Information Security Directive to Third Parties

  1. OBJECTIVE

Establish information security requirements applicable to third parties, such as service providers, associated companies and partner companies, in situations involving Transpetro.

  2. APPLICATION AND SCOPE

 Petrobras Transporte S.A. – Transpetro

  3. REFERENCE AND COMPLEMENTARY DOCUMENTS
    3.1. Reference documents

 PL-0TPR-00019-0 ETHICAL CONDUCT CODE

    3.2. Complementary documents

 N/A

  4. DEFINITIONS

 Applications – information systems used by the company, e.g. SAP.

Multifactor Authentication – a resource that requires two or more factors before granting access to information and/or a system, for example something the user knows (a password) plus something the user possesses (a token, or a code sent by SMS to a smartphone).

Authenticity – guarantee that the origin of the information is genuine and that proof can be produced of the authorship, origin and legitimacy of the entity named as its creator, editor and/or issuer.

Key – user identifier of four to twelve characters by which access to the corporate network environment is identified and authorized.

Information Life Cycle – phases of generation, maintenance, distribution and disposal of information.

Contributors – members of the Board of Directors and consultation committees, members of the Audit Committee, Executive Directors, employees, trainees, service providers and any person that acts on behalf of Transpetro.

Mobile Computation – portable equipment with the capacity to store, process and share information, e.g. notebooks, smartphones, ultrabooks, tablets, etc.

Confidentiality – guarantee that the information is accessible only to authorized persons and that it is duly protected from public disclosure.

Contracted Party – individual or corporate entity that has signed a contract as a service provider or vendor.

Cryptography – science of writing encrypted or coded messages. Used among other applications for the following: authenticating the identity of the user, authenticating bank transactions, protecting the integrity of electronic transfers and protecting the confidentiality of personal and commercial transactions.

Availability – guarantee that the information is accessible whenever necessary.

Third Party Devices – devices whose management is conducted by third parties, whether companies or individuals, such as notebooks, tablets, cell phones and others.

Mobile Devices / Mobile Storage Devices – devices capable of storing information (data) for subsequent consultation or use. May be diskettes, CDs, DVDs, tapes, HDs, flash drives, memory cards, cell phones or similar devices.

Associated Company – company associated with Transpetro by means of an Agreement.

Partner Company – company associated with Transpetro through a partnership (a form of association that seeks to join strengths to pursue a business opportunity).

Access Request Tool – tool available on the Intranet, used for requesting and electronically approving access and profile creation for the systems used in the company, such as the GRC-AC. The records of access requests/approvals (creation, change, maintenance, blocking and exclusion) must be stored for a minimum of 24 (twenty-four) months.

Workforce – group of own employees or employees of service provider companies that work at the same organization/company.

Information Manager – contributor with authority and responsibility for information management and for the information resources used in the execution or management of business process activities; typically Managers, Directors, Vice-Presidents and Presidents.

Security Incident – any adverse event, confirmed or under suspicion, regarding the security of computer systems or computer networks, as well as any situation where an information entity is at risk.

Information – the result of data processing, handling and organization such that it represents a modification (quantitative or qualitative) in the knowledge of the recipient. Information may exist in various forms: printed, stored electronically, transmitted by electronic means, shown on digital film, among others. Every form of the information, and every means by which it is shared or stored, must always be protected.

Critical Information – information considered essential for continuity of the business, which may or may not be confidential and restricted.

Privileged Information – relevant information (confidential or secret) that allows for obtaining benefits for self or for third parties, and which must be kept confidential.

Integrity – guarantee that the information is correct, true and maintained in its original state.

Invasion (intrusion) – act of violating previously adopted preventive controls for the purpose of obtaining illicit access to information and/or a computer system.

Legality – guarantee that the information meets the conformity requirements of the legislation, especially when the information is required as evidence in administrative or judicial processes.

Removable Media – form of computer storage designed to be inserted and easily removed from a system. Example: flash drive, memory card, external HD, etc.

Monitoring – activity consisting of maintaining the level of information security in order to ensure that the information security controls deemed appropriate are correctly applied; that the security incidents are detected and handled in timely manner; and that performance of the information security system is regularly monitored.

Transpetro – for purposes of this directive, the companies in which Petrobras is a shareholder, directly or indirectly.

Privileges – rights that allow a user to manage a system or equipment, changing its parameters and/or configuration; to define or change user IDs; to apply security controls or alter system components; or to access privileged information.

Technological Resources – may be physical or logical resource, software, hardware or information (PC, electronic file directories, links, etc.). All assets used for storing or handling information, such as: systems, equipment, data and files.

RIC – Petrobras integrated corporate network.

Separation of Functions – separation of the authorization, operation approval, execution, control and accounting functions, such that no contributor holds power and attributions over a significant portion of any process. It is one way to significantly increase the security of processes by separating responsibilities and activities, whether executed by areas or by persons. One purpose is to ensure independence between access requests and their authorizations.

Information Security – protection given to information to protect it from non-authorized actions regarding manipulation, transfer or destruction.

Information Security Management System – system composed of process and technologies that aid in the management and operation of Information Security.

Privileged Profile User – user with administrative privileges to create, alter, block and exclude system parameters and configurations of the technological resources and/or user accounts in the application and operating systems, and/or to create/alter/exclude data directly in database tables.

Common User – user with no administrative permit or privileges for altering configurations in the computational environment. Any person apt to access company data logically or physically, provided the user is authorized and subsequently registered by the Access Management area.

Vulnerability – any characteristic of an equipment, system or process that allows a threat to affect its normal status.

  5. AUTHORITY AND RESPONSIBILITY

 N/A

  6. DESCRIPTION

 Information Security (IS) is the protection of the availability, integrity, confidentiality, authenticity and legality of information, and has the purpose of ensuring the confidentiality, ownership and adequate use of information and technological resources. Transpetro adopts information security requirements in its processes and technologies from their creation onward.

Transpetro has an Information Security Management System applicable to the entire company, based on its Policy and Information Security Directive and other associated internal standards.

This Directive complements the aforementioned standards in order to ensure that third parties (for purposes of this document defined as Service Providers, Associated Companies, Partner Companies and any person who in their name executes activities or interacts with the Petrobras system) adopt IS in conformity with the requirements of Transpetro's processes in activities developed for and with the company.

The information and the technological resources of Transpetro must be used for the performance of the professional activities according to the stipulations of current legislation, Ethical Conduct Code and Transpetro’s values.

All information produced, received, accessed, stored, handled or distributed due to the professional activities or that have a connection to Transpetro, as well as other tangible and intangible assets made available, are the property of or are under the responsibility and exclusive right of use by Petrobras. The Company possesses and reserves the right to audit and control all information generated in its processes, as well as any information received, transmitted or stored in its infrastructure or in its cloud providers and in physical files or electronic devices of any type.

6.1. Guidelines

The guidelines contained in this Directive are divided into topics as shown below:

6.1.1. Information Classification

The information must be classified as to the degree of required confidentiality according to the importance of the information to the Transpetro business. The handling and classification of information must be executed according to the guidelines contained in the internal corporate standards.

6.1.2. Computer and Network Security

6.1.2.1. Use of Technological Resources

Transpetro makes available technological resources for fulfillment of the professional activities.

The use of these resources, for whatever reason, must always remain within the limits of good faith, ethics and legislation, and may never constitute an illicit practice, generate risk or run contrary to Transpetro's values. Use is granted at Transpetro's own discretion, is subject to changes and periodic revisions according to the risks identified and to monitoring of workforce conduct, and may be revoked or altered at any time.

Connections made from technological resources provided by Transpetro to external technology environments and computers must be approved according to criteria defined by the cyber security areas, which may monitor, audit and control the connections made, including those to social networks and instant messaging technologies.

All technological resources must be registered and controlled by the information technology and cyber security areas. The installation and/or use of technological resources that were not duly authorized and/or registered by these areas is not allowed.

Each member of the workforce is identified by a key (unique ID) and individual password, secret and non-transferable that configures the member’s digital identity. Each contributor is responsible for the security actions or incidents when using the digital identity.

The use of removable media for copying/storage of information is not allowed, except in extraordinary cases, subject to express authorization by the area manager as well as the contract manager.

The removal of information without prior authorization from the information manager is prohibited, including to personal email, personal equipment and private cloud accounts.

Each member of the workforce is responsible for using only software and hardware made available by Transpetro duly registered, licensed and/or with authorized use or third party equipment with the Transpetro image.

The installation of software in technological resources made available by Transpetro for which Transpetro does not have a license is not allowed, even free software.

6.1.2.2. Computer Access to the Computer Network

All new computers, whether servers or workstations, before being released to the production environment or accessed by the workforce, must include only previously registered technological resources duly licensed by the information technology and telecommunications area. Access to Transpetro's computing resources, including remote access, is only allowed through technological resources owned by Transpetro or duly authorized by the information security and cyber security areas.

6.1.2.3. Logic Access by Third Parties

Access to information and to the technological resources will only be granted to third parties through express authorization by Transpetro.

The access granted by the information technology and telecommunications area must observe the minimum privilege principle, and the use of privileged access is exclusive for activities that justify such use.

All external connections to the corporate network must be authenticated; remote diagnostic ports must be protected, and connections with third party networks are controlled by the information technology and telecommunications area of Transpetro.

6.1.2.4. Use of Passwords by Third Parties

Corporate passwords must be personal and non-transferable, and sharing them is prohibited.

Default passwords supplied by manufacturers for any technological resource must not remain in use after installation in the Transpetro environment. Password complexity requirements based on international standards and best practices must always be followed so as to minimize the risk of credential compromise.

The passwords must be changed periodically, or immediately due to possible compromise, or in case of an unusual event in the device systems.

6.1.2.5. Identity Management and Third Party Access

Third party identities are managed from their registration onward, so as to ensure they have access only to the resources due to them.

Identity and access management at Transpetro is made operational through a series of automatically executed activities.

Each user will be uniquely identifiable in order to ensure traceability of actions.

The contract inspector and agent must undertake the correction and updating of third party registration data and ensure that the access granted is the minimum required for performance of the required activities, to be revoked in a timely manner when no longer necessary.

6.1.3. Content Restriction

Transferring and/or storing corporate information by webmail (Gmail, Hotmail etc.) or public websites (Google drive, iCloud, DropBox etc.) outside the Transpetro domain is not allowed.

The corporate information must only be stored in technological resources provided by the Company, and the sharing with third parties without due authorization is prohibited.

The use or installation of Transpetro information processing resources (software, hardware, application systems and others) for access, storage and/or transmission of information (including sending email to one's own personal email) that contains the following items is not allowed:

  • Pornographic material and/or obscene, crude or offensive language;
  • Information regarding illegal activities and/or incitement to crime;
  • Disclosure, in one's own name or without due consent, of names, contacts and other information belonging to third parties;
  • Political and/or religious content;
  • Programs and files that contain malicious code or whose purpose is to exploit vulnerabilities;
  • Material that violates local legislation, such as: cybercrime, piracy, practice, solicitation or incitement of prejudice or any type of discrimination, material that is libelous, abusive or constitutes an invasion of privacy, material protected by copyright, publication of audio, photos or texts without authorization from the author or legal representative, publication of photos without consent of those pictured, distribution of files without authorization from the persons or companies responsible, and offensive or defamatory statements.

The storing of personal information in Transpetro's data storage infrastructure is prohibited, except where eventually requested by the company itself, for example to meet registration requirements.

6.1.4. Cloud Computation

Access to information, applications or systems in cloud storage from an environment external to the corporate network requires multifactor authentication, duly registered by the Information Security area and the information technology and telecommunications area.

Cloud-based environments, whether Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), must first undergo the registration process of the cyber security area and the information technology and telecommunications area, in accordance with the established directives and requirements.

6.1.5. Systems Security

Any contracting of systems, platforms and/or applications that store, modify or transmit Transpetro information must follow the requirements of this Directive.

Systems developed for Transpetro purposes must previously undergo security analyses from the cyber security and information technology and telecommunications areas.

The security of the systems that handle sensitive information or that are critical for Transpetro’s operations must be tested periodically according to requirements defined by Transpetro.

These systems and applications must have audit trails, which must be sent to the cyber security area and contain at a minimum the following:

  1. The time at which the event occurred;
  2. Information on the event or failure;
  3. The account responsible for the event;
  4. The party responsible for the request and the party responsible for the approval.
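As an added example (not Transpetro's own tooling), the check below reads newline-delimited JSON audit records and reports any that fail the minimum content listed above: the four fields must be present, the event time must be an ISO 8601 timestamp with a UTC offset (a naive local time cannot be ordered reliably against other sources during an investigation), and, per the Separation of Functions definition in section 4, the account that requested an access must not be the one that approved it. The field names (`timestamp`, `event`, `account`, `requested_by`, `approved_by`) and the four sample records are assumptions constructed for illustration.

```python
"""Validate audit-trail records against the minimum fields this Directive
requires and against the request/approval separation of functions.

Added example, not Transpetro's tooling. Field names and sample records
are assumptions constructed for illustration.
"""
import json
from datetime import datetime

REQUIRED_FIELDS = ("timestamp", "event", "account", "requested_by", "approved_by")

# Constructed sample trail: a compliant record, one missing the approver,
# one where the same account requested and approved, and one whose
# timestamp carries no UTC offset.
SAMPLE_TRAIL = """
{"timestamp": "2024-03-04T10:15:30+00:00", "event": "access granted to SAP role Z_FIN_VIEW", "account": "abcd", "requested_by": "efgh", "approved_by": "ijkl"}
{"timestamp": "2024-03-04T10:20:00+00:00", "event": "privileged profile created", "account": "mnop", "requested_by": "efgh"}
{"timestamp": "2024-03-04T11:02:11+00:00", "event": "access granted to GRC-AC", "account": "qrst", "requested_by": "uvwx", "approved_by": "uvwx"}
{"timestamp": "2024-03-04 11:30:00", "event": "user blocked", "account": "yzab", "requested_by": "cdef", "approved_by": "ghij"}
"""


def _parse_timestamp(value):
    """Return an aware datetime, or None if value is not ISO 8601 with a UTC offset."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo is not None else None


def validate_record(record):
    """Return the list of problems found in one record; empty means acceptable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing {field}")
    if "timestamp" in record and _parse_timestamp(record["timestamp"]) is None:
        problems.append("timestamp is not ISO 8601 with a UTC offset")
    requester, approver = record.get("requested_by"), record.get("approved_by")
    if requester and approver and requester == approver:
        problems.append("requester and approver are the same account")
    return problems


def validate_trail(text):
    """Validate newline-delimited JSON; return {line_number: [problems]} for bad records."""
    findings = {}
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[lineno] = ["not valid JSON"]
            continue
        problems = validate_record(record)
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    for lineno, problems in validate_trail(SAMPLE_TRAIL).items():
        print(f"record {lineno}: {'; '.join(problems)}")
```

The same-account check is deliberately limited to the request and approval fields; an account may legitimately appear as both `account` (the subject of the event) and `requested_by` when a user requests access for themselves, which the Directive does not forbid.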

6.1.5.1. Physical Access Control to the Technological Resources

Physical access to the areas where Transpetro’s technological resources are located is restricted to authorized personnel.

6.1.6. Mobility and Remote Access

6.1.6.1. Mobility

The use of mobile computation is allowed to the employees of the business partner company or outsourced company of Transpetro, when specifically stipulated in the contract and approved by the Transpetro manager.

The user of mobile computational resources (notebooks, cell phones, tablets, smartphones and similar items) must undertake to ensure the information contained in the corporate devices is not compromised.

Access by the workforce to business information from personal devices is contingent upon express authorization from the cyber security areas, and if applicable, from information security, and upon installation of specific security applications and configurations determined by Transpetro.

6.1.6.2. Remote Access

Remote access must be made available to the contributor only upon verification of need, management approval and for professional purposes.

For remote access to the computation environment of Transpetro it is necessary to use a multifactor authentication resource duly registered by the information security, cyber security and information technology and telecommunication areas, as well as management approval.

6.1.7. Handling of third party personal data

The handling of personal data, sensitive or not, by Transpetro or related parties is allowed under the terms of the General Personal Data Protection Law (LGPD) only by express authorization from the Transpetro manager and observing instructions and  limits established for each case.

Any party linked to any interaction with Transpetro is also obligated to meet the requirements and principles pertaining to the Protection and Privacy of Personal Data stipulated in the LGPD.

Contracts between Transpetro and third parties that directly or indirectly involve handling of personal data are subject to contractual clause that stipulated the responsibilities and obligations of each of the contracted parties in handling and protecting personal data.

6.1.8. Connection of third party equipment to the corporate network

The connection of third party equipment to the corporate network is not allowed. When stipulated in a contract, the contractor's equipment must receive the Transpetro image so that it is managed and follows Transpetro's standards.

Third party equipment needing Internet access only may connect through a separate connection, independent of the corporate network, made available by the information technology and telecommunications area for this purpose. This connection may not use Transpetro's internal phone extensions.

6.1.9. Third party network connection to the corporate network

All extranet connectivity must be submitted to a technical security assessment by the information technology and telecommunications area. The technical assessment is executed to ensure that the solution meets the requirements of the business and of Transpetro's information security.

6.1.10. System integration and sharing with third parties

All technological  environments or information systems shared with business partners, clients, third parties or external parties to Petrobras must be located in a Demilitarized Zone (DMZ) .

For purposes of this Directive, a DMZ scenario is any sharing of data between Transpetro and partner companies or external clients over the Internet, a public network or another private environment with business partners.

6.1.11. Access to the automation environment by third parties

When third parties without access to the corporate network need external access to the automation environment, the access must always be accompanied and monitored by a contributor from the automation area responsible for that environment. This access must be made through Transpetro's official collaboration tool or through the remote access solution.

The transport of automation data over external third party or partner networks must use the Virtual Private Network (IPsec VPN) specified by the information technology and telecommunications area.

6.2. Attributions and responsibilities

6.2.1. The third parties are responsible for:

  • Maintain professional secrecy and confidentiality of all information they come to know through the activities developed at Transpetro;
  • Make adequate and authorized use of the technological resources, information and social networks related to Transpetro, regardless of hierarchical level, physical or geographical location or type of activity;
  • Adopt due precautions when it is necessary to delegate activities, in which case responsibility for any security incidents remains with the delegating third party together with the contributor to whom the activity was delegated;
  • Report immediately to the information security area any suspicion of failures, vulnerabilities and/or security incidents in any information security controls, by filing a request on the GeticWeb or sending a message to geticweb@transpetro.com.br.

6.2.2. The cyber security and information security areas are responsible for:

  • Define the strategy for technological protection and that of the Transpetro information used by third parties;
  • Develop and implement the information security program at Transpetro, including training, awareness and communication plan for the entire workforce, including third party workforce;
  • Manage information security incidents at the company and their respective resolutions.

6.3. Sanctions

Failure to comply with this Directive incurs the application of sanctions, as well as penalties stipulated in current legislation, contracts, agreements, cooperation terms and company norms, without prejudice to other applicable measures of an administrative, judicial or extrajudicial nature.

  7. RECORDS
 

 Not applicable