Security Policy
Effective Date: 16/12/2024
Last Updated: 16/12/2024
This Security Policy outlines the principles, responsibilities, and procedures that govern how Nexwinds Solutions Lda (“Nexwinds”, “we”, “us”, or “our”) protects its systems, services, client data, and business operations against security threats. This policy applies to all employees, contractors, subcontractors, clients, and users of Nexwinds services.
1. Purpose
The purpose of this Security Policy is to establish and maintain a secure environment that safeguards Nexwinds’ systems, networks, and information assets. By adhering to this policy, Nexwinds aims to:
- Prevent unauthorized access to sensitive data.
- Ensure the integrity, confidentiality, and availability of systems and services.
- Comply with applicable data protection and cybersecurity laws, including GDPR.
2. Scope
This policy applies to:
- All information systems managed by Nexwinds, including servers, networks, software, and cloud infrastructure.
- All client and user data processed, transmitted, or stored through Nexwinds services.
- All employees, subcontractors, and third-party service providers who interact with Nexwinds systems or handle client data.
3. Security Principles
Nexwinds is committed to implementing the following security principles:
3.1 Confidentiality
Ensure that sensitive and personal data is accessed only by authorized individuals.
3.2 Integrity
Maintain the accuracy and completeness of information by protecting it from unauthorized modification.
3.3 Availability
Ensure that systems, networks, and data are accessible to authorized users whenever needed, minimizing disruptions or downtime.
4. Roles and Responsibilities
4.1 Management
- Develop and enforce security policies, procedures, and practices.
- Allocate resources to address security risks and implement controls.
- Ensure compliance with legal and regulatory security requirements.
4.2 Employees and Contractors
- Adhere to security policies and participate in security awareness training.
- Report security incidents or vulnerabilities to the designated security team.
- Use systems and tools only for authorized purposes.
4.3 Third Parties and Subcontractors
- Abide by Nexwinds’ security policies and contractual obligations.
- Implement security measures consistent with Nexwinds’ standards.
- Notify Nexwinds immediately in the event of a security incident.
4.4 Information Security Officer (ISO)
- Oversee the implementation of security measures and monitor compliance.
- Respond to security incidents and manage investigations.
- Conduct regular audits and risk assessments.
5. Data Protection and Encryption
5.1 Data Classification
Data is categorized into the following types to apply appropriate protection levels:
- Public Data: Information available to the public.
- Internal Data: Business information not intended for public distribution.
- Confidential Data: Sensitive data requiring strict access controls, including client data and personal data governed by GDPR.
5.2 Encryption
- All sensitive data in transit is encrypted using TLS (Transport Layer Security) or similar protocols.
- Confidential data stored on systems or devices is encrypted using industry-standard methods such as AES-256.
5.3 Data Access Controls
- Access to data is granted on a least-privilege basis, ensuring users access only what is necessary for their role.
- Multi-factor authentication (MFA) is required for access to critical systems.
6. Network Security
6.1 Firewalls and Intrusion Detection
- Firewalls are configured to monitor and control incoming and outgoing traffic.
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed to identify and mitigate potential threats.
6.2 Secure Remote Access
- Remote access is secured via VPN or other encrypted connections.
- Remote users must use company-approved devices with up-to-date security patches.
6.3 System Hardening
- Servers, endpoints, and devices are configured following secure baseline configurations.
- Unnecessary services, ports, and applications are disabled.
7. Incident Response
7.1 Incident Identification and Reporting
- All employees, contractors, and third parties must report suspected security incidents immediately to the designated security team at [email protected].
- Examples of incidents include unauthorized access, data breaches, malware infections, and phishing attempts.
7.2 Response Plan
The Incident Response Plan involves:
- Identification and containment of the incident.
- Investigation to determine the root cause.
- Eradication of the threat and recovery of systems.
- Post-incident review and implementation of preventative measures.
7.3 Notification
In the event of a data breach involving personal data, affected parties and relevant authorities (such as the Portuguese Data Protection Authority) will be notified within 72 hours, in compliance with GDPR.
8. Risk Management and Audits
8.1 Risk Assessments
- Regular risk assessments are conducted to identify vulnerabilities and evaluate potential threats.
- Risks are mitigated through the implementation of appropriate technical and organizational measures.
8.2 Audits and Penetration Testing
- Nexwinds conducts regular internal and external security audits.
- Penetration testing is performed to assess the resilience of systems to cyberattacks.
9. Employee Awareness and Training
All employees and contractors undergo regular security training covering:
- Cybersecurity best practices.
- How to identify and avoid phishing, malware, and other threats.
- Compliance with data protection laws and security policies.
10. Policy Enforcement
10.1 Non-Compliance
Non-compliance with this Security Policy may result in disciplinary action, including termination of employment or contracts.
10.2 Updates
This Security Policy will be reviewed and updated periodically to address emerging threats and changes in regulatory requirements.
11. Governing Law
This Security Policy is governed by the laws of Portugal. Any disputes arising under or in connection with this policy will be subject to the exclusive jurisdiction of the courts of Porto, Portugal.
IN WITNESS WHEREOF, this Security Policy is adopted by Nexwinds Solutions Lda and is effective as of the date first written above.