SUMMARY for Medrio’s Code of Conduct

Rio de Janeiro, RJ, on February 5, 2021

Med-Rio Check-up maintains an Information Security Policy (ISP), which aims to guarantee the requirements of Availability, Integrity, Confidentiality, Authenticity and Privacy provided for in the international standards of the ISO 27000 family, the NIST Cybersecurity Framework and the General Data Protection Law (LGPD).

To reduce the risks inherent in the technological environment, we keep our computer fleet, network systems and devices updated and tested against the threats of the digital world, in order to guarantee the resilience of our environment.

We constantly invest in People, Processes and Technologies in order to ensure that the level of security maturity is compatible with good market practices and meets the needs of Med-Rio and its customers.

Information Technology governance is guided by the ITIL and COBIT methodologies and is measured by indicators in our IT area, in order to promote the constant improvement of our digital transformation journey.

The principles of Layered Protection, Data-Centric Protection and Time-Based Security guide our cyber security and are ensured by the use of software, hardware and continuous monitoring of our local network and cloud service providers.

Authentication on networks and systems is authorized only for internal personnel and with appropriate access controls. The methods used for this, such as secure passwords, two-factor authentication and digital certificates, are described in our Information Security Policy (ISP).

The use of logical and physical access mechanisms and devices is personal and non-transferable, and sharing is not permitted. In the event of loss, theft or signs of compromise, the fact must be immediately communicated to the IT sector for the appropriate revocations, analysis and measures.

Even with all the apparatus of technologies and processes developed, people continue to be our greatest asset and also the best defense against cyber-attacks.

To that end, lectures and training on information security and privacy are given to our employees, in order to create and maintain a security mindset and to develop a culture of protecting our information assets.

Within the Information Security Policy (ISP), we highlight: (1) the responsibilities of all users of our corporate network; (2) the rules of access to the Internet and its contents; (3) corporate systems; (4) the use of personal mobile devices; (5) access controls; (6) copies, prints and destruction; (7) the registration of logs; (8) backups; (9) accreditation and revocations; (10) Privacy rules; among others.

Maintaining cybersecurity and privacy of our data is everyone’s responsibility. Therefore, any abnormality identified in the environment or suspected attack must be reported immediately to the IT sector for appropriate treatment measures.

Users should pay special attention to Social Engineering attacks, carried out by e-mail, malicious messages (SMS) or telephone, that aim to compromise workstations and cell phones and/or obtain privileged information.

No software, device, network service or Internet connection (shadow IT) can be installed or configured in the corporate environment other than by Med-Rio’s IT area.

No portable storage device (e.g. a pen drive) can be used on the Med-Rio network without authorization.

Med-Rio’s documentation is classified as to Confidentiality, Temporality and Privacy, observing the need-to-know principle, and can only be accessed, treated, printed and digitally attached by authorized personnel and in the approved tools of the technological environment.

All documents classified as to Confidentiality and Privacy, whether in digital or physical media (e.g. paper), can only be discarded through secure methods provided for in the ISP, such as secure erasure tools or paper shredders.

The digital environment is constantly evolving and changing. Always at the forefront, Med-Rio invests in innovations for different areas of medicine and in its information park, aiming to provide the ideal service to the client, who is the main reason for our existence.