General External Information Security Policy

1. Scope and objective

The Information Security Policy applies to all information under the responsibility of Morais Leitão (ML or Firm), regardless of the medium on which it is recorded, and covers in particular databases, any computing environment, documents, files and other technological and/or application tools.

The objective of the Information Security Policy is to preserve the confidentiality, integrity and availability of information, thus helping to achieve ML's objectives, to maintain client confidence and to comply with legal and regulatory obligations.

This Policy formalises and communicates the strategic and programmatic guidelines approved for information security, which ML assumes as an ethical commitment and professional responsibility.

To that end, ML defines clear objectives for the implementation of information security processes, controls and practices and promotes the adoption and implementation of the Information Security Policy across the whole Firm.

The defined information security objectives are:

  • Assessing information security risks in order to implement the controls needed to reduce those risks to the established acceptance level
  • Creating an information security culture through training and awareness-raising activities
  • Defining and implementing the technical and organisational controls necessary to guarantee the confidentiality, integrity and availability of information
  • Treating information security as a process of continuous improvement, allowing increasingly advanced security levels to be reached.

2. Security responsibilities and organisation

The Information Security Policy is aimed at all ML lawyers and employees, regardless of the legal nature of their relationship with the Firm, as well as at suppliers and service providers, and their employees, who have access to information under ML's responsibility.

Accordingly, all of them are obliged to comply with this Policy, to ensure that it is complied with, and to report any event that causes or may cause an information security breach.

3. Information security policy

The Information Security Policy is guided by the following principles:

  • Confidentiality: information is made available only to those who are duly authorised to access it
  • Integrity: safeguarding the accuracy and completeness of information and of the methods used to process it
  • Availability: information is accessible to duly authorised users whenever they need it
  • Auditability: corporate and/or business data and information is recorded, compiled, analysed and disclosed in a way that enables internal auditors or external certifying entities to attest to its integrity
  • Traceability: the ability to reconstruct the history of the actions performed on information.

Information is an essential asset of the Firm and must therefore be protected in the most appropriate way. Information security protects information against a multiplicity of threats and is essential for business continuity, minimising negative effects on the organisation, maximising the return on investment and continuously improving service quality.

Information security is achieved through the implementation of a set of controls, namely policies, standards and procedures, aligned with the international standard ISO/IEC 27001.

To comply with these principles, and in compliance with the legislation and standards in force regarding information security, ML adopts best national and international practices in a manner appropriate to the organisation's specificities.

4. Information security organisation

Information security is implemented and managed through an Information Security Management System (ISMS), integrated with the Firm's processes and with its global management structure. This guarantees a multidisciplinary approach and makes it possible to plan, design, control, evaluate and improve all information security processes across the Firm, considering three strands of action: people, technologies and processes.

ML implements specific policies and procedures that comply with the international reference standards, are auditable, and define the requirements for implementing the ISMS, namely:

  1. ML promotes the definition of appropriate rules for data privacy and compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, and applicable national legislation.
  2. ML promotes, through its ISMS, the protection of the confidentiality, integrity and availability of information, as well as the resilience of its systems and information processing services.
  3. Through its incident response and business continuity plans, ML promotes the capacity to minimise the impact of physical or technical incidents, as well as the timely restoration of the availability of, and access to, personal data in the event of a disaster or serious incident.
  4. Regular assessment of the security of information processing and of the respective supporting systems is ensured through formal external audits, carried out by suitable, impartial auditors with certified skills.
  5. The risk analysis process implemented in the ISMS covers the risks associated with the processing of personal data, including accidental or unlawful destruction, loss or alteration, and unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  6. ML, as the entity responsible for the processing of personal data, takes steps to ensure that any natural person acting under its authority, or under the authority of a processor, who has access to personal data does not process them except on instructions from ML, unless required to do so by European Union or Member State law.

4.1. Information security risk assessment

Information security requirements and risk acceptance criteria are identified through a structured information security risk assessment. Performing a risk analysis helps to determine the risk exposure and consequently to prioritise the most relevant risks, allowing appropriate mitigating actions and controls to be identified.

4.2. Information Security Controls

The selection of controls depends on decisions taken by ML based on its risk acceptance criteria, risk treatment and risk management in general. These criteria result from the risk analysis carried out and take into account the applicable national and international regulations and legislation.

The implemented information security mechanisms are reviewed periodically to guarantee the expected security levels, with particular focus on safeguarding business continuity and critical processes.

4.3. Continuous improvement

The ISMS is reviewed at scheduled intervals, and additionally whenever significant changes warrant it, in order to ensure its continued applicability, suitability and effectiveness.

4.4. Review and communication of the general information security policy

The Information Security Policy is reviewed annually, or whenever significant changes occur, in order to ensure its continued applicability, adequacy and effectiveness.

Public Document