Information Security Policy
Get to know the practices and controls that protect your company's information at Linkana.
Last updated: 11/7/22
Objective
This policy establishes the principles, guidelines, and responsibilities related to Information Security, in order to protect the information of Linkana, its clients, and the general public, observing the best market practices.
Introduction
Information is a valuable asset and one of the main assets of Linkana. It is extremely important and essential to the success of our business, and therefore deserves special attention and adequate protection.
Thus, Linkana defines its information security and cyber security strategy to protect the confidentiality, integrity, and availability of information. Our strategy is based on detection, prevention, awareness, monitoring, and incident response.
Information Security Principles
Information Security at Linkana is characterized by the preservation of the following principles:
Confidentiality: it is the guarantee that information is available only to authorized persons when necessary;
Integrity: it is the guarantee that information is complete, intact, and accurate and that it has not been modified or destroyed improperly, without authorization, or accidentally during its lifecycle;
Availability: it is the guarantee that authorized persons have access to information whenever necessary.
Guidelines
Access to systems, resources, and other information assets must be granted through valid authentication and based on:
Business necessity
The principle of least privilege
Segregation of duties
Access will be managed through a lifecycle from user creation to deactivation, including periodic reviews regarding necessity and adequacy.
Information assets considered critical, which store and/or process sensitive information, must be restricted to segregated areas of the network, with appropriate access control.
Password definitions must follow complexity and uniqueness requirements. They should not be reused, shared, stored in files, or written down anywhere.
Logs and audit trails must be enabled in production environments, protected from unauthorized access or modifications, and must record:
What activity was performed
Who performed the activity
When the activity was performed
On which device the activity was performed
Cryptographic algorithms must be applied as needed to data at rest, in transit, or in use.
Tools and processes to monitor and prevent sensitive information from leaving Linkana's internal environment without authorization must be implemented.
Solutions and processes that allow for the identification, detection, and prevention of attacks on Linkana's infrastructure components must be implemented.
Lifecycle management processes for vulnerabilities, from identification to resolution, must be implemented.
Procedures and controls aimed at the prevention, treatment, and reduction of Linkana's exposure to cyber security incidents, as well as guidelines for recording, root cause analysis, impact assessment, and incident classification, must be implemented.
Information must be classified to assist in the consistent mapping of information assets and establish the appropriate level of protection in its storage, transmission, and use.
Anti-malware detection and prevention solutions or equivalent controls must be implemented to protect Linkana's environment.
Databases must have regular backups to restore system operation in the event of data loss or service interruption.
Security requirements must be applied to ensure the confidentiality, integrity, and availability of information throughout the software development lifecycle.
The Business Continuity Plan (PCN) aims to ensure that, in the event of a crisis or disaster, essential and critical processes are properly maintained, thereby preserving the continuity of business functions, operations, and critical services.
The PCN must be tested annually.
Awareness training must be mandatory and held annually, presenting the information security principles to help employees recognize risk situations and act accordingly.
The Information Security Policy of Linkana will be reviewed at least annually.
Protection of Personal Data
Linkana, in compliance with the General Data Protection Law, must ensure the confidentiality, integrity, and availability of personal data throughout its lifecycle, and must treat it as confidential data. All processing of personal data will have a specific purpose, communicated to the data subject and duly based on the purpose and legal bases provided in the General Data Protection Law, honoring the principles of necessity, adequacy, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.
Any changes or development of systems or products involving personal data processing must apply “Privacy by Design.”
In addition to the principles mentioned, a response plan for personal data breaches must be developed and implemented, as well as the preparation of an Impact Report whenever necessary.
Final Provisions
The above applies to the entire Company immediately upon publication of this Policy.