information that must be available only to restricted groups of employees. It is stored in files with restricted access on the network drive and behind the different access levels in Korn Traduções’ systems and Portal.
  • Internal – information that cannot be disclosed to persons outside Korn Traduções but whose disclosure, should it occur, does not lead to substantial losses. The concern at this level is mainly the integrity of the information.
  • Public – information that does not require specific protection against disclosure, as it may be of public knowledge.

Information related to Korn Traduções’ employees, financial area, and client information (registration data and documents) is always considered restricted, with access granted only to persons who have a need to know in order to perform their activities and provide the contracted service. To enable adequate control of information, the access levels described in the General Infrastructure and IT Procedures must be used.

INFORMATION SECURITY GUIDELINES

Below are the Information Security and Privacy Policy guidelines of Korn Traduções, which represent the main pillars of the company’s information security management, guiding the preparation of rules and procedures.

Protection of information owned by Korn Traduções or under its custody is deemed necessary, being an underlying factor in the professional activities of each employee, intern, apprentice, or service provider of the company:

  1. The employees must have proactive conduct in relation to the protection of information owned by Korn Traduções and must be attentive to external threats, as well as to fraud, information theft, and undue access to information systems under the responsibility of Korn Traduções.
  2. Confidential matters must not be exposed publicly.
  3. Passwords, keys, and other resources of personal nature are deemed non-transferable and cannot be shared and disclosed.
  4. Only certified software may be used in the computer environment of Korn Traduções.
  5. Printed documents and files containing confidential information must be stored and protected. Disposal must be done according to the applicable legislation and in compliance with the disposal procedure.
  6. All data deemed indispensable to Korn Traduções‘ business must be protected through backup routines and submitted to periodic recovery tests.
  7. Access to Korn Traduções‘ facilities must be controlled, with the application of the principles of integrity, confidentiality, and availability of the information stored or handled therein, ensuring traceability and effectiveness of the authorized access.
  8. The logical access to the computer systems made available by Korn Traduções must be controlled, with the application of the principles of integrity, confidentiality, and availability of the information, ensuring traceability and effectiveness of the authorized access.
  9. All creations, codes, or procedures developed by any employee, intern, apprentice, or service provider during their relationship with the company are the property of Korn Traduções.
  10. The use of photographic cameras, video or audio recorders, or other recording equipment, such as cameras in mobile devices at Korn Traduções‘ facilities is prohibited, except where authorized by the senior management. It is strictly forbidden to take pictures or record computer screens, either in the office or while working from home.
  11. Installation of printers on Korn Traduções’ computers is not allowed, except where authorized by the senior management. Accessing printers already installed in the office must also be authorized by the senior management upon request from the manager.
  12. Employees working from home shall always perform their activities at the address provided to Korn Traduções, through a private, password-protected internet connection. Performing activities at another address, which entails transporting the hardware and connecting to another network, is strictly forbidden, except upon authorization from the senior management and after notification of the new address, the need, and a risk analysis. Korn Traduções' data and systems must never be accessed through a public network (airports, restaurants, etc.).
  13. The computers provided by Korn Traduções to employees, interns, and apprentices for the performance of their activities are to be used exclusively for activities related to Korn Traduções and cannot be used for personal activities. When authorized by the senior management, the computers may be used for online training, lectures, or webinars. Apprentices are allowed to attend classes through the formal platform of the institute responsible for their hiring; however, research on the Internet and storage of files are strictly forbidden.
  14. It is not permitted to connect private mobile devices (laptops, tablets, among others) to Korn Traduções' main network, either by cable or by Wi-Fi. Where necessary, such a connection may be allowed only with prior authorization from senior management. For clients, a separate Wi-Fi network for visitors can be provided, with no connection to the internal network.

It should be stressed that the situations provided for in this Policy are not exhaustive, and other situations related to the use of equipment at the workplace or doubts regarding information security may happen.

As to these situations not expressly provided for in this Policy and/or in the other Policies and in our Code of Ethics and Conduct, Korn Traduções relies on the common sense of its employees and, should any doubts remain, the IT and HR/People Management departments can always be contacted to answer any questions through the emails [email protected] and [email protected].

 

Information Security Risk Assessment

The ISMS management of Korn Traduções shall identify and classify the company's information security risks by mapping vulnerabilities, threats, impacts, and likelihood of occurrence, and shall adopt controls that mitigate these risks together with those in charge of the assets to which the risks are associated.

Required Competencies for Information Security

Those directly in charge of the ISMS management must have the competencies required to perform their duties at Korn Traduções appropriately, thus ensuring the success of the ISMS. To that end, Korn Traduções must:

  1. Ensure that these persons are competent on the basis of appropriate education, training, or experience;
  2. Retain adequate documented information as evidence of competency.

PHYSICAL ENVIRONMENT

Access to the physical environment of Korn Traduções is controlled and monitored. Visitors and service providers must stay at the reception room and meeting room, where necessary, and access to all other environments is restricted.

Entry of employees and service providers outside working hours is not allowed, except where strictly necessary and upon prior authorization from the senior management, and third parties must always be escorted by an employee of Korn Traduções.

Every detail regarding control of access to Korn Traduções facilities, protection against external threats, alarms, utilities (electricity, water, air conditioning, etc.) is described in General Infrastructure and IT Procedures.

Service Providers

Contracts entered into with service providers that may have access to confidential information and personal data must contain information security and confidentiality clauses. Service providers that are critical to information security and work directly with Korn Traduções receive training on the guidelines set out in this policy.

CLEAN DESK AND CLEAN SCREEN POLICY

All employees, interns, and apprentices acting on behalf of Korn Traduções must be aware of and follow the advice and guidelines included in this policy, which must be complied with both when working at Korn Traduções' office and when working from home.

The purpose of this Clean Desk and Clean Screen Policy is to ensure that data and information, both in digital and physical format, and assets, whether tangible or not, are not left unprotected at the workplace when they are being used or when someone leaves the workplace for a short period or during break times (lunch, meetings, etc.), or at the end of working hours.

The employees, interns, and apprentices must:

  • Use the assets of Korn Traduções, internally or externally (at home or at a client’s office), with care, to ensure their preservation and proper operation.
  • Block workstations when leaving or being absent from the workplace to prevent unauthorized access.
  • Never leave printed documents on the desk unnecessarily. When not in use, they must be stored in locked cabinets or drawers, especially outside working hours.
  • Not leave cabinet or room keys in unprotected places or places to which unauthorized persons may have access.
  • Not keep folders with sensitive, confidential, or strategic documents or documents containing personal data at places of easy access.
  • Keep sensitive or critical information for Korn Traduções' business in a safe place (locked cabinets or, where digital, folders with restricted access).
  • Not write down or leave confidential or sensitive information on bulletin boards or visible places.
  • Not leave notes, messages, and reminders at sight on the desk or stuck on walls, partitions, boards, or computer keyboards and screens, including, but not limited, to: access or screen unblocking passwords, telephone numbers, email addresses of clients or contacts, confidential information, among others.
  • Destroy printed documents before their disposal. Whenever possible, use the shredding machine or, for large quantities, a company specialized in disposal and recycling. In the latter case, the process must always be monitored by a Korn Traduções employee to ensure the proper destruction of the information.
  • Not print documents only to read them. Read them preferably on the information assets' screens. Follow a paperless culture, as it lessens information security risk and benefits the environment.
  • In case printing is needed, remove the documents with personal, sensitive, or confidential information from the printer immediately.
  • In case a scanner or image copying equipment is used, remove the document to be copied immediately after use.
  • Place the desks and furniture in a manner that confidential and sensitive data cannot be viewed from windows, corridors, pathways of persons nearby or who have a view of the assets with data and information, such as screens and papers on desks.
  • At the end of working hours and during long absences, keep the workplace clean and organized, documents stored, drawers and cabinets locked, and computers or mobile devices, especially those connected to the network/internet, off. While using the equipment, close applications or services which are not in use for carrying out the current activities.
  • Discard information left at meeting rooms (erase boards, shred papers or other resources used during the meeting).
  • Not consume food or drink at the workstation (in the office or when working from home), to avoid damage or wear to equipment and documents, as well as spills.

 

Cases not provided for or omitted in this policy shall be forwarded to the IT department.

INFORMATION TRANSFER POLICY

  • Employees of Korn and external parties that process or have access to Korn's assets, information, and related personal data must be notified of and made aware of the applicable information security requirements.
  • The procedures set out by Korn on security, access control, software use, antivirus, storage, and termination of data and information processing must be followed by all involved parties, including employees and service providers/outsourced workers, as applicable.
  • Confidentiality Agreements regarding data and information, including data privacy, are executed between the parties, with employees and service providers/outsourced workers.

 

MOBILE DEVICE USE POLICY

The purpose of this policy is to set up rules on the use of mobile devices to ensure Information Security and compliance with the legislation.

Mobile device means any electronic equipment with mobility features, such as notebooks, tablets, and mobile phones, owned by Korn Traduções or, in the case of mobile phones used in the performance of professional activities related to the company with the approval of the senior management, by third parties.

  • All mobile devices provided by Korn Traduções must be registered and configured with a unique identification, minimum security standards, and one user responsible for their use.
  • Mobile devices provided must be used solely and exclusively by users who undertook responsibility for their use.
  • Private cell phones authorized for use in activities to Korn Traduções must meet the security requirements informed by the IT department.
  • In case a SIM card from the mobile carrier is provided for use in professional contacts, the identification of the SIM card and the person responsible for its use must be under the control of the IT department.
  • In compliance with the Clean Desk and Clean Screen Policy, mobile devices must be locked when not in use, so that the information on them is protected from access by unauthorized persons.

 

DATA SHARING

Only computers provided by Korn Traduções may be used by employees, interns, and apprentices, and no employee of the company is allowed to access data through personal computers. All data must be stored in the proper folders on the network drive. The IT department must make periodic checks of all existing shares and ensure that data deemed confidential or restricted has adequate access control. When, for business continuity, a virtual device must be used, it may be accessed from a personal computer only when authorized by Korn Traduções' senior management and in compliance with IT department guidelines.

Everyone at Korn Traduções must regard information as an asset of the company, one of the critical resources for the performance of the business.

Privacy of Information in Company’s Custody

Protection is deemed necessary with respect to the privacy of information in Korn Traduções' custody, that is, information owned by its clients and handled or stored in media over which Korn Traduções holds full administrative, physical, logical, and legal control.

The guidelines below reflect the institutional values of Korn Traduções and reassert its commitment to the continual improvement of this process:

  1. The information is collected ethically and legally, with the knowledge of the client, for specific and duly informed purposes;
  2. The information is received by Korn Traduções, processed, and stored in a secure manner and with integrity, with restricted access, and handled only by the persons needed to provide the service;
  3. The information is accessed for proper use only by authorized and qualified persons;
  4. The information may be provided to companies engaged to provide the services, which are required to comply with our data security and privacy policy and guidelines, and to sign a confidentiality agreement;
  5. The information is only provided to third parties upon prior written authorization by the client or to meet a legal or regulatory requirement;
  6. The information and data in our records, as well as other requests that may ensure legal or contractual rights, are only provided to the interested parties themselves upon formal request as set out by the legal requirements in effect.

Creation of Access and e-mail Account for Non-Employees

The creation of an access and email account for persons who are not employees of Korn Traduções is not allowed, except for interns and apprentices.

In the event that third parties need a logical access credential to systems or tools that depend on email for their proper operation, the employee's manager must justify the need and request approval from the ISMC. In such cases, the third party's access must be restricted to correspondence related to the performance of their duties at the company, during business hours, and according to Korn Traduções' policies.

Korn Traduções' service providers shall not be included in any of Korn Traduções' distribution lists and/or public folders that may contain information intended for employees.

Access Management

All types of systems that need logical access must have formal control from the release of the access to the revocation thereof.

  1. PASSWORD MANAGEMENT
    • All passwords must be changed every three (3) months.
    • New users must change their password on the first access.
    • Passwords that grant access to the hardware, Virtual Private Network (VPN), email, and drive must have at least ten (10) characters. All other passwords must follow the definition of each application.
    • Access passwords to the hardware, VPN, email, and drive must require a complexity level containing numbers, special characters, upper case and lower case letters. All other passwords must follow this determination whenever possible, otherwise, follow the definition of each application.
    • Access to the VPN must use the user's Active Directory (AD) password; AD provides Single Sign-On (SSO), that is, one password for access to several applications.
    • The new passwords cannot coincide with the last three (3) typed passwords.
    • The passwords cannot be saved in the application and must be typed at each access.
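As an added example (not Korn Traduções' own configuration), the following PowerShell applies the rules above to an Active Directory domain's default password policy and then verifies the result. It assumes the RSAT ActiveDirectory module and domain administrator rights; the domain name korn.example and the account new.employee are placeholders. One caveat a practitioner should know: AD's built-in complexity setting requires characters from only three of five categories, so the rule that digits, special characters, upper case and lower case all be present cannot be enforced by that setting alone and needs a password filter or an additional check.

```powershell
# Added example: enforce the password rules from this policy on an AD domain.
# Assumes the RSAT ActiveDirectory module and Domain Admin rights; the domain
# name "korn.example" and the user "new.employee" are placeholders.
Import-Module ActiveDirectory

$domain = "korn.example"

# Record the current settings so the change can be compared and kept for audit.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    MaxPasswordAge, MinPasswordAge, ReversibleEncryptionEnabled | Format-List

# Mapping from the policy text to AD settings:
#   at least 10 characters        -> MinPasswordLength 10
#   mixed character classes       -> ComplexityEnabled $true (AD checks 3 of 5 categories;
#                                    "all four classes" needs a password filter as well)
#   change every 3 months         -> MaxPasswordAge 90 days
#   no reuse of the last 3        -> PasswordHistoryCount 3
#   MinPasswordAge 1 day stops a user from cycling through three throwaway
#   passwords in a minute to get back to the old one.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 3 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ReversibleEncryptionEnabled $false

# New users must change their password at first logon.
Set-ADUser -Identity "new.employee" -ChangePasswordAtLogon $true

# Verify: fail loudly if any setting is weaker than the policy requires.
$after  = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$checks = [ordered]@{
    "MinPasswordLength >= 10"    = $after.MinPasswordLength -ge 10
    "ComplexityEnabled"          = $after.ComplexityEnabled
    "PasswordHistoryCount >= 3"  = $after.PasswordHistoryCount -ge 3
    "MaxPasswordAge <= 90 days"  = $after.MaxPasswordAge -le (New-TimeSpan -Days 90)
    "ReversibleEncryption off"   = -not $after.ReversibleEncryptionEnabled
}
$failed = $checks.GetEnumerator() | Where-Object { -not $_.Value }
if ($failed) {
    $failed | ForEach-Object { Write-Error "Password policy check failed: $($_.Name)" }
    exit 1
}
Write-Host "Domain password policy matches the Information Security Policy."
```

The verification step is what makes this auditable: run on a schedule, it catches a policy that was silently relaxed, and the non-zero exit code lets a monitoring job raise it with the ISMC.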

 

Reviews of Logical Access

The IT department will perform periodic reviews of access, which may be made jointly with the users. Employees, interns, and apprentices must always report any abnormality they identify or any access unnecessary to their work.

  2. RELEASE OF ACCESS
    • A unique, personal, and exclusive identification must be used to ensure the responsibility of each user in their actions.
    • Provide access considering the minimal requirement for the user to perform their duties.
    • New employees, interns, and apprentices receive access according to the duties they will perform. This information must be provided to the IT department according to the HR’s Recruiting, Selection, and Hiring Procedure.
    • The privileges must be authorized by the management of each area (Administrative or Commercial and Financial Management).
    • The use of generic (non-nominal) accounts is not allowed, except in systems that do not support nominal accounts.
    • Release of access is formalized in the General Infrastructure and IT Procedures.
    • Privilege control is performed by groups of users or function performed (profile) to facilitate privilege management.
    • Administrative or generic passwords, when released, must have specific control. The IT department also keeps an updated list of persons (Employees/Service Providers) that have such passwords to enable the performance of all other operations of revocation and change control.
    • The release of access to service providers or consultants must undergo a critical analysis by the person in charge of the application concerned, and every application must have a person in charge.

 

 

  3. ACCESS REVOCATION

Access revocation may occur in cases of dismissal of an employee according to the dismissal flow, change of duties, expiry of a contract with service providers, or request. 

  • The IT department shall keep the access records always updated to enable the immediate removal or deactivation of a user's access at the time of revocation.
  • The access by dismissed employees, interns, or apprentices of the company is blocked according to the HR’s Recruiting, Selection, and Hiring Process.

 

  4. CHANGES OF DUTIES AND CRITICAL ANALYSIS OF ACCESS RIGHTS
    • The IT department and Managers shall be formally informed of the changes of functions, according to the HR’s Recruiting, Selection, and Hiring Process. The IT department shall review the accesses and permissions with the new manager.

 

  5. SEGREGATION OF FUNCTIONS
    • A criterion for segregation of duties for release of permissions, based on “positions/duties/operation” must be considered so that the user (employee, intern, apprentice, client, service provider) has only the indispensable access to perform their activities.
    • Changes of privileges must be authorized by the leaders.

 

  6. REMOTE USE TOOLS
    • The access to workstations and servers by remote assistance applications may be made only through authorized tools and always with the knowledge of the IT department. The tools used by Korn Traduções and the procedure for these accesses are described in the General Infrastructure and IT Procedures.
    • The accesses and their logs must be periodically reviewed to prevent undue accesses.

 

  7. PASSWORD RESET
    • Password resets and account unlocks must be requested by the account owner through a ticket in the IT support tool. Before acting, the IT department must notify the account owner by email that the password will be unlocked or reset as requested, to ensure the integrity of the operation.
    • A change to a generic or administrative password must be communicated to the person in charge of it and to the persons who use it.

Prevention Against Attacks

 

  1. CLOCK SYNCHRONIZATION

Applications, servers, physical access systems, and other resources must have their clocks synchronized, so that incidents and user operations can be reviewed accurately across systems.

  2. BROWSING THE INTERNET

The Internet is considered an essential means for information research and work productivity; therefore, its use on workstations is permitted, subject to monitoring. Such monitoring must be capable of:

  • Detecting accesses that are being made;
  • Detecting files downloaded and sent through the Internet;
  • Identifying possible conduct deviations or information breaches.

The rules on Internet use determined in the Code of Ethics and Conduct of Korn Traduções must be followed.

Access to the Internet on servers must be blocked.

  3. NETWORKS AND SEGREGATION OF NETWORKS

As most of our employees are working from home, the information and applications used by Korn Traduções are in cloud servers, with firewall protection implemented in software to cover all equipment used both internally at the office and externally.

Visitors are not permitted to access the main wireless network. If they need to connect to the internet, they may be given access to the network set up for visitors.

The description of the network is detailed in the General Infrastructure and IT Procedures.

  4. WORKSTATIONS AND SERVERS
    • Workstations and servers must have inactive session control. Locking must occur automatically after a period of inactivity determined by the IT department.
    • Workstations and servers must have antivirus installed and updated, and it must not be possible for ordinary users to disable it.
    • Workstations must authenticate users through AD.
    • Access to USB ports must be disabled.
    • Confidential information must be encrypted and stored in compliance with the guidelines defined in the General Infrastructure and IT Procedures. Notebooks must have full-disk encryption.
    • Sharing folders on the computers of Korn Traduções' employees is not allowed. Data must always be kept on the network drive, and data that needs to be shared among employees must be placed in appropriate folders, with due regard to the access permissions applicable to that data.
  5. REMOVABLE MEDIA

The use of removable media (such as USB, external HD storage devices, etc.) is forbidden. In case of strict need for a certain activity, the employee must justify it to the manager in charge, who will assess the possibility of release jointly with the IT department, according to the assumptions and needs provided for in this Policy.
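The workstation and removable-media rules above translate into settings that can be audited on each machine. The following PowerShell is an added example, not Korn Traduções' own tooling: run elevated on a Windows 10/11 workstation, it checks the domain join, the inactivity lock, Microsoft Defender status and signature age, the USB mass-storage driver, BitLocker on the system drive, and user-created SMB shares, and exits non-zero if any control is missing. The 15-minute idle limit and the two-day signature age are placeholder thresholds. Where the screen lock is pushed by Group Policy, the values live under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop and the check should read that key instead.

```powershell
# Added example: audit a Windows workstation against the baseline in this
# policy and report every control that is not in place. Run in an elevated
# PowerShell on the workstation. Assumptions: Windows 10/11 with Microsoft
# Defender, BitLocker and an AD join; the thresholds below are placeholders
# for the values the IT department defines.

$MaxIdleSeconds     = 15 * 60   # inactivity limit before the screen locks (assumed)
$MaxSignatureAgeDays = 2        # how old antivirus signatures may be (assumed)

function Test-Control {
    param([string]$Name, [scriptblock]$Check)
    # A check that throws (cmdlet missing, feature absent) counts as a failure.
    try   { $ok = [bool](& $Check) } catch { $ok = $false }
    [pscustomobject]@{ Control = $Name; Compliant = $ok }
}

$results = @(
    # "Workstations must authenticate users through AD": machine is domain-joined.
    Test-Control "Domain-joined" {
        (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }

    # Inactive session control: a secured screen saver with a timeout at or
    # below the IT-defined limit (current user's Desktop settings).
    Test-Control "Screen lock on inactivity" {
        $d = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
        $d.ScreenSaveActive -eq '1' -and $d.ScreenSaverIsSecure -eq '1' -and
            [int]$d.ScreenSaveTimeOut -le $MaxIdleSeconds
    }

    # Antivirus installed, updated, and not disabled: Defender real-time
    # protection on and signatures recent.
    Test-Control "Antivirus active and updated" {
        $mp = Get-MpComputerStatus
        $mp.RealTimeProtectionEnabled -and
            $mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-$MaxSignatureAgeDays)
    }

    # USB ports / removable media: the USB mass-storage driver is disabled
    # (Start = 4), which blocks pen drives and external disks but keeps
    # keyboards and mice working.
    Test-Control "USB mass storage disabled" {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4
    }

    # Notebook disk encryption: BitLocker protection is on for the OS volume.
    Test-Control "OS volume encrypted (BitLocker)" {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
    }

    # No local folder sharing: only the administrative default shares (C$,
    # ADMIN$, IPC$) may exist; anything else was created by a user.
    Test-Control "No user-created SMB shares" {
        -not (Get-SmbShare | Where-Object { -not $_.Special })
    }
)

$results | Format-Table -AutoSize
$nonCompliant = $results | Where-Object { -not $_.Compliant }
if ($nonCompliant) { exit 1 }   # non-zero exit lets a scheduler or RMM tool flag the host
```

Each check is deliberately a read-only query, so the script can run from a scheduled task or an endpoint-management agent without changing anything; remediation stays with the IT department, as the policy requires.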

  6. EXCHANGE OF INFORMATION WITH CLIENTS AND SERVICE PROVIDERS

The exchange of information with clients or service providers must be made through secure channels.

  • Always use encryption on the communication channels (email, VoIP, SFTP, file managers).
  • Confidential information must not be sent through insecure channels.

 

POLICY ON USE OF CRYPTOGRAPHIC CONTROLS

Procedures to ensure the confidentiality, integrity, and availability of information through the activation of information security resources and the configuration of secure communication channels must be implemented and maintained by the IT department. These procedures must contain rules on the effective and appropriate use of cryptographic controls to protect information.

To ensure information integrity and recoverability, implementing cryptographic controls not approved by the IT department is forbidden: data encrypted with keys that the company does not manage may become unrecoverable.

 

Backup Management

To ensure the integrity of the systems and data, the IT department is responsible for making backup copies, which are defined in this Policy and in the General Infrastructure and IT Procedures, which ensure that:

  • Applications and logical information must be backed up periodically.
  • Backups must be stored in different places from the production environment.
  • Backups, when transmitted or stored in physical media, must be encrypted.
  • Backups must be tested regularly, within a maximum period of 6 months, or tested immediately, in case of any change in the environment. The tests must be documented for audit.
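The following PowerShell is an added example, not Korn Traduções' procedure, of the restore test the last item requires: a manifest of SHA-256 hashes is written when the backup is taken, and the test restores the archive into a scratch directory, checks every file against the manifest, cleans up, and appends a dated PASS/FAIL line to an audit log. The sample files, archive, manifest, and paths are constructed inline so it runs stand-alone; encryption of the archive, which the policy also requires, is outside what it shows.

```powershell
# Added example: verifiable restore test for a backup archive, with an audit
# record. Paths, the CSV manifest format and the sample data are assumptions.

function New-BackupManifest {
    param([string]$SourceDir, [string]$ManifestPath)
    # One row per file: relative path and SHA-256, computed before the archive is made,
    # so a restore can later be checked against what was actually backed up.
    Get-ChildItem -Path $SourceDir -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($SourceDir.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param([string]$Archive, [string]$ManifestPath, [string]$AuditLog)
    $restoreDir = Join-Path ([IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    $failures = @()
    try {
        Expand-Archive -Path $Archive -DestinationPath $restoreDir -Force
        foreach ($row in Import-Csv -Path $ManifestPath) {
            $restored = Join-Path $restoreDir $row.RelativePath
            if (-not (Test-Path $restored)) { $failures += "missing: $($row.RelativePath)"; continue }
            $hash = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
            if ($hash -ne $row.Sha256) { $failures += "hash mismatch: $($row.RelativePath)" }
        }
    } catch {
        $failures += "restore failed: $($_.Exception.Message)"
    } finally {
        # Never leave restored client data lying in a temp directory.
        Remove-Item -Path $restoreDir -Recurse -Force -ErrorAction SilentlyContinue
    }
    $status = if ($failures) { 'FAIL' } else { 'PASS' }
    # Audit record: when, what, result, who ran it, and why it failed if it did.
    "$(Get-Date -Format o) $status archive=$Archive operator=$env:USERNAME $($failures -join '; ')" |
        Add-Content -Path $AuditLog
    return $status
}

# Constructed sample backup set so the script runs stand-alone.
$work   = Join-Path ([IO.Path]::GetTempPath()) ("backup-demo-" + [guid]::NewGuid())
$source = Join-Path $work 'source'
New-Item -ItemType Directory -Path (Join-Path $source 'projects') -Force | Out-Null
Set-Content -Path (Join-Path $source 'projects\job-1001.txt') -Value 'translation memory export (sample)'
Set-Content -Path (Join-Path $source 'readme.txt')              -Value 'constructed sample data'

$archive  = Join-Path $work 'backup.zip'
$manifest = Join-Path $work 'backup.csv'
$audit    = Join-Path $work 'restore-tests.log'
New-BackupManifest -SourceDir $source -ManifestPath $manifest
Compress-Archive -Path (Join-Path $source '*') -DestinationPath $archive

Test-BackupRestore -Archive $archive -ManifestPath $manifest -AuditLog $audit
Get-Content $audit
```

Hashing the source before compression, rather than hashing the archive, is the point: an archive can be intact and still contain a file that was corrupted or truncated on the source, and the six-monthly test should catch exactly that.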

Intellectual Property

All projects, creations, products and innovations that appear and are developed internally, or procedures developed by any employee during the course of the employment relationship are the property of Korn Traduções.

Use of Email

The email provided by Korn Traduções is a tool for internal and external communication of professional content regarding the activities performed by the employees. The messages shall not compromise the reputation of Korn Traduções, must not be in opposition to the legislation in effect nor to ethical principles.

The use of email is personal, and the user is responsible for every message sent from their address.

The employees are informed that all emails exchanged in Korn’s computers they use can be tracked and checked.

It is expressly forbidden to send messages that:

  • Contain disparaging declarations and offensive language;
  • May cause damage to other persons;
  • Are hostile or serve no business purpose;
  • Are related to “chain messages”, have pornographic or equivalent contents;
  • May affect the reputation of Korn Traduções;
  • May adversely affect the reputation of other companies;
  • Are inconsistent with Korn Traduções' policies.

 

The rules contained in the Code of Ethics and Conduct of Korn Traduções must be followed as well.

 

Emails concerning information security (such as phishing notices, alerts of access to the email account from another device, suspected viruses in a file, among others) must be forwarded to the IT department.

 

If an email is mistakenly sent to the wrong recipient, compromising the information security of Korn Traduções and/or its stakeholders, this must be reported immediately to [email protected] so that the necessary action can be taken.

 

Access to personal emails through Korn Traduções' computers is not allowed.

 

The email service must observe that:

  • Emails must be transmitted through a secure channel.
  • The email tool must have an enabled and controlled antispam and content control resource.

 

Instant Messenger

 

The use of Google Chat is allowed only through the login provided by Korn Traduções;

Skype is allowed solely for organizational use;

Communication with clients and service providers via WhatsApp must preferably be made through the desktop application installed on the computer. Use of the web version or the mobile app is monitored by the IT department, which tracks incoming and outgoing files, and may be blocked in accordance with the security guidelines in effect at Korn Traduções.

The use of these applications in Korn Traduções’ computers must be exclusively for internal contacts of Korn Traduções or with external contacts (clients and service providers) for matters related to the company.

Other applications are forbidden, and, in case of need, the ISMC must be contacted.

Illegal Software and copyright

Korn Traduções respects software copyrights, and the use of non-licensed software is not allowed. The use of illegal (non-licensed) software is expressly forbidden; users do not have permission to install it, and the IT department must be contacted for any type of installation (even software that only needs to be copied and executed).

The IT department will perform periodic inspections of data on servers and/or users' computers to ensure the proper application of this policy. Any unauthorized software found shall be removed from the computers. Those who install such unauthorized software on their computers are liable to Korn Traduções for any problems or losses caused as a result.

The IT department holds evidence of possession of software licenses and records of the appropriate use of the number of licenses, guaranteeing intellectual property rights. This item is applied in accordance with the Asset Inventory item of this Information Security Operational Policy and the respective procedures.

Korn Traduções also refrains from copying books, articles, reports or other documents, in whole or in part, beyond what is permitted under copyright law, or without due citation of references.

Failure to comply with this item may lead to disciplinary actions applied by the ISMC, in accordance with the Sanctions item of this Information Security Operational Policy.

Asset Inventory

Resources must be monitored as to their capacity so that they keep up with the growth of the company and of its information. The critical points to be monitored include storage space, room for database growth, the number of computers, and software licenses.

  • All software and hardware of Korn Traduções must be inventoried and controlled by the IT department.
  • No installation of software without the consent of the IT department is allowed.
  • The contracting and use of any software for organizational use, whether in the cloud or desktop, without consent by the IT department is not allowed.
  • The purchase or installation of any equipment or resource without the consent of the IT department is not allowed.
  • The IT department must have processes to detect installed software.
  • Assets in possession of employees and service providers must be controlled. In case of dismissal or expiration of contract, the asset must be returned according to the procedure set out by the IT department.
  • Software must have their license management and use controlled by the IT department.
  • The inventory must be updated by the IT department at each acquisition or disposal.

Disposal, Destruction and Reuse of Equipment and Media

All media used to operate the ISMS processes must be kept, reused, and destroyed in a secured and protected manner, such as incineration, shredding or removal of data for use in another application. The media disposal must be done through a specialized company.

It must be ensured that all sensitive data and licensed software have been securely removed or overwritten:

  • Storage devices to be reused must be formatted through a secure wipe process, monitored by a professional from the Information Security area.
  • Defective devices or no longer used shall be destroyed, preventing any data recovery.
  • Confidential or internal use papers must be stored in secure places and cannot be discarded before being shredded by a shredding machine, and each person in charge shall follow this practice in relation to all documents under their responsibility.

Roles and Responsibilities

It is the duty of all – employees, interns, apprentices, and service providers of Korn Traduções – to comply with the following obligations:

Employees, Interns, Apprentices, and Service Providers

The classification of all information that is owned by Korn Traduções or that is under its custody is deemed necessary, in proportion to its value to the company, to enable its proper control:

 

  1. Continuously care for the protection of Korn Traduções' information or that of its clients against unauthorized access, modification, destruction, or disclosure;
  2. Ensure that the resources (computer-related or not) made available are used only for the purposes provided for in Korn Traduções‘ articles of association;
  3. Ensure that the systems and information under their responsibility are adequately protected;
  4. Ensure the continued processing of critical information for the business of Korn Traduções;
  5. Comply with the laws and rules that regulate intellectual property aspects;
  6. Meet the laws that regulate Korn Traduções' activities and its operating market;
  7. Select in consistent manner the information security mechanisms, balancing risk factors, technology, and cost;
  8. Report immediately to the DPO, the ISMC, or Quality any violation of the Information Security and Privacy Policy and/or Information Security procedures;
  9. Keep full confidentiality of the information obtained as a result of the employment relationship, and any form of transmission and use of this information in relation to third parties or for personal use is forbidden.

 

Information Security Management Committee (ISMC)

The Information Security Management Committee (ISMC) is a multidisciplinary group composed of representatives from several areas of Korn Traduções appointed by the Senior Management for purposes of defining and supporting the strategies needed to implement and maintain the ISMS. ISMC meetings are held quarterly for planning and reviewing actions and special meetings may be held when there is a need for urgent resolution.

It is incumbent upon the ISMC:

  1. To propose adjustments, enhancements, and modifications in the normative framework of ISMS, submitting it to approval by the Senior Management;
  2. To write the text of the information security rules and procedures, submitting it to approval by the Senior Management;
  3. To request information from other areas of Korn Traduções, through management boards and managers, to check compliance with the information security policy, rules and procedures;
  4. To receive, document, and review cases of violation of the information security policy, rules, and procedures;
  5. To establish mechanisms to record and control information security events and incidents, as well as nonconformities with information security policy, rules, or procedures;
  6. To notify the managers and management boards of any cases of violation of the information security policy, rules, and procedures;
  7. To receive suggestions to implement information security rules and procedures;
  8. To propose projects and initiatives related to the improvement of information security;
  9. To monitor the progress of the projects and initiatives related to information security;
  10. To manage the information assets;
  11. To manage business continuity, requesting Business Continuity Plans from the various areas of Korn Traduções and validating them periodically. The Business Continuity Plan must be defined, implemented, and tested to ensure the availability of the information systems;
  12. To systematically manage the risks related to information security;
  13. Whenever possible, to adopt automated mechanisms for the management, prevention, and detection of security events;
  14. To implement mechanisms to protect the physical and environmental security, preventing damage and unauthorized access to information;
  15. To decide on authentication processes and secure access control adopted for information systems;
  16. To resolve on the use of protection tools against malware, viruses, spam, phishing scams, and other threats to the company’s information systems.

Officers and Managers

It is incumbent upon each manager and officer to master all business rules needed for the creation, maintenance, and update of security measures related to the information asset under their responsibility (team or business unit), whether owned by Korn Traduções or a client.

Managers and officers may delegate their authority on the information asset; however, they remain ultimately responsible for their protection.

It is incumbent upon this role:

  1. To take part in the investigation of security and privacy incidents related to information under their responsibility and, upon identification of possible issues and/or threats, check the possible causes and initiate the procedure for taking remediation action, where necessary;
  2. To comply, and cause compliance, with the information security and privacy policy, rules, and procedures;
  3. To ensure that their teams have access to, and understand, the information security and privacy policy, rules, and procedures;
  4. To proactively suggest to the ISMC information security and privacy procedures related to their areas;
  5. To monitor the remediation action until completion and make a critical analysis of the performed remediation actions to check their effectiveness and identify possible required adjustments;
  6. To manage organizational changes in order to ensure information availability, integrity, and confidentiality;
  7. To report immediately to the ISMC any cases of violation of the policy, the information security and privacy rules or procedures, and any possible remediation actions that require the involvement of the ISMC.


Senior Management

Korn Traduções’ Senior Management is committed to the information security and privacy management system and shall:

  1. Establish the responsibilities and duties of the Information Security Management Committee;
  2. Ensure that the information security policy and objectives are established consistently with Korn Traduções’ strategic guidance;
  3. Promote the integration of the information security management system into Korn Traduções’ processes;
  4. Ensure that the resources needed for the information security management system are available;
  5. Report the relevance of effective information security management and fulfillment of the information security and privacy management system;
  6. Certify that the information security management system achieves its intended results;
  7. Coordinate and motivate people to contribute to the effectiveness of the information security and privacy management system;
  8. Promote continual improvement of this ISMS;
  9. Support other relevant management functions in demonstrating their leadership as it applies to the areas under their responsibility; and
  10. Make a critical analysis, together with the Information Security Management Committee (ISMC), of the records and results of the audits performed at Korn Traduções, including the status of the remediation actions, listed below.

The analysis must be made soon after the respective audits are carried out, and proper records of the analysis, as well as of the remediation actions and improvements defined in the analyses, must be made.

  • Audit of the Information System according to the process of information system audit Controls.
  • SGQ and ISMS Internal Audit: already described in this Policy, in the item Internal Audit, and in the implementation of the Internal Audit process presented in the Process Portal.
  • SGQ and ISMS certification audit or certification maintenance by an Accredited Certification Body (OCC).

The Quality area requires audit planning according to the frequency below:

  • Information System Audit: annual
  • Internal audit: annual
  • Certification audit or certification maintenance: based on the audit plan agreed with the OCC.

Human Resources Area

It is also incumbent upon the Human Resources Area to:

  1. Ensure that employees, interns, and apprentices evidence in writing that they are aware of the ISMS normative framework and of the documents comprised in it;
  2. Ensure that new employees, interns, and apprentices receive training on information security at the beginning of their activities; during this period, such training is the responsibility of their managers;
  3. Maintain refresher plans regarding the internal rules of Korn Traduções;
  4. Create mechanisms to inform the appropriate technical service, in advance, of any change in the staff of Korn Traduções.

Quality Area

It is incumbent upon the Quality Area to:

  1. Consolidate and coordinate the implementation, execution, monitoring, and improvement of the ISMS;
  2. Call, coordinate, and provide support to ISMC meetings;
  3. Provide information, when so requested by the ISMC, on information security management dealt with jointly with SGQ processes;
  4. Coordinate the ISMS critical analysis meetings and monitor the resulting action plans;
  5. Facilitate awareness, disclosure, and training on information security policy, rules, and procedures;
  6. Perform periodic compliance audits and inspections, as well as assess the effectiveness, monitor compliance with the respective action plans, and promote continual improvement;
  7. Develop a training program jointly with the People Management area for employees and contractors for awareness of the responsibilities of each one in relation to information security;
  8. Inform all employees and contractors of the relevance of Information Security and the need to follow the Policy, Rules, and Procedures regarding the Information Security Management System (ISMS);
  9. Establish with the Senior Management rules and procedures regarding mandatory disclosure of security events and incidents by all employees, as well as the respective penalties for failure to comply with this objective.

CONTINUAL IMPROVEMENT

  • Training focused on information security shall take place frequently for employees to become aware of the relevance of enhancing existing controls.
  • Contracting with, or benchmarking against, other companies should be considered with a view to improving the information security and privacy process.

INTERNAL AUDIT

Every information asset under the responsibility of Korn Traduções is subject to audit on a date and at times determined by the ISMC. However, upon identification of practices that do not follow the guidelines of this Policy, records of identified problems may be made, and remediation actions will be required.

An audit must be approved by the Senior Management and, during its performance, the rights regarding the privacy of personal information must be protected, provided that such personal information is not stored in a physical or logical environment of Korn Traduções or its clients in a manner that gets mixed with, or prevents access to, information owned by Korn Traduções or that is under its responsibility.

For purposes of detecting abnormal activities in information processing and violations of the information security policy, rules, or procedures, the IT department may perform proactive monitoring and control, keeping the confidentiality of the process and information obtained.

In both cases, the information obtained may serve as circumstantial evidence or evidence in an administrative or judicial proceeding.

Internal audits are planned with a focus on the analysis of compliance with all processes related to the ISMS and results of previous audits.

The internal audits must be performed each year by internal or external qualified and trained auditors, with knowledge of the ISO 27001 standard and LGPD. There must be independence to ensure that auditors do not audit processes in which they are involved.

External audits must be performed to keep the validity of the defined certifications.

Remediation Action

Upon identification of nonconformities in the performance of processes or during internal or external audits, they must be recorded for analysis and treatment.

Every recorded nonconformity must have its cause identified. Actions to eliminate these causes must be taken, and the effectiveness of the actions must be verified, in accordance with the Quality Nonconformity processes.

Contact with Authorities

The contacts with authorities are consolidated in the Communication Plan of Korn Traduções.

The management of contact with authorities is the responsibility of the People Management area, which must consolidate, inform, and disclose the list of contacts in a known and accessible repository of Korn Traduções, updated periodically.

ISMS Critical Analysis

Korn Traduções must perform an ISMS critical analysis at least once a year. Such analysis must have direct participation of the Senior Management and must take into consideration:

  1. The results of the actions from the previous ISMS critical analysis;
  2. Changes in external and internal issues that are relevant to the information security management system;
  3. Feedback about the information security performance, including trends of:
    • nonconformities and remediation actions;
    • results of monitoring and measurement;
    • results of the internal or external ISMS audits; and
    • compliance with information security objectives;
  4. Comments from stakeholders;
  5. The risk assessment results and the status of the risk treatment plan;
  6. Opportunities for continual improvement;
  7. Impacts of changes that occurred or that may occur (organizational changes, changes in personal data processing procedures, changes resulting from government decisions, among others).

The outputs of the critical analyses must include decisions related to continual improvement opportunities and any needed change in the information security management system.

Korn Traduções shall maintain documented information evidencing the results of the critical analysis by the Senior Management.

Technical Conformity Critical Analysis

Korn Traduções performs the verification and critical analysis of the technical conformity considering:

  1. Performance of the Information System Audit, following the checklist defined in the process of information system audit Controls, by a qualified IT person, internal or external to Korn Traduções, who is an experienced systems professional, considering:
    • That it is done by a professional independent of the IT area and different from the professional who already performed the process of information system audit Controls internally;
    • That it is performed at least annually;
    • That the checklist is fully completed as to all its verification requirements and that the professional, based on their experience, includes other verification items, as appropriate;
    • That the records defined in the checklist, and others defined by the professional, are duly documented and kept in appropriate places.
  2. If applicable and technically feasible, due to the risks mapped and identified on the information security system assets according to the process on Risks for the Information Security Management System (ISMS), performance of invasion tests or vulnerability assessments, considering:
    • That they are done when the risk analysis actually requires, given its criticality, the performance of an invasion test or vulnerability assessment (for example, penetration test, intrusion test, invasion test, and vulnerability assessment);
    • That they are done by companies or professionals with proven qualification and clearly defined procedures for performance;
    • That, for the pentest to take place, authorization containing the scope is needed. The pentest may not be carried out without due authorization, in accordance with the law, or beyond the previously defined scope;
    • That the records of the invasion tests or vulnerability assessments performed are duly documented, delivered by the professional who performed them, and kept in appropriate places. Should weaknesses be found, recommendations to resolve them must be included in the final report.

Reports

Any violation of this Policy, or further, suspicions or evidence, must be reported to Korn Traduções through email [email protected] or by mail to:

C/O DPO

Classification: CONFIDENTIAL

Address: Avenida São Gabriel nº 201, conjunto 1403. São Paulo – SP.

Violations and Sanctions

Violations

The following situations, which are not exhaustive, are considered violations of the information security policy, rules, or procedures:

  1. Any actions or situations that may expose Korn Traduções or its clients to direct or indirect, potential or effective, financial or reputational losses, affecting their information assets;
  2. Undue use of corporate data, unauthorized disclosure of information, business secrets, or other information without express authorization by the Senior Management;
  3. Use of data, information, equipment, software, systems, or other technological resources for unlawful purposes, which may include violations of laws, internal and external regulations, ethics, or requirements from regulatory bodies in Korn Traduções’ area of activity or that of its clients;
  4. Failure to comply with any items set forth in this security policy;
  5. Failure to notify the senior management or the DPO immediately of any violations of the Information Security policy, rules, or procedures that the employee, intern, apprentice, or service provider may become aware of or witness.

Sanctions

The violation of the Information Security policy, rules, or procedures, or the failure to adhere to the Information Security Policy of Korn Traduções are deemed serious faults, and the sanctions provided for in the Code of Ethics and Conduct of Korn Traduções may be applied: formal warning, suspension, termination of the employment contract, other disciplinary action and/or civil or criminal proceeding. Sanctions defined by the ISMC may also be applied, always in compliance with the legislation in effect.

The penalties under the Brazilian Consolidation of Labor Laws (CLT) will also be complied with and applied.

Information Security Policy for Service Providers

  1. Purposes

The main purpose of this document is to set forth the practices and commitments of all service providers with regard to Korn Traduções’ information assets, as well as to raise awareness among service providers about the correct use of the resources provided.

This document also includes a definition of liability regarding the actions of service providers and related disciplinary actions.

1.1 Authors

The Korn Traduções Service Provider Information Security Policy, as well as any reviews and updates, is the responsibility of the Information Security Management Committee (ISMC).

Any questions regarding the application of this policy, or suggestions for improvements and amendments can be sent to members of the Information Security Management Committee (ISMC) at: [email protected]

1.2 Disclosure and Distribution

This information security policy for service providers must be an integral part of the service provision agreement for all Information Technology service providers to Korn Traduções.

By signing the service provision agreement, the service provider recognizes they are totally familiar with and agree to the guidelines set forth herein.

1.3 Version and Review

This Policy, as well as the Guidelines and General Responsibilities of Service Providers contained herein, may be reviewed, and a new version must be produced, ratified, disclosed, and distributed in the following cases:

  • Significant amendment to an information asset covered by this policy;
  • Creation of new information assets relevant to this policy;
  2. Guidelines and General Responsibilities of Service Providers

All service providers are aware of their responsibilities regarding information security in line with the GDPR and undertake to follow this Policy, as well as the documents below, thus signing the commitment regarding Korn Traduções information and guidelines:

  3. INFORMATION SECURITY RULES AND PROCEDURES FOR SERVICE PROVIDERS

The items below describe the security guidelines related to Korn Traduções service providers.

3.1 Intellectual Property

  • Service providers are responsible for ensuring the legal compliance of any and all systems or content used while carrying out the service;
  • Service providers are responsible for the intellectual property of the content of equipment they bring onto Korn Traduções premises;
  • Service providers are responsible for ensuring that the software they install does not breach any kind of copyright law.

3.2 Internet access on Korn Traduções premises

  • Korn Traduções reserves the right to monitor service provider internet access to ensure appropriate use;
  • Korn Traduções reserves the right to block sites it considers inappropriate for the company, with no prior warning;
  • Service providers must only access the internet for the purpose of completing the provision of services to Korn Traduções.

3.3 Mobile Computing

  • Service providers are committed fully to the security of the data of their equipment on Korn Traduções premises;
  • Service providers are responsible for ensuring that the equipment or media they use has up-to-date, legal software, with antivirus, and is free from any type of software that could damage Korn Traduções systems and assets.

3.4 Emails

  • Service providers must not, at any time or from any place, send emails to Korn Traduções staff containing content unrelated to work.

3.5 Information Handling Logic

  • Service providers undertake to only process information received from Korn Traduções that is directly related to the service as described in the service provision agreement;
  • Service providers are committed to the total confidentiality, integrity and availability of Korn Traduções information granted to them;
  • Internal disclosure of Korn Traduções information within the service provider company must be formally reported to and agreed on between the parties;
  • Service providers undertake not to transmit any Korn Traduções information via insecure communication channels, such as social media, WhatsApp, etc. that could lead to the leak of such information;
  • Service providers undertake to dispose of Korn Traduções information appropriately and securely at the end of the service or when it is no longer being used (whichever occurs first);
  • Korn Traduções reserves the right to carry out information security audits on their service providers, with prior notice.

3.6 Information Storage Logic

  • If the service provider stores Korn Traduções information, it must do so in a way that is secure, in other words, with access control limited to the service provider;
  • It is prohibited to store data belonging to Korn Traduções on removable media.
  • Service providers also undertake to ensure that Korn Traduções information is not adulterated during storage on media in its possession.

3.7 Access to Korn systems or equipment (On site or remote)

  • Service providers may only access Korn Traduções systems or equipment for support or maintenance when applicable to the scope of the service, and in such cases, access will only be permitted following formal communication;
  • Remote access by all service providers, when applicable to the scope of the service, must use a secure means (VPN/controlled passwords/ controlled and monitored access/ private or particular access).

3.8 Use of Passwords, applicable to IT service providers

  • Under no circumstances may service providers request, accept or use Korn Traduções staff access passwords;
  • All passwords used by service providers must be specifically created for the related activities as defined and authorized by the Korn IT team.
  • Korn Traduções is responsible for deactivating service provider passwords. Should the service provider identify that the credential is still active following the end of the contract or project, it must request immediate deactivation thereof;
  • Service providers are responsible for the security of the passwords they are given and must immediately inform Korn Traduções of loss or leaks.

3.9 Service Provider Staff

  • Service providers are responsible for informing Korn Traduções immediately of the dismissal of any of their staff who provide a service or possess access credentials to Korn Traduções systems;
  • Service providers must immediately report any change in the list of their staff authorized to provide services to Korn Traduções;
  • All service provider staff who provide services to Korn Traduções recognize they are totally familiar with and agree to the content of this document, as well as the documents described in item 2 above.

3.10 Physical Security

  • Service providers are responsible for returning to Korn Traduções or for disposing appropriately of any information no longer necessary or at the end of the service;
  • Service providers undertake to access Korn Traduções premises only when duly authorized and accompanied by a Korn Traduções employee;
  • Service providers may only access the Korn physical environment following approval from the Korn IT team, and must be accompanied by a Korn employee while carrying out the activity.
  • If, for any reason, Korn Traduções equipment needs to be removed, service providers must fill in a Delivery and Maintenance Instrument prepared by the Korn IT team.
  4. Incidents and Disciplinary Measures

Any breach of the guidelines set forth in this policy is an information security incident and must be duly recorded and analyzed by the Korn Traduções Information Security Management Committee (ISMC).

Following analysis by the committee, disciplinary measures for the service provider will be decided on, pursuant to the legislation in effect, and which may include:

  • Formal or informal warning;
  • Cancellation of the service provision agreement;
  • Legal action or police report.
