Information Security Policy

Scope and Purpose

To whom does it apply?

The rules contained in this document apply to all companies, departments and information/assets/processes controlled by the NOS Group, unless explicitly defined otherwise. Compliance with these rules is mandatory for all employees, both internal employees and the employees of partners (service providers).

In the present context, this General Policy applies to all of NOS Group’s electronic communications companies (NOS Comunicações, NOS Açores Comunicações, NOS Madeira Comunicações, NOS Wholesale), for the purposes of compliance with the “Regulation on the security and integrity of electronic communications networks and services” and to the extent that the obligations provided for in this Regulation are applicable to the aforementioned companies.

What is the objective?

1. Define Information Security principles mandatory for Employees, Suppliers and Partners

  • Guaranteeing protection and classification of information and related supporting assets;
  • Ensuring information protection is in compliance with internal policies as well as laws and regulations;
  • Upholding the core values of democracy and freedom, while maintaining a non-intrusive attitude;
  • Guaranteeing the fundamental right of individuals to privacy, particularly the protection of personal data belonging to customers;
  • Ensuring development, implementation and periodic reassessment of policies, processes and controls, incorporating security and privacy measures;
  • Carrying out adequate management of incidents that may jeopardise information security, the protection of personal data or business continuity;
  • Assessing and monitoring security risks on a regular basis;
  • Promoting awareness, training and certification of Employees in areas related to Security and Privacy;
  • Maintaining an integrated system of Internal Control and Information Security Management;
  • Incorporating Security and Privacy into business processes and objectives as a differentiating and competitive factor for customer satisfaction and trust.

2. Define NOS’ security structure

The Information Security Policy (ISP) is NOS’ guideline regarding its global security posture. It comprises a number of documents organised in a hierarchical structure:

  • General Information Security Policy: a corporate Policy applicable to the corporate departments and to the electronic communications (focus), cinemas, audio-visuals and advertising businesses;
  • Specific Policies, Standards, Rules and Guidelines on certain sub-domains of the ISP;
  • Procedures, Processes and other documents that operationalise the ISP.

3. Define domains and subdomains of ISP security

NOS has defined an Information Security framework in line with the following adopted references:

  • ENISA - European Network and Information Security Agency | Technical Guidelines on Security Measures
  • ISO - International Organization for Standardization | ISO 27001 Information Security Management System
  • ANACOM - Portuguese regulatory authority for electronic communications | Regulation on the security and integrity of electronic communications networks and services