What happened?
On 5/4/2022, an arson attack destroyed 90% of the collection of the Civil Registry of Natural Persons and Notary Office of the Itapemirim district, in Espírito Santo. According to the civil police, the goal was to cover up evidence in an ongoing investigation.
Despite the undeniable material losses, the collection was fortunately not lost, since the office kept double and cloud backups. In this context, it is worth considering the importance of information security for non-judicial services.
Why is information security so important in registry offices?
Even before the General Data Protection Law (LGPD) came into force, information security in the notary and registry system was already regulated by Provision No. 74/2018, issued by the National Council of Justice (CNJ).
It lists technical and administrative measures, such as an information security policy, continuity plan, backup, firewall, antivirus, UPS, etc.
Full compliance with Provision 74 requires commitment, cost and investment. Given this, it is common to question whether so many safeguards are truly needed. “Even the forum has a lot!” is what is usually heard from fellow delegates when commenting on such requirements.
This is simple to answer. The level of security must be proportional to the risks of data processing, measured by the suitability, nature and volume of the processed data, namely:
1) Suitability: The data held by the Services is of general interest and contains, in its content, many subjective rights. They are of great importance to the state and to the people in general;
2) Nature: many data are confidential or sensitive in nature and require protection at a different level;
3) Volume: The database is always huge. In companies, the rule is to discard as much as possible and keep only what is really useful. In notary offices, the rule is to keep everything and discard only what is mandatory.
These considerations are sufficient for us to realize that information security at higher levels is justified.
But simple logic is nothing compared to the facts. In difficult times, the need for security becomes even more apparent. At such times the old saying holds: information security is always excessive, until it becomes insufficient.
The Itapemirim fire is definitely one of those moments that make us think. In this text, we comment on two important points of the security architecture set out in Provision 74.
Backup
Article 3 of Provision 74 requires each service to keep a backup copy of its entire collection, made in two ways: 1) on electronic media (e.g., an external hard drive); 2) in digital form, that is, a cloud backup. Two observations are relevant here.
The first is that the backup must be made every day, so that if a notary loses the physical collection in a disaster, activities can be re-established without heavy losses.
The second is that making a backup is not enough. Its effectiveness must be proven.
This calls for attention to contracts with service providers. Suppose the vendor contractually guarantees that it backs up daily, but never tests the backup. What if the backup has been corrupted for a long time? At the time of the accident, the collection is likely to be damaged.
Of course, the person responsible for the service is entitled to compensation for damages. But does that solve the problem?
To avoid this situation, it is very important to regularly test the integrity of your backups, with periodic reports on this check sent to the service's data protection officer.
The officer must analyze the reports and evaluate the practical effectiveness of the backup, providing the person in charge of the service with accurate information so that he can make the best decisions for preserving the collection.
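One way to run the integrity test and produce the periodic report described above, as an added example that is not part of the original article or of Provision 74. Local directories stand in for the external drive and the cloud copy; the file names, the 24-hour freshness limit and the report fields are assumptions.

```python
import hashlib, json, tempfile, time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 3600  # assumption: "every day" means a backup no older than 24 h

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_manifest(source: Path) -> dict:
    """Record one hash per file at backup time; keep it apart from the copies."""
    files = {str(p.relative_to(source)): sha256_file(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    return {"created": time.time(), "files": files}

def verify_copy(name: str, copy: Path, manifest: dict, now: float) -> dict:
    """Read every file back from a backup copy and compare it with the manifest."""
    missing, corrupted = [], []
    for rel, digest in manifest["files"].items():
        target = copy / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            corrupted.append(rel)
    stale = now - manifest["created"] > MAX_AGE_SECONDS
    return {"copy": name, "stale": stale, "missing": missing,
            "corrupted": corrupted, "ok": not (stale or missing or corrupted)}

def demo() -> list:
    """Constructed sample: two record files, one good copy, one silently corrupted."""
    root = Path(tempfile.mkdtemp())
    src, ext, cloud = root / "collection", root / "external_hd", root / "cloud"
    for d in (src, ext, cloud):
        d.mkdir()
    for fname, body in (("book_a.dat", b"birth records"), ("book_b.dat", b"deeds")):
        for d in (src, ext, cloud):
            (d / fname).write_bytes(body)
    manifest = make_manifest(src)
    (cloud / "book_b.dat").write_bytes(b"deedz")  # simulated corruption in one copy
    now = manifest["created"] + 3600              # check runs one hour after the backup
    return [verify_copy(n, d, manifest, now)
            for n, d in (("external_hd", ext), ("cloud", cloud))]

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # the periodic report sent for review
```

A copy counts as proven only when `ok` is true; a hash comparison detects corruption, while a periodic full restore is still needed to show the records can actually be put back into service.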
Business Continuity Plan
In addition to backup, Provision 74 states that the storage media in use must be fault tolerant. This highlights the need for a plan B if something fails. This is the Business Continuity Plan (BCP; PCN in the Portuguese abbreviation).
Set forth in Section 2, Clause 1 of Provision 74/CNJ, the PCN is the list of incidents that may affect the collection and prevent the provision of services. Such events can have natural, technical and human causes, the latter intentional or not. Examples are: electrical failure, malware infection, theft, floods, fires, data hijacking, among others.
With this mapping of potential disasters in hand, the service can anticipate what measures will be taken in the event of an accident. Thus, a guide is drawn up on how to act in each context.
With a plan developed in advance, away from the stress and pressure of the accident, the service is in a much better position to work in emergency situations, since all planning efforts have already been made. Therefore, the PCN permits prompt action to contain the damage and to ensure uninterrupted continuity of activity, as defined in Section 7 of Provision 74.
Conversely, the absence of a PCN forces the person responsible to plan hastily, in the heat of the moment. Inevitably, the collection takes longer to recover, which harms the service's finances and the continuity of service provision to users.
Finally, it is necessary to emphasize one very important thing: the PCN must be in writing.
When laws and regulations use the terms “policy” or “plan,” they mean something that is written and documented. This can be seen in the good-practice standards for information security, especially the ISO 27000 family. The logic is simple: conversations do not guarantee the security needed to deal with the tense moments following a security incident.
This is fully consistent with the notary and registry logic. After all, if notaries exist to ensure legal certainty by preserving written legal acts, why would information security dispense with written documents?
References
Brazil. CNJ Provision No. 74 of 7/31/2018. Establishes minimum IT standards for the security, integrity and availability of data for the continuity of activity of notary and registry services in Brazil, and other provisions. Available at: https://atos.cnj.jus.br/atos/detalhar/2637. Accessed May 10, 2022.
Clement, Beatrice. The delegate believed that the fire in the ES notary’s office was a crime. Dgalma Pereira, city delegate, said the fire that occurred in the early hours of Wednesday (4) may have caused the documents to be destroyed. Newspaper, 04 May 2022. Available at: https://www.agazeta.com.br/amp/es/policia/delegado-acredita-que-incendio-em-cartorio-no-es-foi-criminoso-0522. Accessed May 10, 2022.
Hammerley, Bruna. Criminal fire destroys civil registry and documents office in ES. The case occurred in the city of Itapemirim in the early hours of Wednesday (4). According to the owner of the registry office, about 90% of the collection was burned. G1, 04 May 2022. Available at: https://g1.globo.com/es/esspirito-santo/noticia/2022/05/04/incendio-destroi-cartorio-de-registro-civil-e-documentos-no es.ghtml. Accessed May 10, 2022.