Information Security Policies

Kicol maintains a set of information security policies and procedures, periodically reviewed, that guide all our operations and the handling of our clients' data.

Information Security Policy (v1.0, March 2026, PDF)
Establishes the guidelines, responsibilities and practices adopted by Kicol Tecnologia to ensure the confidentiality, integrity and availability of client and organizational data, including rules for authentication, encryption, access control and use of technology resources.

Information Classification Policy (v1.0, March 2026, PDF)
Defines the criteria for classifying information into three levels — Confidential, Internal Use and Public — and the controls applicable to each level, covering storage, transmission, sharing and secure disposal of data.

Information Security Risk Management Policy (v1.0, March 2026, PDF)
Describes the process for identifying, analyzing, treating and monitoring information security risks, including the evaluation of third-party vendors and platforms used in the company's operations.

Access Control Policy (v1.0, March 2026, PDF)
Establishes the rules for granting, reviewing and revoking access to systems, servers and repositories, following the principle of least privilege, with strong authentication requirements, mandatory 2FA and server access exclusively via SSH key.

Backup and Recovery Policy (v1.0, March 2026, PDF)
Defines the company's backup strategy, including frequency, storage, retention and encryption, as well as restoration testing procedures and data recovery processes in the event of incidents.

Change Management Policy (v1.0, March 2026, PDF)
Establishes the procedure for managing changes to systems and infrastructure, ensuring that changes are planned, tested, approved and documented before being applied to production, with a defined rollback plan.

Secure Development Policy (v1.0, March 2026, PDF)
Defines the security practices applied throughout the software development lifecycle, including OWASP Top 10 protection, credential management, environment separation, code review and pre-deployment security testing.

Security Incident Response Plan (v1.0, March 2026, PDF)
Describes the procedures for identifying, containing, eradicating, recovering from and communicating security incidents, with severity classification, defined response times and a client notification process.

Business Continuity Plan (v1.0, March 2026, PDF)
Defines the strategies to ensure service continuity in disruption scenarios, including business impact analysis (BIA), recovery objectives (RPO, RTO, WRT), procedures by incident type and a crisis communication plan.