Information Security Policy

Last Update: October 2025.
Information Classification: Public Use.

Definition

This document describes guidelines on the Information Security Policy of Grupo Senior, whose rules and procedures are confidential and published internally. Such guidelines define the acceptable use of the institution’s information assets, based on the principles of confidentiality, integrity, and availability.

Target Audience

Grupo Senior, Third Parties, Service Providers, Clients, Partners, and Channels.

Objective

• Establish Information Security guidelines and standards that enable Senior employees to adopt secure behavior patterns, suitable for their goals and needs;
• Guide employees in adopting controls and processes to meet Information Security requirements;
• Train Senior employees regarding prevention, detection, and response to Information Security incidents;
• Prevent possible causes of Information Security incidents;
• Protect Senior's information and/or technological assets, ensuring confidentiality, integrity, and availability requirements;
• Minimize risks of financial loss, loss of customer trust, or any other negative impact on Senior’s business as a result of security failures.

Responsibilities

The Information Security Policy of Grupo Senior addresses the general responsibilities of the institution, its employees, third parties, and Senior Management.

Information Security Awareness and Training

Grupo Senior defines continuous education guidelines for the cultivation of good security practices to be used in employees' daily activities, both professionally and personally. The Policy covers procedures used in the institution’s awareness program, such as internal training and communications.

Information Security Risk Management

Cyber risk management is the responsibility of the Information Security area. This process identifies security requirements related to the institution’s needs. Cyber risk management is continuous and defines internal and external contexts for evaluation, in addition to treating identified risks so that they are reduced to acceptable levels.

Password Management

Grupo Senior uses best practices for password usage, requiring a defined level of complexity to create them, as well as preventing the reuse of previous passwords. Passwords are generated with a minimum number of required characters, are subject to lockout after failed attempts, and must be changed periodically.

Asset Management

Grupo Senior keeps its information assets identified, updated, classified, and assigned with responsible owners for their acceptable use, in accordance with internal policy.

Information Protection and Classification

Grupo Senior establishes guidelines for classifying, handling, and labeling the company’s information assets. The internal document outlines all guidelines used for information classification, describes its categories, includes handling and disposal procedures, describes rules on data leakage prevention, data backup and restore policies, as well as encryption.

Acceptable Use of Technological Resources

Grupo Senior’s technological resources must be used in a professional, ethical, and legal manner, as defined in the applicable responsibility agreement. The Information Security Policy defines the technological resources and the rules regarding their usage, which must be followed by employees and third parties at Senior.

Identity and Access Management

Grupo Senior establishes general guidelines for accessing information assets and systems. All access management is the responsibility of the IT department and is based on the principle of access necessity for employees to perform their work activities. The Policy defines guidelines such as:
• Business Area Access Profiles;
• Employee Onboarding or Department Transfer Processes;
• Employee Offboarding Process;
• Third-Party, Visitor, and Temporary Access;
• Database Access;
• Remote Access;
• Physical Access;
• Access Review;
• Password Settings; and
• Multi-Factor Authentication.

Encryption

Senior’s information assets are encrypted appropriately to ensure protection throughout the information lifecycle, in compliance with regulatory security standards.

Software Development

Grupo Senior develops its applications in accordance with internal procedures, documents, and work instructions, following information security practices aligned with the internal Security Policy. Production environments are segregated from other environments, and access is granted only to previously authorized users or approved tools. All systems or applications purchased from third parties must follow the guidelines defined in the Information Security Policy and be properly approved.

Protection Against Malicious Code

Senior defines guidelines and uses industry-leading tools for protection against malicious code (malware). In addition, Grupo Senior uses AI-based security solutions to identify, detect, and immediately respond to threats.

Security Monitoring

The Information Security Policy covers security monitoring, describing the necessary aspects for identifying potential threats. Grupo Senior relies on effective practices, procedures, and processes to monitor security-related activities.

Remote Work

Grupo Senior imposes requirements for remote work, such as the use of a Virtual Private Network (VPN).

Vulnerability and Compliance Management

Grupo Senior has vulnerability and compliance management processes, with the following established guidelines:
• Vulnerability Management;
• Compliance Management;
• Periodic Security Testing; and
• Security Patch Management.

Backup

Grupo Senior uses Backup and Disaster Recovery solutions to protect its data against loss of information. Periodic tests are performed to ensure data integrity, verify process effectiveness, and promote improvements.

Security Incident Response

Grupo Senior defines guidelines to prevent, respond to, and properly handle security incidents that impact or may impact the institution’s information assets/services or technological resources. This topic covers responsibilities of different areas in incident prevention and response. The Policy also describes rules on prioritization and severity regarding possible incidents, procedures on authority designation, and rules for developing business continuity test scenarios. It is worth noting that Grupo Senior has an Incident Response Plan, containing methodology and guidelines for handling cybersecurity incidents.

Business Continuity Management

Grupo Senior performs business continuity management with solutions, strategies, and procedures to be executed during contingency scenarios aligned with the institution’s purpose and strategic goals. To this end, Senior maintains a Business Continuity Plan (BCP) defined in internal documents.

Third-Party Management

Grupo Senior establishes guidelines for third-party professionals on its premises or for service contracting. Grupo Senior has additional due diligence rules for relevant third parties, defined as those who store or process critical data in non-Senior technology infrastructure.

Mobile Device Security

Grupo Senior defines guidelines for the secure use of mobile devices, as well as the responsibilities of the areas in charge of monitoring.

Network Security

Grupo Senior maintains security tools capable of detecting and responding to intrusion attempts in its environment. This topic also includes rules for corporate and public wireless networks.

Personal Data Privacy

Grupo Senior ensures that the purpose of processing personal data is neither unlawful nor abusive, and guarantees fundamental privacy rights according to LGPD – Brazilian General Data Protection Law (Law No. 13.709, August 14, 2018).

Sanctions and Penalties

The Information Security area continuously monitors the technological environment through various methods to ensure compliance with this Policy. In case of violation of the rules stated herein, as well as other Information Security norms and procedures, even by omission or attempted actions, such violation may be classified as an Information Security incident and may result in penalties. Other sanctions and penalties for non-compliance with the Information Security rules are described in the internal Policy.