SUMMARY

  1. OBJECTIVE
  2. APPLICATION AND SCOPE
  3. REFERENCE AND COMPLEMENTARY DOCUMENTS
    1. Reference Documents
    2. Complementary Documents
  4. DEFINITIONS
  5. AUTHORITY AND RESPONSIBILITY
  6. DESCRIPTION
    1. Guidelines
      1. Information Classification
      2. Network and Computer Security
        1. Use of technological resources
        2. Computer Access to the Computer Network
        3. Logical access by third parties
        4. Use of passwords by third parties
        5. Management of third-party identities and access
      3. Content Restriction
      4. Cloud Computing
      5. Systems Security
        1. Physical Access Control to Technological Resources
      6. Mobility and Remote Access
        1. Mobility
        2. Remote Access
      7. Processing of third parties' personal data
      8. Connecting third-party equipment to the corporate network
      9. Connecting a third-party network to the corporate network
  7. REGISTRATIONS
  8. ANNEXES

  1. OBJECTIVE

Establish information security requirements applicable to third parties, such as service providers, affiliated companies and partner companies, in situations related to Transpetro.

  1. APPLICATION AND SCOPE

Petrobras Transporte S.A. - Transpetro

  1. REFERENCE AND COMPLEMENTARY DOCUMENTS

    1. Reference documents

PL-0TPR-00019-0 CODE OF ETHICAL CONDUCT

    1. Additional documents

N/A

  1. DEFINITIONS

Applications - These are the information systems used by the company, e.g. SAP.

Multifactor Authentication - This is a feature that requires two or more factors to allow access to information and/or a system, for example: something known to the user (password), plus something in the user's possession (token or code sent by SMS to a smartphone).

Authenticity - Guarantee that the origin of the information is proven and capable of generating evidence of the authorship, origin and legitimacy of the entity attributed as creator, publisher and/or issuer.

Key - Code consisting of four to twelve positions through which access to corporate network environments is identified and authorized.

Information Life Cycle - These are the phases of generation, maintenance, distribution and disposal of information.

Employees - Members of the Board of Directors and its advisory committees, members of the Audit Board, members of the Executive Board, employees, trainees, service providers and any person acting on behalf of Transpetro.

Mobile Computing - Portable equipment capable of storing, processing and sharing information, e.g. notebooks, smartphones, ultrabooks, tablets, etc.

Confidentiality - Ensuring that information is accessible only to authorized persons and that it is properly protected from public knowledge.

Contractor - A natural or legal person who has entered into a Contract as a service provider or supplier of goods.

Cryptography - The science of writing messages in cipher or code form. It is used, among other things, to: authenticate the identity of the user, authenticate banking transactions, protect the integrity of electronic transfers and protect the confidentiality of personal and commercial transactions.

Availability - Ensuring that information is accessible whenever it is needed.

Third-party devices - These are devices managed by third parties, whether companies or individuals, such as notebooks, tablets, cell phones and others.

Mobile Devices - Devices capable of storing information (data) for later consultation or use. They can be floppy disks, CDs, DVDs, tapes, hard disks, pen drives, memory cards, smartphones, cell phones and simulators.

Mobile Storage Devices - Devices capable of storing information (data) for later consultation or use. They can be floppy disks, CDs, DVDs, tapes, hard disks, pen drives, memory cards, smartphones, cell phones and simulators.

Partner Company - Company related to Transpetro through an agreement.

Partner Company - A company related to Transpetro through a partnership (a form of association that aims to converge forces to realize a business opportunity).

Access Request Tool - Tool available on the Intranet, used for electronic access requests and approvals and the creation of profiles for the systems used in the company, such as GRC-AC. Access request/approval records (creation, modification, maintenance, blocking and deletion) must be kept for at least 24 (twenty-four) months.

Workforce - Group of own employees and employees of service providers working in the same organization/company.

Information Manager - The employee with authority and responsibility for managing information and information resources used in the execution or management of business process activities. Managers, Directors, Vice Presidents and Presidents.

Security Incident - Any adverse event, confirmed or under suspicion, related to the security of computer systems or computer networks, as well as any situation where an information entity is at risk.

Information - The result of processing, manipulating and organizing data in such a way that it represents a change (quantitative or qualitative) in the recipient's knowledge. Information can exist in various forms. It can be: printed, stored electronically, transmitted by electronic means, shown on digital films, among others. Whatever form the information takes, or the means by which it is shared and stored, it must always be protected.

Critical Information - Information considered essential for business continuity, which may or may not be confidential and restricted.

Privileged Information - Relevant information (Confidential or Secret) that makes it possible to obtain advantages for oneself or for third parties, which must be kept secret.

Integrity - Guarantee that the information is correct, true and maintained in its original state.

Invasion - The action of circumventing previously adopted prevention controls in order to gain undue access to information and/or computer systems.

Legality - Ensuring that the information meets the compliance requirements of the legislation, especially when the information is required for evidentiary purposes in administrative or judicial proceedings.

Removable Media - A form of computer storage designed to be easily inserted and removed from a system. Example: pen drive, memory card, external hard drive, etc.

Monitoring - Activity that consists of maintaining the level of information security, with the aim of ensuring that the information security controls considered appropriate are applied correctly; that security incidents are detected and dealt with in a timely manner; and that the performance of the information security management system is regularly monitored.

Transpetro - For the purposes of this guideline, these are the companies in which Petrobras holds a direct or indirect stake.

Privileges - Allow a third party to manage a system or piece of equipment, changing its parameters and/or settings. They also allow a third party to define or change user IDs, apply security controls or alter system components, or gain access to privileged information.

Technological resources - These can be physical or logical resources, software, hardware or information (microcomputers, electronic file directories, links, etc.). These are all the assets used to store or manipulate information, such as: systems, equipment, data and files.

RIC - Petrobras Integrated Corporate Network.

Segregation of Duties - This consists of separating the functions of authorization, approval of operations, execution, control and accounting, in such a way that no employee has powers and attributions over a significant part of any process. It is one of the ways of significantly increasing process security, with the aim of separating responsibilities and activities, whether they are carried out by areas or people. One of its purposes is to guarantee independence between the request for and authorization of access to information.

Information Security - It is the protection given to Information to preserve it from unauthorized actions regarding manipulation, transfer or destruction.

Information Security Management System - A system made up of processes and technologies that help manage and operate information security.

User with Privileged Profile - User who has administrative privileges to create, change, block, delete parameters and systemic configurations of technological resources and/or user accounts in application systems and operating systems and/or create/change/delete data directly in database tables.

Ordinary User - A user without any administrative permissions or privileges to change settings in the computer environment. Any person able to logically or physically access company information, provided they are authorized and subsequently registered by the Access Management area.

Vulnerability - Any characteristic of a piece of equipment, system or process that allows a threat to affect its normality.

  1. AUTHORITY AND RESPONSIBILITY

N/A

  1. DESCRIPTION

Information Security (IS) is the protection of the attributes of availability, integrity, confidentiality, authenticity and legality of information, and aims to guarantee the secrecy, ownership and appropriate use of information and technological resources. Transpetro adopts information security requirements in processes and technologies, from the design stage.

Transpetro has an Information Security Management System, applicable to the entire company, anchored in its Information Security Policy and Guideline and in the other internal standards associated with them.

This Guideline joins the aforementioned standards in order to ensure that third parties (for this document defined as Service Providers, Partner Companies, Partner Companies and any persons who carry out activities or interact with the Petrobras system on their behalf) adopt IS controls in accordance with those required by Transpetro's processes in the activities carried out for and with the company.

Transpetro's information and technological resources must be used to carry out professional activities in accordance with current legislation, the Code of Ethical Conduct and Transpetro's values.

All information produced, received, accessed, stored, manipulated or distributed as a result of professional activities or in connection with Transpetro, as well as other intangible and tangible assets made available, are the property of or under the responsibility and exclusive right of use of Petrobras. The Company owns and reserves the right to audit and control the use of all information generated in its processes, as well as any information that is received, transmitted or stored in its infrastructure or in its cloud providers and in physical files or electronic devices of any nature.

    1. Guidelines

The guidelines in this Guideline are divided into themes, as follows:

      1. Information Classification

Information must be classified according to the degree of secrecy required, in accordance with the importance of the information to Transpetro's business. The treatment and classification of information must be carried out in accordance with the guidelines contained in an internal corporate standard.

      1. Network and Computer Security

        1. Use of technological resources

Transpetro provides technological resources for carrying out professional activities.

The use of these resources, in any form whatsoever, must always take place within the limits of good faith, ethics and legislation and may never constitute an illicit practice, generate risk or be contrary to Transpetro's values, being granted purely on a discretionary basis and subject to periodic alterations and reviews in accordance with the risks identified and the monitoring of the workforce's conduct, and may be revoked or altered at any time.

Connections made from technological resources made available by Transpetro to external technology environments and computers must be approved according to criteria defined by the cyber security areas, which can monitor, audit and control the connections made, including social networks and instant messaging technologies.

All technological resources must be approved and controlled by the information technology and telecommunications area and the cyber security area. It is not permitted to install and/or use technological resources that have not been duly authorized and/or approved by these areas.

Each member of the workforce is identified by means of a key (unique ID) and an individual, secret and non-transferable password that constitutes their digital identity. Each employee is responsible for any actions or security incidents when using their digital identity.

The use of removable media for copying/storing information is not permitted, except in exceptional cases, with the express approval of the area manager, as well as the contract manager.

It is forbidden to remove information, including for your own e-mail, personal equipment, and private cloud storage account, without the prior authorization of the information manager.

It is the responsibility of each member of the workforce to use only software and hardware made available by Transpetro, duly approved, licensed and/or authorized for use, or third-party equipment bearing the Transpetro image.

It is not permitted to install or use software for which Transpetro does not have a license in technological resources made available by Transpetro, even if the software is free to use.

        1. Computer Access to the Computer Network

Every new computer, whether server or workstation, before being released for the production environment or workforce access, must only have technological resources that have been previously approved and duly licensed by the information technology and telecommunications area. Access to Transpetro's computer resources, including remotely, is only allowed through technological resources owned by Transpetro or duly authorized by the information security and cyber security areas.

        1. Logical access by third parties

Access to information and technological resources will only be granted to third parties with the express authorization of Transpetro.

Access granted by the information technology and telecommunications area must comply with the principle of least privilege, and the use of privileged access is exclusive to activities that justify the need.

All external connections to the corporate network must be authenticated, in which case remote diagnostic ports will be protected and connections to third-party networks will be controlled by Transpetro's information technology and telecommunications department.

        1. Use of passwords by third parties

Corporate passwords must be personal and non-transferable and may not be shared.

Standard passwords supplied by manufacturers should not be used after any technological resource has been installed in the Transpetro environment. Password complexity requirements based on international standards and best practices should always be followed in order to minimize the risk of credentials being breached.

Passwords should be changed periodically, immediately in case of doubt about their compromise, or in the event of any unusual occurrence in the device systems.

        1. Identity management and third-party access

It handles the identities of third parties from their registration to ensure that they have access to the right resources.

Identity and access management at Transpetro is operationalized through a series of activities carried out automatically. Every user will be uniquely identifiable in order to guarantee traceability of actions.

The contract supervisor and the agent must ensure that the registration information of third parties is correct and up-to-date and that the access granted is the minimum necessary to carry out the required activities and is revoked in good time when no longer necessary.

      1. Content Restriction

It is not permitted to transfer and/or store corporate information via private webmail (Gmail, Hotmail, etc.) or on public websites (Google Drive, iCloud, DropBox, etc.) outside the Transpetro domain.

Corporate information must only be stored in technological resources provided by the Company and may not be shared with third parties without due authorization.

You may not use or install Transpetro's information processing resources (software, hardware, application systems and others) to access, store and/or transmit information (including sending e-mail to your own private e-mail address) that contains the following items:

  • Pornographic material and/or obscene, crude or offensive language;

  • Information about illegal activities and/or incitement to crime;

  • Disclosure of names, contacts and other information of third parties as their own or without proper authorization;

  • Political and/or religious content;

  • Programs and files containing malicious code or intended to exploit vulnerabilities;

  • Material that violates local legislation, such as: virtual crime, piracy, practice, induction or incitement of prejudice or any form of discrimination, slanderous, abusive material or material that invades someone's privacy, material protected by copyright, or publication of sounds, photos or texts without the authorization of the author or their legal representative, publication of photos without the authorization of those photographed and distribution of files without the authorization of the persons or companies responsible, insulting or defamatory statements.

It is not permitted to store private information in Transpetro's data storage infrastructure, except for that which may have been required by the company itself, for example, to meet registration needs.

      1. Cloud Computing

To access information, applications or systems that are in the cloud, from an external environment to the corporate network, it is necessary to use multi-factor authentication, duly approved by the Information Security and ICT area.

The environments made available in the cloud, whether Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), must first go through the approval process of the cyber security area and the information technology and telecommunications area as a whole, in accordance with the established guidelines and requirements.

      1. Systems Security

Any contracting of systems, platforms and/or applications that store, modify or transmit Transpetro information must follow the requirements of this Guideline.

Systems developed for Transpetro's purposes must first undergo security analysis by the cyber security and information technology and telecommunications areas.

The security of systems that handle sensitive information or that are critical to Transpetro's operations must be tested periodically, in accordance with requirements defined by Transpetro.

These systems and applications must have audit trails, which must be sent to the cyber security area, containing at least:

  1. The time the event took place;

  1. Information about the event or fault;

  1. Account responsible for the event;

  1. Responsible for requests and approvals.

        1. Physical Access Control to Technological Resources

Physical access to areas where Transpetro's technological resources are located is restricted to authorized persons only.

      1. Mobility and Remote Access

        1. Mobility

The use of mobile computing is allowed for professionals from Transpetro's business partner or outsourced company, when specifically provided for in the contract and approved by the Transpetro manager.

It is the responsibility of the user of mobile computing resources (notebooks, cell phones, tablets, smartphones and the like) to ensure that the information contained on corporate devices is not compromised.

Workforce access to company information from private devices will be subject to the express permission of the cyber security and, where applicable, information security areas, the installation of specific security applications and configurations defined by Transpetro.

        1. Remote Access

Remote access should only be made available to employees upon proof of need, management approval and used for professional purposes.

Remote access to Transpetro's computer environment requires the use of multi-factor authentication, duly approved by the information security, cyber security and information technology and telecommunications areas, as well as managerial approval.

      1. Processing of third parties' personal data

The processing of sensitive or non-sensitive personal data by Transpetro or related parties is permitted, under the terms of the General Personal Data Protection Law (LGPD), only with the express authorization of the Transpetro manager and observing the instructions and limits established in each case.

Any related party in any interaction with Transpetro is also obliged to comply with the requirements and principles regarding the Protection of Personal Data and Privacy, listed in the LGPD.

Contracts between Transpetro and third parties that directly or indirectly involve the processing of personal data are subject to contractual clause(s) stipulating the responsibilities and duties of each of the contracting parties in the processing and protection of personal data.

      1. Connecting third-party equipment to the corporate network

Third-party equipment may not be connected to the corporate network. When provided for in the contract, the contractor's equipment must receive the Transpetro image so that it is managed and follows the Transpetro standards.

The connection of third-party equipment to access the Internet exclusively can be made through any other connection independent of the corporate network, made available by the information technology and telecommunications area for this purpose. This connection may not use Transpetro's internal telephone extensions.

      1. Connecting a third-party network to the corporate network

All extranet connectivity must undergo a technical security assessment by the information technology and telecommunications department. The technical assessment is carried out to ensure that the solution meets Transpetro's business and information security needs.

      1. Systems integration and sharing with third parties

Any technological environment or information system shared with business partners, clients, third parties or those external to Petrobras must be located in a Demilitarized Zone (DMZ) .

The DMZ model is considered to be the sharing of data between Transpetro and partner companies, or external clients, where one takes place via the Internet, or public network, and the other via a private environment with business partners.

      1. Access to the automation environment by third parties

If external access is required, by third parties who do not have access to the corporate network, this must always be accompanied and monitored by an employee from the automation area responsible for the environment. This access must be via Transpetro's official collaboration tool or remote access solution.

The transport of automation data on external networks of third parties or partners must be carried out via a Virtual Private Network (IPSec VPN) specified by the information technology and telecommunications area.

    1. Roles and responsibilities

      1. Third parties are responsible for

  • Maintain professional secrecy and confidentiality of all information that comes to their knowledge as a result of their activities at Transpetro;

  • Make appropriate and authorized use of technological resources, information and social networks related to Transpetro, regardless of hierarchical level, physical or geographical location or the activity carried out;

  • Take due care in the event of the need to delegate an activity, in which case responsibility for any security incidents will remain with the delegating third party together with the employee to whom the activity has been delegated;
  • Immediately report any suspected flaws, vulnerabilities and/or security incidents and any information security controls to the information security department by opening a ticket on GeticWeb or sending a message to geticweb@transpetro.com.br.
      1. It is the responsibility of the cyber security and information security areas:

  • Define the strategy for protecting Transpetro's technology and information used by third parties;

  • Develop and implement an information security program at Transpetro, including training, awareness and a communication plan for the entire workforce, including third parties;

  • Manage the company's information security incidents and their respective treatment.

    1. Sanctions

Failure to comply with this Guideline gives rise to the application of sanctions, as well as penalties provided for in the legislation in force, in the contracts, agreements and terms of cooperation and in the Company's rules, without prejudice to other appropriate measures of an administrative, judicial or extrajudicial nature.

  1. REGISTRATIONS

Not applicable

  1. ANNEXES

N/A