Oi S.A. – In Judicial Reorganization
CNPJ/MF 76.535.764/0001-43
NIRE 33.30029520-8
PUBLICLY HELD COMPANY
EXCERPT OF ITEM 6 OF THE MINUTES OF THE 302nd BOARD OF DIRECTORS MEETING HELD ON SEPTEMBER 30, 2021.
As Secretary of the Board of Directors Meeting, I CERTIFY that item 6 “Changes to Information Security Policy” of the Minutes of the 302nd Meeting of the Board of Directors of Oi S.A. – In Judicial Reorganization held on September 30, 2021, at 2:00 p.m., by videoconference, pursuant to article 29, paragraph 1 of the Company's bylaws, reads as follows:
“As to item 6 of the Agenda, Mr. Gustavo Brambila presented a proposal for changes in the Information Security Policy ("Policy"), in order to adapt it to Resolution No. 740, of December 21, 2020, of the National Telecommunications Agency, or ANATEL. It was informed that this proposal was previously considered by the Audit, Risks and Controls Committee in the meeting held on September 21, 2021. The changes in the Policy were approved unanimously, with retroactive effect to September 22, 2021. The updated version of the Information Security Policy is attached as Annex I to these minutes.”
All members of the Board of Directors were present in the meeting and signing members Mr. Eleazar de Carvalho Filho (Chairman), Mr. Marcos Grodetzky, Mr. Roger Solé Rafols, Mr. Henrique José Fernandes Luz, Mr. Paulino do Rego Barros Jr., Ms. Claudia Quintella Woods, Mr. Armando Lins Netto, Mr. Mateus Affonso Bandeira, Ms. Maria Helena dos Santos F. Santana, Mr. Raphael Manhães Martins and Mr. Luís Maria Viana Palha da Silva (represented by Mr. Mateus Affonso Bandeira).
Rio de Janeiro, September 30, 2021.
Luciene Sherique Antaki
Secretary of the Meeting
ANNEX I TO THE MINUTES OF THE 302nd BOARD OF DIRECTORS MEETING HELD ON SEPTEMBER 30, 2021.
INFORMATION SECURITY POLICY
1 OBJECTIVE
To establish guidelines, principles, and responsibilities, and to guide the execution of actions related to the treatment of information and the appropriate use of assets and/or information by employees, trainees, third parties, suppliers, partners, and other parties interested in the group companies' businesses.
2 TARGET AUDIENCE
Employees, trainees, third parties, suppliers, partners and other stakeholders of the group companies' businesses.
3 GUIDELINES
3.1 CONTENT
Information is Heritage: all information generated, acquired, handled, stored, kept, transported and/or disposed of on the premises and/or assets of the companies in the group is considered to be the organization's heritage and must be used exclusively for corporate interests.
The responsibility and commitment must be of all: all employees, interns, third parties, suppliers and partners, in any relationship, function or hierarchical level, are responsible for protecting and safeguarding the assets and information of which they are users or with which they have contact, as well as the physical and computational environments to which they have access, regardless of the security measures implemented.
Access to information must be managed: logical access, physical access control, and the use of information must be approved, controlled, registered, stored, and monitored so as to enable the proper execution of the tasks inherent to their position or function.
Security Incidents must be treated: information security incidents must be identified, monitored, communicated and properly treated in order to reduce risks in the environment, avoiding interruption of activities and not affecting the achievement of the organization's strategic objectives and the service to its clients.
The organization's assets and their use can be monitored: the organization can monitor the access and use of its technological assets, such as environments, equipment and information systems, so that undesirable or unauthorized actions are detected.
The organization may audit the compliance with IS practices: the organization may periodically audit the Information Security practices, in order to evaluate the compliance of the actions of its employees, trainees, third parties, suppliers and partners in relation to what is established in this Policy, other regulations that compose it and in the applicable legislation.
3.2 INFORMATION SECURITY PRINCIPLES
These are the bases for security actions or guidelines that act as a guide for the implementation and management of Information Security:
Establish Information Security throughout the organization: Information Security is addressed at the organizational level, according to decision making that takes into account all critical business processes of the organization.
Adopt a risk-based approach: Information Security is founded on risk-based decisions such as loss of competitive advantage, compliance, liability, operational disruptions, reputational damage and financial loss, misuse, fraud, sabotage, theft and cyber attacks.
Promote a positive security environment: Information Security is structured based on the analysis of human behavior, observing the growing needs of all stakeholders, through awareness, education and maturity of human capital, strengthening one of the key elements to maintain the appropriate level of Security.
3.3 COMMITMENT AND PENALTIES
All the guarantees necessary for compliance with this Policy are formally established with the employees of the Group's companies.
Failure to comply with the Policy is considered a serious breach of conduct and may result in the application of sanctions provided by law, as well as warnings according to internal regulations and contractual provisions.
All legal provisions and other rules of the organization, such as the Code of Ethics and Conduct, must be strictly observed.
3.4 TRAINING, UPDATING AND DISSEMINATION
The organization has a continuous security awareness program that aims to make people aware, train and protect them, following the best international practices and the company's security policy, and contributes to the dissemination of the Security culture to employees, trainees, third parties, suppliers, partners of the group's companies and its clients.
The organization also makes available on its website awareness material, notices and safety tips so that the community and customers can have easy access to this content.
Likewise, the content of the Policy is broad and constantly updated and disclosed. Rereading this Policy, even if not directly requested, should be done periodically for better understanding.
4 ROLES AND RESPONSIBILITIES
4.1 ROLES AND RESPONSIBILITIES
The Information Security Policy is approved by the Board of Directors, which reinforces top management's commitment to the continuous improvement of security processes, and a director responsible for its management has been designated in the corporate structure.
4.1.1 Information Security Division
· Manage, coordinate, guide, evaluate and promote the implementation of actions, activities and projects related to Information Security in the organization, promoting actions of interest to the company, and educational and awareness programs for human capital.
4.1.2 Employees, Trainees, Third Parties, Suppliers, Partners and Stakeholders of the Group's Companies
· To know and comply with the standards and guidelines established in this Policy and other Regulations that make up the Information Security Policy of the organization;
· To report situations that compromise the security of information through the Reporting Channel made available by the organization for this purpose;
· All information created, modified during the performance of duties and any information contained in corporate electronic mail messages must be treated as referring to the organization's business, and must not be considered personal, private or confidential, even if stored in one's personal folder;
· Ensure that the prohibition of sharing or trading credentials (IDs, passwords, badges, tokens and the like) is known and enforced;
· Ensure that Information Security and data protection requirements, policies, and processes are included in technology acquisitions and/or implementations and are maintained during their life cycle.
5 REFERENCES
Reporting Channel: 0800-2822088 (https://www.canalconfidencial.com.br/oi/)
Warnings and security tips: (https://www.oi.com.br/oi/sobre-a-oi/empresa/informacoes/avisos-e-dicas-de-seguranca)
ABNT NBR ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements.
ABNT NBR ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls.
6 GLOSSARY
· Authenticity - assurance of the veracity of the authorship of information.
· Confidentiality - information must be available and only disclosed to authorized individuals, entities or processes;
· Compliance - the process of ensuring compliance with a requirement, which may be business obligations to stakeholders (investors, employees, creditors, etc.) and with legal and regulatory aspects related to business administration, within the ethical principles and conduct established by Senior Management;
· Availability - authorized persons must obtain access to the information and corresponding assets whenever necessary;
· Integrity - safeguarding the accuracy of information and processing methods;
· Information - is the assembly or set of data and knowledge resulting from the processing, manipulation and/or organization of data, in such a way that it represents a change (quantitative or qualitative) in the knowledge of the system (human or machine) that receives it;
· Information Security Incident - event resulting from the action of a threat, which exploits one or more vulnerabilities and affects one of the aspects of information security: confidentiality, integrity or availability.
· Information Security Risk - risks associated with the violation of authenticity, confidentiality and integrity, as well as the availability of information in physical and digital media.
· Information Security (IS) - is the set of actions and controls that aims at preserving the confidentiality, integrity, availability, authenticity and compliance aspects of information, contributing to the fulfillment of the organization's strategic objectives and the service to its clients.
THIS DOCUMENT REVOKES PREVIOUS VERSIONS