Information Security Policy

1. Scope

Information and its repositories are critical assets for Vieira de Almeida (VdA). Regardless of the form and means of transmission, collection and storage of information, it must be adequately protected. In this context, information security is a top priority and a focus of all the company's activities and is considered an essential practice for the sustainable development of its business.

The Information Security Policy (ISP) is a document that falls within the strategic level of VdA's Information Security document structure, a structure that is defined and organised in the Information Security Management System (ISMS), in compliance with ISO/IEC 27001 (Information Security Management Systems), and which:

  • Defines the strategy and general principles of Information Security management;
  • Defines the organisational and governance model for Information Security;
  • Aims to foster a culture of Information Security;
  • Aims to promote Information Security as an indispensable goal.

2. Definition of Information Security

Information Security aims to safeguard information against a wide range of threats through a risk management process. This ensures the continuity of business activities and optimises the return on investments made.

All information has a value for society and must be properly protected. Information protection is centred around three main axes:

  • Confidentiality: Ensuring that information is only accessed by those authorised to do so;
  • Integrity: Safeguarding the accuracy of information and processing methods to ensure their credibility and robustness; and
  • Availability: Ensuring that authorised users have access to the corresponding information and related assets whenever necessary.

VdA uses the ISO/IEC 27001 standard as a benchmark for information security management. Together with the applicable laws and regulations and other international best practices in this field, it forms the basis for all the controls, policies and procedures that make up its ISMS.

3. Information security principles and objectives

The principles of Information Security are based on supporting and protecting VdA's operational activities, as well as the promotion of acceptable and desired behaviours that all users should adopt, thus defining a pro-Information Security culture across the entire firm. In this context, the objectives of the ISMS are:

  • Ensuring that Information Security is an integral part of all essential activities;
  • Ensuring that Information Security contributes to value creation and supports the business;
  • Ensuring that legal and regulatory obligations are met, stakeholder expectations are managed and met, and fines imposed by regulators are avoided;
  • Analysing and assessing emerging threats to Information Security, so that informed and timely risk mitigation actions can be taken;
  • Reducing costs, improving effectiveness and efficiency, and promoting a culture of continuous improvement in Information Security;
  • Ensuring that risks are dealt with consistently and effectively;
  • Guiding Information Security resources to protect assets where security incidents could have a significant impact on operational activity;
  • Promoting a proactive culture with regard to Information Security issues, encouraging responsible end-user behaviour, reducing the likelihood of security incidents and limiting the impact on operational activity.

4. Information Security Responsibilities

The ISP applies to all VdA employees, regardless of their position, level of responsibility or the functions they perform, as well as to all stakeholders (interested parties or those involved in VdA's business processes, including but not limited to employees, customers, suppliers, shareholders and regulators) who have access to information under VdA's responsibility.

Stakeholders must be aware of the instructions, rules and sanctions relating to the operation of the services they use and must also:

  • Fully accept the rules and liabilities defined in this document and in VdA's internal rules and procedures on the use of information handling resources;
  • Comply with professional codes of ethics and the requirements of the legislation in force relating to the sector's activities, with particular attention to data protection legislation;
  • Immediately report any failure or non-compliance identified in Information Security, in accordance with the incident reporting procedure;
  • Take responsibility for their electronic identity, passwords, authentication credentials, authorisations and other security devices, and not share this information with anyone;
  • Respect the access and distribution rules for all assets classified as confidential, restricted or internal information.

5. Disclosure

The ISP is categorised according to its purpose and target group and is available to all of VdA's internal and external stakeholders.

6. Validity and Review

This document is valid from the date of its approval until a new version is approved and communicated. It is reviewed annually, or whenever changes to internal or external requirements make an earlier review necessary.

7. Version and classification

This document is publicly available and corresponds to the version updated on 2025-02-13.