©2022 WEpayments. All rights reserved.
This document aims to establish guidelines for WEpayments to secure and protect its clients, staff, service providers, stakeholders and the company’s information against threats and risks related to information security and cybersecurity. It also establishes controls and procedures to reduce WEpayments’ vulnerability to incidents and provides requirements for contracting data processing, storage and cloud computing services.
This Policy applies to all WEpayments Senior Management, staff members, service providers, and business partners.
This Policy may also be amended to comply with regulatory changes and other legal obligations.
The implementation, execution, and maintenance of this Policy are the responsibility of:
The main objective of the Information Security and Cybersecurity Committee is to develop actions to strengthen specific topics defined as strategic for the business. It comprises multidisciplinary staff who contribute different skills and business and project perspectives and deliver timely solutions that result in valuable business propositions. The Information Security and Cybersecurity Committee is responsible for implementing improvements by automating processes, integrating systems, and standardising activities, with data and information protection in mind.
WEpayments is committed to ensuring the security and appropriate handling of information. Therefore, our activities are based on the following principles:
To achieve the goals outlined in this Policy, the Information Security and Cybersecurity procedures will adhere to the following guidelines:
To ensure that all the above guidelines are met and that the Information Security and Cybersecurity principles are correctly followed, WEpayments will adopt policies and procedures for the processes listed below.
As a preventive measure against unauthorised access:
As prevention of data leakage:
Information must be classified according to its criticality and sensitivity to the business and its customers. Therefore, WEpayments shall adopt the following classification:
Confidential Information: any data that can be accessed only by staff members authorised to access it or who need it for a specific purpose. Examples: strategic plan and customer information.
WEpayments uses access controls throughout the infrastructure to prevent unauthorised individuals from accessing, without prior permission, segregated environments, internal systems and information that is not freely accessible. Thus, WEpayments implements mechanisms for user authentication, segregation of duties, access traceability and access approval, when applicable, to ensure adequate and consistent internal procedures.
Only authorised individuals needing to maintain the systems will have remote access to the company’s servers. Entry must be controlled, and access logs must be available in the company’s monitoring system.
WEpayments applies processes to analyse vulnerabilities, threats and impacts on Information Assets to adopt the appropriate measures to mitigate the damage caused in the event of an incident.
The risk management processes encompass the changing controls in WEpayments’ technology environment. They are structured and applied through strategies that will act in all potentially impacted areas. They also include the training and engagement of all staff directly involved in the mitigation actions within WEpayments, to ensure readiness for these situations.
WEpayments adopts a continuity plan for the services provided by implementing preventive strategies and action plans to ensure that WEpayments’ essential services are correctly identified and preserved after a contingency occurs. Accordingly, WEpayments will map critical processes, analyse business impacts, and inventory cyber crisis scenarios related to security incidents.
WEpayments assesses the level of commitment to Information Security and Cybersecurity controls of all service providers, suppliers and partners that process or store WEpayments’ data, in order to check the maturity level of their security controls and the incident handling plan they have adopted.
WEpayments shall implement a system to control the access of service provider staff, suppliers, vendors and partners to restricted locations, such as lockers. Critical or sensitive information processing equipment and systems must be kept in secure areas with appropriate access control levels, including protection against physical and environmental threats.
Any company equipment should be formatted before being discarded or reused, ensuring that restricted information is deleted. The hard drive should be removed from the computer and handed to the IT department for proper formatting.
WEpayments has implemented controls to ensure that system capacity and planning are aligned with the actual needs and usage of the system.
Preferably, all company services should run in self-scaling environments that ensure data consistency and security.
WEpayments adopts a data backup and restoration routine that ensures the availability of relevant information for the complete operation of its activities.
WEpayments must adopt appropriate protection measures to prevent viruses and other types of malware and malicious behaviour (e.g. phishing and spam) from spreading within internal computers, systems and servers or exposing WEpayments to vulnerabilities. Therefore, security software, such as antivirus, must be installed and kept updated throughout the company’s internal network.
WEpayments is committed to identifying and eliminating vulnerabilities in its systems and servers to ensure the integrity of the overall business processes. Therefore, it must constantly monitor and conduct tests and scans to detect vulnerabilities, assess risks and determine appropriate countermeasures.
WEpayments regularly updates the security processes in its technological facilities to prevent security gaps that could result in virus attacks and other malicious software spreading on its computers, systems and servers.
According to their information classification, WEpayments’ Information Assets must be adequately encrypted in all traffic that occurs over a public network. This ensures protection throughout the information life cycle and compliance with the security standards of the regulatory bodies.
Security incidents must not be disclosed publicly and must be reported immediately by e-mail to: firstname.lastname@example.org.
Once an incident is reported, the CTO must develop an action plan to correct the failure or mitigate damage.
Risk management must follow the steps below:
WEpayments must adopt specific controls to trace the information, especially seeking to secure sensitive data.
WEpayments must record and analyse the cause and impact and monitor the effects of incidents relevant to WEpayments’ activities, including information received from third-party service providers.
WEpayments values an Information Security and Cybersecurity culture. Therefore, policies and procedures must be adopted to disseminate the principles and guidelines in this Policy, ensuring training and awareness for all Senior Management and staff members.
26.1. Third-Party Procurement
Data processing, storage, and cloud computing services may be performed by third parties in Brazil or abroad. Third parties must be procured by assessing the service provider’s ability to perform the activities while complying with applicable laws and regulations.