Rybená Integration Documentation

Information Security Policy
Related Documents:

  • Privacy Policy and LGPD
  • Terms of Use
  • Legal Documents Index

Introduction and Purpose

Rybená Assistive Technologies Ltda. establishes fundamental guidelines in its Information Security Policy, specifically directed to the Rybená Solution. This policy is applicable to all levels of the team, including Development, Design, Infrastructure, and Technical Support, as well as all third parties and service providers.

The main purpose is to disseminate information security practices and establish criteria for adopting good practices in all aspects related to the Rybená solution security, ensuring data protection and system integrity.

Objectives

Rybená establishes guidelines for the protection, preservation, and disposal of information in its technological environment, strategically guiding issues related to information security. We aim to protect Rybená's information assets, defining appropriate behavior standards for business needs and legal protection of the organization and its employees.

Information Security Principles

  • Confidentiality: Ensure that information will not be disclosed to individuals, entities, or applications without prior authorization from data subjects
  • Integrity: Ensure that the content of information is not altered, remaining intact and authentic
  • Availability: Allow confidential information to be used only when necessary by users and recipients

Technical Security Controls

Encryption and Data Protection

  • In-transit encryption: TLS 1.3 for all communications between clients and servers
  • At-rest encryption: AES-256 for all stored data
  • Key management: HSM (Hardware Security Module) system for cryptographic key protection
  • Hashing: SHA-256 algorithms for passwords and sensitive data

Access Control and Authentication

  • Multi-factor Authentication (MFA): Mandatory for all employees with access to critical systems
  • Identity Management: Centralized system with role-based access control (RBAC)
  • Minimum Privilege: Access granted only to what is strictly necessary for task execution
  • Periodic Review: Quarterly assessment of access permissions

Network and Infrastructure Security

  • Web Application Firewall (WAF): Protection against common attacks (SQL Injection, XSS, CSRF)
  • Intrusion Detection System (IDS/IPS): Real-time monitoring of suspicious activities
  • Network Segmentation: Isolation of development, testing, and production environments
  • DDoS Protection: Automatic mitigation of denial of service attacks
  • VPN: Secure remote access through virtual private network

Application Security

  • Secure Software Development Lifecycle (SSDLC): Integration of security in all development phases
  • Static Code Analysis: Automated tools for vulnerability identification
  • Input Validation: Rigorous sanitization of all input data
  • Penetration Testing: Periodic assessments by security experts
  • Security by Design: Security considerations from project conception

Operational Procedures

Vulnerability Management

  • Vulnerability Scanner: Weekly scanning of all systems
  • Patch Management: 72-hour critical update window for high-severity vulnerabilities
  • CVE Monitoring: Continuous monitoring of newly disclosed vulnerabilities
  • Risk Scoring: Prioritization based on CVSS (Common Vulnerability Scoring System)
  • Patch Testing: Validation in isolated environment before production

Monitoring and Logging

  • Log Retention: Minimum 365 days for security logs
  • Real-time Alerts: Automatic notifications for critical events
  • Behavioral Analysis: Anomaly detection in access patterns
  • Log Centralization: SIEM (Security Information and Event Management) for centralized analysis
  • Event Correlation: Identification of complex attack patterns

Change Control

  • Rollback Procedures: Detailed plans for change reversal
  • Testing in Isolated Environment: Complete validation before production
  • Formal Approval: Change approval requirement for critical changes
  • Documentation: Detailed recording of all changes
  • Maintenance Windows: Defined periods for change implementation

Backup and Data Recovery

General Backup Strategy

  • Encryption Used: AES-256 for data at rest
  • Frequency: Daily backups, retained for 30 days
  • Storage: All backups are stored in the cloud, mitigating the risks of defective media, loss, and information theft
  • Geographic Redundancy: Backups replicated in multiple locations
  • Integrity Testing: Regular verification of stored backups

Backup Testing

  • Periodic Verifications: Quarterly reviews of backup logs to identify errors, abnormal durations, and improvement opportunities
  • Corrective Actions: Implementation of actions to reduce risks associated with failed backups
  • Records: Maintain backup and restoration test records to demonstrate compliance with this policy
  • Disaster Simulations: Annual full recovery tests

Restoration Procedure

As our application is a translation plugin and the user does not depend on previously stored data, backup restoration is used only when data belonging to Rybená itself needs to be recovered.

  • RTO (Recovery Time Objective): 60 minutes
  • RPO (Recovery Point Objective): 15 minutes
  • Designated Team: Professionals trained for restoration procedures
  • Documentation: Detailed and regularly updated procedures

Risk Management and Incidents

Risk Identification and Measurement

Snyk - GitHub Code Assessment

  • Objective: Identify and correct vulnerabilities in open-source libraries and dependencies
  • Scope: GitHub repositories related to Plugin development
  • Frequency: Continuous, with automatic scans on each commit and pull request
  • Responsible: Security team in conjunction with the Development team

Cloudflare Security Center (CSC) - Cloudflare Resource Assessment

  • Objective: Continuously monitor Cloudflare resources to detect and correct vulnerabilities and incorrect configurations
  • Scope: All resources and services deployed on Cloudflare that support the Plugin's production environment
  • Frequency: Continuous monitoring with monthly reviews
  • Responsible: Information Security Team

Disaster Recovery Plan

Definitions

  • RTO (Recovery Time Objective): 60 minutes
  • RPO (Recovery Point Objective): 15 minutes
  • MTPD (Maximum Tolerable Period of Disruption): 48 hours

Management Structure

  • Security Team: Executes the disaster recovery plan and coordinates recovery efforts, internal and external communication, and system and data restoration
  • Head of Engineering: Leads the recovery team, makes critical decisions, and coordinates all recovery activities
  • Support Team: Provides technical support during the recovery process, including system restoration, backup verification, and technical problem resolution

Security Incident Notification

Legal Aspects

For information about notification procedures to the ANPD and data subjects, consult our Privacy Policy and LGPD.

Incident Definition

A security incident is considered any adverse event, confirmed or suspected, related to the breach of system or data security, that may entail risk to operations or to the rights and freedoms of data subjects.

Incident Classification

  • Critical: Severe impact on operations, exposure of sensitive data, or service loss
  • High: Significant but limited impact, partial system compromise
  • Medium: Controllable impact, without exposure of critical data
  • Low: Minimal impact, easily resolved without affecting operations

Response Procedures

  1. Detection and Identification: Continuous monitoring and alert analysis
  2. Containment: Isolation of the affected system to prevent propagation
  3. Eradication: Complete removal of the incident's root cause
  4. Recovery: System restoration and normality validation
  5. Lessons Learned: Post-incident analysis for continuous improvement

Audit and Compliance

Internal Audits

  • Quarterly Audits: Complete assessment of security controls
  • Control Testing: Validation of the effectiveness of implemented measures
  • Executive Reports: Presentation of results to senior management
  • Action Plan: Documented corrections with defined deadlines
  • Follow-up: Implementation monitoring of recommendations

Regulatory Compliance

  • LGPD: Complete compliance program with the General Data Protection Law
  • ISO 27001: Alignment with international security best practices
  • Brazilian Internet Civil Law: Compliance with Brazilian internet legislation
  • ABNT Standards: Compliance with Brazilian technical standards

Third-party Assessments

  • External Audits: Hiring of independent specialists for periodic assessment
  • Penetration Testing: Attack simulations by specialized companies
  • Control Validation: Independent verification of the effectiveness of measures
  • Compliance Reports: Issuance of technical compliance attestations

Information Classification and Protection

Classification Levels

  • Public: Free use and content can be publicly disclosed
  • Internal: Circulates only within Rybená
  • Secret: Accessible only by a restricted group of people

Data Classification Guidelines

  • Protect information according to its importance and consequences if compromised
  • Meet regulatory and legal requirements
  • Comply with contractual obligations
  • Classification independent of format, location, and storage media

Information Lifecycle

  1. Connection creation and translation request
  2. Request acceptance and authentication
  3. Translation by the NMT (Neural Machine Translation) engine
  4. Sending of the vectorization frame as the response
  5. Automatic disposal of the data if the doNotTrack tag is enabled
  6. Persistence of the data in the log if the tag is not enabled
  7. Knowledge generation for the NMT engine from the recorded data

Data Retention

  • Secret Information: During the contractual relationship or for the time necessary to fulfill the processing purpose or legal requirements
  • Internal Information: Same conditions as Secret Information
  • Public Information: Same conditions as Secret Information

The classification may change during the lifecycle, following the reclassification lifecycle. Personal information must be processed transparently and with respect for the contracting party, with access restricted regardless of the confidentiality classification.

Responsibilities and Consequences for Violations

Individual Responsibility

All employees are responsible for complying with the guidelines and requirements established in this security policy. Each organization member must be aware of their obligations regarding the protection of information assets and cybersecurity risk mitigation.

Disciplinary Consequences

Violations of the security policy may result in appropriate disciplinary measures, which may range from additional training to formal disciplinary actions, including warnings, suspensions, and, in severe cases, dismissals. The nature and severity of the violation will be considered when determining the appropriate disciplinary measures.

Legal Consequences

Contractual Aspects

For information about contractual responsibilities related to security, consult our Terms of Use.

In addition to internal disciplinary consequences, violations of the security policy may have legal implications. If an employee's actions result in financial damages, data theft, privacy violation, or any other form of legal infringement, appropriate legal measures, including criminal or civil proceedings, may be taken to protect the interests of Rybená and affected parties.

Training and Awareness

Training Program

  • Initial Training: All employees receive security policy training upon joining the company
  • Regular Updates: Quarterly sessions on new threats and best practices
  • Specific Training: Customized programs for development and infrastructure teams
  • Simulations: Periodic security incident response exercises

Continuous Awareness

  • Internal Communication: Monthly security information bulletins
  • Thematic Campaigns: Focus on specific security areas throughout the year
  • Security Alerts: Immediate communication about new threats or vulnerabilities
  • Recognition: Rewarding good security practices

Policy Review and Update

Review Periodicity

This information security policy will be reviewed and updated periodically, at minimum:

  • Annually: For general compliance assessment
  • When necessary: In case of technological, regulatory, or operational changes that impact security
  • After incidents: Review after significant security incidents

Communication of Updates

Any significant change in this policy will be communicated to employees through:

  • Specific training on the changes
  • Publication on corporate intranet
  • Sending communications to all teams
  • Updating of operational procedures

Effectiveness of Changes

Updates will take effect:

  • Immediately: For changes related to critical vulnerability correction
  • After 15 days: For other changes, provided they have been properly communicated and the corresponding training delivered

Final Provisions

Technical Foundation

This information security policy was prepared in compliance with:

  • ISO/IEC 27001:2013 - Information security management
  • NIST Cybersecurity Framework
  • OWASP Top 10 - Security Risks for Web Applications
  • CIS Controls - Critical Security Controls for Effective Cyber Defense

Application and Accountability

The application of this policy will be consistent throughout the organization, regardless of the position or role occupied by employees. All violations will be treated in a fair and impartial manner, taking into account the severity of the violation and the individual circumstances involved.

Management Commitment

The management of Rybená Assistive Technologies Ltda. commits to:

  • Allocate adequate resources for implementing this policy
  • Support continuous security improvement initiatives
  • Require compliance with all established requirements
  • Promote a security culture throughout the organization