Integrated Management System Risk & Incident Management
Risk Management
In today’s rapidly evolving business environment, managing risks related to both quality and information security is vital for protecting organisational assets and ensuring business continuity.
Devoteam Portugal is committed to implementing an effective risk management framework that identifies, assesses, and mitigates risks to maintain operational excellence, quality, and security. This approach applies to all employees, processes, and business functions.
The process begins with risk identification, where potential threats and vulnerabilities are uncovered through audits, stakeholder feedback, and detailed analysis. This is followed by risk assessment, which evaluates the impact and likelihood of each risk, prioritises them, and reviews existing controls.
This comprehensive approach ensures a deep understanding of the risks and enables the development of robust mitigation strategies, ultimately enhancing both quality and information security.
Incident Management
At Devoteam Portugal, maintaining the integrity and security of our information systems is a top priority. We take a proactive approach to incident management and encourage all employees to promptly report any potential threats or security incidents related to information security.
Incidents can be reported through the following channels:
Service Desk Platform: Use the dedicated form "Security & Data Privacy -> Information Security Event / Incident".
External Reporting: Individuals outside the company can report incidents via email at pt.it.security.incident@devoteam.com. All reports will be reviewed by the Devoteam Portugal IT Department.
Incident Classification
To ensure effective identification and response to incidents, it is crucial to understand key terms and definitions related to information security:
Information Security Weakness
Definition: Something that we know can jeopardise the information security system.
Examples: Unsecured networks; Outdated systems; Lack of network monitoring; Employees not trained in information security; Lack of awareness for information security; Antique hardware; Unprotected lines of communication; Lack of regular audits; Lack of physical access management.

Information Security Event
Definition: An occurrence on a system, service or network, indicating a possible violation of the Information Security policy, failure of controls, or a previously unknown situation, which may be relevant to Information Security.
Examples: Written passwords (papers, words, notepads…); Printing or copying confidential information and not storing it correctly; An employee flags a suspicious email; Finding a document in a place it wasn't supposed to be; Unsuccessful phishing attack.

Information Security Incident
Definition: An event that effectively compromises the confidentiality, integrity, or availability of a Devoteam managed information system, data, or service. This can include unauthorised access, data breaches, malware attacks, or system failures that negatively impact security.
Examples: Intrusion into a computer system; Unauthorised access to, or use of, systems, software, locations or data; Unauthorised changes to systems, software or data; Loss or theft of equipment used to store or work with confidential data; System failures that negatively impact security.
Last updated: 11/12/2024
Author: Rute Reizinho, Compliance Director / DPO at Devoteam Portugal