Trust Center - Privacy - Identity and Access Management

The document outlines the importance of Identity and Access Management (IAM) in cloud computing, emphasizing the shared responsibility model between TOTVS Cloud and its clients. It details the specific responsibilities of both parties regarding security measures, particularly in managing user access and implementing strong password policies. Additionally, it provides recommendations for clients to enhance their security practices, including regular reviews of user access and the implementation of multi-factor authentication.


20/01/2025, 10:51 Trust Center - Privacy - Identity and Access Management


IDENTITY AND ACCESS MANAGEMENT



General Personal Data Protection Law (LGPD)


Introduction

We are making this document available to provide important information on the topic of Identity and Access Management, with the aim of providing
security guidelines for our Clients, related to the activities that are their responsibility, based on the main market references.

Access Management is an initiative that governs how users navigate the contracted applications and manages authorization levels according to the
needs of each profile.

To understand how Access Management applies to you, the Customer, it is first necessary to clarify the concept of shared responsibility, an essential
component of cloud computing services.

Shared responsibility

The cloud brings the Client some benefits from an operational point of view, such as the possibility of reducing costs, the possibility of concentrating
the efforts of the IT area on the company's core activities, and the ability to provision a virtual environment with elasticity, that is, one capable of scaling up
to meet peak demand and scaling back down quickly when necessary.

Additionally, the cloud is an effective alternative for the Client to significantly reduce cyber risks involved in its operations. Therefore, the cloud is also
considered an important tool for the Client to adapt to the requirements of the LGPD, considering those requirements related to data governance and
information security.

TOTVS Cloud guarantees a structure composed of people, processes and technology capable of ensuring the secure handling of its Customers'
information, protecting the confidentiality, integrity and availability of information, adopting technical and organizational controls as standard
procedure, from the conception of the product and/or service offered.

However, for a successful partnership between TOTVS Cloud and the Client, it is necessary to be aware of the concept of shared responsibility
inherent to cloud computing.

By understanding the shared responsibility model, the Customer will identify which security tasks are handled by the cloud provider and which tasks
must be handled by the Customer itself.

In general terms, both TOTVS Cloud and the Client have responsibilities to ensure the security of the products and databases hosted in the TOTVS
Cloud environment. Such responsibilities vary depending on the type of contract chosen by the Client.

To make things easier, we can explain that the responsibility model exists because both TOTVS Cloud and the Client must act together to ensure the
security of data in the cloud.

TOTVS Cloud is responsible for ensuring the security of the “operation”, that is, all the infrastructure necessary for the cloud to operate securely, while
the Client must ensure security “in the operation”, that is, adopt the necessary mechanisms to ensure the secure use of the contracted services and
products.

The table below clarifies the different assignments for Client and TOTVS Cloud, considering each layer of the structure that makes up the cloud and
the different contracting modalities.

Layer                | Infrastructure as a Service (IAAS) | Platform as a Service (PAAS) | Software as a Service (SAAS)
---------------------|------------------------------------|------------------------------|-----------------------------
Data                 | CLIENT Responsibility              | CLIENT Responsibility        | CLIENT Responsibility
Application Support  | CLIENT Responsibility              | CLIENT Responsibility        | TOTVS Cloud Responsibility
Operating system     | CLIENT Responsibility              | TOTVS Cloud Responsibility   | TOTVS Cloud Responsibility
Virtualization       | TOTVS Cloud Responsibility         | TOTVS Cloud Responsibility   | TOTVS Cloud Responsibility
Servers              | TOTVS Cloud Responsibility         | TOTVS Cloud Responsibility   | TOTVS Cloud Responsibility
Storage              | TOTVS Cloud Responsibility         | TOTVS Cloud Responsibility   | TOTVS Cloud Responsibility
Network              | TOTVS Cloud Responsibility         | TOTVS Cloud Responsibility   | TOTVS Cloud Responsibility
Physical Components  | TOTVS Cloud Responsibility         | TOTVS Cloud Responsibility   | TOTVS Cloud Responsibility

https://tcloud.totvs.com.br/trust-center/privacidade/lgpd-identidade 1/3



TOTVS Cloud focuses on security of the cloud, that is, the security of its infrastructure, which includes its operating system (software and hardware), storage,
network and physical components that make up its structure. For the SAAS model, this includes applications. TOTVS Cloud is also responsible for the
security configurations of its Sub-operators involved in data processing.

In order to ensure security on its side, the Client must focus on security in the cloud, i.e., it must correctly configure the tools provided by TOTVS Cloud and
the contracted products, so that, among other things, it prevents improper sharing of its information and can identify users who may have
misused the platform. The Client is also responsible for customizations and integrations.

In the next topic, we will specifically describe the control related to Identity and Access Management, one of the activities that are the responsibility of
the Customer.

Identity and Access Management

Considering the PAAS and SAAS contracting methods, identity and access management are controls for which responsibility is shared between TOTVS
Cloud and the Client. TOTVS Cloud provides Clients with features that enable them to control “who” accessed and “what” was accessed, but it is the
Client who must configure these controls.

For example, TOTVS Cloud implements several layers of security features that prevent unauthorized access to its infrastructure, including password
policies and access profiles. However, for the contracted product (ERP), it is the Customer's responsibility to ensure that the parameterization of
access profiles and the activated password policy adhere to its internal rules.

In general terms, cloud security is a joint effort, and to achieve this goal TOTVS Cloud strongly recommends that the Customer:

Creating a strong password policy
Password protection is essential to guard against threats in the day-to-day use of your accounts, so it is fundamental that “strong” passwords be
used, by defining a password policy, and that they be stored securely.

We would like to present some recommendations for drawing up a strong password policy, based on the leading market frameworks
(CERT.BR, NIST, ISO 27002).

Define a minimum number of characters;
Use different special characters, as well as upper-case and lower-case letters;
Use random numbers in the composition of your password and do not allow sequential or repeated numbers;
Do not use as a password anything related to personal information or that appears in already known public lists, such as names, telephone numbers and
birth dates;
Finally, create a password that is not made up of a keyboard sequence, such as “QwertyUIOP” or “WSXedcrfv”.
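As an added illustration, not taken from the TOTVS Cloud page, the following Python checker applies the rules above to a candidate password and reports which requirements it fails. The minimum length of 12, the US-QWERTY row/column tables and the four-entry common-password list are assumptions; a real deployment would load a public breached-password list in place of that constant.

```python
import re
MIN_LENGTH = 12  # assumed value: the page asks for a minimum length but gives no number
COMMON_PASSWORDS = {"password", "123456", "senha", "totvs"}  # constructed stand-in for public lists
# US-QWERTY rows and columns, to catch walks like "QwertyUIOP" (a row) and
# "WSXedcrfv" (adjacent columns typed one after another).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
_WALKS = set()  # forbidden fragments: 4-char row slices, 3-char column slices, both directions
for _seq, _n in [(r, 4) for r in KEYBOARD_ROWS] + [(c, 3) for c in KEYBOARD_COLUMNS]:
    for _s in (_seq, _seq[::-1]):
        _WALKS.update(_s[i:i + _n] for i in range(len(_s) - _n + 1))

def has_keyboard_walk(pw: str) -> bool:
    return any(pw.lower()[i:i + n] in _WALKS for n in (3, 4) for i in range(len(pw) - n + 1))

def has_digit_sequence(pw: str) -> bool:
    # Flags runs like 123, 987 or 111 (ascending, descending or repeated digits).
    for run in re.findall(r"\d{3,}", pw):
        for i in range(len(run) - 2):
            a, b, c = (int(ch) for ch in run[i:i + 3])
            if a == b == c or (b - a, c - b) in ((1, 1), (-1, -1)):
                return True
    return False

def contains_known_value(pw: str, personal_info) -> bool:
    # Names, phone numbers, dates and common passwords, compared ignoring case and separators.
    norm = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    candidates = set(COMMON_PASSWORDS)
    for item in personal_info:
        candidates.add(norm(item))  # "15/03/1990" -> "15031990"
        candidates.update(t for t in re.split(r"[^a-z0-9]+", item.lower()) if len(t) >= 3)
    return any(c and c in norm(pw) for c in candidates)

# Each rule is (predicate that must hold, requirement text reported when it does not).
RULES = [
    (lambda p: len(p) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
    (lambda p: re.search(r"[a-z]", p) and re.search(r"[A-Z]", p), "upper- and lower-case letters"),
    (lambda p: re.search(r"[^A-Za-z0-9]", p), "a special character"),
    (lambda p: re.search(r"\d", p), "a digit"),
    (lambda p: not has_digit_sequence(p), "no sequential or repeated digits"),
    (lambda p: not has_keyboard_walk(p), "no keyboard sequence such as QwertyUIOP or WSXedcrfv"),
]

def check_password(pw: str, personal_info=()) -> list:
    """Return the requirements the password fails; an empty list means it complies."""
    failures = [text for ok, text in RULES if not ok(pw)]
    if contains_known_value(pw, personal_info):
        failures.append("no personal data or known public password")
    return failures
```

Passing the user's own name, phone number and birth date as `personal_info` is what turns the "no personal information" rule into an enforceable check rather than a reminder.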

Besides creating a strong password, some additional precautions must be taken, and your policy should contain some important guidelines,
such as:

User and password management

In addition to the strong password policy, we recommend that the Client carry out a review of user access, managing “who” may access its
information.

It is extremely important that the Client manage access to its environments and, above all, to the application, that is, review the users that are
active, including those who have access to T-Cloud, the support portal, the user provided for SFTP access, among others.

A periodic review of the users who have access to the systems is indispensable, given that various structural changes can be made through
them.

All contracted products must also have their access managed, so it is important to have identity management in place that includes periodic
reviews and controls over who can and/or should have access to the tools and/or information within their remit.

Since this type of control mitigates security and privacy risks, we strongly suggest that the recommendations below be observed:

Review the users with access to the contracted systems;
Limit user permissions to levels at which it is possible to perform only the tasks necessary to fulfil the responsibilities inherent to the position
held;
Instruct employees not to write down their passwords; do not allow passwords to be stored on the computer/device in an unprotected form;
define a period for changing passwords; change initial passwords as soon as they are received; and do not reuse previous passwords;
Make sure you sign out of your accounts (logout) when using shared equipment;
Disable inactive and/or unused users.

Self-assessment
Furthermore, TOTVS Cloud recommends that the Client carry out a self-assessment of the practices it has adopted involving information security
measures, such as:

Are users in the ERP with access to the graphical interface periodically reviewed?
Are users in the ERP with access to make requests via API periodically reviewed?


Is password history policy enabled?
Is multi-factor authentication (MFA) enabled, if supported by the product?
Was a list of profiles and privileges mapped and built as an anti-fraud action?
Do Franchises and/or Partners have access to your ERP data?
Are users with permission to open contact channels with TOTVS (Support portal and telephone service) reviewed, for example updated in the
event of dismissals or changes in the positions of the Client's employees?
Considering the Client's computing environment, is there an area responsible for access control?
Are the contact points authorized to make requests to TOTVS Cloud reviewed?

For further clarification, we will be happy to help you.

Contact us through the Call Center (11 4003-0015) or look for your relationship manager.
