Information Security Operational Policy

INTRODUCTION

Korn Translations (hereinafter referred to as Idlewild Burg), aiming to establish a lasting and trustworthy alliance with its clients, collaborators, and suppliers, and with the objective of satisfying its clients’ needs with excellence, confidentiality, integrity, and availability, is committed to protecting its proprietary information used in providing its services.

Establishing an Information Security and Privacy Management System is a commitment from Idlewild Burg’s senior management, whose focus is:

  • To guarantee the confidentiality, integrity, and availability of information owned by or used by Idlewild Burg, with the goal of ensuring the continuity of processes and quality in the provision of its services.
  • To ensure compliance with current legislation and contractual requirements.
  • To promote the professional development of its employees.
  • To practice continuous improvement of the Information Security and Privacy Management System.

 

This Policy is endorsed and supplemented by the Privacy Policy, the Code of Ethics and Conduct, the Confidentiality Agreements, and the Addendum to the Employment Contract – Change from on-site work to partial or full-time telework (Home Office).

 

Scope

This Policy applies to all employees who use Idlewild Burg’s resources and information.

 

Applicable Legislation

It is the responsibility of Idlewild Burg’s Senior Management, along with the relevant internal departments, to review and keep up-to-date records of applicable legislation and to take appropriate action where applicable.

Other stakeholders in Idlewild Burg’s operational chain (customers, suppliers, third parties, legal entities/subcontractors, among others) must also comply with the applicable legislation, according to their scope and applicability.

The following laws, among others, relate to Idlewild Burg’s information security policies, guidelines, and standards:

  • Federal Constitution;
  • Consumer Protection Code (Law No. 8,078, of September 11, 1990);
  • Federal Law No. 8,159, of January 8, 1991 (National Policy on Public and Private Archives);
  • Federal Law No. 9,610, of February 19, 1998 (Copyright Law);
  • Federal Law No. 9,279, of May 14, 1996 (Industrial Property Law: trademarks and patents);
  • Law No. 3,129, of October 14, 1882 (regulates the granting of patents to the authors of industrial inventions or discoveries);
  • Federal Law No. 10,406, of January 10, 2002 (Civil Code);
  • Decree-Law No. 2,848, of December 7, 1940 (Penal Code);
  • Federal Law No. 9,983, of July 14, 2000 (amends Decree-Law No. 2,848, of December 7, 1940, the Penal Code, and other provisions);
  • Law No. 12,965, of April 23, 2014 (Brazilian Internet Bill of Rights);
  • Federal Law No. 13,709, of August 14, 2018 (General Law on the Protection of Personal Data – LGPD);
  • Law No. 12,846, of August 1, 2013 (Anti-Corruption Law);
  • Law No. 10,097/2000 and Decree No. 9,579, of November 22, 2018 (apprenticeship and employment of minors);
  • Law No. 12,737, of November 30, 2012 (Law on Digital Crimes);
  • Decree-Law No. 5,452, of May 1, 1943 (Consolidation of Labor Laws – CLT).

 

Terms and Definitions

For the purposes of this Policy, the following terms and definitions apply:

  • Risk acceptance: the decision to accept a risk.
  • Critical areas: premises of Idlewild Burg or its clients where an information asset related to information critical to the company’s or its clients’ business is located.
  • Threat: a potential cause of an unwanted incident that could result in damage to a system or organization.
  • Risk analysis: the systematic use of information to identify sources and estimate risk.
  • Risk assessment: the process of comparing estimated risk with predefined risk criteria to determine the significance of the risk.
  • Corrective action: action to eliminate the cause of an identified nonconformity or other undesirable situation.
  • Attack: an attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to or make unauthorized use of an asset.
  • Asset: any component, resource, or set thereof applicable to preserving the confidentiality, integrity, and availability of data and information (hardware, software, infrastructure, people with their knowledge, etc.).
  • Information asset: knowledge or data that has value to the company.
  • Authenticity: a property that guarantees the authorship of a given piece of data.
  • CGSI: The Information Security Management Committee is a multidisciplinary group that brings together representatives from various areas of the company, approved by the Board of Directors, with the aim of defining and supporting strategies necessary for the implementation and maintenance of the ISMS – Information Security Management System.
  • Risk communication: the exchange or sharing of information about risks between the decision-maker and other stakeholders.
  • Reliability: a characteristic of consistent behavior and desired results.
  • Confidentiality: the characteristic that information is not available to, nor can it be disclosed to, unauthorized individuals, entities, or processes.
  • Control: risk management methods, including policies, procedures, guidelines, practices, or organizational structures, which may be administrative, technical, managerial, or legal in nature.
  • Access control: means to ensure that access to assets is authorized and restricted based on security and business requirements.
  • Risk criteria: terms of reference by which the importance of the risk is assessed.
  • Personal data: any information relating to an identified or identifiable natural person, whether provided by Idlewild Burg, accessed on its behalf, or relating to a natural person linked to Idlewild Burg, including, but not limited to, name, address, telephone number, email, and bank details.
  • Sensitive data: personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
  • Statement of Applicability: a documented statement describing the control objectives and controls that are relevant and applicable to the company’s ISMS.
    • Note: Control objectives are based on the results and conclusions of risk analysis/assessment and risk treatment processes, legal or regulatory requirements, contractual obligations, and the company’s business requirements for information security.
  • Availability: the characteristic of being accessible and usable on demand by an authorized entity.
  • Information security event: an identified occurrence of a system, service, or network state indicating a possible violation of the Information Security and Privacy Policy or failure of controls, or a previously unknown situation that may be relevant to information security.
  • Risk management: coordinated activities to guide and control a company with regard to risks.
  • Information critical to Idlewild Burg’s business: any information that, if accessed, modified, destroyed, or disclosed without authorization, will result in operational or financial losses to Idlewild Burg or its customers. Example: customer data, system sources, business rules, strategic or business information from customers obtained in meetings, Idlewild Burg’s strategic planning, prospecting, Idlewild Burg’s strategic information.
  • Impact: adverse change in business objectives.
  • Information security incident: a single event or a series of unwanted or unexpected information security events that have a high probability of compromising business operations and threatening information security.
  • Integrity: the property of safeguarding the accuracy and completeness of assets.
  • Mitigation: limiting the negative consequences of a given event.
  • Non-repudiation: the ability to prove the occurrence of an alleged event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and the involvement of entities in the event.
  • Risk: the combination of the probability of an event and its consequences.
  • Information security risk: the possibility of a threat exploiting a vulnerability in an asset or group of assets and thus causing damage to the company.
  • Residual risk: risk remaining after risk treatment.
  • Sanitization: within the context of digital forensics, the process of wiping data storage media consists of irreversibly erasing all data from a storage device, that is, permanently eliminating its residual information.
  • Information security: preserving the confidentiality, integrity, and availability of information.
    • Note: Additionally, other properties such as authenticity, responsibility, non-repudiation, and reliability may also be involved.
  • Management system: a framework of policies, procedures, guidelines, and associated resources for achieving the company’s objectives.
  • Information Security Management System – ISMS: part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
  • Risk treatment: the process of selecting and implementing measures to modify a risk.
  • Vulnerability: a weakness in an asset or control that can be exploited by a threat.

 

Documented Information

Regulatory Structure

The documents that make up the regulatory framework are divided into 5 categories:

a) Policy (strategic level): defines the high-level rules that represent the basic principles that Idlewild Burg has decided to incorporate into its management in accordance with the strategic vision of senior management. It serves as a basis for creating and detailing operational policies and procedures.

b) Operational policy: as set out in this document, it defines specific rules that guide and regulate responsibilities and actions at the operational level.

c) Procedures (operational level): these implement the policy provisions, allowing for direct application in Idlewild Burg’s activities.

d) Manuals: instruction guides that support the execution of a process or the use of software.

e) Templates: document models and controls under version control.

All processes and templates are available on the Process Portal, and the records are in the Idlewild Burg document repository. All documented information that evidences the execution of a process must have its storage controlled to ensure its prompt retrieval.

New documents or revisions must be submitted by the managers of the areas concerned for approval by senior management before being made available, in accordance with the Documented Information process, which is owned by the Quality department.

Printed copies of the content from the Idlewild Burg Process Portal are not considered valid and are prohibited.

The documents that make up the structure must be disclosed to all Idlewild Burg employees, interns, young apprentices, and service providers upon their admission through the company’s official internal communication channels, in accordance with Idlewild Burg’s Communication Plan, and may be made available through the current HR management software, the Process Portal, and the shared document repository, so that their content can be consulted at any time.

Any changes made to the Information Security and Privacy Policy must be submitted to the CEO or the Administrative Board for approval. After its approval, the policy should be publicized and employees trained.

 

Information Classification

It is deemed necessary to classify all information owned by or in the custody of Idlewild Burg in a manner proportional to its value to the company.

Information that makes up the ISMS should be classified as:

  • Confidential information – information that, if disclosed internally or externally, has the potential to cause significant financial or reputational damage to Idlewild Burg. Such information may be protected, for example, by encryption.
  • Restricted access – strategic information that should only be available to restricted groups of employees. It is protected by restricting access to the folders in which it is stored on the network drive and by the different access levels in the systems and on the Idlewild Burg Portal.
  • Internal information – these are items that cannot be disclosed to people outside of Idlewild Burg, but which, if disclosed, do not cause significant harm. The concern at this level is primarily related to the integrity of the information.
  • Public data – this refers to data that does not require specific protection against leaks, as it may be publicly available.

 

Information relating to employees, the financial sector of Idlewild Burg, and customer information (registration data and documents) is always considered restricted, with access granted only to those who need it to perform their duties and provide the contracted service. To enable proper information control, the access levels described in the General Infrastructure and IT Procedures should be used.

 

Information Security Guidelines

The following are the guidelines of Idlewild Burg’s Information Security and Privacy Policy, which constitute the main pillars of the company’s information security management, guiding the development of rules and procedures.

The protection of information belonging to or under the custody of Idlewild Burg is defined as essential and a primary factor in the professional activities of each employee, intern, apprentice, or service provider of the company.

a) Employees must take a proactive stance regarding the protection of Idlewild Burg’s information and must be vigilant against external and internal threats, as well as fraud, information theft, and unauthorized access to information systems under Idlewild Burg’s responsibility.

b) Confidential matters should not be discussed publicly.

c) Passwords, keys, and other personal credentials are non-transferable and must not be shared or disclosed.

d) Only software approved by Idlewild Burg may be used in the Idlewild Burg computing environment.

e) Printed documents and files containing confidential information must be stored and protected. Disposal must be carried out in accordance with the relevant legislation and respecting the disposal procedure.

f) All data deemed essential to Idlewild Burg’s business must be protected through backup routines and subjected to periodic recovery tests.

g) Access to Idlewild Burg’s premises must be controlled in a way that ensures the integrity, confidentiality, and availability of the information stored or handled there, guaranteeing the traceability and effectiveness of authorized access.

h) Logical access to computer systems provided by Idlewild Burg must be controlled in a way that applies the principles of integrity, confidentiality, and availability of information, ensuring the traceability and effectiveness of authorized access.

i) All creations, source code, or procedures developed by any employee, intern, apprentice, or service provider during their time with the company are the property of Idlewild Burg.

j) The use of cameras, video or audio recorders, or other recording equipment, such as cameras on mobile devices, is not permitted on Idlewild Burg premises, unless authorized by senior management. It is strictly forbidden to photograph or film computer screens, whether in the office or working from home.

k) The installation of printers on Idlewild Burg computers is not permitted, except when authorized by senior management. Access to printers already installed in the office must also be authorized by senior management upon request from the manager.

l) Employees working from home must always perform their duties at the address provided to Idlewild Burg, using a private, password-protected internet connection. Performing duties at another address, which implies transporting the machine and connecting to another network, is strictly forbidden, except with authorization from senior management, after the new location and the need for it have been communicated and a risk analysis has been carried out. Idlewild Burg’s data and systems must never be accessed over public networks (airports, restaurants, etc.).

m) The computers provided by Idlewild Burg to employees, interns, and young apprentices for the performance of their duties are for exclusive use in activities related to Idlewild Burg and may not be used for personal activities. When authorized by senior management, computers may be used for online training, lectures, or webinars. Young apprentices are allowed to attend classes through the formal platform of the institute responsible for their hiring, however, internet research and file storage are strictly prohibited.

n) Connecting personal mobile devices (laptops, tablets, cell phones) to the Idlewild Burg main network is not permitted, whether via wired or wireless connections. Where such a connection is necessary, it may be released only with prior formal authorization from senior management. A separate WiFi network may be provided for visitors, both for customers and for employees’ own devices.

It should be noted that the situations described in this Policy are not exhaustive, and other situations related to the use of equipment in the workplace or questions regarding information security may arise.

Regarding situations not expressly covered in this Policy and/or other Policies and our Code of Ethics and Conduct, Idlewild Burg relies on the good judgment of its employees, and should any doubts remain, the IT and HR/People Management departments can always be contacted to clarify any questions via email at it@korntranslations.com and hr@korntranslations.com.

 

Acceptable Use of Artificial Intelligence (GenAI)

1. Restricted Data: It is strictly prohibited to enter Personally Identifiable Information (PII), financial information, contracts, or trade secrets into public or free Artificial Intelligence tools where the data could be used for model training.

2. Approved Tools: Idlewild Burg’s use of AI for data processing must occur exclusively through corporate tools approved by IT.

3. Responsibility: AI-generated content must be validated by a human. The responsibility for the accuracy and integrity of the information remains with the employee.

 

Information Security Risk Assessment

The management of Idlewild Burg’s ISMS (Information Security Management System) must conduct actions to identify and classify the company’s Information Security risks by mapping vulnerabilities, threats, impact, and probability of occurrence, as well as adopting controls that mitigate these risks together with those responsible for the assets to which the risks are associated.

 

Essential Skills for Information Security

Those directly responsible for managing the ISMS must possess the skills needed to perform their duties effectively at Idlewild Burg, thus ensuring the success of the ISMS. To ensure this competence, Idlewild Burg must:

a) Ensure that these people are competent on the basis of appropriate education, training, or experience;

b) Retain adequate documented information as evidence of competence.

 

Physical Environment

Access to the physical environment of Idlewild Burg is controlled and monitored. Visitors and suppliers must remain in the reception area and meeting room when necessary. Access to other areas is restricted, and if a supplier needs to be present in a restricted area, they must be accompanied by an Idlewild Burg employee at all times.

Employees and suppliers are not allowed entry outside of business hours, except when strictly necessary and with prior authorization from senior management. Third parties must always be accompanied by an Idlewild Burg employee.

All details regarding access control to Idlewild Burg facilities, protection against external threats, alarms, utilities (electricity, water, air conditioning, and others) are described in the General Infrastructure and IT Procedures.

 

Suppliers

Contracts with suppliers who may have access to confidential information and personal data must include security and confidentiality clauses. The most relevant and critical suppliers, with regard to information security, who work directly with Idlewild Burg receive training on the guidelines established in this policy.

 

Clean Desk and Clean Screen Policy

All employees, interns, and young apprentices working on behalf of Idlewild Burg must be aware of and practice the guidelines and directives contained in this policy, and these must be respected both in activities within the Idlewild Burg office and in home office activities, when relevant to this modality.

The objective of this Clean Desk and Clean Screen Policy is to ensure that data and information, both in digital and physical format, and assets, tangible or intangible, are not left unprotected in the workplace during their use or when someone leaves their workplace, whether for a short period, during breaks (lunch, meetings, etc.) or at the end of the workday.

Employees, interns, and young apprentices must:

  • Use Idlewild Burg’s assets, whether for internal or external use (home office or client site), with care to ensure their preservation and proper functioning.
  • Lock workstations when users step away or leave the workplace to prevent unauthorized access.
  • Avoid leaving printed documents unnecessarily on the desk. When not in use, these should be stored in locked cabinets or drawers, especially outside of business hours.
  • Keep keys to cabinets or rooms in protected locations or locations accessible only to authorized personnel.
  • Do not store folders containing sensitive, confidential, strategic documents or personal data in easily accessible locations.
  • Sensitive or business-critical information for Idlewild Burg must be kept in a secure location (locked cabinets or, if digital, in folders with restricted access).
  • Do not write down or leave confidential or sensitive information on bulletin boards or in visible locations.
  • Do not leave notes, messages, and reminders visible on the desk or stuck to walls, partitions, bulletin boards, or computer keyboards and monitors, including but not limited to: access or screen unlock passwords, phone numbers, email addresses of clients or contacts, confidential information, among others.
  • Destroy printed documents before discarding them. Whenever possible, use a shredder or, for large quantities, hire a company specializing in disposal and recycling; in the latter case, an Idlewild Burg employee must accompany the process to ensure the proper destruction of the information.
  • Do not print documents just for your own reading. Read them on the information asset screens, preferably. Pursue a paperless culture, as it reduces information security risks and benefits the environment.
  • If you need to print, immediately remove documents containing personal, sensitive, or confidential information from the printer.
  • If using a scanner or image copying equipment, remove the document to be copied immediately after use.
  • Position desks and furniture so that confidential and sensitive data is not visible from windows, hallways, passageways, or from people who have a view of assets containing data and information, such as screens and papers on desks.
  • After the end of the workday or during an extended absence, keep your workspace clean and organized, documents stored away, drawers and cabinets locked, and your computer or mobile device turned off, especially those connected to a network/internet. While using the equipment, properly close any applications or services that are not in use for your current tasks.
  • Discard information left in meeting rooms (erase whiteboards, shred paper, and clear any other resources used during the meeting).
  • Avoid eating at your workstation, whether in the office or at home, to prevent damage and poor preservation of equipment and documents. Idlewild Burg allows the use of tightly sealed bottles containing only water and no other liquids (such as tea, coffee, soda, juice, etc.) on the tables, but never on tables where there are documents. For these situations, we recommend placing them in the nearest drawer or on the shelf to prevent liquid spills.

 

Any unforeseen or omitted cases in this policy should be referred to the IT department.

 

Policy for Information Transfer
  • Idlewild Burg employees and external parties who handle or have access to Idlewild Burg assets must be informed of, aware of, and guided on the information security requirements for those assets, information, and related personal data.
  • The procedures established by Idlewild Burg regarding security, access control, use of software and antivirus, storage and termination of data and information processing must be followed by all involved, including employees and suppliers/third parties, as applicable.
  • The Data and Information Confidentiality Agreement, including data privacy, is signed between parties, including internal employees and suppliers/third parties.

 

Device Use Policy

The objective of this policy is to establish standards for the use of mobile devices to ensure information security and compliance with legislation.

A mobile device is defined as any electronic equipment with mobility capabilities, such as laptops, tablets, and cell phones, owned by Idlewild Burg or privately owned, in the case of cell phones used with the approval of senior management, for carrying out professional activities related to the company.

 

  • All Idlewild Burg mobile devices made available must be registered and configured with a unique, personal, and non-transferable identifier, meeting minimum security standards and assigned to a user responsible for their use.
  • The mobile devices provided must be used solely and exclusively by the users who have assumed responsibility for their use.
  • Personal cell phones authorized for use in Idlewild Burg activities must meet the security requirements specified by the IT department.
  • If a mobile phone operator’s SIM card is provided for use in professional contacts, the identification of the SIM card and the person responsible for its use must be kept under the control of the IT department.
  • The use of shared credentials is discouraged. Where individual (named) credentials are not possible, credentials must be shared only through the password vault.
  • In accordance with the Clean Desk and Clean Screen Policy, the device must be locked when not in use to protect information and prevent access by unauthorized persons.
  • Handle the device with care: laptops must not be transported on public transport; only private transport, such as a private car or a ride-sharing service like Uber, may be used. Where transport is needed, reimbursement of the cost can be requested from the finance department. When travelling in your own car, protect the laptop from impacts by carrying it in a backpack or bag.
  • To avoid overheating, use the notebook only on tables; do not use it on beds, cushions, or pillows.
  • Be mindful of weather conditions; avoid placing your laptop near windows or in damp places.

 

Data Sharing

Only computers provided by Idlewild Burg may be used by employees, interns, and young apprentices; company data must not be accessed from personal computers. All data must be stored in the appropriate folders on the network drive. The IT department must periodically review all existing shared resources and ensure that data classified as confidential or restricted has proper access control. If a virtual machine is required for business continuity reasons, it may be accessed from a personal computer, provided authorization is granted by Idlewild Burg’s senior management and the IT department’s guidelines are followed.

Everyone at Idlewild Burg should consider information as a company asset, one of the critical resources for conducting business.

 

Data Masking

Idlewild Burg applies the masking of personal and/or sensitive data as a complementary measure to protect information, in situations where data is shared or used outside its original context, or accessed by multiple profiles, provided that its application does not compromise the integrity and purpose of the processing.

The application of masking should consider the purpose of the information use, the level of access granted, applicable legal requirements, and access control principles, including the principle of least privilege.

In cases where access to information is restricted and controlled on the basis of defined access profiles, and the risk of exposure is considered low (such as documents for the exclusive use of specific areas), masking need not be applied.

Additionally, in processes that require the full use of data to ensure the proper execution of activities, such as in translation operations assisted by specialized tools, masking may not be applicable due to the need to preserve the context and accuracy of the information.

In these situations, appropriate compensatory controls should be adopted, including, but not limited to, access control, contractual confidentiality, and the use of qualified suppliers, ensuring the protection of information in accordance with legal, contractual, and business requirements.

 

Information privacy under company custody

It is defined as necessary to protect the privacy of information held by Idlewild Burg, that is, information belonging to its clients that is handled or stored in environments over which Idlewild Burg has full administrative, physical, logical, and legal control.

The guidelines below reflect Idlewild Burg’s institutional values and reaffirm its commitment to the continuous improvement of this process:

a) The information is collected ethically and legally, with the client’s knowledge, for specific and duly disclosed purposes;

b) The information is received by Idlewild Burg, processed and stored securely and with integrity, with restricted access and handled only by the people necessary to provide the service;

c) The information is accessed only by authorized and trained individuals for its proper use;

d) The information may be made available to companies contracted to provide services, and these organizations will be required to comply with our data security and privacy policies and guidelines, as well as sign a confidentiality agreement.

e) Information is only provided to third parties with the client’s prior written authorization or to comply with legal or regulatory requirements.

f) The information and data contained in our records, as well as other requests that may guarantee legal or contractual rights, are only provided to the interested parties themselves, upon formal request, following the current legal requirements.

 

Creating Access and Email Accounts for Non-Employees

Creating accounts and email accounts is not permitted for individuals who are not Idlewild Burg employees, with the exception of interns and apprentices.

If third parties require logical access credentials to systems or tools that rely on email for their proper functioning, the employee’s manager must justify the need and request approval from senior management. In these cases, the third party’s access should be restricted to correspondence related to the performance of their duties within the company, during business hours and in accordance with Idlewild Burg’s policies.

Idlewild Burg service providers must not be included in any Idlewild Burg distribution lists and/or public folders that may contain information intended for employees.

 

Access Management

All types of systems that require logical access must have formal control from the granting of access to its revocation.

 

a. PASSWORD MANAGEMENT

  • All access passwords must be changed every 3 (three) months.
  • New users must change their password upon first login.
  • The passwords for accessing the machine, email, and drive must be at least 12 (twelve) characters long. The remaining passwords should follow the definition of each application.
  • Mobile phone or tablet passwords must be 6 (six) characters long.
  • Passwords for accessing the computer, email, and drive should have a level of complexity that includes numbers, special characters, uppercase and lowercase letters. Other passwords should follow this guideline whenever possible; otherwise, follow the definition of each application.
  • The new passwords must not match the last 24 (twenty-four) passwords entered.
  • Passwords must not be saved in the application, much less written down on paper; they must be typed in at each login.
  • The use of Multi-Factor Authentication (MFA/2FA) is mandatory for accounts with administrative privileges and for access to confidential data. For other standard profile accounts, the use of MFA is highly recommended, with security ensured by password complexity and periodic changes.

 

Logical Access Reviews

The IT department will conduct periodic reviews of access logs, which may be done jointly with the users. Employees, interns, and young apprentices should always report any abnormalities or unauthorized access to their work area.

 

b. ACCESS RELEASE

  • Unique, personal, and exclusive identification should be used to ensure each user’s accountability for their actions.
  • Provide access considering the minimum necessary for the user to perform their functions.
  • New employees, interns, and young apprentices receive access according to the role they will perform. This information must be provided to IT in accordance with the HR Recruitment, Selection and Hiring Procedure.
  • Privileges must be authorized by the management of each area (Administrative Directorate or Commercial and Financial Directorate).
  • The use of generic (non-nominal) users is not permitted, except in systems that do not have this functionality.
  • The granting of access is formalized in the General Infrastructure and IT Procedures.
  • Privilege control is done by user groups or by the role they perform (profile) in order to facilitate privilege management.
  • Administrative or generic passwords, when released, should have specific controls in place. The IT department maintains an up-to-date list of people (Employees/Suppliers) who possess such passwords so that it is possible to perform other revocation and change control operations.
  • The granting of access to suppliers or consultants should be critically reviewed with those responsible for the application; every application should have a designated person responsible for it.

 

c. REVOCATION OF ACCESS

Access revocation may occur in situations such as employee termination according to the termination process, change of role, termination of a contract with a supplier, or request.

  • IT must keep access logs up-to-date so that, upon revocation, it is possible to immediately delete or deactivate user access.
  • Access for employees, interns, or young apprentices who have left the company is blocked following the HR Recruitment, Selection, and Hiring Process.

 

d. CHANGES IN FUNCTION AND CRITICAL ANALYSIS OF ACCESS RIGHTS

  • IT and managers must be formally notified of job changes, following the HR Recruitment, Selection and Hiring Process. The IT department will need to review access and permissions with the new manager.

 

e. SEGREGATION OF DUTIES

  • A segregation of duties criterion for granting permissions, based on “job titles/functions/operations,” should be considered, so that the user (employee, intern, apprentice, client, supplier) only has access to what is essential for performing their job.
  • Changes to privileges must be authorized by leadership.

 

f. REMOTE ACCESS TOOL

  • Access to workstations and servers via remote assistance applications should only be done using authorized tools and always with the knowledge of IT personnel. The tools used by Idlewild Burg and the procedure for accessing them are described in the General Infrastructure and IT Procedures.
  • Access logs should be analyzed periodically to prevent unauthorized access.

 

g. PASSWORD RESET

  • The password reset must be done by the account owner through the system itself. If the password is locked, communication must be made through secure and approved channels such as WhatsApp so that the IT department can unlock it. The IT department must then notify the owner via email that the password will be unlocked or reset at their request, in order to guarantee the integrity of the operation.
  • When a generic or administrative password is changed, this must be communicated to the person in charge and the people who use it.

 

Attack Prevention

a. CLOCK SYNCHRONIZATION

Applications, servers, physical access, and resources must have their clocks synchronized to enable thorough analysis of incidents or user operations and ensure non-repudiation.

 

b. INTERNET BROWSING

The Internet is considered an essential tool for information retrieval and work productivity; therefore, its use in workstations is permitted under monitoring. Such monitoring should be able to:

  • Detect the accesses that are being made;
  • Detect files downloaded and uploaded via the Internet;
  • Identify potential misconduct or information leaks.

 

The rules regarding internet use, as set out in the Idlewild Burg Code of Ethics and Conduct, must be followed.

 

c. NETWORKS AND NETWORK SEGREGATION

Given that most of our employees work remotely, the information and applications used by the organization are hosted on cloud servers (SaaS), protected by encryption in transit (HTTPS/TLS) and identity-based access controls. Device security is ensured by endpoint protection solutions (Antivirus/EDR) installed on all corporate equipment, both in the office and externally.

In the Idlewild Burg physical office, visitors are not permitted access to the main wireless or wired network. If a connection is required, visitors should be given access only to a separate visitor wireless network.

The network description is detailed in the General Infrastructure and IT Procedures.

 

d. STATIONS AND SERVERS

  • Workstations and servers should have inactive session control. The blocking should be done automatically after a period of inactivity determined by IT, according to the General Infrastructure and IT Procedures.
  • Access to workstations must be via credentials provided by the IT department, and following the established password standards.
  • Data transfer via the USB port should be blocked.
  • Confidential information must be stored encrypted, following the guidelines defined in the General Infrastructure and IT Procedures. Laptops should have their hard drives encrypted.
  • Sharing folders on Idlewild Burg employee computers is not allowed. Data should always be stored on the network drive, and data that needs to be shared among collaborators should be placed in appropriate folders, paying attention to the access permissions applicable to that data.

e. REMOVABLE MEDIA

 

The use of removable media (such as USB storage devices, external hard drives, etc.) is prohibited. If the use is strictly necessary for any activity, the employee must justify it to the responsible manager, who will evaluate the possibility, together with the IT department, of authorization following the premises and needs foreseen in this Policy.

 

f. EXCHANGE OF INFORMATION WITH CUSTOMERS AND SUPPLIERS

The exchange of information with clients or suppliers must be carried out through secure channels.

  • Always adopt the practice of encryption in communication channels (email with PGP keys, cryptographic keys, encrypted VoIP, SFTP, file managers).
  • Confidential information should not be transferred through unencrypted channels.

 

Antivirus Usage Policy

  • All Idlewild Burg devices must have the enterprise antivirus solution installed.
  • Any and all devices with antivirus software installed will be scanned to check if they are infected or not.
  • Every day, the antivirus software will scan all company computers looking for malware. This scan will cover the entire device.
  • The IT department will be responsible for maintaining the tool and has the autonomy to take proactive measures, if deemed necessary, to combat or prevent the spread of malware.

 

Policy for the Use of Cryptographic Controls

Procedures to ensure the confidentiality, integrity, and availability of information through the activation of information security features and the configuration of secure communication channels must be established and maintained by the IT department. These procedures should contain rules regarding the effective and appropriate use of cryptographic controls in protecting information.

In order to guarantee the integrity and recovery of information, the implementation of cryptographic controls that are not approved by the IT department, or that use outdated technology, is prohibited.

 

Backup Management

To guarantee the integrity of systems and data, the IT department is responsible for the systems that perform backups, as defined in this Policy and in the General Infrastructure and IT Procedures, which ensure that:

  • Applications and logical information should have data backups performed periodically.
  • Backups should be stored in locations separate from the production environment.
  • Backups, when transmitted or stored on physical media, must be encrypted.
  • Backups should be tested regularly, at intervals of no more than 6 months, or immediately if there are any changes to the environment. The tests must be documented for auditing purposes.

 

Intellectual Property

All designs, creations, products, and innovations conceived and developed internally, or procedures developed by any employee during the course of their employment, are the property of Idlewild Burg.

 

Use of electronic mail (e-mail)

The email address provided by Idlewild Burg is a tool for internal and external communication of professional content related to the activities performed by employees. The messages must not compromise the image of Idlewild Burg, nor can they be contrary to current legislation or ethical principles.

The use of email is personal and the user is responsible for all messages sent from their email address.

Employees are informed that all emails exchanged on Idlewild Burg computers used by them can be tracked and verified.

It is strictly prohibited to send messages that:

  • Contain defamatory statements or offensive language;
  • May cause harm to other people;
  • Are hostile or useless;
  • Relate to “streams” of pornographic content or equivalent;
  • Could damage the image of Idlewild Burg;
  • Could damage the image of other companies;
  • Are inconsistent with Idlewild Burg’s policies.

 

The rules set out in the Idlewild Burg Code of Ethics and Conduct must also be followed.

Suspicious emails received (such as suspected phishing, a suspected virus in an attachment, among others) should be reported directly to a member of the IT team (do not forward the message by email, to avoid spreading the virus) so that remote access can be performed and the suspicious message analyzed.

If an email is sent in error to a recipient, compromising the information security of Idlewild Burg and/or its stakeholders, immediate notification should be sent to privacy@korntranslations.com so that the necessary actions can be taken.

Access to personal email accounts is not permitted via Idlewild Burg computers.

 

The email service should observe:

  • Emails should be transmitted through an encrypted channel.
  • The email tool should have an enabled and controlled anti-spam feature, both from the email service and the antivirus software, as well as content control.

 

Instant Messenger

Only the use of Google Chat via Idlewild Burg login is permitted for internal communication.

Communication with customers and suppliers via WhatsApp Business should preferably be done through the application installed on a computer. The use of WhatsApp Business, both web version and app, is monitored by the IT department to track incoming and outgoing files and may be blocked according to the security guidelines in effect at Idlewild Burg.

The use of these applications on Idlewild Burg’s computer should be exclusively for internal Idlewild Burg contacts or for external contacts (clients and suppliers) when dealing with company-related matters.

Other applications are prohibited and, if necessary, it is mandatory to contact CGSI for validation.

 

Illegal software and copyright

Idlewild Burg respects software copyrights and does not allow the use of unlicensed software. The use of illegal (unlicensed) software is strictly prohibited, and users are not permitted to install it. It is necessary to contact the IT department for any type of installation (even for software that only needs to be copied and run).

Periodically, the IT department will inspect server data and/or user computers to ensure the correct application of this policy. If any unauthorized software is found, it must be removed from the computers. Those who install such unauthorized software on their work computers are liable to Idlewild Burg for any problems or damages caused as a result of such action.

The IT department maintains evidence of software license ownership and records of proper use of the number of licenses, ensuring intellectual property rights. This item is applied in accordance with the Asset Inventory section of this Information Security Operational Policy and its respective procedures.

Idlewild Burg also does not copy all or part of books, articles, reports, or other documents, except as permitted by copyright law and with proper citation of the relevant references.

Disciplinary actions may occur for violations of this item and will be applied by the CGSI as per the “Sanctions of this Information Security Operational Policy” section.

 

Asset Inventory

Resources must be monitored for their capacity and to meet the company’s growth or information needs. Critical points to monitor include, for example, storage space, space for database growth, number of computers, and software licenses.

  • All software and hardware at Idlewild Burg must be inventoried and controlled by the IT department.
  • No software may be installed without the consent of the IT department.
  • It is not permitted to contract and use any software for organizational use, whether in the cloud or on the desktop, without the consent of the IT department.
  • It is not permitted to purchase or install any equipment or resources without the consent of the IT department.
  • The IT department should have processes in place for detecting installed software.
  • Assets held by employees and suppliers must be controlled. In the event of termination or contract expiration, the asset must be returned according to the procedure established by the IT department.
  • Software licenses and usage should be managed by the IT department.
  • The inventory must be updated by the IT department with each acquisition or disposal.
  • Installing software or contracting cloud services (SaaS) without prior IT approval is prohibited. The use of unauthorized tools (‘Shadow IT’) to store company data constitutes a violation of this policy.

 

Disposal, destruction and reuse of equipment and media

All media used in the operation of the ISMS processes must be stored, reused, and destroyed in a secure and protected manner, such as through incineration, shredding, or data sanitization. Media disposal can be handled through a specialized company. It must be ensured that all sensitive data and licensed software have been removed or securely backed up.

  • Formatting storage devices for reuse should be done using a secure formatting process through data sanitization by an IT professional.
  • Defective or no longer used devices should be destroyed, preventing any data recovery.
  • Confidential or internal documents must be stored in secure locations and cannot be discarded without first being shredded by a shredder. Each person in charge is responsible for adopting this practice with all documents under their responsibility.

 

Roles and Responsibilities

It is the duty of everyone – employees, interns, young apprentices, and service providers of Idlewild Burg – to comply with the following obligations:

 

Employees, interns, apprentices, and service providers

It is defined as necessary to classify all information owned by or in the custody of Idlewild Burg, in proportion to its value to the company, to enable its proper control.

a) To continuously safeguard the protection of Idlewild Burg’s information or that of its clients against unauthorized access, modification, destruction, or disclosure;

b) To ensure that the resources (computational or otherwise) placed at their disposal are used only for the statutory purposes of Idlewild Burg;

c) Ensure that the systems and information under their responsibility are adequately protected;

d) To ensure the continuity of processing information critical to Idlewild Burg’s business;

e) Comply with the laws and regulations governing intellectual property aspects;

f) Comply with the laws that regulate the activities of Idlewild Burg and its market of operation;

g) To coherently select information security mechanisms, balancing risk, technology, and cost factors;

h) Immediately report any breach of the Information Security and Privacy Policy and/or Information Security procedures to the DPO, CGSI, or Quality department;

i) Maintain complete confidentiality regarding information obtained as a result of the employment relationship, and any form of transmission and use of this information in relation to third parties or for personal use is prohibited.

j) All requests for access to IT resources must be formally documented and justified as to their actual necessity.

k) Users are responsible for the conservation, integrity, use, and information contained in the mobile devices they use.

 

Information Security Management Committee (CGSI)

The CGSI is a multidisciplinary group composed of representatives from various areas of Idlewild Burg, appointed by Senior Management. Its objective is to define and implement strategies to maintain the Information Security Management System (ISMS).

CGSI meetings are held quarterly for planning and reviewing actions. Extraordinary meetings are called for urgent decisions.

 

Directors and Managers

It is the responsibility of each manager and director to master all the business rules necessary for the creation, maintenance, and updating of security measures related to the information asset under their responsibility (team or business unit), whether owned by Idlewild Burg or a client.

Managers and directors may delegate their authority over the information asset, but they retain ultimate responsibility for its protection.

 

This role involves:

a) Participate in the investigation of security and privacy incidents related to information under their responsibility and, upon identifying potential problems and/or threats, verify possible causes and initiate corrective action procedures when necessary;

b) To comply with and enforce information security and privacy policies, standards, and procedures;

c) Ensure that their teams have access to and understand the information security and privacy policies, standards, and procedures;

d) Proactively suggest information security and privacy procedures related to their respective areas to the Information Security Management Committee (CGSI);

e) To monitor the corrective action until its completion and critically analyze the corrective actions performed, to verify their effectiveness and identify any necessary adjustments.

f) Manage organizational change to ensure the availability, integrity, and confidentiality of information;

g) Immediately report to the CGSI any instances of violation of information security and privacy policies, standards, or procedures, and any necessary corrective actions that require the involvement of the CGSI.

 

Senior Management

Idlewild Burg’s Senior Management is committed to the information security and privacy management system and must:

a) To establish the responsibilities and duties of the Information Security Management Committee;

b) To ensure that information security policy and objectives are established in a manner consistent with Idlewild Burg’s strategic direction;

c) To promote the integration of information security management system requirements into Idlewild Burg’s processes;

d) To ensure that the necessary resources for the information security management system are available;

e) To communicate the importance of effective information security management and compliance with the requirements of the information security and privacy management system;

f) To ensure that the information security management system achieves its intended results;

g) To coordinate and encourage people to contribute to the effectiveness of the information security and privacy management system;

h) To promote the continuous improvement of this ISMS; and

i) Support other relevant management functions when they demonstrate their leadership and how it applies to their areas of responsibility.

j) Critically analyze, together with the Information Security Management Committee (CGSI), the records and results of the audits carried out at Idlewild Burg, including the status of its corrective actions, listed below.

The analysis should be carried out immediately after the respective audits are completed, and proper records should be kept of these analyses, as well as of any corrective and improvement actions defined in the analyses.

  • Information System Audit according to the Information Systems Audit Controls process.
  • Internal audit of QMS and ISMS: As already described in this Policy, in the Internal Audit section and in the operationalization of the Internal Audit process, presented on the Process Portal.
  • Audit for certification or maintenance of QMS and ISMS certification by an Accredited Certification Body (OCB).

 

k) Request the Quality department to schedule audits according to the following schedule:

  • Information System Audit: Annual.
  • Internal audit: annual.
  • Certification or certification maintenance audit: as per the audit plan agreed with the OCB.

 

Human Resources Area

Additionally, the Human Resources Department is responsible for:

a) Ensure that employees, interns, and young apprentices provide written proof that they are aware of the regulatory structure of the ISMS (Information Security Management System) and the documents that comprise it;

b) For new employees, interns, and young apprentices, information security training should be provided at the start of their activities, with their manager responsible for supervision during this period.

c) Have plans to update Idlewild Burg’s internal regulations;

d) Create mechanisms to inform the most appropriate technical support channel, in advance of the events, of changes in Idlewild Burg’s workforce.

 

Quality Assurance

The Quality department is responsible for:

a) To consolidate and coordinate the implementation, execution, monitoring, and improvement of the ISMS;

b) To convene, coordinate, and provide support for CGSI meetings;

c) Provide, when requested by CGSI, the information security management information that is being handled jointly with the QMS processes;

d) Coordinate the ISMS (Information Security Management System) review meetings and monitor the resulting action plans;

e) To facilitate awareness, dissemination, and training regarding information security policies, standards, and procedures;

f) To carry out periodic compliance audits and inspections, as well as to evaluate their effectiveness, monitor the implementation of the respective action plans, and promote continuous improvement;

g) Develop, together with the Human Resources department, a training program for employees and contractors to raise awareness of everyone’s responsibilities regarding information security;

h) Inform all employees and contractors about the importance of Information Security and the need to follow the Policy, Standards and Procedures related to the Information Security Management System (ISMS);

i) Establish, together with Senior Management, standards and procedures regarding the mandatory disclosure of security events and incidents by all employees, as well as the respective penalties for non-compliance with this objective.

 

Continuous Improvement

  • Training focused on information security should occur frequently in order to raise awareness of its importance among employees and improve existing controls.
  • Consideration should be given to contracting with or benchmarking against other companies to improve information security and privacy processes.

 

Internal Audit

All information assets under the responsibility of Idlewild Burg are subject to audit on dates and times determined by CGSI. However, if practices are observed that do not respect the guidelines of this Policy, records of the problems found may be made and corrective actions will be required.

The performance of an audit must be approved by Senior Management and, during its execution, the rights to privacy of personal information must be safeguarded, provided that this information is not stored in a physical or logical environment owned by Idlewild Burg or its clients in a way that mixes with or prevents access to information owned by or under the responsibility of Idlewild Burg.

With the goal of detecting anomalous information processing activities and violations of information security policies, standards, or procedures, the IT department may perform proactive monitoring and control, while maintaining the confidentiality of the process and the information obtained.

In both cases, the information obtained may serve as evidence or indication in administrative and/or legal proceedings.

Internal audits are planned with a focus on analyzing the compliance of all processes related to the ISMS (Information Security Management System) and on the results of previous audits.

Internal audits must be conducted annually by qualified and trained internal or external auditors with knowledge of ISO 27001 and the LGPD (Brazilian General Data Protection Law). There must be independence, ensuring that auditors do not audit the processes in which they are involved.

External audits must be conducted to maintain the validity of the certifications granted.

 

Corrective Action

When nonconformities are identified in the execution of processes or during internal or external audits, they must be recorded for analysis and resolution.

Every recorded nonconformity must have its cause identified. Actions must be taken to eliminate these causes and the effectiveness of the actions verified, according to the Quality Nonconformity process.

 

Contact with Authorities

Contacts with authorities are consolidated in the Idlewild Burg Communications Plan.

Managing contacts with authorities is the responsibility of Human Resources, which must consolidate, communicate, and publish the list of contacts, updated periodically, in a well-known and accessible repository of Idlewild Burg.

 

Critical Analysis of the ISMS

Idlewild Burg must conduct a critical analysis of the ISMS at least once a year. This analysis should involve the direct participation of Senior Management and should consider:

a) The status of actions from previous critical analyses of the ISMS;

b) Changes in external and internal issues that are relevant to the information security management system;

c) Feedback on information security performance, including trends in:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) results of internal or external audits of the ISMS; and

4) fulfilment of information security objectives;

d) Comments from stakeholders;

e) The results of the risk assessment and the status of the risk treatment plan;

f) Opportunities for continuous improvement;

g) Impacts of changes that have occurred or may occur (organizational changes, changes in personal data processing procedures, changes resulting from government decisions, among others).

The outputs of the critical analyses should include decisions related to opportunities for continuous improvement and any need for changes in the information security management system.

Idlewild Burg must maintain documented information as evidence of the results of critical analyses by Senior Management.

 

Critical Analysis of Technical Conformity

Idlewild Burg performs technical compliance verification and critical analysis considering:

a) Conducting an Information System Audit following the checklist defined in the Information Systems Audit Controls process, to be performed by a qualified IT professional, internal or external to Idlewild Burg, such as an experienced systems professional, considering:

    • This should be done by a professional independent of the IT area and different from the professional who has already performed the Information Systems Audit Controls process internally;
    • Execution frequency: at least annually;
    • The checklist must be fully completed in all its verification requirements, and the professional, based on their experience, should include other verification items as appropriate.
    • Ensure that the records defined in the checklist, and others defined by the professional, are properly documented and kept in appropriate locations.

b) If applicable and technically feasible, due to potential risks identified and raised regarding the assets of the information security system, as per the Information Security Management System (ISMS) Risks process, perform penetration testing or vulnerability assessments, considering:

    • This should be done when the risk analysis, due to its criticality, truly requires the execution of penetration tests (pentests, intrusion tests) or vulnerability assessments.
    • Done by companies or professionals with proven qualifications and clearly defined procedures for their execution.
    • For a pentest to take place, authorization from Senior Management will be required, specifying the scope of the test. Performing penetration testing without proper authorization, as stipulated by law, and outside of the previously defined scope is prohibited.
    • Records of penetration tests or vulnerability assessments that are performed must be properly documented, delivered by the professional performing the tests, and kept in appropriate locations. If vulnerabilities are found, recommendations for addressing them must be included in the final report.

 

Complaints

Any breach of this Policy, or any suspicions or evidence thereof, should be reported to Idlewild Burg via email at privacy@korntranslations.com or by mail to:

A/C DPO

Classification: CONFIDENTIAL

Address: Rua Dr. Neto de Araújo, 320 – Vila Mariana – São Paulo – SP, 04111-001
The Classic Tower – Suite 1207

 

Violations and Sanctions

Violations

The following situations are considered violations of information security policy, standards, or procedures, although this is not an exhaustive list:

a) Any actions or situations that may expose Idlewild Burg or its clients to financial and reputational damage, directly or indirectly, potential or actual, compromising their information assets;

b) Misuse of corporate data, unauthorized disclosure of information, trade secrets or other information without the express permission of Senior Management;

c) Use of data, information, equipment, software, systems or other technological resources for illicit purposes, which may include the violation of laws, internal and external regulations, ethics or requirements of regulatory bodies in the area of operation of Idlewild Burg or its clients;

d) Failure to comply with any of the items established in this security policy;

e) Failure to immediately report to management or the Data Protection Officer (DPO) any breaches of information security policies, standards, or procedures that an employee, intern, apprentice, or service provider may become aware of or witness.

 

Sanctions

Violation of information security policies, standards, or procedures, or failure to adhere to Idlewild Burg’s Information Security Policy, is considered a serious offense and may result in sanctions as outlined in Idlewild Burg’s Code of Ethics and Conduct: formal warning, suspension, termination of employment, other disciplinary action, and/or civil or criminal proceedings. Sanctions defined by the CGSI may also apply, always respecting current legislation.

The penalties stipulated in the Consolidation of Labor Laws (CLT) will also be observed and applied.

 

Publication date on the website: 05/15/2026
