Security Policy

INFORMATION SECURITY POLICY

SUMMARY Objective

1. Concepts and Definitions

2. Scope of Policy

3. General Guidelines

4. Classification of Information

5. Powers and Responsibilities

6. Information Handling

7. Penalties

8. Final Considerations

9. Additional Norms - NA

Annex I - Additional Norms - NA

NA01 - Access Control Policy

NA02 - Internet Access Policy

NA03 - Informatics equipment use policy

NA04 - Corporate e-mail use policy

OBJECTIVE

The objective is to establish guidelines that allow Serra e Company's employees and collaborators to follow behavioral patterns related to information security appropriate to the needs of the business and the institution's legal protection, preserving information regarding

- Integrity: guarantee that the information is maintained in its original state, aiming to protect it, in the custody or transmission, against undue alterations, intentional or accidental.

- Confidentiality: guarantee that access to information is obtained only by authorized persons.

- Availability: assurance that authorized users will obtain access to the information and corresponding assets whenever necessary.

This way, we seek to develop an ethical and professional behavior, so that everyone can make the best use of IT tools and the information they generate. At the same time, we seek to reduce threats by adopting preventive measures to avoid possible incidents that could bring losses to the institution.

1. Concepts and Definitions

For the purposes of this Policy, the following is defined as

- Unauthorized Access - Improper or unanticipated access obtained, by any means, procedure, and for any reason, in disregard of the policy or access control in place, or arising from failures or imperfections in access control mechanisms. Contrasts with authorized access.

- Logical Access - Access to computer networks, systems and workstations through authentication;

- Remote Access - access, via a network, to data from a computer physically distant from the user's machine;

- Threat - a set of external factors or potential cause of an unwanted incident, which may result in damage to a system or organization;

- Risk analysis/assessment - the complete process of risk analysis and assessment;

- Asset - any asset, tangible or intangible, that has value to the organization;

- Information Asset - the storage, transmission and processing media, the information systems, as well as the locations where these media are located and the people who have access to them;

- Audit - verification and evaluation of internal systems and procedures with the objective of reducing fraud, errors, inefficient or ineffective practices;

- Authentication - is the act of confirming that something or someone is authentic, that is, a guarantee that any claim of or about an object is true;

- Authenticity - the property that information was produced, issued, modified, or destroyed by a particular individual, or by a particular system, agency, or entity;

- Database - is a data storage system, that is, a set of records that aims to organize and store information;

- Access blocking - process whose purpose is to temporarily suspend access;

- Information classification - attribution, by the competent company, of the degree of secrecy given to the information, document, material, area or installation;

- Collaborator - servants, employees, those hired for a fixed term, interns and service providers that perform activities within the scope of the Secretariat of Administration.

- Confidentiality - ownership that information is not available or revealed to an unauthorized individual, system, company or entity;

- Contingency - description of measures to be taken by a company, including the activation of manual processes, in order to get its vital processes back to full operation, or in a minimally acceptable state, as soon as possible, thus avoiding a prolonged stoppage that could cause greater damage to the corporation;

- Access Control - a set of procedures, resources and means used with the purpose of granting or blocking access;

- Backup - Copying data in a separate medium from the original, in order to protect it from any eventuality. Essential for important data;

- Electronic Mail - is a method that allows you to compose, send and receive messages via electronic communication systems;

- Credentials or access accounts - permissions, granted by a competent authority after the accreditation process, that enable a specific person, system or organization to access. The credential can be physical such as badge, card, and seal, or logical such as user identification and password;

- Cryptography - is the study of the principles and techniques by which information can be transformed from its original form into an unreadable one, so that it can be known only to its recipient (holder of the "secret key");

- Data - representation of an information, instruction, or concept, so that it can be stored and processed by a computer;

- Availability - the property that information is accessible and usable on demand by an individual or a particular system, body or entity;

- Download - (Download) copying files from a server (site) on the Internet to a personal computer;

- Business Continuity Management - Overall management process that identifies potential threats to an organization and the impacts on the institution's operations that those threats, if realized, could cause, and providing and maintaining an acceptable level of service in the face of disruptions and challenges to normal day-to-day operation;

- Risk Management - set of processes that allows identifying and implementing the necessary protection measures to minimize or eliminate the risks to which its information assets are subject to, and balance them with the operational and financial costs involved;

- Information and Communications Security Management - a set of processes that allows you to identify and implement the necessary protection measures to minimize or eliminate the risks to which your information assets are subject to, and balance them with the operational and financial costs involved;

- Information Manager - the person responsible for the administration of information generated in their work process and/or information systems related to their activities;

- Information and Communications Security Manager - is responsible for the information and communications security actions within the company.

- Hardware - is the physical part of the computer, a set of electronic components, integrated circuits and peripherals, such as the machine itself, boards, printer, keyboard and others;

- Security Incident - is any adverse event, confirmed or under suspicion, related to the security of computer systems or computer networks;

- Information - data, processed or not, that can be used for the production and transmission of knowledge, contained in any medium, support or format;

- Confidential information - information temporarily subject to restricted access due to its indispensability for the company's security, and those covered by the other legal hypotheses of secrecy;

- Integrity - the property that information has not been modified or destroyed in an unauthorized or accidental manner;

- Internet - World Wide Web;

- Intranet - a private computer network that uses the same protocols as the Internet. It can be understood as the internal network of an institution where access to its contents is generally restricted;

- Log - is the term used to describe the process of recording relevant events in a computer system. This log can be used to reestablish the original state of a system or for an administrator to know its behavior step by step. A log file can be used for auditing and diagnosing problems in computer systems;

- Logon - A procedure for user identification and authentication in Information Technology Resources. It is personal and non-transferable;

- Norm - Internal document that formally and administratively regulates, in a general or specific way, aspects or guidelines expressed in the ISP, in all or part of the institution. The norms map the PSI in the technical-administrative organization of the institution, establishing rules for its implementation.

- Peer-to-peer (P2P) - (Point to Point) allows connecting the computer of one user to another, to share or transfer data, such as MP3, games, videos, images, among others;

- Access Profile - a set of attributes of each user, previously defined as necessary for access credentials;

- Information Security Policy (ISP) - document approved by the body's responsible authority, with the objective of providing guidelines, criteria and sufficient administrative support for the implementation of information security in the institution;

- Protocol - a convention or standard that controls and enables a connection, communication, or data transfer between two computer systems. Standard method that allows communication between processes, set of rules and procedures for sending and receiving data on a network;

- Proxy - is an intermediary service between workstations in a network and the Internet. The proxy network server serves to share the connection to the Internet, improve access performance, block access to certain pages;

- Computational Resources - resources that process, store and/or transmit information, such as applications, information systems, workstations, notebooks, network servers, connectivity equipment and infrastructure;

- Corporate Network - the set of all local networks under the management of the company or institution;

- Public Network - network accessible to everyone;

- Responsibility - Obligations and duties arising from current legislation, office, position, function, or by force of contract, in the protection of information assets of any nature.

- Password or Access Credential - Credential that grants, in a foreseen manner, the right of access, physical or logical, to a given information asset of any nature, or place that houses it. A weak password or credential is any that does not comply with the minimum quality criteria and requirements in effect.

- Network Server - IT resource with the purpose of making available or managing services or computer systems;

- Software - all the existing programs in a computer, such as the operating system, applications, among others;

- Site - a set of dynamic or static virtual pages, whose main objective is to publicize the institution;

- Streaming - data transfer (usually audio and video) in continuous flow through the Internet;

- Term of Responsibility - a term signed by the user agreeing to contribute to the availability, integrity, confidentiality, and authenticity of the information to which he or she has access, as well as to take responsibility arising from such access;

- Treatment of Computer Network Security Incidents - service which consists of receiving, filtering, classifying and responding to requests and alerts and carrying out security incident analysis, seeking to extract information that will prevent the continuation of malicious action and also to identify trends;

- User - employees and collaborators, clients that have obtained authorization from the person responsible for the interested area to access the Information Assets of a company, formalized by means of the signature of the Term of Responsibility;

- VLAN (Virtual Local Area Network or Virtual LAN) - (Virtual Local Area Network) is a logical grouping of network stations, services and devices that are not restricted to a physical segment of a local network;

- VPN (Virtual Private Network) is a private data network that makes use of the public telecommunications infrastructure, preserving privacy, so it is the extension of a private network that includes connections to shared or public networks. With a VPN you can send data between two computers across a shared or public network in a way that emulates a private point-to-point connection;

- Vulnerability - a set of internal factors or potential cause of an unwanted incident, which can result in risk to a system or organization, and which can be prevented by internal information security action;

- Wireless (wireless network) - network that allows the connection between computers and other devices through the transmission and reception of radio signals.

2. Scope of the Policy

2.1 The guidelines established herein must be followed by all employees and collaborators who perform activities within the company that have been given the right to access information data in any medium or support.

2.2 This policy makes the employee and collaborator aware that the company's environments, systems, computers, and networks are monitored and recorded as provided in Brazilian laws.

2.3 It is also the obligation of each employee and collaborator to keep up to date in relation to this ISP and the related procedures and standards, seeking guidance from their manager or the information technology area whenever they are not absolutely sure about the acquisition, use and/or disposal of information.

3. General Guidelines

3.1 All protection mechanisms used for information security must be maintained in order to preserve business continuity;

3.2. all information generated by the employees, using Sierra and Company resources in full or in part, must be kept confidential;

3.3. threats and risks must be periodically reassessed to ensure that the organization is effectively protected

3.4. The access to information, produced or received by the IT area, must be limited to the attributions necessary for the performance of the respective activities of internal and external users;

3.5. The processes of acquisition or contracting of goods and information technology services, in any capacity, should reflect the PSI and its accessory documents;

3.6. The IT and communication equipment, systems and information should be used for the performance of professional activities.

3.7. this Information Security policy can be periodically reviewed and eventually revised whenever relevant events or facts occur;

3.8. Employees and collaborators must avoid circulating information and/or media considered confidential and/or restricted, as well as not leaving reports in printers, and media in places of easy access, always bearing in mind the concept of "clean desk", i.e., when finishing work, do not leave any confidential and/or restricted reports and/or media on their desks.

4. Information classification

4.1 It is the responsibility of the Manager/Supervisor of each area to establish criteria regarding the confidentiality level of the information (reports and/or media) generated by his/her area, according to the table below:

- Public - It is all information that can be accessed by users of the organization, customers, suppliers, service providers and the general public.

- Internal - All information that can only be accessed by the organization's employees. This information has a degree of confidentiality that can compromise the organization's image.

- Confidential - All information that can be accessed by the organization's users and partners. Unauthorized disclosure of this information can cause impact (financial, image or operational) to the organization's business or to the partner's business.

- Restricted - It is all information that can be accessed only by users of the organization explicitly indicated by their directors or by area to which they belong. Unauthorized disclosure of this information may cause serious damage to the business and/or compromise the organization's business strategy.

5. Competencies and Responsibilities

5.1. Purpose of IT Management:

I. Ensure that the implementation of information security controls has a high level of security and allows control throughout the organization;

II. Support the Information Security Policy and maintain commitment to its continuity and results.

5.2 T I Management Actions:

I. Promote information and communications security culture;

II. Follow up on investigations and damage assessments resulting from security breaches;

III. Propose the necessary resources for information and communication security actions;

IV. Conduct and monitor studies of new technologies, regarding possible impacts on information security and communications;

V. Propose Additional Norms and Procedures of Information and Communications Security;

VI. Planning and coordinating the execution of programs, plans, projects and information security actions;

VII. Ascertain critical security incidents and forward the ascertained facts for application of the foreseen penalties;

VIII. Supervising, analyzing and evaluating the effectiveness of information security processes, procedures, systems and devices;

IX. Identify physical, administrative and technological controls for risk mitigation;

X. Receive, organize, store and properly handle information on security events and incidents, determining the respective managers the corrective or contingency actions in each case;

5.3. it is the Employees and Collaborators' responsibility to:

I. Comply with all guidelines and standards established by this policy;

II. Always be updated and aware of the current policies, rules and procedures of Serra e Company;

III. Do not disclose, share, transmit or let yourself be known to people who do not have sufficient authorization level;

IV. Do not conduct, transport, send, transmit, share or let data and information reach an environment or recipient outside the company's premises without the formal authorization of the Directors.

5.4 The Human Resources Department is responsible for

I. Inform the Information Technology sector of all dismissals, withdrawals, returns, and changes in the company's staff.

5.5 The Board of Directors is responsible for

I. Provide legal advice, supervise and coordinate legal activities, including those related to the preparation of normative acts.

5.6. The Sierra and Company

I. Must provide support of a legal nature, in the analysis of non-compliance by employees and collaborators with the rules established for the use of the institution's network.

6. Handling of Information

Specific guidelines and procedures for the treatment of corporate information must be established in a complementary norm, considering the following general guidelines:

I. Documents essential to the activities of the institution's users must be saved on network drives. Such files, if saved only locally on the computers, will not have a backup guarantee and may be lost in case of computer failure, being, therefore, the user's own responsibility.

II. Personal files and/or not relevant to Serra e Company's institutional activities (photos, music, videos, etc.) must not be copied or moved to the network drives, because they can overload the storage on the servers. If identified, the files may be definitively deleted without prior communication to the user.

III. Computer Network Incident Handling is the service that consists of receiving, filtering, classifying and responding to requests and alerts, and performing security incident analysis, seeking to extract information that will prevent the continuity of malicious action and also to identify trends".

IV. The occurrence of security incidents in SERRA E COMPANY's computer networks must be communicated to the DPO - Data Protection Officer, according to procedures to be defined in order to allow integrated solutions, as well as the generation of statistics.

V. When handling incidents on computer networks, the Information Security Technical Team, responsible for handling and responding to the incident, must consider, at least, the following guidelines:

a. All incidents notified or detected shall be registered, with the purpose of ensuring historical record of the activities developed.

b. The treatment of information must be carried out in such a way as to enable and ensure the availability, integrity, confidentiality, and authenticity of the information, observing the legislation in force with regards to establishing degrees of secrecy.

c. During the management of security incidents in computer networks, if there are indications of criminal offenses, the Information Security Manager or members of the Information Security Technical Team have the duty, without prejudice to their other duties, to call the competent police authorities for the adoption of legal procedures deemed necessary, observe the procedures for preserving evidence, requiring consultation of the guidelines on chain of custody, and prioritize the continuity of SERRA E COMPANY's services.

7. Penalties

By managing and monitoring its information assets, SERRA E COMPANY intends to ensure their integrity, together with its information and resources. The non-compliance or non-observance of any rules or guidelines defined in this instrument and in its complementary rules constitutes a serious fault, to which SERRA E COMPANY will respond by applying all administrative, civil and judicial measures.

Any attempt to change security parameters, by any user, without proper accreditation and authorization for such, will be considered inappropriate and the related risks will be informed to the user and to the respective manager.

The use of any resource in non-compliance with the rules in force or to practice illegal activities may lead to administrative actions and penalties resulting from administrative, civil and criminal proceedings, in which the institution will actively cooperate with the competent authorities.

The identification devices and passwords protect the collaborator's identity, avoiding and preventing that one person pretends to be another before SERRA E COMPANY and/or third parties.

Therefore, the user linked to such identification devices will be responsible for their correct use before the institution and the legislation (civil and criminal), and the use of another person's identification devices and/or passwords violates the security rules and may result in the application of applicable administrative, civil and judicial measures.

8. Not Applicable Cases

8.1. Cases of omission and doubts will be submitted to the Information Technology Management.

9. Additional Norms - NA

9.1 The details of the Information Security Policy are segmented into the following Additional Norms:

9.1.1. NA 01 - Access Control Policy;

NA 02 - Internet Access Policy;

NA 03 - IT Equipment Use Policy;

NA 04 - Corporate e-mail use policy.

ANNEX I

ADDITIONAL RULES

NA 01 - Access Control Policy

1. Objective

To establish criteria for the provision and administration of access to Serra and Company's information technology services, as well as to establish criteria regarding passwords for the respective accounts.

2. General Guidelines

2.1 The access account is the instrument for identification of the user in the employees' and collaborators' network and is characterized for being of individual and untransferable use and its divulgation is forbidden under any hypothesis;

2.2 All registering of an access account to Serra e Company's network must be done through an e-mail request from the immediate superior to the Information Technology Management.

2.3 Any use, through identification and access password, is responsibility of the user to whom the information is linked;

2.4 All passwords, for common users, for authentication in the Serra e Company network must follow the following minimum criteria

I. Every password must have, at least, 8 characters, being obligatory the use of alphanumeric characters (letters and numbers);

II. The password cannot contain part of the user's name, for example: if the user is called Jose da Silva, his password cannot contain parts of his name like "1221jose" or "1212silv";

III. The expiration date of the password must be a maximum of 90 days, if it is not changed, it will be blocked;

IV. It will be mandatory to change the password upon first access;

V. V. It will not be allowed to repeat the last 5 passwords already used;

2.5. The password database must be stored with cryptography;

2.6 The access to Serra e Company's information technology services must be available to employees who officially perform activities linked to Serra e Company's operations;

2.7. The process of access approval must be initiated by the user's superior and the privileges granted will remain in effect until the user changes his activities or leaves the company. If one of these two events occurs, the manager must notify the IT Department immediately.

2.8. Any abnormality noticed by the user regarding the privilege of his access to information technology resources must be immediately reported to the Information Technology Management;

2.9 Accounts with network administration privileges must be used only for activities related to environment administration according to the assigned responsibilities. The variables required for access and administration must be known only to network equipment administrators.

2.10. In case of proven compromise of the IT environment security by some unforeseen event, all access passwords must be changed.

3. Remote Access

3.1. Remote access to corporate services must only be made available to employees who officially perform activities linked to Serra e Company, as long as it is requested by the management responsible for the information.

3.2 The liberation of remote access will only be effective after evaluation and approval by the Information Technology Management, in order to avoid threats to the integrity and secrecy of the information contained in the network;

3.3 Remote connections to the Serra e Company network must be made in the following manner

I. Use of authentication;

II. The passwords and the information that travels between the remote station and Serra e Company's network must be encrypted;

III. It is forbidden the use of remote access for purposes unrelated to the institution's activities.

3.4. The remote access service must be cancelled under the following conditions:

I. End of the requested period or termination of the Contract;

II. Loss of the need to use the service;

III. Transfer of the user to other units;

IV. Identification of vulnerability, risk or misuse.

4. Database Access;

4.1. The access to the Serra e Company database will be given by means of a personal and untransferable password, which cannot be disclosed;

4.2 The user is forbidden to access the Serra e Company database for corporate data research with the purpose of

I. Share without the immediate superior's authorization, in whole or in part, the information contained in the corporate database;

4.3 It is the responsibility of the user who has access to Sierra and Company's databases:

I. Keep secret his/her password to access the Serra e Company's databases;

II. II. Close the database access application every time he/she is absent, avoiding undue access;

4.4 About the access to Serra and Company's database:

I. The requesting agency must sign a term of responsibility for the information made available.

II. The responsibility of keeping the data obtained through integrations between systems must be the responsibility of the requesting agency.

5. Physical Access Control

5.1. Physical access controls aim to restrict access to information technology equipment;

5.2 Access to the datacenter can only be made by authorized personnel;

5.3 Visitors or third parties may only access the Datacenter when accompanied by an employee of the information technology area of SC;

NA 02 - Internet Access Policy

1. Objective

To establish criteria for the administration and use of access to Internet services at Serra and Company.

2. General Guidelines

2.1. The access to the Internet must be restricted to the professional sphere with content related to the activities performed by the company;

2.2 Each user is responsible for the actions and accesses made through its Access Account;

2.3 The equipment, technology and services provided for Internet access belong to the institution, which can analyze and, if necessary, block any file, site, e-mail, domain or application stored on the network/internet, whether they are on local disk, on the station or in private areas of the network, aiming to ensure compliance with this Information Security Policy;

2.4 Any change in the access level will only be made upon formal request, by the user's immediate superior, containing the proper justification, which will be evaluated by the Information Technology Management - GTI, and this request may be denied in case of risk or vulnerability to the security and integrity of the Serra e Company network;

2.5 It is forbidden to access pages with content considered offensive, illegal or inappropriate, such as

a. Pornography, pedophilia, prejudice, vandalism, among others;

b. Access or obtain files on the Internet that present a security vulnerability or that may compromise, in any way, the security and integrity of the Serra e Company network;

c. Recreational use of the Internet during working hours;

d. Use of anonymous proxy; e. Access to radio and TV in real time, except the corporate channels in working hours;

e. Access to games;

f. Access to other content notably outside the context of the work developed;

g. Sending to an external destination any software licensed to SC or any data owned by SC or its users, unless expressly authorized by the party responsible for its custody;

h. Bypassing or attempting to bypass the blocking policies automatically applied by the SC systemic tools;

i. Use of peer-to-peer (P2P) content sharing software;

2.6 If the company deems it necessary, there shall be access blocks to unauthorized files and sites that compromise the use of network bandwidth, the performance and productivity of the employee's activities, as well as, that expose the network to security risks;

2.7 It is prohibited to use the SC resources to download or distribute non-legal software or data;

2.8 The websites accessed by users shall be audited to verify their compliance with the policy in effect;

2.9 If irregular use is proven, the user involved may have his/her access to the Internet blocked, and the immediate superior will be informed, and may be subject to disciplinary administrative proceedings and the legally established sanctions, ensuring the adversary and full defense.

NA 03 - Informatics Equipment Use Policy

1. Objective

To establish criteria for the use of IT equipment in the company.

2. General Guidelines

2.1. Computer resources should only be used for activities of interest to the company;

2.2 Each workstation has IP (Internet Protocol) control, which allows it to be identified on the network. Thus, everything that is executed on the workstation is the user's responsibility. Therefore, whenever you leave the work environment, make sure you have logged out or locked the workstation;

2.3 It is not allowed to save MP3s, movies, pictures, copyrighted software or any other type of software that could be considered piracy on the workstations or the SC Network;

2.4 All data relating to company activities shall be kept on the network server, where there is a daily, reliable backup system;

2.5. The files stored in temporary directories (public folders) can be accessed by all users who use the local network, therefore does not guarantee its integrity and can be changed or deleted without notice and by any user;

2.6 Backup copies of files created on the local computer of employees and collaborators will not be made. The user himself must back up the local files and check what can be eliminated, avoiding the accumulation of unnecessary data;

2.7 It is forbidden to open computers for any kind of repair. If necessary, the repair must be done by the Information Technology Management;

2.8. Regarding the use of private IT equipment (cell phones, notebooks, tablets and/or any mobile device that may access the wireless or structured network), the employee must notify his or her immediate superior, who will request access release through the Information Technology Management;

2.9 In case of events in the company's environment, such as seminars and courses, etc., it must be requested to the Information Technology Management - GTI;

2.10. In case of damage, destruction or loss of equipment, the employee must immediately notify the Information Technology Management, which will adopt the appropriate measures;

2.11. In case of theft or robbery, provide an occurrence report to the Civil Police and deliver it to the Information Technology Management, which will adopt the appropriate measures;

2.12. It is mandatory to link the components (cabinet, monitor, keyboard and mouse), according to asset numbers, preventing its use for another user who does not sign the Term of Responsibility;

2.13. It is forbidden to put stickers with magnets on the equipment;

2.14. It is the employee's duty to care for the integrity of the equipment strictly as a work instrument, together with the accessories that were used;

2.15. It is the employees' and collaborators' entire responsibility, when receiving the Term of Responsibility, to verify the information contained in it, such as the Fixed Assets number, series, in addition to their personal data, registration, and work unit;

2.16. It is not allowed to change the network settings and BIOS of the machines, as well as make any changes that might cause any future problems;

2.17. The removal or transport of any SC IT equipment is not allowed without prior authorization from the Information Technology Management;

2.18. The use, without due consent, of IT equipment by persons not connected to the company is prohibited;

2.19. It is forbidden to remove and/or damage asset identification plates, locks and security seals of the IT equipment;

2.20. It is not allowed to connect and / or configure equipment to the network, without the prior permission of the Information Technology Management;

2.21. The antivirus must be updated and with self-protection active on the workstation;

2.22. The user must run anti-virus on removable devices before opening them when inserted into the workstation.

3. File Backup and Restore Policy

3.1 All backups must be automated by automated scheduling systems, preferably at times when there is little or no user or process access to the computer systems and files.

3.2 Incremental File Backups (Incremental daily) shall be performed Monday through Thursday, starting at 8:00 PM, with a one month retention period;

3.3 Full File Backups (weekly full backups) will be performed every Friday of the week, starting at 8:00 PM, with one month of retention;

3.4. Full Backups of Virtual Machines (full weekly) are done on the first Friday of every week, performed from 8:00 PM onwards, with one week of retention;

3.5. File restoration will only be possible on data that was backed up the day before;

3.6. file restoration will have a maximum term of 30 days, not being possible to recover files older than this period;

3.7 The employees responsible for managing the backup systems must conduct frequent surveys to identify patch updates, new product versions, life cycle (when the software will no longer have a manufacturer's warranty), suggestions for improvements, among others;

3.8. The HD backup media must be stored in a dry, climate-controlled, safe place as far away from the datacenter as possible;

3.9 Media with errors should first be formatted and tested. If the error persists, they must be unusable.

4. Printer usage policy

4.1 All printing must be carried out in the respective departments;

4.2 It is not allowed to print documents that are not within the work activities;

4.3 It is not allowed to leave wrong printouts on the printer's desk;

4.4. Employees may use "secure password" for the safety and security of their documents;

4.5. Documents should preferably be printed front and back, to save paper.

NA 04 - Corporate E-mail Use Policy

1. Objective

To establish criteria for making Serra and Company's corporate email service available to users.

2. General Guidelines

2.1. The purpose of the mail service is to send and receive electronic messages and documents related to the institutional functions of the Administration Secretary;

2.2 Users of the corporate e-mail service are employees and collaborators that perform activities related to the CS's institutional activities;

2.3 The granting of e-mail accounts depends on the request of the immediate superior;

2.4 The creation of distribution lists, restricted to their respective areas of activity, may be requested;

2.5 Access to the content of messages processed through the corporate electronic mail service is forbidden, except in cases provided by law;

2.6 Access to the electronic mail service will be by means of a personal, nontransferable password, which may not be disclosed;

2.7 The user is forbidden to use the corporate electronic mail service for the following purposes

I. Commit crimes and offenses of any kind;

II. II. Perform harmful actions against other SC computing resources or external networks;

III. Distribute obscene, pornographic, offensive, prejudiced, discriminatory material, or in any way contrary to the law and good manners

IV. Disseminate advertisements, entertainment messages and chain messages, viruses or any other type of computer program that is not intended for the performance of its functions or that may be considered harmful to the SC network environment

V. V. Send audio, video or animation files, except those related to the institutional functions performed by SC

VI. VI. Disclose, in whole or in part, the corporate email addresses listed in the service's address book

VII. Performing other harmful activities, tending to compromise the intimacy of users, the security and availability of the system, or the institutional image. It is the e-mail user's responsibility

VIII. VIII. Keep his e-mail access password secret;

IX. IX. Close the mail application (client) every time he/she leaves, avoiding undue access;

X. X. Immediately inform the Information Technology Management, preferably at franca@serraecompany.com.br, of the receipt of messages with viruses or that may cause damage to the IT systems;

XI. XI. Maintain its mailbox, avoiding exceeding the storage limit and ensuring its continuous operation.

2.8 The Information Technology Management is responsible for

I. Create and maintain records of users, mailboxes and distribution lists;

II. Cancel the accesses to the e-mail service of users who leave the company;

III. Propose the dissemination of guidance on the correct use of electronic mail

IV. IV. Supervising the use of the electronic mail service, observing the criteria established in this norm;

V. Develop other actions that guarantee the operationalization of this norm.