M L

Information Security Policy

1. Scope

Information security is a priority and a responsibility exercised on a daily basis throughout Morais Leitão (ML or the Company).

This Information Security policy

i)      establishes the general objectives applicable within the scope of the Information Security Management System (ISMS), in accordance with ISO/IEC 27001, as well as with all applicable legislation and regulations on information security, in order to preserve the confidentiality, integrity and availability of information;

ii)    formalises and communicates the strategic and programmatic definitions approved for information security, which are assumed as an ethical commitment and professional responsibility by ML.

This policy applies to all information under the Company's responsibility, regardless of the recording medium, including databases, documents, archives and other technological and/or application tools involving its structure.

2. Information security principles

The information security is guided by the following principles:

  • Confidentiality: information is only made available to those authorised to this effect;
  • Integrity: ensuring that information remains integral throughout its life cycle;
  • Availability: information is available to all duly authorised users.

The information security protects information against a multitude of threats in order to ensure business continuity, minimise negative effects on the organisation, maximise return on investment and improve the quality of the service provided.

The information security is achieved through the implementation of a set of controls, reflected in policies and procedures, which are in accordance with the international ISO/IEC 27001standard.

In order to comply with these principles, ML adopts the best national and international practices, in accordance with the legislation and standards in force on information security, in a way that is appropriate for the specific characteristics of the organisation.

3. General information security objectives

The ISMS aims to ensure that:

  • Information security risks are assessed in order to implement the controls needed to mitigate the risks up to the established acceptance level;
  • There is a culture of information security through training and awareness-raising activities;
  • The necessary technical and organisational controls are in place to guarantee the confidentiality, integrity and availability of information;
  • Information security is the target of continuous improvement to increase the applicability, suitability and effectiveness of the ISMS.

4. Information security responsibilities

The Information Security Policy is aimed at all ML lawyers and staff, regardless of their relationship, at suppliers and service providers and their employees, as well as at any other interested parties who have access to information for which ML is responsible.

To this extent, everyone is obliged to comply with and ensure compliance with this Policy and to report any event that causes or may cause a breach of information security.

4.1. Responsibility in case of receipt of messages by unauthorised recipients

All messages and any attachments sent by ML lawyers and staff are confidential and intended exclusively for the people to whom they are addressed. If, by some unlikely chance, a message and any attachments are received by an unintended recipient, the sender must be notified immediately and the message and attachments must be duly deleted.

5. Information security management system

The information security organisation is implemented and managed through an Information Security Management System (ISMS), in a manner integrated with the Company's processes and its overall management structure, which guarantees a multidisciplinary approach to the subject and allows all the information security implementation processes to be planned, designed, controlled, evaluated and improved in a transversal manner, considering three areas of action: people, technologies and processes.

ML implements specific policies and procedures that comply with international reference standards, which can be audited and which define the requirements for implementing the ISMS, namely:

  1. ML promotes the definition of appropriate data privacy rules and compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and applicable national legislation;
  2. ML promotes, through its ISMS, the protection of confidentiality, integrity, availability of information, as well as the resilience of its information processing systems and services;
  3. Through its Incident and Business Continuity plans, ML promotes the ability to minimise the impact of physical or technical incidents, as well as the recovery of availability and access to information in a timely manner in the event of a disaster or serious incident;
  4. The regular assessment of the security of information processing and the respective support systems is promoted by formal internal and external auditing processes, carried out by reputable and impartial auditors with certified competences;
  5. The risk analysis process implemented within the scope of the ISMS includes the risks associated with the processing of personal data, including accidental or unlawful destruction, loss and alteration, and unauthorised disclosure of or access to information transmitted, stored or otherwise processed.

5.1. Information security risk assessment

Information security requirements and risk acceptance criteria are identified through an information security risk assessment. Carrying out a risk analysis helps to determine risk exposure and, consequently, to prioritise the most relevant risks, making it possible to identify suitable mitigation actions and appropriate controls.

5.2. Information security controls

The selection of controls depends on decisions by ML based on risk acceptance criteria, risk treatment and risk management in general. These criteria result from the risk analysis carried out and must take into account the applicable regulations and legislation.

The information security mechanisms implemented must be periodically reviewed to guarantee the expected levels of security, with a particular focus on safeguarding business continuity and critical processes.

5.3. Continuous improvement

The ISMS is subject to periodic reviews, scheduled in advance or justified by significant changes, in order to improve its applicability, suitability and effectiveness.

5.4. Review and communication of the information security policy

The information security policy will be reviewed annually or whenever significant changes occur.

Public Document
29/11/2023

Patrons of the Serralves Foundation's National Contemporary Art Collection