Plusoft has been certified ISO27001 since 2017, and in 2023 we recertified against the new version of the standard, ISO27001/2022. We adhere to the 93 controls set out in the standard, which guarantees the maturity of our entire Security process.
Because we work with technology-based solutions, we recognize the risks associated with potential information leaks or loss. For this reason, we pay special attention to every aspect of information security. In addition to operating in compliance with current legislation, including the General Data Protection Law (LGPD, law 13,709/2018), we have implemented a series of formal procedures to identify and mitigate potential threats. In this way, we have created strict processes in our activities through the adoption of a variety of internal policies, which are constantly reviewed and updated. They are:
- PSI Information Security Policy: this policy applies to the entire organization and is intended to prevent misuse and unauthorized destruction or disclosure of Plusoft's proprietary information. Its purpose is to ensure business continuity and maximize return on investments and opportunities;
- Cloud Information Security Policy: created to establish additional and specific guidelines for the OMNI Plusoft customer relationship solution - or any other solution under the management of the Infrastructure area, which is a customer of the cloud service. The document guides employees to seek continuous improvement in activities related to the planning, execution, analysis of their processes/products, protection of the security of the information generated and the correct functioning of the Information Security Management System;
- Corporate privacy policy: the purpose of this content is to clarify what information is collected from users of our site, how this data is used and with whom it is shared, seeking greater transparency in the relationship between Plusoft and the user;
- SOA-Applicability Statement: clarifies which ISO27001/2022 controls we have adopted in our business model;
- Incident Communication Plan: definition of processes to be followed for communication between Plusoft and its clients about incidents;
- Business continuity plan: Plusoft Informática S.A. is committed to ensuring business continuity in the event of anomalous events that may compromise the normal functioning of its business, safeguarding the interests of its clients, employees and other interested parties. This policy applies to the entire organization;
- Corporate data protection policy: data protection in the processing of information from our clients and consumers represents today one of the great assets to be protected in our structure. For this reason, in compliance with data protection legislation, the Plusoft Group has prepared this Corporate Data Protection Policy;
- Clean desk and clear screen policy: this policy aims to make employees aware of good practices, both when working on site and in the home office, for protecting sensitive information in digital and physical format. It ensures that assets (notebooks, cell phones, tablets, etc.) are not left unprotected in personal or public workspaces when not in use, and that the work area is secured whenever someone leaves it, either for a short period of time or at the end of the day;
- Information Security Ebook: learn how Plusoft protects the data of customers, employees, and partners.
We also maintain other internal documents that guarantee the maturity of our entire process:
- Change Management Standard: the purpose of this standard is to provide guidelines for Plusoft's Change Management process, taking into account technical, organizational, and Information Security aspects. With this policy, we want to achieve transparency and security in work routines, mitigating risks and impacts in the process of updating the artifacts or components of the infrastructure assets of the customer relationship solution - or any other solution under the management of the Infrastructure area;
- Awareness Plan: this Plan aims to define the program of Information Security awareness actions for all Plusoft employees;
- Internal disciplinary sanction policy: the purpose of this policy is to inform and guide the penalties applied in case of non-compliance with the Information Security guidelines and the Code of Ethics and Conduct, thereby ensuring that all those involved share responsibility for security processes and for the integrity, availability, and confidentiality of information assets, while seeking continuous improvement in activities related to the planning, execution and analysis of processes/products and the protection of the security of the information generated;
- Continuous improvement methodology: definition of guidelines for the periodic execution of a continuous improvement process, which seeks to improve existing controls or the viability of new controls, mitigating identified threats and risks;
- Risk analysis methodology: provides the guidelines for the Information Security risk management process, meeting the requirements of an information security management system (ISMS) in accordance with ABNT NBR ISO/IEC 27001. The methodology defines the criteria for identifying and evaluating risks, as well as for documenting the valid and consistent results of the risk acceptance criteria and identifying those responsible;
- Human Experience Management Standard: this standard defines the guidelines for the process of selecting, hiring, moving and dismissing employees regarding the management of Plusoft's infrastructure area or corporate environment;
- Secure Development Standard: aims to ensure efficient management of the software development and approval process, considering the requirements for the acquisition, development, and maintenance of information systems covered by the ISO 27001 standard;
- Update Management Standard: this standard aims to define guidelines for managing updates, patches, and asset vulnerabilities, in order to avoid the exploitation of technical vulnerabilities;
- Operations Management Standard: this standard aims to define the rules and procedures for monitoring, operating capacity, and administration of information technology environments and systems;
- Physical and Environmental Security Standard: this document provides guidelines for managing access to the customer relationship solution. The standard also establishes rules for physical access to environments and areas containing information and other associated assets, meeting the requirements of an information security management system (ISMS). In this way, we ensure that only authorized persons have access to data when necessary, avoiding unauthorized access, damage, or interference with information systems or information processing areas;
- Documentary Information Management Standard: the purpose of this standard is to provide guidelines for managing Plusoft documents, taking into account technical, organizational, and information security aspects;
- Endpoint Device Standard: this standard complements the Information Security Policy for the specific purpose of regulating the use of endpoint devices;
- Acceptable Use of Assets Standard: this standard defines the rules and procedures for identifying, treating, and classifying the organization's assets that are under the ownership or custody of Plusoft;
- Communications security standard: definition of communication security rules and procedures involving the organization's assets, with the main objective of mitigating risks within the scope in which the assets are involved;
- Information Management and Classification Standard: definition of the rules and procedures for classifying information, documentation, and records, thereby ensuring that information owned by Plusoft, or in its custody, receives an adequate level of protection and, according to its degree of secrecy, is guaranteed confidentiality, integrity and availability;
- Standard for relations with suppliers and service providers: maintaining the agreed level of information security in relations with suppliers and service providers;
- Information Security Event Management Standard: provision of guidelines for the Incident Management process, meeting the requirements of the Information Security Management System (ISMS) in accordance with ABNT NBR ISO/IEC 27001;
- Access control standard: this document provides the necessary guidelines for managing access to the customer relationship solution, meeting the requirements of an information security management system (ISMS), thereby ensuring that authorized users obtain access when necessary and preventing unauthorized access to information systems;
- Remote Work Standard: protection of information accessed, treated, or stored outside the facilities;
- Audit Plan: establishment of the internal audit program at planned intervals, providing information on how to maintain an audit program, including frequency, methods, responsibilities, planning requirements, and reporting. This auditing program takes into account the importance of the relevant processes and the results of previous audits;
- Information Security Management System Manual: this manual aims to establish the guidelines and operation of the Information Security Management System, guiding its employees to seek continuous improvement in activities related to the planning, execution, analysis of its processes/products and protection of the security of the information generated;
- Impact Analysis: identifies the most relevant activities in the Production Infrastructure and assesses the impacts in adverse contingency or disaster cases;
- SOA-Applicability Statement: clarifies which ISO27001/2022 controls we have adopted in our business model and which documents justify the adoption or not of each control.