Programa de Privacidade e Segurança da Informação (PPSI): What Is It and How to Comply

Natalí Valle December 2, 2024

The Programa de Privacidade e Segurança da Informação (PPSI) was released in March 2023 and comes into force in January 2025. The clock is ticking, and Brazilian organizations affected by the norm need to act now to align their operations with PPSI requirements, especially when it comes to creating a compliant asset inventory.

Is this your case? Then tag along! In this article, we’ll guide you through the steps to build an effective inventory that meets PPSI standards and show how InvGate Asset Management can help you meet the framework's standards with ease.

The sooner you begin, the smoother and more effective the process will be. So, let’s get to it!

What is PPSI?

The Privacy and Information Security Program (PPSI) is a Brazilian government initiative designed to enhance cybersecurity and standardize data protection across public institutions. It provides a framework for organizations to establish strong security policies and apply controls that safeguard the confidentiality, integrity, and availability of information.

The document is intended for Federal Public Administration (APF) entities, and it’s aligned with the National Information Security Policy (PNSI) and the General Personal Data Protection Law (LGPD).

So, what does this mean for IT managers? It involves tailoring processes and tools to manage assets while maintaining transparency. They must also ensure that systems and workflows adhere to top security standards.

What are the objectives of the Programa de Privacidade e Segurança da Informação?

These are the goals behind PPSI:

  • Safeguard sensitive data from internal and external risks.
  • Align with national and international information security standards.
  • Strengthen privacy practices by minimizing vulnerabilities and enhancing security maturity.

Where does the standard operate?

The PPSI (Privacy and Information Security Program) operates on several fronts related to data protection and cybersecurity in the Brazilian public sector. Its areas of activity include the creation of security policies, IT Asset Management (ITAM), access control, continuous monitoring, and compliance with national and international standards.

In addition, the program promotes practices such as identifying vulnerabilities, applying patches, conducting regular audits, and training IT teams. These actions help establish a secure and well-managed IT environment, reduce operational risks, and strengthen information security within public bodies.

The PPSI framework vs. CIS controls

The PPSI framework and the CIS Controls share a focus on strengthening information security, but PPSI aligns specifically with Brazilian government requirements, while CIS Controls provide globally recognized guidelines.

The PPSI framework was designed specifically for the Brazilian public sector. It aims to standardize privacy and cybersecurity practices across governmental organizations. The framework's emphasis is on aligning processes with national regulations and creating a robust security culture through structured guidelines.

In contrast, the CIS Controls offer a globally recognized set of best practices designed to help organizations of all types prioritize and implement security measures effectively. The CIS Controls are particularly action-oriented, providing detailed steps that can be tailored to various industries and operational scales.

However, IT managers can integrate CIS Controls into a PPSI implementation plan to reinforce the PPSI's requirements with actionable, global best practices. For instance:

  • Asset Inventory and Control (PPSI): This is complemented by CIS Control 1, which emphasizes creating and maintaining a complete inventory of hardware assets.
  • Vulnerability Management (PPSI): Supported by CIS Control 7, which focuses on continuous vulnerability assessment and remediation.
  • Access Control (PPSI): Aligned with CIS Control 6, which highlights the importance of controlled administrative privileges.

PPSI requirements 

The PPSI framework establishes a series of structured requirements to ensure the effective protection of sensitive data and the management of IT environments within public institutions.

Key requirements include:

  1. Developing robust security policies:
    • Organizations must create clear and enforceable policies that govern data protection, System Management, and cybersecurity practices. These policies serve as the foundation for compliance and operational consistency.
  2. Implementing Asset Management controls:
    • All hardware, software, and cloud-based resources must be identified, categorized, and continuously monitored to prevent loss or misuse.
  3. Ensuring Vulnerability Management:
    • Organizations are required to adopt proactive measures to identify, assess, and mitigate system vulnerabilities, including verifying regular patch updates and software versions.
  4. Access control protocols:
    • Access to sensitive systems and information must be restricted to authorized users. This includes implementing multi-factor authentication and tracking user activities to detect anomalies.
  5. Data confidentiality, integrity, and availability:
    • Security measures must guarantee that data remains protected against unauthorized access, tampering, and disruptions that could compromise operational continuity.
  6. Auditing and compliance reporting:
    • Regular audits are mandated to verify adherence to PPSI standards. Detailed reports must be generated to demonstrate transparency and effectively address gaps.

How to build an asset inventory compliant with the Programa de Privacidade e Segurança da Informação

Let’s go through the steps of building an asset inventory with PPSI compliance in mind.

Step 1: Preparation for implementation

Before diving into the tool, it’s important to plan how you will use it to comply with PPSI.

  1. Review the PPSI requirements to understand which controls must be in place for Asset Management.
  2. Define the scope of the inventory, determining which assets need to be tracked (e.g., computers, mobile devices, servers).
  3. Involve key stakeholders, such as IT, compliance, and information security teams, early on.

With this preparation in place, you can move to the next step: setting up InvGate Asset Management to match your organization’s needs.

Step 2: Installation and initial configuration

Now that you're prepared, it's time to set up InvGate Asset Management. The installation process is designed to be quick and secure so you can focus on the configuration.

  1. Download and install InvGate on your server or cloud environment, depending on your preference.
  2. Configure users and permissions within InvGate to ensure that the right people have access to the tool.
  3. Integrate InvGate with your network, automatically detecting all connected devices.

By setting up your system this way, you ensure that only authorized users can access sensitive data, and the tool can start working for you right away.

Step 3: Automated inventory and asset identification

Now it's time to jump into the actual unified asset inventory. You’ll have to record all institutional assets, such as computers, servers, and mobile devices, including key details like IP addresses, locations, and assigned users.

With InvGate Asset Management, you have different options to populate your inventory:

  1. With the automatic asset discovery feature, InvGate can detect all devices (computers, laptops, servers, etc.) connected to your network.
  2. Install the agent on your devices to track them automatically through inventory.
  3. If you already have an informal inventory, say, in an Excel spreadsheet, you can also import it using the .xls template in just a few clicks.

Following this, the next step is simply to ensure that all necessary details, such as asset type, location, responsible user, and status, are completed for each item. 

And, last but not least, remember to classify assets by their criticality or sensitivity to align with your PPSI compliance needs.

Map of methods to create a unified IT asset inventory on InvGate Insight.

Step 4: Access and permissions control

Control who can view or modify asset data to ensure compliance and security. InvGate provides easy tools for managing access rights.

  1. Create user profiles in InvGate and assign specific permissions based on roles (e.g., IT staff, security team, compliance officers).
  2. Use role-based access control to restrict access to sensitive data, ensuring that only authorized users can make changes.
  3. Set up access logs in InvGate to keep a record of who viewed or modified asset information.

This way, you maintain a secure environment where only authorized personnel can make changes to critical data.

Step 5: Continuous tracking and audit reports

These are the steps toward tracking asset activity and flagging suspicious changes or events.

  1. Automatically track asset status and any changes made within InvGate’s platform.
  2. Generate compliance reports for PPSI audits, facilitating compliance with requirements.
  3. Integrate with other security systems to detect anomalies.

These features make it easy to stay on top of your assets, ensuring nothing slips through the cracks when it comes to PPSI requirements.

Step 6: Asset Lifecycle Management

Keep records for each asset from acquisition through transfer, maintenance, and secure disposal.

  1. Use InvGate to track each asset's entire lifecycle, from purchase to maintenance and eventual decommissioning.
  2. Monitor asset movements and location changes so you always know where each asset is and who’s responsible for it.

The most important thing is that you must maintain detailed logs of all changes or transfers to enable traceability and support audits.

Step 7: Compliance reports

You’ll need to prepare periodic reports that detail the asset inventory’s compliance with PPSI standards and track indicators such as inventory coverage, update frequency, and instances of non-compliance.

  1. Create customized reports to highlight key compliance metrics relevant to PPSI, such as asset status or audit results.
  2. Use InvGate’s built-in compliance indicators to track Asset Management efforts and identify areas that need attention.
  3. Export these reports to share with auditors or stakeholders as needed, ensuring transparency and accountability.

InvGate’s ability to generate custom reports is perfect for tracking compliance with PPSI and preparing for audits.
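As an added illustration (not InvGate's code or export format), the script below checks an inventory export for the fields named in Step 3 and computes the Step 7 indicators. The CSV column names, the sample rows, the discovery list, and the 90-day freshness threshold used as a stand-in for "update frequency" are all assumptions made for this example.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a vendor schema.
INVENTORY_CSV = """hostname,asset_type,ip,location,responsible_user,status,criticality,last_updated
srv-db-01,server,10.0.0.10,DC-Brasilia,ana.souza,active,high,2024-11-28
nb-0042,laptop,10.0.1.42,HQ-3F,,active,medium,2024-11-30
nb-0077,laptop,10.0.1.77,HQ-2F,joao.lima,active,,2024-06-01
mob-0007,mobile,10.0.2.7,Remote,carla.reis,retired,low,2024-11-15
"""
# Constructed list of hosts reported by network discovery.
DISCOVERED = {"srv-db-01", "nb-0042", "nb-0077", "mob-0007", "prn-0003"}

# Fields every record must carry (Step 3), plus the criticality classification.
REQUIRED = ("asset_type", "location", "responsible_user", "status", "criticality")
MAX_AGE_DAYS = 90  # assumed threshold: older records count as stale


def audit(csv_text, discovered, today):
    """Return coverage, freshness and per-asset gaps for an inventory export."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    known = {r["hostname"] for r in rows}
    gaps, stale = {}, []
    for r in rows:
        missing = [f for f in REQUIRED if not (r.get(f) or "").strip()]
        if missing:
            gaps[r["hostname"]] = missing
        if (today - date.fromisoformat(r["last_updated"])).days > MAX_AGE_DAYS:
            stale.append(r["hostname"])
    return {
        # Share of discovered devices that have an inventory record.
        "coverage_pct": round(100 * len(known & discovered) / max(len(discovered), 1), 1),
        # Devices on the network with no record at all.
        "untracked": sorted(discovered - known),
        # Share of records updated within the freshness window.
        "fresh_pct": round(100 * (len(rows) - len(stale)) / max(len(rows), 1), 1),
        "stale": sorted(stale),
        # Records missing a required field, keyed by hostname.
        "non_compliant": gaps,
    }


if __name__ == "__main__":
    for key, value in audit(INVENTORY_CSV, DISCOVERED, date(2024, 12, 2)).items():
        print(f"{key}: {value}")
```

Running the same check on each export gives a trend line for the periodic report, and the `untracked` list shows devices that discovery saw but the inventory does not yet cover.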

In short

The PPSI framework provides a valuable guide for federal public administration entities to identify, monitor, and address gaps in their data protection and security measures. 

As the deadline to comply with this new regulation approaches, it's more important than ever to prioritize good practices in security. 

With InvGate Asset Management, you’ll be able to:

  • Set up your asset inventory in 24 hours.
  • Keep all your asset data in one place for easy access and control.
  • Help your team adopt Asset Management with a user-friendly platform.
  • Automate key processes like asset discovery and report generation and save valuable time.

If you're looking for a reliable and efficient way to manage your assets and ensure the security and integrity of your organization's data, InvGate Asset Management is the way to go. Still not sure? Try it out for free for 30 days and see for yourself how it can help you achieve PPSI compliance and more.