03_Definition Related to Information Security Policy
Responsible Area: Corporate Computing - Security
Version: 1.2
Issuance date: 08/20/2009
Revision date: 12/01/2015
Effective date: 12/01/2016
Purpose
Describe all definitions required in relation to the Ultra Information Security Policy.
General Definitions

- Information Security Policy
  - Confidentiality: the property which establishes that information is not made
    available or disclosed to unauthorized individuals, entities or processes. [NBR
    ISO/IEC 27001:2005]
  - Availability: the property of being accessible and usable on demand by an
    authorized entity. [NBR ISO/IEC 27001:2005]
  - Security Incident: a single or a series of unwanted or unexpected Information
    Security events that have a significant probability of compromising business
    operations and threatening information security. [NBR ISO/IEC 27001:2005]
  - Integrity: the property of safeguarding the accuracy and completeness of assets.
    [NBR ISO/IEC 27001:2005]
  - NBR ISO/IEC: Brazilian Standard for the International Organization for
    Standardization / International Electrotechnical Commission [ABNT - Brazilian
    Association of Technical Standards]
  - Computing Resources: all Information Technology assets, services and systems
    provided by Ultra.
  - Information Security: preservation of confidentiality, integrity and availability of
    information; in addition, other properties such as authenticity, accountability,
    non-repudiation and reliability may also be involved. [NBR ISO/IEC 13335-1:2004]
  - User: any collaborator, whether employee, intern or contractor, who uses any
    service or information available on the Data Network.
- Standard for Use of Computing Assets
  - Computing Assets: workstations, servers, software, files, E-mail, Authentication
    Devices, and any electronic equipment or systems related to information
    technology.
  - Mobile Storage Devices: include, among others, pen drives, removable disks, CDs,
    DVDs and print media.
  - Authentication Devices: any device whose purpose is to validate the identity of its
    bearer (e.g. token, badge, smartcard, etc.).
  - Workstation: any equipment used by Users to access information.
  - Shareware: publicly available program for evaluation and trial use, whose use in a
    production system requires that the User pay a license fee to the author or rights
    holder. Shareware differs from Free Software (Freeware) in that shareware is
    commercial, although with terms and prices different from those of a commercial
    product not intended for evaluation and trial use.
  - Open Source Software: name given to software whose source code is publicly
    available and, usually, free of charge.
  - Free Software: publicly available program, with free access and use under
    conditions established by the authors and no licensing cost.

Av. Brigadeiro Luis Antônio, 1343 – CEP 01317-910 – São Paulo – SP
www.ultra.com.br
- Standard for Data Network Use
  - Dial-up Access: a form of communication through a conventional telephone line.
  - Authentication: the verification process, required for access to IT resources, which
    confirms that an entity or object is who or what it claims to be.
  - User Account: Data Network access credential which identifies the User who
    uses it. Its use is personal, non-transferable and the responsibility of the User.
  - Generic Account: Data Network access credential which does not identify the
    User who uses it.
  - Access Credential: a set of information (User Account and password) used in the
    authentication process.
  - Authentication Device: portable equipment used in the authentication process to
    strengthen Information Security.
  - Logoff: procedure for closing a session on a computer system or Data Network
    resource.
  - Data Network: computers and other devices connected to share information or IT
    Resources.
  - Wireless: wireless communication technology which uses electromagnetic waves
    (radio, infrared or laser).
  - VPN (Virtual Private Network): a secure form of point-to-point communication
    over the Internet.
- Standard for Internet Use
  - Internet: wide-area Data Network which provides transfer of information among
    users.
- Standard for Use of Electronic Mail
  - Antispam: tool used to filter undesirable junk mail (spam).
  - Quarantined files: suspicious files that might pose a threat to the Information
    Technology environment. Quarantined files are automatically removed at the end of
    the retention period defined in the document attached to this Standard, called Content
    Control Settings.
  - Address Book: the electronic address book in the E-mail application.
  - Disclaimer: a notice or waiver found in E-mails and Web pages that informs the
    reader of the rights attached to a particular document and of the liabilities the
    author does or, usually, does not undertake.
  - E-mail: short form of Electronic Mail. [DicWeb On-line Computing Dictionary]
  - E-mail Message Filing Solution: message classification system based on
    retention rules, originally established by date and size, which aims to optimize the
    filing and retrieval of e-mail messages.
  - Spam: unsolicited, often unwanted message sent to a large number of people.
- Standard for Systems Use
  - Authentication Layer: technology that enables access to one or more systems by
    means of an Authentication Process.
- Standard for Physical Access to the Data Center
  - Data Center: an environment designed to house IT Assets. The main objective
    of a Data Center is to ensure the Availability of the hosted systems.

Definitions of Related Systems

- Standard for Use of Computing Assets
  - Systems for management of IT Assets:
    - System Center
    - GERI – Computing Asset Management System
    - Control Desk
- Standard for Data Network Use
  - SAA – Authentication and Authorization System
  - Control Desk
  - SCA – Access Control System
  - I-550 – Access Request Form
- Standard for Internet Use
  - Security System: Symantec Protection Suite
  - Content Control System: Webwasher
  - Instant Communication System: Microsoft Office Communicator
- Standard for Use of E-mail
  - Security System: Symantec Mail Security
  - E-mail Application: Microsoft Outlook
  - E-mail Message Filing Solution: Symantec Enterprise Vault
  - File Transfer Solutions: Microsoft SharePoint / Microsoft File Server
- Standard for Systems Use
  - SCA – Access Control System
  - Control Desk
  - SAA – Authentication and Authorization System
  - I-550 – Access Request Form
- Standard for Physical Access to the Data Center
  - SCA – Access Control System
  - Control Desk
Definitions of Access Control Systems

Request and/or Alteration of Access to Network and Systems

Requests for and alterations of access to the network and systems are handled in accordance with
the procedures in force, namely:

- For the Ultragaz business and the Corporation, use of the SCA – Access Control System is
  required;
- For the Oxiteno and Ultracargo businesses, use of the SDR – Service Desk Request is
  required;
- For the Ipiranga business, Form I-550 (Grant of Access to Computerized System) must be
  sent to the IT area.

Unlocking of Access to Network and Systems

Unlocking of access to the network and systems is handled according to the current processes,
namely:

- For the Ultragaz business and the Corporation, use of the SCA – Access Control System is
  required;
- For the Oxiteno and Ultracargo businesses, use of the SDR – Service Desk Request is
  required;
- For the Ipiranga business, a call must be opened at the Help Desk On-line.

Inactivation of Access to Network and Systems

Inactivation of access to the network and systems is handled in accordance with the procedures in
force, namely:

- For the Ultragaz business and the Corporation, use of the SCA – Access Control System is
  required;
- For the Oxiteno and Ultracargo businesses, use of the SDR – Service Desk Request is
  required;
- For the Ipiranga business, an e-mail must be sent to the "Remove Access" distribution
  list.
Definitions for Use and Creation of Passwords

- The User password must have at least 6 (six) characters, including three of the four
  possible character types: uppercase letters, lowercase letters, numbers or special characters.
- Users who do not use their access credentials for a period of 90 days or more will have their
  accounts locked.
- Users must change their password on first access.
- Users must change their password every 90 days or whenever there is any indication of
  possible password compromise.
- Reuse of the 4 (four) last registered passwords is not allowed.
- After 5 (five) invalid attempts, User access is locked. To unlock it, the User must
  contact the IT area.
- User accounts are disabled by the IT area after receiving the statement from the User's
  Manager, and are retained for a period of 5 years. After this period, the User account is
  permanently deleted.
- Suggestions for developing a strong password:
  1. Define any sentence:
     Copa do Mundo no Brasil em 2014 (World Cup in Brazil in 2014);
  2. Use the first, second or last letter of each word in the sentence:
     CdMnB014
  3. Alternate or replace letters with special characters:
     CMB&2@!4

  More examples of strong passwords:

  Sentence                          Strong Password Suggested
  Copa do Mundo no Brasil em 2014   CdMnB&2@
                                    oou@B&14
                                    ao@L2014

- Examples of weak passwords, which should not be used:
  - Name and surname, especially those contained in the User's login;
  - Document numbers, employee registration numbers, banking or credit card
    passwords, phone card numbers, car plates or dates that may be related to the User or
    family;
  - Words found in dictionaries;
  - Words suggested by objects or places that can be seen from the User's desk;
  - Inverted words.

Recommendations regarding the use of passwords

- Make sure you are not being observed as you enter your password;
- Do not use automatic password-saving ("remember password") features, even when available;
- Do not use Ultra network access passwords for personal purposes.
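As an added example (not part of Ultra's policy or of any Ultra tooling), the following Python checks a candidate password against the rules stated in this section: minimum length, three of the four character types, no name or login fragment, no dictionary or inverted dictionary word, no reuse of the last four passwords, and lockout after five invalid attempts. The thresholds are taken from the page; the sample account, the small word list, and the salted PBKDF2 hashing used to store password history are constructed assumptions for illustration.

```python
"""Checker for the password rules stated on this page (added example, not Ultra's
own tooling). Thresholds come from the page; the dictionary, sample user and
hashing of stored history are constructed assumptions."""
import hashlib
import os
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 6           # page: at least 6 characters
MIN_CLASSES = 3          # page: three of the four character types
HISTORY_SIZE = 4         # page: the last four passwords may not be reused
MAX_FAILED_ATTEMPTS = 5  # page: lock after five invalid attempts

# Constructed stand-in for "words found in dictionaries".
DICTIONARY = {"password", "senha", "brasil", "mundo", "copa", "ultra"}


def character_classes(password: str) -> set:
    """Return which of the four types (upper, lower, digit, special) appear."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def _fold(text: str) -> str:
    """Lowercase and strip accents so 'João' is found inside 'joao2014!'."""
    nfkd = unicodedata.normalize("NFKD", text)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash: history is compared as hashes, never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    login: str
    first_name: str
    last_name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # hashed, newest last
    failed_attempts: int = 0
    locked: bool = False

    def current_hash(self):
        return self.history[-1] if self.history else None


def policy_violations(account: Account, password: str) -> list:
    """Return the page's rules that `password` breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("fewer than %d of the 4 character classes" % MIN_CLASSES)
    folded = _fold(password)
    # "Name and surname, especially those contained in the User's login"
    for name in (account.login, account.first_name, account.last_name):
        if len(name) >= 3 and _fold(name) in folded:
            problems.append("contains user name %r" % name)
    # "Words found in dictionaries" and "Inverted words"
    letters = "".join(c for c in folded if c.isalpha())
    if letters in DICTIONARY:
        problems.append("dictionary word")
    elif letters[::-1] in DICTIONARY:
        problems.append("inverted dictionary word")
    # "Reuse of the 4 (four) last registered passwords is not allowed"
    if _hash(password, account.salt) in account.history[-HISTORY_SIZE:]:
        problems.append("reuses one of the last %d passwords" % HISTORY_SIZE)
    return problems


def set_password(account: Account, password: str) -> bool:
    """Apply the policy; on success record the hash and reset the failure count."""
    if policy_violations(account, password):
        return False
    account.history.append(_hash(password, account.salt))
    account.failed_attempts = 0
    return True


def attempt_login(account: Account, password: str) -> bool:
    """Verify a login; five consecutive failures lock the account (page rule)."""
    if account.locked or account.current_hash() is None:
        return False
    if _hash(password, account.salt) == account.current_hash():
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True     # unlocking requires contacting the IT area
    return False


if __name__ == "__main__":
    acct = Account(login="jsilva", first_name="João", last_name="Silva")  # constructed
    for pw in ["CdMnB&2@", "CMB&2@!4", "Silva2014!", "lisarB1!", "abc123"]:
        print(pw, policy_violations(acct, pw) or "accepted")
```

The three strong-password suggestions from this section pass every check, while a surname, an inverted dictionary word and a two-class string are each rejected with the rule they break. The 90-day rotation and inactivity rules are time-based and are not modelled here; the constants at the top are the page's values and are the first thing to raise if the policy is tightened.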
General Provisions

- Upon disabling a User Account, the Manager can access the mailbox information through one
  of 3 options:
  - The Manager is granted access to the disabled User's mailbox for a period of 30
    days;
  - All new messages sent to the disabled User are redirected to the Manager for
    a period of 30 days;
  - The Manager is granted access to the disabled User's mailbox and all new
    messages sent to the disabled User are redirected to him/her for a period of 30
    days.
- All disabled Users' mailboxes are permanently deleted 90 days after the User's
  Manager's statement, or after 120 days if the Manager requests access to the mailbox
  information.
- If the request for access to the disabled User's mailbox was not made at the time of
  account deactivation, it may be made at any time within the maximum limit of 90 days.
Archiving Solution Settings

The filing solution implemented for Ultra, called Santo Arquivo, is a service responsible for the
daily, automatic and secure filing of e-mail messages, in order to provide greater
storage capacity for users' mailboxes.

With this technology, local filing of e-mail messages (PST files) is no longer needed.

E-mail messages are stored according to how long ago they were sent or received, as
follows:

- Up to two months: nothing changes in the message filing process;
- From two months to two years: messages are available in Santo Arquivo and visible to
  the User;
- From two to five years: messages are available in Santo Arquivo and NOT visible to the
  User; to access them, use the message search menu;
- Over five years: messages are transferred to tape, and to access them a call must be opened
  at the Service Desk. The maximum storage time is 10 years;
- All messages above five (05) MB, regardless of date, are automatically transferred to
  Santo Arquivo.
Examples of Ultra's domains

- ultra.com.br
- ultragaz.com.br
- oxiteno.com.br
- transultra.com.br
- ultracargo.com.br
- tequimar.com.br
- gultra.com.br
- utingas.com.br
- brasilgas.com.br
- grupoultra.com.br
- spgas.com.br
- oxiteno.com
- oxiteno.com.ar
- oxiteno.eu
- emca.com.br
- uniaoterminais.com.br
- uniaovopak.com.br
- glpbrasil.com.br
- ipiranga.com.br
- redeipiranga.com.br
Authentication Device Settings

- Physical access to the Data Center (São Paulo) is controlled through the following
  technologies:
  - Main Data Center – biometric authentication system;
  - Contingency Data Center – magnetic badge.

Related Documents

- Information Security Policy;
- Standard for Use of Computing Assets;
- Standard for Data Network Use;
- Standard for Internet Use;
- Standard for Use of Electronic Mail;
- Standard for Systems Use;
- Standard for Physical Access to the Data Center.
Addresses for Access

- SCA – Sistema de Controle de Acesso (Access Control System):
  http://smslbs2k3011:7575/sca/
- Control Desk: http://servicedesk.ultra.corp/
- Santo Arquivo: http://intranet.ultra.corp/intranet_corp/eventos/SantoArquivo/