Cyber Security Policy

Welcome to WEpayments Cybersecurity Policy

1. Purpose

This document aims to establish guidelines for WEpayments to secure and protect its clients, staff, service providers, stakeholders and the company’s information against threats and risks related to information security and cybersecurity. It also establishes controls and procedures to reduce WEpayments’ vulnerability to incidents and provides requirements for contracting data processing, storage and cloud computing services.

2. Scope

This Policy applies to all WEpayments Senior Management, staff members, service providers, and business partners.

This Policy may also be amended to comply with regulatory changes and other legal obligations.

3. Responsibilities

The implementation, execution, and maintenance of this Policy are the responsibility of:

  • Director responsible for implementing and maintaining this Policy: in charge of implementing, approving, periodically updating, executing, and maintaining this Policy, and convening the periodic meetings of the information security and cyber security committee.

  • Information Security and Cybersecurity Committee: appointed by the WEpayments departments and approved by the Senior Management to decide on matters related to this Policy.

The main objective of the Information Security and Cybersecurity Committee is to develop actions to strengthen specific topics defined as strategic for the business. It comprises multidisciplinary staff who contribute different skills and business and project perspectives, and who deliver timely solutions that result in valuable business propositions. The Information Security and Cybersecurity Committee is responsible for implementing improvements by automating processes, integrating systems, and standardising activities, with data and information protection in mind.

  • Information Security Department: responsible for creating, implementing, and monitoring the security policies in use. However, although these policies are defined by the IT team, security is everyone’s responsibility.

  • Users: WEpayments’ Senior Management and staff who directly or indirectly use or support the institution’s systems, infrastructure or information, who must, as applicable: (i) comply with the rules and procedures related to the use of information and associated systems, according to the provisions of this Policy; (ii) immediately report to the responsible departments any failure in devices, services or processes related to Information Security and Cybersecurity, so that timely action can be taken; (iii) treat the information covered by this Policy as WEpayments’ assets and keep it secure, intact and available, according to its classification and need.

4. Principles

WEpayments is committed to ensuring the security and appropriate handling of information. Therefore, our activities are based on the following principles:

  • Authenticity: ensuring that users, entities, systems, or processes with access to information are identified and authorised.

  • Confidentiality: ensuring that only authorised individuals can access information, and only when necessary.

  • Availability: ensuring that information is available to authorised persons whenever needed.

  • Integrity: ensuring that information is accurate, complete, and not improperly modified.

5. General Guidelines And Good Practices

To achieve the goals outlined in this Policy, the Information Security and Cybersecurity procedures will adhere to the following guidelines: 

  • Ensure that there is no unauthorised access, modification, destruction, or disclosure of information. Therefore, staff access must be personal, non-transferable, and restricted to the resources required to perform their duties at WEpayments.

  • Each staff member, when applicable, will receive a personal access password and be responsible for keeping it confidential, preventing improper access to the information under their responsibility.

  • Ensure that all information is treated ethically and confidentially and that appropriate measures are in place to prevent, or at least record, unauthorised access, modification, destruction or disclosure.

  • Ensure that information is used solely for its intended purpose and that access is conditional on authorisation.

  • Ensure compliance with the procedures and controls adopted to reduce vulnerability to incidents and meet other Cybersecurity objectives, such as authentication, encryption, intrusion prevention and detection, information leakage prevention, periodic testing and scanning for vulnerabilities, protection against malware, establishing traceability methods, computer network access and segmentation controls, and maintaining backup copies of data and information.

  • Ensure the recording, cause and impact analysis, and control of the effects of incidents relevant to WEpayments’ activities, such as IP EME and IP ITP; and

  • Ensure incident scenarios are developed as part of the continuity testing of the payment services provided.

6. Information And Cybersecurity Process

To ensure that all the above guidelines are met and that the Information Security and Cybersecurity principles are correctly followed, WEpayments will adopt policies and procedures for the processes listed below.

7. Password generation

As a preventive measure against unauthorised access: 

  • All passwords must contain at least 12 characters.
  • Use a combination of at least five random words, upper- and lower-case letters, numbers and symbols.
  • Avoid creating predictable passwords.
  • Passwords cannot be reused; and
  • Passwords may not contain or be identical to the user’s name.
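As an added example, not part of the original policy, the following Python checks a candidate password against the rules above (minimum length, mixed character classes, predictable passwords, reuse, and the user's name); the "five random words" rule is not checked mechanically. The `PasswordHistory` store, the `COMMON_PASSWORDS` denylist and all function names are assumptions constructed here for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample denylist of predictable passwords (illustrative, not a real wordlist).
COMMON_PASSWORDS = {"password1234", "welcome12345", "qwerty123456"}


def _fingerprint(password: str) -> str:
    # The hypothetical history store keeps only SHA-256 digests, never plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordHistory:
    """Per-user record of previously used password fingerprints (hypothetical store)."""
    digests: set = field(default_factory=set)

    def contains(self, password: str) -> bool:
        return _fingerprint(password) in self.digests

    def remember(self, password: str) -> None:
        self.digests.add(_fingerprint(password))


def check_password(password: str, username: str, history: PasswordHistory) -> list:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "upper": re.search(r"[A-Z]", password),
        "lower": re.search(r"[a-z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("predictable password")
    # Covers both "contains the user's name" and "identical to the user's name".
    if username and username.lower() in password.lower():
        problems.append("contains the user's name")
    if history.contains(password):
        problems.append("previously used")
    return problems
```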

8. Physical Access To Data

As prevention of data leakage:

  • Use an encrypted partition.
  • Use a screen saver with a password.
  • Never leave your computer without locking the screen.
  • Enable the antivirus provided by the company; and
  • To prevent legal issues involving licensing, rights of use, incompatibility and security breaches, any necessary software must be installed exclusively by the technical support department. For this, submit a ticket.

9. Information Classification

Information must be classified according to its criticality and sensitivity for the business and its customers. Therefore, WEpayments shall adopt the following classification:

  • Public Information: any data that everyone can access without restriction. Examples: information disclosed to the market and promotional data.

  • Internal Information: data accessible only by WEpayments’ staff members. Examples: WEpayments’ rules, procedures and forms.

  • Restricted Information: any data that can be accessed only by staff members who need it to fulfil their duties. Examples: WEpayments’ contracts and strategic documents; and

  • Confidential Information: any data that can be accessed only by staff members authorised to access it or who need it for a specific purpose. Examples: strategic plan and customer information.

10. Access Control

WEpayments uses access controls throughout the infrastructure to prevent unauthorised individuals from accessing, without prior permission, segregated environments, internal systems and information that is not freely accessible. Thus, WEpayments implements mechanisms for user authentication, segregation of duties, and access traceability and approval, when applicable, to ensure adequate and consistent internal procedures.

11. Remote Access

Only authorised individuals needing to maintain the systems will have remote access to the company’s servers. Entry must be controlled, and access logs must be available in the company’s monitoring system.

12. Risk Management

WEpayments applies processes to analyse vulnerabilities, threats and impacts on Information Assets to adopt the appropriate measures to mitigate the damage caused in the event of an incident.

The risk management processes encompass the controls over changes in WEpayments’ technology environment. They are structured and applied through strategies that act in all potentially impacted areas. They also include the training and engagement of all staff directly involved in mitigation actions within WEpayments, to ensure readiness for these situations.

13. Continuity Plan

WEpayments adopts a continuity plan for the services provided by implementing preventive strategies and action plans to ensure that WEpayments’ essential services are correctly identified and preserved after a contingency occurs. Accordingly, WEpayments will map critical processes, analyse business impacts, and inventory cyber crisis scenarios related to security incidents.

14. Supplier Management

WEpayments assesses the level of commitment to Information Security and Cybersecurity controls of all its service providers, suppliers and partners that process and store WEpayments’ data, verifying the maturity level of their security controls and the incident handling plan they have adopted.

15. Physical Security Of The Environment

WEpayments shall implement a system to control the access of service provider staff, suppliers, vendors and partners to restricted locations, such as lockers. Critical or sensitive information processing equipment and systems must be kept in secure areas with appropriate access control levels, including protection against physical and environmental threats.

16. Equipment Disposal And Reuse

Any company equipment should be formatted before being discarded or reused, ensuring that restricted information is deleted. The hard drive should be removed from the computer and handed to the IT department for proper formatting.

17. Capacity Management

WEpayments has implemented controls to ensure that system capacity and planning are aligned with the actual needs and usage of the system.

Preferably, all company services should run in self-scaling environments that ensure data consistency and security.

18. Data Backup And Restoration

WEpayments adopts a data backup and restoration routine that ensures the availability of relevant information for the complete operation of its activities.

19. Protection Against Virus, Malware And Malicious Files

WEpayments must adopt appropriate protection measures to prevent viruses, other types of malware and malicious behaviours (e.g. phishing and spam) from spreading within internal computers, systems and servers or exposing WEpayments to vulnerabilities. Therefore, security software, such as antivirus, must be installed and kept updated throughout the company’s internal network.

20. Scanning Tests For Vulnerability Detection

WEpayments is committed to identifying and eliminating vulnerabilities in its systems and servers to ensure the integrity of the overall business processes. Therefore, it must constantly monitor and conduct tests and scans to detect vulnerabilities, assess risks and determine appropriate countermeasures.

WEpayments regularly updates the security processes in its technological facilities to prevent security gaps that could result in virus attacks or other malicious software spreading on its computers, systems and servers.

21. Cryptography

According to the information classification, WEpayments’ Information Assets must have adequate encryption in all traffic that occurs on a public network. This ensures protection throughout the information life cycle and compliance with the security standards of the regulatory bodies.

22. Security Incidents

Security incidents must not be disclosed publicly and must be reported immediately to the e-mail address security@wepayout.co.

Once an incident is reported, the CTO must develop an action plan to correct the failure or mitigate damage.

Risk management must follow the steps below:

  1. Observation: validate and ensure that the threat exists.
  2. Guidance: check threat history and analyse the impacts.
  3. Decision: develop the action plan.
  4. Action: create a committee to develop the remedy and test whether the flaw has been corrected.

23. Traceability System

WEpayments must adopt specific controls to trace the information, especially seeking to secure sensitive data.

24. Impact Records

WEpayments must record and analyse the cause and impact and monitor the effects of incidents relevant to WEpayments’ activities, including information received from third-party service providers.

25. Training And Awareness

WEpayments values an Information Security and Cybersecurity culture. Therefore, policies and procedures must be adopted to disseminate the principles and guidelines in this Policy, ensuring training and awareness for all Senior Management and staff members.

26. Procurement Of Data Processing And Storage And Cloud Computing Service

26.1. Third-Party Procurement

Data processing, storage, and cloud computing services will be done through third parties in Brazil or abroad. The procurement of third parties must be done by assessing the service provider’s ability to perform the activities while complying with applicable laws and regulations.


©2022 WEpayments. All rights reserved.