Information Security Policy
Introduction
The information managed by INCM, its support processes, systems, applications and networks are valuable assets to the organisation and, in this context, information security should be a priority, in order to ensure the continuity of the organisation's activity, minimising risks and maximising performance and service delivery. Information security should be applied in all phases of its life cycle, ensuring the maintenance, in a permanent and balanced way, of a high level of quality and security, preventing the materialisation of inherent risks, to mitigate potential damage caused by the exploitation of vulnerabilities and security incidents, and ensuring that the business operates as expected over time.
It is the understanding of INCM that information security is a fundamental premise for the success of the services it provides, and it is the responsibility of all, employees, suppliers or other entities that have access to information at any given time to act in accordance with the rules defined and imposed by the policy.
Information Security is supported by a management system, known as the Information Security Management System (ISMS), consisting of a set of policies and procedures that ensure the essential principles of information security, namely availability, integrity and confidentiality, in accordance with business requirements and relevant laws and regulations.
Objective
This policy aims to define the purpose, direction, principles and fundamental rules of information security management, according to the characteristics and needs of the business of Imprensa Nacional - Casa da Moeda (INCM) and its stakeholders.
Scope/Target Public
Applicable to the entire organisation, including all stakeholders and entities that maintain any type of commercial or contractual relationship with INCM (employees, customers, suppliers, service providers) and that have access to, the right to use, or control over information assets held by INCM and/or the resources associated with them.
All stakeholders must know and act in accordance with this Policy and the other documents related to Information Security, as applicable and appropriate.
Failure to Comply
All covered stakeholders who deliberately violate this policy will be subject to sanctions and other actions, up to and including termination of contract and/or the reporting to the police or judicial authorities of situations that may indicate the commission of a crime.
Information Security Policy
The Information Security Policy expresses the considerations of the INCM with regard to information security on the following aspects:
Basic aspects of Information Security
The management of information security and of the systems that support it is carried out through an approach based on risk management and continuous improvement, ensuring the confidentiality, integrity and availability of the information. In this sense, INCM commits itself to:
- To guarantee the security of the information it holds, as well as all resources associated with it, whether procedural, technological or human;
- To ensure the establishment and implementation of the principles described in this policy, as well as its approval, publication and communication to all employees and relevant external entities;
- To guarantee the necessary resources for the operationalisation of information security management processes and activities;
- To ensure the definition, implementation and review of the information security management strategy and to guarantee its correct alignment with the strategic business policies and objectives of the INCM;
- Ensure that the ISMS achieves its intended results;
- To promote, in a structured and systematic way, continuous improvement.
Information Classification and Handling
An information security asset is any resource of value to the organisation. Assets are classified according to their sensitivity with regard to the attributes of confidentiality, integrity and availability, so that the appropriate controls can be applied to safeguard them.
Use of mobile devices and remote access
Security measures are applied to the use of mobile devices to ensure the confidentiality, integrity and availability of business information so that it can be accessed (locally or remotely) and/or processed by these devices.
Acceptable use of assets
The information assets owned by INCM are used in a way that guarantees their protection, avoiding their exposure to Information Security risks that could compromise the continuity of INCM's business.
INCM grants its employees and visitors the right to use their own equipment, provided that internal guidelines are complied with.
Relations with suppliers
Suppliers are evaluated in order to guarantee contractual relations with entities that contribute to obtaining access to materials and services appropriate to INCM's business.
The specifications drawn up by INCM for awarding contracts for the supply of goods or services include aspects that guarantee Information Security, stipulating the supplier's responsibilities and duties.
Physical and logical access controls
Physical and logical access controls are implemented, allowing the management of identities through user identification and authentication processes, which in turn allow the implementation of restriction rules based on security criteria.
The different profiles, privileges and physical and logical access levels are defined following the Principle of Least Privilege, i.e. by assigning the level of access strictly necessary for the user to perform the assigned functions, and no more.
Cryptography
INCM implements cryptographic mechanisms to protect information in digital form from unauthorised access.
Clean desk and clear screen
Information considered sensitive, in physical or digital format, is duly protected whenever it is not in use.
Backups
Backup copies are made at defined intervals in order to safeguard the information.
Employees and visitors are responsible for backing up the information contained on the equipment under their charge.
Transfer of Information
Information is exchanged over approved communication channels, following the security requirements defined according to its security classification.
Engineering principles and policy for developing secure information systems
Principles of secure information systems development are applied at all levels of the systems architecture (business, data, applications and technology), balancing the need for security with the need for accessibility and functional efficiency. These principles are considered throughout the entire life cycle of information systems, from an evolutionary perspective.
Information Security in Project Management
Information security is addressed in project management through the identification of the possible information security risks associated with the project to be implemented.
Risk Management, Incident Management and Business Continuity
Risks to its information assets, arising from various sources, are identified, analysed and quantified or qualified.
Events that call into question or have the potential to call into question Information Security commitments are treated as possible security incidents and are handled in accordance with the internal Incident Management process.
The continuity of Information Security is addressed within business continuity, so that the loss of information resources is covered through the implementation of preventive and recovery controls.
ISMS Profiles, Responsibilities and Authorities
Roles, responsibilities and authorities are defined to enforce the commitments of the INCM in the face of Information Security.
Information Security Responsibilities
The Information Security Policy is the responsibility of the Chief Information Security Officer (CISO), who is responsible for monitoring and evaluating the implementation of the ISMS, reporting to senior management on its performance and ensuring compliance of the system with the requirements of the Standard.
Maintenance and communication of Information Security Policies
The Information Security Policy should be periodically reviewed in order to ensure that it continues to be appropriate to the INCM and should be communicated to all stakeholders within the scope of their relationship with the INCM.
Talk to us
You can contact INCM for all matters relating to this policy at the following email address: ciso@incm.pt or send your request by letter to the address Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa.