Information Security Policy

Roles and Responsibilities

Which are the main roles and responsibilities pertaining to the management of Information Security & Privacy in the company?

Everyone at NOS must be concerned and share responsibility for information protection. We all must know our roles and assume our responsibilities regarding information protection.

Click the positions to discover their chief responsibilities.

Executive Committee

Executive Committee (EC) Responsibilities

  • Promoting Security and Privacy at NOS, exercising maximum responsibility for Security and Privacy issues;
  • Approving the Governance Model and General S&P Policy;
  • Approving the S&P Strategy and Planning, as well as the correspondent area budgets;
  • Approving a strategy for addressing S&P risks of highest criticality (top risks);
Core S&P Department

Responsibilities of the S&P Core Role (S&P NOS)

  • Proposing and monitoring the S&P Strategy and Planning;
  • Defining and maintaining NOS’ S&P policies, standards and general rules;
  • Support the organization in the implementation of initiatives/measures to ensure S&P compliance;
  • Prepare and monitor NOS’ S&P certification audits (ISO 27001 and other standards);
  • Monitor compliance with Crisis Management policies/standards and processes (e.g. KPI/KRI dashboards);
  • Monitoring Incidents/Crises;
  • Coordinating S&P Steerings;
  • Developing and maintaining the training and awareness programme on S&P topics.

Responsibilities of the CISO

  • Developing, implementing and maintaining cybersecurity management policies, standards and procedures;
  • Keeping up with technological advances and ensuring the reassessment of security issues;
  • Creating mechanisms for continuous and proactive monitoring of security weaknesses;
  • Identifying possible threats based on information from external sources;
  • Creating and implementing a response plan for threats, incidents and critical scenarios;
  • Planning and performing regular security assessments.

Data Protection Officer (DPO) Responsibilities

  • Acting as an advisory element on NOS’ Privacy strategy and policies;
  • Providing advice and intervening on the Privacy Impact Assessment (PIA) process, providing opinions;
  • Acting as a liaison with the subjects of personal data (e.g., customers) and cooperating with the Control Authorities (e.g., CNPD - National Data Protection Commission);
  • Controlling and monitoring compliance on personal data processing, in accordance with applicable regulations.

Legal Responsibilities

  • Acting as a consulting element in the definition and review of S&P policies and standards, providing advice;
  • Identifying new Security & Privacy laws and regulations or changes to existing ones;
  • Supporting development and maintenance of privacy tools (e.g. RAT, PIA);
  • Preparing Data Processing Agreements (DPA) with subcontractors;
Internal Audit

Responsibilities of the Internal Audit (IA) Team 

  • Conducting reliability assurance audits covering Security and Privacy risks and processes;
  • Carrying out research of S&P incidents and monitoring the resolution, by the departments, of any risk situations identified in incidents;
  • Acting as an independent advisory element, proposing, upon request, recommendations/improvement measures on matters pertaining to Security and Privacy;
S&P Sponsor

Responsibilities of S&P Sponsors

  • Acting in decision-making on S&P-related topics;
  • Ensuring adequate technological, human and financial resources so as to comply with Security and Privacy strategy and planning;
  • Monitoring compliance with the S&P strategy and plan by the areas/departments under its purview;
  • Taking part and contributing to the inclusion, review and maintenance of S&P Crisis Management scenarios in line with the S&P Central Function guidelines;
  • Monitoring the implementation success of Business Continuity, Disaster Recovery processes and plans and correspondent tests;
Local S&P Function/Pivot

Responsibilities of the Local S&P Function/Pivot

  • Coordinating and monitoring the planning of the Department's S&P initiatives, in line with the S&P main plan;
  • Acting as a Department advisory and support element when implementing initiatives/measures;
  • Defining and maintaining the S&P standards and procedures;
  • Ensuring implementation and use of S&P by Design processes and tools;
  • Monitoring S&P risks, mitigation initiatives/measures and Area-related controls (e.g., through KRIs);
  • Ensuring the inclusion, review and assessment of the adequacy of the Department's S&P controls and cooperation during the Audits;
  • Support the area in the development and maintenance of Business Continuity Plans, disaster recovery and respective tests;
Departments / Employees

Responsibilities of the Departments/Employees

  • Complying with S&P policies, rules and procedures;
  • Applying S&P by Design rules in the development of processes and systems;
  • Reporting changes in activities or partners with an impact on processes containing personal data to the Department S&P Function/Liaison;
  • Ensuring possible S&P non-conformities are managed;
  • Reporting existing business continuity risks;
  • Developing and maintaining Business Continuity, Disaster Recovery Plans and correspondent tests;