1. OBJECTIVE

This document defines all the rules and basic principles to ensure the quality and protection of LGK's information. These instructions are developed and maintained taking into account the Information Quality and Security of the suppliers and their infrastructures related to the provision of services.

2. SCOPE

This document applies to all suppliers and partners who provide products or services, or access information from LGK.

3. TERM

This Policy comes into force on the date of its publication.

4. DEFINITIONS

IS: Information Security.

5. RELATED DOCUMENTS

DO.001 - Integrated Management System Manual
PO.001 - Information Security Policy

6. GUIDELINES

All suppliers must undergo an approval process. This approval process will assess the risks related to information quality and security and the ways of mitigating the risks related to the products or services provided. Risks can be mitigated on the basis of contractual clauses that guarantee information quality and security, or certifications.

The approval process must be recorded in FR.008 - List of suppliers.

Suppliers will be monitored on a monthly basis, and the results of this monitoring will be evaluated on an annual basis. The record of the monitoring and evaluation should be kept in FR.020 - Supplier evaluation, and when the supplier is not performing satisfactorily, action should be taken.

The following are the information security guidelines that can be implemented by suppliers.

6.1 Human Resources Information Security

6.1.1 Information Security Awareness

Information security education must be an ongoing process and practiced regularly in order to reduce risks. All employees of the service provider who have access to information systems must participate in an information security awareness program every year.

6.1.2 Confidentiality agreements

Non-disclosure agreements signed by employees and contractors must remain in force after termination or change in the employment relationship.

6.2 Data Integrity Classification

Data must be classified on the basis of data confidentiality requirements. The appropriate set of measures for identifying data processing must be defined and implemented.

6.2.1 Media handling

The service provider must establish a procedure for handling media (internal/external hard drives, memory drives, etc.), considering disposal in order to prevent unauthorized disclosure of data.

6.3 Access control

Access to assets must be managed by the asset owner. In particular, access control standards must be established, documented and periodically reviewed. Access to data, systems and applications must be controlled by a secure authentication procedure.

User access management processes must be defined and formalized, including provisioning, modification and deletion steps. User access must be assigned as required.

The process should ensure accountability for user access management actions. Formal reviews of user access rights should be carried out at regular intervals, depending on the criticality of the asset, and at least once a year, in order to identify any unauthorized access and ensure proper segregation of duties.

6.4 Clean desk and screen policy

A clean desk and clean screen policy should be established in information processing facilities, taking into account data classifications, legal and contractual requirements and risks.

6.5 Network Services Security

Each network service, whether local or outsourced, must include security mechanisms (protection, detection and reaction) adapted to the sensitivity of the data being transmitted. These security mechanisms must be implemented in the network or directly in the systems, applications, workstations or databases.

All data transfers must be carried out using tools explicitly validated by the Infra team.

6.6 Remote work

A Remote Working Policy must be established to ensure that information is properly handled when it is accessed outside the work environment.

6.7 Information and systems backup

Backup and restore policies must be defined for LGK's data, software and data handling systems.

6.8 Relations with third parties

Projects delivered by third parties must follow the guidelines set out in this Policy, and the service provider is fully responsible for guaranteeing the services and all legal obligations.

6.9. Acquisition, Development, and Maintenance of Systems

All suppliers of software, systems development or maintenance must follow this policy. Whenever the service provider starts a new IT project or makes a substantial change to an existing information system, we recommend that the mandatory security items be documented.

6.10. Incident management

Information Security incidents must be identified and managed through consistent, disciplined and shared processes.

All security incidents that may impact LGK must be notified and reported to Information Security as soon as they are identified.

6.11. Observance of laws and regulations

The company's activities must guarantee compliance with contractual obligations to ensure that the appropriate quality and occupational safety requirements are taken into account in its processes.

For Suppliers who process personal data, LGK must ensure that personal data is managed in accordance with Law 13709 of August 14, 2019 - General Law on the Protection of Personal Data, when no other guidance is given.

The service provider's activities must guarantee compliance with statutory and regulatory obligations to ensure that the appropriate quality and information security requirements are taken into account in its processes. All relevant legal, statutory and regulatory requirements must be explicitly defined and documented.

6.12. Violations

Any event that results in quality or information security problems must be reported.

In the event of a breach of this policy or the other policies, LGK may warn the Supplier and may even terminate the contract.