Security Policy

Information Security Risk Management Policy

  1. OBJECTIVE
  2. SCOPE
  3. DEFINITIONS
  4. GUIDELINES
    4.1 Risk Identification
    4.2 Risk Assessment
    4.3 Risk Strategy
    4.4 Validation Controls
    4.5 Risk Treatment
    4.6 Risk Monitoring
    4.7 Risk Communication
  5. RESPONSIBILITIES
    5.1 Epimed Solutions management and directors must:
    5.2 Epimed Solutions Risk Management Committee must:
    5.3 The workforce must:
    5.4 Customers must:
  6. DISCIPLINARY PROCESS

1 - OBJECTIVE

This document aims to establish guidelines and responsibilities to be observed in the Epimed Solutions Information Security Risk Management process, in order to enable the identification, assessment, treatment, monitoring and communication of operational, technological and imaging risks.

2 - SCOPE

This policy is applicable to all organizational levels of Epimed Solutions that integrate its risk management process directly or indirectly.

3 - DEFINITIONS

Term: Definition

Risk: Possibility of an event that negatively affects the achievement of the objectives of the Company or its processes.
Risk Appetite: Degree of exposure to risk that the Company is willing to accept in order to achieve its strategic objectives and generate value for its cooperative members.
Team Members: All people who provide services internally or externally to the company, whether as temporary or full-time employees, including service providers. Examples of team members are directors, cooperative members, employees, interns and third parties who work within the facilities of the company.
Third Parties: Outsourced service providers, permanent or temporary, that provide services to Epimed Solutions.
Risk Analysis: Systematic use of information to identify sources of risk and to estimate risk.
Risk Identification: The process used to locate, list and characterize the elements of a risk.
Risk Estimate: The process used to assign values to the probability and consequences of a risk.
Risk Management: Coordinated activities to direct and control an organization with regard to risk.
Risk Reduction: A form of risk treatment in which actions are taken to reduce the likelihood, the negative consequences, or both, associated with risks.
Information: Knowledge presented to a person in a way that can be understood; data that has been processed or organized so as to have meaning. Information, like any other important business asset, has value for the organization and therefore needs to be adequately protected.
Integrity: The security principle through which the authenticity of information is guaranteed.
Information Security: Preservation of the confidentiality, integrity and availability of information.

4 - GUIDELINES

The guidelines presented in this policy define and characterize the macro stages of the Epimed Solutions Information Security Risk Management process.

4.1 Risk Identification
Risk identification aims to recognize and describe the risks to which the Company is exposed.

4.2 Risk Assessment
After the risks have been identified, qualitative and quantitative analyses are carried out to define the impact and probability attributes that are used to prioritize the risks to be addressed.

4.3 Risk Strategy

After risk assessment, a treatment strategy is defined for each risk, chosen from the options below:

  • Reducing
  • Accepting
  • Transferring
  • Avoiding

4.4 Validation Controls
This stage determines how important it is to implement a control for each risk, and includes the survey and analysis of the controls that already exist.

4.5 Risk Treatment
After the validation controls stage, the way in which risks will be handled is defined, together with how they must be monitored and communicated to the different parties involved.

4.6 Risk Monitoring
Aiming at the continuous improvement of Risk Management, the monitoring process consists of following up on the performance of risk indicators and supervising the implementation and maintenance of action plans and the achievement of established goals, through continuous management activities and/or independent assessments.

4.7 Risk Communication
Communication during all stages of the integrated risk management process reaches all interested parties. It is carried out clearly and objectively, respecting the good governance practices required by the market.

5 - RESPONSIBILITIES

5.1 Epimed Solutions management and directors must:

  • Approve the level of risk appetite of Epimed Solutions and the tolerance ranges for deviations from acceptable risk level;
  • Approve the Information Security Risk Management Policy of Epimed Solutions, as well as any future reviews.

5.2 Epimed Solutions Risk Management Committee must:

  • Monitor risk management, periodically validating and reviewing the risk matrix of Epimed Solutions, as well as the structure of internal controls capable of minimizing the occurrence of risks;
  • Define the risks to be prioritized for treatment, based on the level of risk exposure;
  • Evaluate the performance of the risk indicators, in order to align them with the strategic objectives of the Company;
  • Provide the alignment of strategic and operational matters in the integrated risk management (IRM) process;
  • Review and evaluate the effectiveness of the IRM work processes;
  • Report to the Executive Board the results of the risk management process;
  • Review the Information Security Risk Management Policy of Epimed Solutions;
  • Indicate risk owners;
  • Approve the action plans to mitigate the risks of the Company’s areas;
  • Disseminate the risk management culture, making Team Members aware of the risks inherent in the business and of their responsibilities in the IRM process;
  • Evaluate, monitor and propose procedures that mitigate the risks of violation of personal data that is collected, stored and disposed of.

5.3 The workforce must:

  • Manage the risks inherent to the business processes for which they are responsible;
  • Optimize risk-based decisions;
  • Seek opportunities, aiming to obtain competitive advantage and increase value for customers.

5.4 Customers must:

  • Ensure basic security measures to avoid risky situations.

6 - DISCIPLINARY PROCESS

  • Failure by Team Members to comply with this Information Security Risk Management Policy will result in the application of penalties as assessed by the “Ethics Committee” in accordance with the Company’s Code of Ethics and Conduct.
  • Failure by third parties to comply with this Information Security Risk Management Policy will result in disciplinary action, as provided for in the contract, or termination thereof.