ANNUAL REPORT / 2022

SUSTAINABILITY INDICATORS

DESCRIPTION OF APPROACH TO IDENTIFYING AND ADDRESSING DATA SECURITY RISKS IN COMPANY OPERATIONS AND PRODUCTS (RT-AE-230a.2)

Embraer establishes the guidelines regarding the methodology to be used for managing vulnerabilities by the Information Security area. Their use allows appropriate measures to be taken to eliminate their vulnerabilities before they can be exploited.

Vulnerability management is a continuous and transparent process carried out by the Information Security staff. Using digital scanning and auditing solutions for systems and applications, the process is responsible for providing, in the Configuration Management Data Base (CMDB) setup items, the vulnerabilities identified in the various layers that make up corporate systems.

Scans are scheduled to be performed daily, with mechanisms to avoid impacts on operations. To meet the company's monthly critical routines, the scan is performed in a less intrusive manner, avoiding overloads on critical systems. The results of scans should generate visibility into the company's situation, centralizing the results in CMDB. Weekly there is a meeting between representatives of all managers in the Information Technology (IT) area to report outcomes, review critical cases, and address their treatment. These outcomes are confidential and not publicly disclosed.

The Patch Management and Update Process, under the responsibility of the IT Infrastructure area, aims to coordinate and perform updates to corporate systems. The process should be organized by listing the vulnerabilities based on the Setup Items with the classification of the required updates ordered by criticality, based on the CVE (Common Vulnerabilities and Exposures) severity metric. For each degree of severity, the IT Infrastructure area should prioritize the application of updates and fixes within a service deadline.

In events detected in vulnerability management, the IT Infrastructure staff has the prerogative to perform remediation actions without prior notice. These actions are connected to the purpose of maintaining the levels of operation of the business, ensuring the availability, integrity, and confidentiality of the company.