Compliance
Govern your organization's information technology and security activities with clear, up-to-date policies aligned with applicable legislation.
Context
Technology policies are documents that define rules, responsibilities, and guidelines for the use of IT resources, data handling, and information security practices within an organization.
It is not just about the information security policy. The full set includes policies for different contexts: acceptable use of resources, access control, privacy, information classification, incident response, remote work, BYOD, and more.
LGPD (Brazil's General Data Protection Law)
Marco Civil da Internet (Brazilian Internet Bill of Rights)
Decreto 7.962/2013 (E-commerce regulation)
Lei Anticorrupção (Brazilian Anti-Corruption Law) and its regulatory decree
Sector-specific regulations (BACEN, CVM, ANVISA, ANS)
Risks
The absence of formal policies is not just an organizational gap -- it is an operational, legal, and reputational risk.
Without documented policies, a company cannot demonstrate compliance in audits or regulatory proceedings. It has no basis to hold employees accountable for misuse of resources. It fails to meet contractual requirements from enterprise clients and partners. And when a security incident or data breach occurs, the lack of documentation significantly worsens the company's position, both before the ANPD (Brazil's data protection authority) and in court.
Clear and up-to-date policies serve to organize practices that often already exist but are not formalized. Documenting them is easier now than justifying their absence later.
Methodology
We do not work with generic templates. Each policy is developed considering the specific context of the company, its industry, applicable regulations, and operational reality.
We identify which policies the company already has, which need revision, and which are missing. We map the regulatory context and the specific requirements of the sector.
We define which policies will be created or revised, prioritizing by criticality, regulatory exposure, and immediate operational needs.
We draft policies grounded in applicable legislation (LGPD, Marco Civil da Internet, sector-specific regulations) and security frameworks (ISO 27001, NIST, CIS Controls).
We present the policies for validation with the relevant departments and make adjustments as needed.
We deliver the finalized policies with guidance on publication, internal communication, and periodic maintenance.
Catalog
Information Security Policy (ISP)
Information Classification
Access Control
Incident Management
Backup and Recovery
Secure Development
Acceptable Use of IT Resources
Remote Work / Home Office
BYOD (personal devices)
Email and Internet Use
Social Media
Privacy Policy (external)
Personal Data Protection (internal)
Data Retention and Disposal
Cookie Policy
Terms of Service
Privacy Policy for websites and applications
Data protection contracts and clauses with vendors
Differentiators
BrownPipe's policy work combines two competencies that typically operate separately: the technical perspective of information security and specialized legal knowledge in data protection and technology law.
This means the policies are not just checkbox documents. They reflect real technical controls and simultaneously meet security requirements, legal compliance, and business expectations.
Consultant with a Doctorate in Law from UFRGS, specializing in data protection and technology law. Policies grounded in current legislation and sector-specific regulations.
Consultant with a Master's degree in Computer Science from UFRGS. Policies aligned with security best practices (ISO 27001, NIST, CIS Controls) and operational reality.
Common questions
An information security policy is an internal document that defines guidelines for protecting all types of organizational information. A privacy policy is an external document, aimed at customers and users, that explains how the company collects, uses, and protects personal data. They are complementary documents with different audiences.
It depends on the context. If you process personal data, you are subject to LGPD and should have at least a privacy policy. If you serve enterprise clients or regulated sectors, formal policies are often contractually required. Even for small companies, basic policies help organize practices and demonstrate due diligence.
We recommend annual reviews or whenever significant changes occur: new legislation, changes in services provided, security incidents, or changes in organizational structure.
Customized. We do not work with generic templates. Each policy is developed considering the company's context, industry, applicable regulations, and operational reality.
We consider the legislation applicable to the client's context: LGPD, Marco Civil da Internet, Decreto 7.962/2013 (e-commerce regulation), Lei Anticorrupção (Anti-Corruption Law), as well as sector-specific regulations such as resolutions from BACEN, CVM, ANVISA, ANS, and others depending on the industry.
No. A privacy policy explains how personal data is processed. Terms of service define the rules for using a service or platform, including rights, duties, and liability limitations. They are complementary documents, both necessary for online services.
Our service focuses on creating and reviewing the documents. Practical implementation (internal communication, training, technical controls) can be supported by other BrownPipe services, such as training and information security consulting.
It depends on the scope. A single policy can be developed in 1 to 2 weeks. A complete set of policies for an organization takes 4 to 8 weeks, including assessment, drafting, and validation.
Clear and up-to-date policies demonstrate maturity, meet regulatory requirements, and protect the company in audits and incidents.
Get in touch