The MEDINA GUIMARÃES ADVOGADOS law firm offers advisory and litigation services in the areas of Civil Law, Business Law, Tax Law, health, judicial recovery, credit recovery and banking, among others. The office also specializes in practice before the Higher Courts.
This organization aims at legal improvement, enabling concrete results for clients, partners and third parties in a safe and modern way.
It is the understanding of the Firm that corporate information is essential to the activities necessary for its regular operation and to safeguarding the quality and guarantee of the services offered to customers, as well as to the relationship with service providers, outsourced workers, suppliers, and all those who maintain a commercial bond with this organization.
Understanding the information within the organizational microsystem, the MEDINA GUIMARÃES ADVOGADOS Office establishes its General Information Security Policy as an integral and indispensable part of the corporate management process, always preserving good practices, in order to ensure adequate information protection under its responsibility.
Establish security procedures and rules for the handling of data and information, from collection to disposal, as well as define the rules for the use of work equipment made available by the company to employees, ensuring good practices and privacy throughout the treatment process.
The Policy's final purpose is to prevent possible information security incidents, minimizing risks and adopting controls and processes to achieve the requirements of Information Security.
This policy is applied without distinction to all employees of the MEDINA GUIMARÃES ADVOGADOS office, at all hierarchical levels, including, but not limited to, outsourced workers and suppliers.
It is also applied to all those who already had some link with this organization and had access to information and / or used computational resources within its infrastructure.
In order to protect the data and information under our custody, we base our policy on three principles: confidentiality, integrity and availability.
The principle of confidentiality guarantees that access to information is made exclusively by an authorized person and provided only if absolutely necessary for the purpose contracted, typified by law or by the express consent of the holder.
The principle of integrity ensures that the information is not modified and remains intact during its processing, except in cases of legal necessity or when the data holder requests.
Finally, the principle of availability allows employees, customers, third parties and website users to access the personal data they hold in an accessible, safe and efficient manner, with the possibility of revoking consent for treatment at any time, provided that they so request.
The Managing Partners and the managers of the nucleus responsible for Information Security are committed to, and kept constantly up to date on, the processes necessary for the systematic and effective management of everything involving information security, providing operational support in order to minimize the identified risks and their eventual impacts for this institution, its collaborators, customers, third parties and website users.
All security controls and mechanisms implemented aim to fulfill the requirements of reliability, that is, confidentiality, integrity and availability, measuring all risks, threats and vulnerabilities that may exist in the organization.
Information on the organization of employees, customers, contractors, suppliers, third parties and website users must be treated in an ethical and confidential manner, always guided by existing rules and legislation, preserving their integrity and preventing misuse.
Each employee has a unique and non-transferable identification, as well as limited access to the necessary areas for the exclusive performance of their activities.
Update and awareness training related to information security will be carried out periodically with all employees, without distinction.
Besides risk management, the management of and response to security incidents have been established, with defined action plans to ensure the immediate recovery of the information system. Likewise, the management of business continuity processes has been implemented so that, if necessary, in the event of incidents, there is a quick resumption of the activities of this organization, all with the intention of ensuring that the information protection policy takes place in a systematic and effective manner, preventing incidents from occurring and minimizing the risks for the Office itself and for the holders of the processed personal data.
5.1 Effective information security policies
5.1.1 To develop, implement, monitor and update the information security rules and procedures, ensuring that the principles that govern this policy are observed and achieved through the controls of any internal and external threats.
5.1.2 To provide the policies, standards and all information security processes available to interested and authorized parties, involving employees, third parties, suppliers, customers and users of the website.
5.1.3 To ensure constant training and awareness about the information security practices adopted by the organization.
5.1.4 To meet and apply the information security requirements imposed by law, regulation or contractual clause.
5.1.5 To deal with information security incidents, ensuring their registration, investigation, classification, correction and documentation and, when necessary, if there is any threat or indication of risk, notify the necessary authority and the holders who may suffer some type of damage.
5.1.6 To have a Business Continuity Plan that guarantees the quick return of services in case of incidents.
5.1.7 To always aim to improve information security management, periodically reviewing its objectives and guidelines.
6.1 Information Security Committee
The Information Security Committee is composed of a member of the Board of Directors, two members of the Advisory Board, a member responsible for the area of technology and information security and a member responsible for the area of human resources.
The committee is responsible for:
Analyzing, reviewing and proposing the approval of policies and standards related to information security.
Ensuring the availability of the necessary resources to accomplish effective information security management.
Ensuring that information security activities are accomplished, based on this general policy.
Disclosing and to the culture of information security within the organization.
6.2 Information Security Management
The Information Security Management will be composed of a representative of the Committee, who should:
Conduct the management and operation of information security, always based on this policy and other resolutions of the Committee.
Elaborate and propose to the Committee the information security rules and procedures necessary to accomplish the Policy.
Identify and assess existing information security threats, as well as propose and, if approved, implement measures to inhibit or minimize risk.
Ensure that this policy is complied with by everyone.
Perform the management of information security incidents in an appropriate manner.
6.3 People and / or process managers
Managers must adopt an exemplary posture in terms of information security, serving as a model and inspiration for their subordinates.
They must also:
Manage information throughout its entire process, including creation, capture, handling and safe disposal, in accordance with the rules established in this policy.
Identify and classify the generated information or the information under their responsibility according to the standards, criteria, guidelines and procedures adopted by this Policy.
Periodically review the information handled, adjusting its classification if necessary.
Authorize, prohibit and review access to information and systems under their responsibility.
Request to grant or revoke access to information or information systems in accordance with the procedures adopted in this instrument.
6.4 Employees and other users of information
A collaborator is any natural person who carries out any activity inside or outside this institution, regardless of the contracting regime.
A user is any natural or legal person who maintains a relationship with this organization, including via the website, such as a contractual relationship, who provides some type of service, provides products, has access to information or consents to the processing of their own data, except under an employment, association or internship contract.
The aforementioned parties are responsible for:
• Read, understand and fully comply with the guidelines of the General Information Security Policy, as well as the other standards and security procedures included in this policy.
• Send doubts or clarification requests about the general policy, its rules and procedures to the person in charge or to the Information Security Committee, through the electronic address firstname.lastname@example.org.
• Communicate to the Information Security Committee Manager any violation of the Policy or something that may cause risks to information security or threaten the computer network and / or the technologies employed by this organization, which can be done through the electronic address email@example.com.
• When requested, sign the Term of Use of the organization’s information systems, formalizing the reading, acknowledgment, consent and full acceptance of the provisions of the General Information Security Policy and the norms that integrate it.
The employee / user will be fully responsible for the losses that this organization may suffer as a result of non-observance of the guidelines and rules defined in this security policy.
7.1 Violations, even if by omission or attempt, of this policy, as well as of the information security rules and procedures, will be subject to penalties that include oral warning, written warning, unpaid suspension and dismissal with cause.
7.2 The application of the sanction / punishment will follow the analysis of the Information Security Committee and will consider the gravity of the infraction, the effect achieved and possible recurrence, also observing the provisions of art. 482 of the CLT for employment contracts governed by the aforementioned legislation.
7.3 For other users, third parties, contractors, service providers and website users, the Information Security Management Committee will analyze the occurrence and decide on the application of sanctions / punishments in accordance with the contract between the parties, based on the legislation applicable and duly communicated to the competent authority.
7.4 In case of a violation resulting from illegal activity or that causes damage to the organization, the infringer will be responsible for the damages, with the consequent application of the appropriate legal measures, also safeguarding the right of recourse of MEDINA GUIMARÃES ADVOGADOS, in addition to the items above.
Omitted cases, which have not been expressly covered by this Policy, will be evaluated and deliberated by the Information Security Management Committee.
The guidelines established in this Policy, as well as in the other norms and procedures that integrate it, are not exhaustive, due to the rapid and continuous technological evolution and new threats.
Therefore, collaborators and users of information in general, related to this organization, should, whenever possible, adopt other security measures in addition to those provided herein, in order to ensure proper protection and maintenance of the processed data.
Potential cause of incidents that can result in damage to the organization, its employees, members, customers and third parties.
Everything that has value for the MEDINA GUIMARÃES ADVOGADOS office, including the tangible (documents, systems, database, contracts, manuals, equipment in general), and the non-tangible, such as the organization’s image and reputation.
9.3 Information Asset
MEDINA GUIMARÃES ADVOGADOS patrimony, including information of any nature, whether of a strategic, technical, administrative, financial nature, human resources, knowledge and skills of the team, as well as information created or acquired through partnership, acquisition, purchase, or entrusted by partners, customers, employees and third parties.
9.4 Information Security Committee (ISC)
Internal and multidisciplinary working group whose objective is to deal, uninterruptedly, with issues related to information security.
Prohibition of making information assets available to unauthorized persons, processes or entities whose purpose is not prescribed by applicable law – (Law 13,709 / 2018).
Security measure adopted to deal with a specific risk.
It is the degree to which information is available to the user and the information system at the time the organization requires it.
9.8 Information manager
Information user who holds a specific position and to whom responsibility has been assigned for one or more information assets processed by the organization. To contact the person in charge / manager, use the following e-mail address: firstname.lastname@example.org.
9.11 Information Security Incident
Adverse event, confirmed or suspicious, related to information security, which may lead to the loss of one or more basic principles of information security (confidentiality, integrity and availability).
Maintenance of the initial conditions of the information in the form in which it was produced and stored, without altering the original form, except in cases of express request of the holder or legal determinations.
9.13 Information security risk
It concerns the likelihood that a threat agent will take advantage of an eventual vulnerability and impact business assets.
9.14 Information security
It is the protection of information against the most diverse types of threat, in order to guarantee the continuity of the business, preserving the principles of confidentiality, integrity and availability of information.
9.15 Information technology (IT)
It is the set of activities and solutions provided by computing resources that aims at the production, storage, transmission, access, security and use of information. The IT analyst, member of the Information Security Management Committee, is responsible for implementing, maintaining and managing these activities within the organization.
It is the degree to which an asset, group of assets or control(s) can be exploited by one or more threats. It is the absence or weak point of a preventive measure that can be exploited. Potential cause of information security incident.
This policy is reviewed, at least, every six months, or according to the understanding of the Information Security Management Committee.
The General Information Security Policy is approved by the Information Security Committee and is available to all employees, users and third parties, including on the Office’s website – medina.adv.br.
Medina Guimarães Advogados
Information Security Management Committee