
S&P | Security & Privacy
General Policy for Information Security

11th of December 2020

Warning: Reproduction or communication, whether written or verbal, whole or in part, of this document without prior approval by NOS SGPS, S.A. is strictly prohibited
and punishable by law. All information contained in this document is property of NOS. Printed versions of this document may be outdated. Therefore, any
printed versions of this document will be regarded as an "uncontrolled copy".

Date: 11th December 2020 | Owner: NOS S&P Central Function

Version: 1.5 | Approved by: NOS Executive Committee

Classification: PUBLIC | Distribution list: Internal Employees (all); Suppliers and partners (NOS' service
providers); Customers (business segment)
General Policy for Information Security

Table of Contents

1. Introduction .................................................................................... 2
1.1. Objective .......................................................................................................... 2
1.2. Scope .............................................................................................................. 3
1.3. Responsibilities .................................................................................................. 3

2. Declaration of Information Security Principles .......................................... 5


3. Information Security Policy (ISP) ........................................................... 6
3.1. Information Security ............................................................................................ 6
3.2. ISP Levels ......................................................................................................... 8
3.3. ISP Domains ...................................................................................................... 9
3.4. ISP subdomains and security control objectives .......................................................... 10

4. References ..................................................................................... 11

1. Introduction

This document is an integral part of NOS Information Security Policy (ISP). It falls within the
Security & Privacy (S&P) management at NOS.

1.1. Objective

The NOS Executive Committee regards it as vitally important to define and implement a comprehensive
policy that safeguards the integrity, availability and confidentiality of information, in order to
adequately protect information and guarantee business efficacy and continuity.

This policy has the purpose of identifying the Information Security principles to be followed by

their correspondent control objectives.


1.2. Scope

The rules contained in this document apply to all companies, areas and information / assets /
processes of the NOS Group ("subsidiaries"), unless expressly defined otherwise. They are
mandatory for all employees, both Internal Employees and Employees of service providers.

In that context, this General Policy is applicable to all electronic communications companies in the
NOS Group (NOS Comunicações, NOS Açores Comunicações, NOS Madeira Comunicações, NOS
Wholesale) for the purposes covered by the Regulation on security and integrity of electronic
communications networks and services (hereinafter referred to as the ANACOM Security Regulation),
and to the extent that the obligations under this Regulation apply to such companies.

1.3. Responsibilities

The following table summarizes the main roles and responsibilities related to Security & Privacy
management in the company.

Entity | Activity

NOS Executive Committee
• Represent the commitment of management towards S&P.
• Promote S&P at NOS, with maximum responsibility for S&P issues.
• Approve the Governance Model and the General Policy for S&P.
• Approve the S&P Strategy and Planning, as well as the respective technological, human and
financial resources suitable for the fulfillment of the strategy.
• Approve the strategy for dealing with S&P risks with the highest criticality (top risks).

NOS S&P Central Function
• Propose and monitor the S&P Strategy and Planning (including Security, Cybersecurity, Privacy
and Business Continuity aspects), across NOS.
• Define and maintain S&P policies, standards and cross-cutting rules at NOS.
• Develop S&P by Design methodologies and S&P risk assessment and monitoring.
• Support the organization, through the S&P Functions / Pivots of the areas, in the
implementation of initiatives / measures that guarantee S&P compliance.
• Ensure the maintenance of the Privacy Impact Assessment (PIA), in conjunction with the
S&P Functions / Pivots of the Areas, Legal and the DPO.
• Define Business Continuity Management methodologies and maintain the NOS Crisis
Management Plan, Business Impact Analysis (BIA) and Risk Assessment (RA).
• Ensure that the areas carry out a periodic review and evaluation of the S&P controls in the NOS
Internal Control Manual.
• Prepare and monitor the S&P certification audits at NOS (ISO 27001 standard and other
standards).
• Monitor S&P risks, mitigation initiatives / measures and controls, for example through Key Risk
Indicators (KRIs).
• Coordinate the S&P Steerings, articulating with the S&P Functions / Pivots of the areas and
consolidating the S&P reporting to the Executive Committee.
• Develop and maintain the training and awareness program on S&P issues.

Data Protection Officer
• Act as an advisory element in NOS' privacy strategy and policies.
• Provide advice and intervene in the Privacy Impact Assessment (PIA) process, giving its opinion.
• Be a point of contact with the personal data subjects (e.g. Customers) and with the
Supervisory Authorities (e.g. CNPD).
• Control and monitor the compliance of the processing of personal data, in accordance with the
applicable rules.

Legal Department
• Act as an advisory element in the definition and review of S&P policies and standards, giving
its opinion.
• Identify new legislation or regulation on S&P, or changes to the existing ones, and support
the respective impact analysis.
• Support the preparation and maintenance of Records of Processing Activities (RPA) and
provide advice on Privacy Impact Assessments (PIA).
• Prepare the Data Processing Agreements (DPA) with subcontractors, based on the information
provided by the areas.

Internal Audit
• Conduct reliability assurance audits that cover S&P risks and processes.
• Conduct investigations of S&P incidents and monitor the resolution, by the areas, of risk
situations identified in the incidents.
• Act as an independent advisory element, proposing recommendations / improvement
actions in matters related to S&P.

NETWORKS Security Officer
• Be responsible for the security management of networks and services, under the ANACOM
Security Regulation.
• Manage the security policy and the respective security measures specific to networks and
services.
• Ensure that the company maintains the inventory of critical assets (classes A and B), maintains
the security plan, prepares the annual security report, performs security audits and executes
security breach notifications, as defined in the ANACOM Security Regulation.
• Represent the company in the exercise of these functions.

S&P Areas Sponsor
• Act in decision making on issues related to S&P, in articulation with the areas / directions
under its responsibility and the respective S&P Functions / Pivots of the areas.
• Ensure adequate technological, human and financial resources to comply with the S&P strategy
and planning of its areas.
• Monitor compliance with the S&P strategy and plan, and monitor compliance with the S&P
budget by the areas / directions under its domain.

S&P Functions/Pivots
• Coordinate and monitor the planning of the S&P initiatives of the Areas they represent, in line
with the Central S&P plan.
• Act as an advisory and support element to the Area in the implementation of initiatives /
measures that guarantee S&P compliance.
• Define and maintain the S&P rules and procedures applicable to the Area.
• Ensure the implementation and use of S&P by Design processes and tools in the Area.
• Keep the Records of Processing Activities (RPA) and the information on Subcontractors in the
Area updated.
• Support the preparation and maintenance of Privacy Impact Assessments (PIA) associated
with the Area.
• Prepare the Business Impact Analysis (BIA) and Risk Assessment (RA) and maintain and test the
Area's BCM Plans.
• Monitor the S&P risks, initiatives / measures and mitigation controls associated with the Area,
providing the Central S&P Function with relevant information such as Key Risk Indicators (KRIs).
• Ensure the inclusion, review and assessment of the adequacy of the area's S&P controls in the
Internal Control Manual and collaborate with the S&P audits.

Areas / Internal Employees / Service Providers
• Know and comply with S&P policies, standards and procedures, as well as with laws and
regulations.
• Apply the S&P by Design rules in the development of processes and systems, as well as
operationalize, monitor and maintain the respective S&P controls.
• Report to the Area's S&P Function / Pivot any changes in activities or partners that have an
impact on the Records of Processing Activities (RPA) and on the information on Area
Subcontractors.
• Ensure the treatment of any S&P non-conformities, identified for example in internal and
external audits or by the Areas themselves.
• Report any S&P incidents or any violation of the ISP through the defined channels.
• Be aware that the violation by a NOS Employee of any ISP standard, rule or procedure that falls
within NOS S&P Policies constitutes a disciplinary offense, subject to sanction depending on
the seriousness of the infraction, and may incur civil and criminal liability for the Employee. In the
case of Service Providers, through the Partners/Suppliers, the sanctions provided for by law or
in a contract will apply.


2. Declaration of Information Security Principles

NOS Group's Executive Committee and our Employees are committed to effectively managing the
security of information and of all assets under their purview, in accordance with the
organisation's strategic objectives and the following security principles:

1. Ensuring the protection and classification of information and its supporting assets in all
three fundamental pillars - confidentiality, integrity and availability - according to their
criticality to the organisation.

2. Ensuring that the protection of information complies with both the internal policies of our
company regarding information and the laws, regulations, customer requirements and
other external requirements.

3. Upholding the core values of democracy and freedom, through a non-intrusive approach
to security regarding both the organisation and individuals.

4. Guaranteeing the fundamental right of individuals to privacy, particularly the protection
of personal data belonging to customers, employees and other personal data subjects.

5. Ensuring the development, implementation and periodic review of specific policies and
standards as well as processes and controls, incorporating security and privacy measures
as an essential element for the protection of information assets against internal and
external threats.

6. Performing proper management of security and privacy incidents by putting processes in
place to prevent, detect, record, report, process and investigate any incidents and
vulnerabilities that might compromise the security of information, the protection of
personal data or disrupt business continuity.

7. Periodically carrying out assessment and monitoring of security risks so as to enable
identification and management of risks and ensure that the controls in place are well

8. Promoting awareness, training and certification of employees in the domain of
information security, so that they develop a sense of responsibility also in these matters.

9. Maintaining an integrated system of Internal Control and Information Security
Management to ensure that the organisation's resources and services are managed in a
sound, effective and efficient manner.

10. Incorporating Information Security in the organisation's processes and business
objectives, as a necessary condition to gain our customers' satisfaction and trust, and
also as a differentiating competitive factor.


3. Information Security Policy (ISP)

3.1. Information Security

Information - Any flow of communication or representation of knowledge such as data, facts or
opinions, in any medium or format (e.g. text, numbers, graphics, maps, narratives, audio-visual or
combinations thereof).

Information Asset - Any asset that stores information, in any format, and has an intrinsic value
to the organisation. Assets include the actual information entities (e.g. databases, contracts,
etc.), software (e.g. applications, operating systems, network platforms), hardware (e.g.
computers, communications equipment, etc.), services (e.g. electronic communications, energy,
etc.), people (e.g. skills, knowledge, etc.), intangible assets (e.g. goodwill and corporate image,
etc.), among others.

Information Security - Consists of protecting information and its supporting assets in three
essential aspects throughout the whole life cycle of information:

• Confidentiality - Ensures that information is accessed only by authorised persons on a
need-to-know basis. Prevents unauthorised access and / or disclosure of information,
whether accidental or intentional.
• Integrity - Protecting the accuracy of information and processing methods and their
respective storage assets (systems, infrastructures or others). Ensures that information is
consistent regardless of the storage medium used. Prevents modification, loss or
unauthorized and / or accidental deletion of information.
• Availability - Ensuring the access to information/services and respective storage assets
whenever necessary and allowed without undue delay.

The protection of information must also be in compliance with both the internal policies of our
company regarding information and all external laws and regulations. It should also consider the
service requirements documented in the SLAs, contracts or operating agreements with
customers.

Associated with the three fundamental pillars, there are other concepts of Information Security
that must be clarified in order to ensure a common understanding within the organisation:

• Privacy - A concept related to Confidentiality. Privacy includes the protection of
information, particularly personal data belonging to customers, employees or other data
subjects, in order to ensure compliance with applicable laws and regulations and the
fundamental right every individual has to access and control who has access to their
personal information at any given moment.

• Non-repudiation - A concept related to Integrity. It ensures that evidence exists which allows
for checking the occurrence of a particular action or event and that unequivocally identifies
the source of a communication or who is responsible for an operation.

• Resiliency - A concept related to Availability. It ensures that information supporting
assets (systems, platforms, infrastructure and other assets) have the ability to withstand
an incident and keep information/services available.

• Retention - A concept related to Availability. It ensures that the information can only be
kept for the time period required for business purposes and permitted by law.


3.2. ISP Levels

The Information Security Policy (ISP) determines our whole company's stance regarding security.
It is organised according to a hierarchical framework:

• General Policy for Information Security -


corporate level areas and to the electronic communications (focus), cinema, audio-visuals
and advertisement businesses.
• Specific Policies, Standards, Rules and Guidelines related to particular subdomains of the
ISP, whose development responsibility is predominantly in the S&P Central Function.
• Procedures, Processes and other documents that constitute a practical application of the
ISP and are managed and controlled by areas (e.g. Network, IT, BUs, etc.) through the
respective S&P Functions/Pivots.


3.3. ISP Domains

NOS adopts international standards and best practices related to Security as references in the
development of its own Information Security Policy (ISP). The main references adopted by NOS
are:

• ENISA - European Network and Information Security Agency | Technical Guidelines on
Security Measures
• ISO - International Organization for Standardization | ISO 27001 Information Security
Management System
• ANACOM - National Communications Authority | Regulation on the security and
integrity of electronic communications networks and services

Considering these references, NOS has established a Security Information framework that is
aligned, since 2013, with
domains also overlap with all ISO 27001 -
Information technology -

The following image portrays the chief Information Security domains that compose the
framework adopted by NOS.


3.4. ISP subdomains and security control objectives

The ISP has a structure composed of 8 domains (as previously shown), each including one or
more subdomains. For each of these, NOS has internally established control objectives to be
achieved and security measures and checks to be implemented.

• 1. Security Risk Management and Organisation -


governance scheme pertaining to Security & Privacy (namely S&P roles and responsibilities). It
also includes methodologies for managing and assessing S&P risks and S&P requirements.
Defines S&P requirements for third-party management, in accordance with business
requirements, customers, laws and regulations. This area also contains the specific
governance components related to the management of the S&P Processes and to the S&P
Certifications.

• 2. Human Resources Security - This domain covers security management issues specifically
related to human resources. It includes control objectives related to employee job changes as
well as security training and expertise.

• 3. Security and Operation of Systems & Facilities - This domain covers logical and physical
security objectives to be applied to systems and premises (network resources, information
systems and infrastructure), throughout the development and management/operation
lifecycle. It also focuses on the specifics pertaining to the management of logical and physical
access to these resources.

• 4. Information & Communication Management - This domain includes security objectives
associated with information classification and management throughout its lifecycle, with
operational management and safe use of ICT assets that support end users, and also with
adequate protection of information in some specific communication and transfer processes
within and outside the organization.

• 5. Incident Management - This domain covers security objectives related to security and
privacy incident management processes, including the detection, response, reporting and
communication of incidents.

• 6. Business Continuity Management - This domain covers security objectives pertaining to the
continuity strategy and to continuity and crisis management plans, having the goal of
mitigating failures with significant impact on the organisation whether caused by technical-
operational risks (e.g. faults in networks and services) or catastrophic risks (e.g. natural
disasters).

• 7. Monitoring & Auditing - This domain covers security objectives related to the processes of
logging, monitoring and security auditing of networks, information systems and organisation
premises.

• 8. Privacy & Personal Data - This domain covers security objectives related to the protection
of personal data, especially data belonging to customers, employees and other personal data
subjects, in order to ensure that the processing of personal data is in compliance with
applicable laws and regulations. This domain defines the Security & Privacy by Design
processes that must be followed. It also defines the technical security measures and the
organizational measures specific for privacy that must be applied to processes and systems
that process personal data.


4. References

• OECD - Organization for Economic Cooperation and Development | Guidelines for the
Security of Information Systems and Networks: towards a culture of security | 2002
• ISO - International Organization for Standardization | ISO/IEC 27001:2013 - Information
technology - Security techniques - Information Security Management System -
Requirements | 2013
• ENISA - European Network and Information Security Agency | Technical Guidelines on
Security Measures | November 2013 (v1.98), October 2014 (v2.0)
• ANACOM - National Communications Authority | Regulation nr. 303/2019 - Regulation on
the security and integrity of electronic communications networks and services
