Information Security Policy

1.  OBJECTIVE

Establish the Information Security Policy of Transpetro.

2.  APPLICATION AND SCOPE

Applies to TRANSPETRO and its subsidiaries, observing company particularities.

Policy approved according to Minutes CA no. 308 implemented on 10/28/2021.

3.  REFERENCE AND COMPLEMENTARY DOCUMENTS

3.1.  Reference Documents

PL-0SPB-00019 Petrobras INFORMATION SECURITY POLICY  

3.2.  Complementary Documents

Not Applicable

4.  DEFINITIONS

Confidentiality: property that assures that the information is not made available or disclosed to a person, system, agency or entity that is not authorized or accredited;

Availability: property that assures that the information is accessible and usable upon request by a duly authorized person or by a certain system, agency or entity;

Integrity: property that assures that the information was not modified or destroyed in a non-authorized or accidental manner;

Authenticity: property that assures that the information was produced, issued, modified or destroyed by a certain person, system, agency or entity.

5.  AUTHORITY AND RESPONSIBILITY

Not applicable

6.  DESCRIPTION

6.1 Principles

6.1.1. The Company handles information respecting the business requirements, pertinent regulations and the pillars of Information Security: Confidentiality, Availability, Integrity and Authenticity.

6.1.2. The Company maintains an encompassing and systemic view of information security in its businesses, processes and relations.  

6.2 Directives 

The Company must: 

6.2.1. Maintain governance pertaining to Information Security, defining activities, roles and responsibilities;  

6.2.2. Promote an Information Security culture, disseminating it in an effective and continuous manner;

6.2.3. Apply technological and administrative measures geared to Information Security and Cyber Security, aligned with the priorities resulting from Corporate Risk Analysis, including capability to disconnect non-compliant units and localities from the Petrobras corporate network, always noting that cyber security is an essential part of information security;

6.2.4. Provide the required resources for maintaining the technological and administrative Information Security measures;  

6.2.5. Adopt Information Security requirements in processes and technologies from their inception;  

6.2.6. Provide means to identify, prevent, and deal with Information Security incidents.  

The Company's contributors must:

6.2.7. Use, classify and protect information in an ethical and secure manner, according to current standards;  

6.2.8. Report possible Information Security incidents using a specific channel.  

7.  RECORDS

Not applicable

8.  ANNEXES

Not applicable