Information Security Roles and Responsibilities
Policy Owner: Daniel Peixoto
Effective Date: Nov 9, 2024
Statement of policy
Straloo Tecnologia LTDA is committed to conducting business in compliance with all applicable laws, regulations, and company policies.
Straloo Tecnologia LTDA has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
Objective
This policy and its associated guidance establish the information security roles and responsibilities within Straloo Tecnologia LTDA, which are critical for effective communication of information security policies and standards.
Roles are required within the organization to provide clearly defined responsibilities and a shared understanding of how the protection of information is to be accomplished.
Their purpose is to clarify and coordinate the activities and actions necessary to disseminate security policy and standards and to implement them.
Applicability
This policy applies to all Straloo Tecnologia LTDA infrastructure, network segments and systems, and to all employees and contractors who provide security and IT functions.
Audience
The audience for this policy includes all Straloo Tecnologia LTDA employees and contractors who are involved with the Information Security Program.
Awareness of this policy is required of all other agents of Straloo Tecnologia LTDA with access to Straloo Tecnologia LTDA information and infrastructure.
This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
These groups will be referred to collectively hereafter as the "Straloo Tecnologia LTDA community".
Roles and responsibilities
| Roles | Responsibilities |
| --- | --- |
| CEO | Oversight of cyber-risk and internal control for information security, privacy and compliance; ensuring employees and contractors are qualified and competent for their roles; ensuring appropriate testing and background checks are completed; ensuring that personnel and relevant contractors are presented with company policies and the Code of Conduct (CoC); ensuring that employee performance and adherence to the CoC are periodically evaluated; ensuring that personnel receive appropriate security training; oversight of the third-party risk management process; review of vendor service contracts; approval of capital expenditures for information security and privacy programs and initiatives; oversight of the execution of the information security and privacy risk management program and its risk treatments |
| CTO | Design, development, implementation, operation, maintenance and monitoring of IT security controls; conducting IT risk assessments, documenting identified threats and maintaining the risk register; reporting information security risks annually to Straloo Tecnologia LTDA's leadership and obtaining approval to bring risks to acceptable levels; coordinating the development and maintenance of information security policies and standards; oversight of identity management and access control processes; design, development, implementation, operation, maintenance and monitoring of security controls for development and commercial cloud hosting environments; compliance with the company's contractual commitments; maintaining compliance with relevant data privacy and information security laws and regulations (e.g. GDPR, CCPA); adherence to the information security and data privacy standards and frameworks adopted by the company, including SOC 2, ISO 27001 and the Microsoft Supplier Data Protection Requirements (DPR); oversight, implementation, operation and monitoring of information security tools and processes in customer production environments; execution of customer data retention and deletion processes in accordance with company policy and customer requirements |
| Systems Owners | Maintaining the confidentiality, integrity and availability of the information systems for which they are responsible, in compliance with Straloo Tecnologia LTDA policies on information security and privacy; approving technical access and change requests for non-standard access to systems under their control |
| Employees, contractors, temporary workers, etc. | Acting at all times in a manner which does not place at risk the health and safety of themselves or other persons in the workplace, or the information and resources they have use of; helping to identify areas where risk management practices should be adopted; taking all practical steps to minimize Straloo Tecnologia LTDA's exposure to contractual and regulatory liability; adhering to company policies and standards of conduct; reporting incidents and observed anomalies or weaknesses |
Policy compliance
The CTO will measure compliance with this policy through various methods, including, but not limited to, reports, internal and external audits, and feedback to the policy owner.
Exceptions to the policy must be approved by the CTO in advance.
Non-compliance will be addressed with management and Human Resources and can result in disciplinary action in accordance with company procedures up to and including termination of employment.
Version history
| Version | Date | Description | Author | Approver |
| --- | --- | --- | --- | --- |
| 1.0 | Nov 9, 2024 | Version 1.0 | Daniel Peixoto | Daniel Peixoto |