Executive Committee (EC) Responsibilities

• Promoting Security and Privacy at NOS, exercising maximum responsibility for Security and Privacy issues;
• Approving the Governance Model and General S&P Policy;
• Approving the S&P Strategy and Planning, as well as the correspondent area budgets;
• Approving a strategy for addressing S&P risks of highest criticality (top risks);

Responsibilities of the S&P Core Role (S&P NOS)

• Proposing and monitoring the S&P Strategy and Planning;
• Defining and maintaining NOS’ S&P policies, standards and general rules;
• Support the organization in the implementation of initiatives/measures to ensure S&P compliance;
• Prepare and monitor NOS’ S&P certification audits (ISO 27001 and other standards);
• Monitor compliance with Crisis Management policies/standards and processes (e.g. KPI/KRI dashboards);
• Monitoring Incidents/Crises;
• Coordinating S&P Steerings;
• Developing and maintaining the training and awareness programme on S&P topics.

Responsibilities of the CISO

• Developing, implementing and maintaining cybersecurity management policies, standards and procedures;
• Keeping up with technological advances and ensuring the reassessment of security issues;
• Creating mechanisms for continuous and proactive monitoring of security weaknesses;
• Identifying possible threats based on information from external sources;
• Creating and implementing a response plan for threats, incidents and critical scenarios;
• Planning and performing regular security assessments.

Data Protection Officer (DPO) Responsibilities

• Acting as an advisory element on NOS’ Privacy strategy and policies;
• Providing advice and intervening on the Privacy Impact Assessment (PIA) process, providing opinions;
• Acting as a liaison with the subjects of personal data (e.g., customers) and cooperating with the Control Authorities (e.g., CNPD - National Data Protection Commission);
• Controlling and monitoring compliance on personal data processing, in accordance with applicable regulations.

Legal Responsibilities

• Acting as a consulting element in the definition and review of S&P policies and standards, providing advice;
• Identifying new Security & Privacy laws and regulations or changes to existing ones;
• Supporting development and maintenance of privacy tools (e.g. RAT, PIA);
• Preparing Data Processing Agreements (DPA) with subcontractors;

Responsibilities of the Internal Audit (IA) Team 

• Conducting reliability assurance audits covering Security and Privacy risks and processes;
• Carrying out research of S&P incidents and monitoring the resolution, by the departments, of any risk situations identified in incidents;
• Acting as an independent advisory element, proposing, upon request, recommendations/improvement measures on matters pertaining to Security and Privacy;

Responsibilities of S&P Sponsors

• Acting in decision-making on S&P-related topics;
• Ensuring adequate technological, human and financial resources so as to comply with Security and Privacy strategy and planning;
• Monitoring compliance with the S&P strategy and plan by the areas/departments under its purview;
• Taking part and contributing to the inclusion, review and maintenance of S&P Crisis Management scenarios in line with the S&P Central Function guidelines;
• Monitoring the implementation success of Business Continuity, Disaster Recovery processes and plans and correspondent tests;

Responsibilities of the Local S&P Function/Pivot

• Coordinating and monitoring the planning of the Department's S&P initiatives, in line with the S&P main plan;
• Acting as a Department advisory and support element when implementing initiatives/measures;
• Defining and maintaining the S&P standards and procedures;
• Ensuring implementation and use of S&P by Design processes and tools;
• Monitoring S&P risks, mitigation initiatives/measures and Area-related controls (e.g., through KRIs);
• Ensuring the inclusion, review and assessment of the adequacy of the Department's S&P controls and cooperation during the Audits;
• Support the area in the development and maintenance of Business Continuity Plans, disaster recovery and respective tests;

Responsibilities of the Departments/Employees

• Complying with S&P policies, rules and procedures;
• Applying S&P by Design rules in the development of processes and systems;
• Reporting changes in activities or partners with an impact on processes containing personal data to the Department S&P Function/Liaison;
• Ensuring possible S&P non-conformities are managed;
• Reporting existing business continuity risks;
• Developing and maintaining Business Continuity, Disaster Recovery Plans and correspondent tests;