Purpose and scope
Luis Ferreira, founder and owner of LuisFerreira Consulting OÜ, sets out in this statement the principles and posture on cybersecurity and artificial intelligence adopted, as part of the firm’s service delivery, in the conduct of senior consulting engagements with clients, in particular boards of directors, CEOs, CFOs, CIOs and CISOs.
This statement is addressed to current and prospective clients, partners and any third party with a legitimate interest in understanding the safeguards applied to information exchanged during engagements. It complements, but does not replace, the Privacy Policy published on this site, which governs the processing of personal data under the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).
Guiding principles
Information security and the ethical use of technology are foundational to the trust placed in independent senior advisory work. Six principles guide all engagements:
- Confidentiality — client information is shared only with those with a legitimate need to know within the scope of the engagement.
- Integrity — information is protected against unauthorised modification, loss or corruption throughout its lifecycle.
- Availability — engagement deliverables and supporting information remain accessible when needed by the client.
- Least privilege and minimisation — access to client systems and data is requested only to the extent strictly required, for the time strictly required.
- Privacy and security by design — recommendations and architectures proposed to clients embed privacy and security considerations from the outset, not as an afterthought.
- Technical protection — all data collected during the execution of the engagement is catalogued and stored on encrypted media, with access protected by multi-factor authentication. Where personal data is involved, it is additionally anonymised whenever practicable.
Reference frameworks and credentials
The professional posture described in this document is grounded in recognised international frameworks and in four decades of executive experience in information technology, governance, risk and compliance.
- ISO/IEC 27001 — used as an orientation framework for information security management practices. No certification is claimed.
- NIST Cybersecurity Framework (CSF) 2.0 — structures the identify, protect, detect, respond and recover functions applied to the firm’s own consulting environment.
- General Data Protection Regulation (GDPR) — governs the processing of personal data and is reflected in the Privacy Policy referenced above.
- EU Artificial Intelligence Regulation (Regulation (EU) 2024/1689) — observed in the role of deployer of artificial intelligence systems, with the corresponding transparency and oversight obligations.
The advisor, Luis Ferreira, is a member of ISACA (Information Systems Audit and Control Association) and served as CIO and CISO of a major Portuguese group prior to founding LuisFerreira Consulting OÜ.
Information classification and handling
Client information is treated as confidential by default and classified according to its sensitivity. The following commitments apply throughout the engagement and after its conclusion:
- Client information is processed only for the purposes agreed in the engagement letter or equivalent contractual instrument.
- Confidentiality obligations survive the conclusion of the engagement and are formalised through Non-Disclosure Agreements whenever requested.
- Sensitive personal data, regulated data (financial, health) and information classified as restricted by the client are subject to enhanced handling, including pseudonymisation or anonymisation prior to any analytical work, whenever practicable.
- Client information is segregated from personal information and from information of other clients.
A simple classification scheme is applied internally, distinguishing confidential client information, sensitive or regulated information (subject to enhanced handling) and non-sensitive information, with controls proportionate to the sensitivity of each category. The operational detail of this scheme may be shared with clients in the context of supplier due diligence.
Technical and organisational measures
Without disclosing operational detail that would itself constitute a security risk, the following categories of controls are in place:
- Access control and authentication on all systems used in the conduct of consulting work, including multi-factor authentication.
- Encryption of data at rest and in transit on devices and storage used for client information.
- Endpoint protection and patch management on all workstations and servers under direct control.
- Public Wi-Fi — access to client systems or data over public or open Wi-Fi networks is always carried out through a VPN.
- Antivirus and anti-malware — all devices run active protection software, with valid subscriptions and permanent automatic updates.
- Backup and recovery procedures with redundancy and periodic verification.
- Secure communication channels for the exchange of confidential information with clients.
- Physical security of devices and documents, including travel security practices when engagements are conducted on the client’s premises.
- Vendor due diligence on third-party services used in the delivery of consulting work, with preference for providers offering contractual data protection guarantees.
- Continuous learning in security and emerging threats, including formal professional development and active participation in the security community.
- Cloud hosting and data processing policy — outsourcing only to cloud services provided by hyperscale providers (specifically Google Cloud, AWS and Microsoft Azure), ensuring, whenever technically and contractually possible, that data hosting and processing take place in data centres located within the European Union, in line with applicable security and data protection requirements.
A detailed inventory of technical measures is maintained internally and may be discussed, under appropriate confidentiality arrangements, with clients conducting supplier due diligence.
Use of artificial intelligence in consulting work
Artificial intelligence tools are used selectively to support research, analysis, drafting and code development in consulting engagements. Their use is governed by the following commitments, designed to ensure that AI adoption does not compromise the confidentiality and quality clients are entitled to expect.
- Only paid, professional-grade subscriptions are used for AI services. Free or unverified tools are not used in the processing of client information, consistent with the cloud hosting and EU data centre policy detailed above.
- No-training guarantees — only services that contractually exclude the use of submitted content for model training are used to process client information.
- Anonymisation and minimisation — client information submitted to AI systems is anonymised, pseudonymised or generalised whenever the analytical goal can be achieved without identifiable detail. Sensitive identifiers, proprietary configurations and personal data are removed before submission whenever possible.
- Human oversight — all AI-assisted outputs are reviewed, validated and, where appropriate, corrected before being delivered to clients. The professional responsibility for deliverables rests entirely with the advisor.
- Transparency — clients are informed when AI tools are used in a material way in the production of deliverables, and AI is never presented as a substitute for senior executive judgement.
- Prohibition of opaque automation — no automated decisions affecting client interests are taken without human review.
- AI Act alignment — in the role of deployer of AI systems, applicable transparency, oversight and record-keeping obligations under Regulation (EU) 2024/1689 are observed.
Clients with specific restrictions on the use of AI in their engagements (for example, regulated sectors with explicit prohibitions) are invited to communicate those restrictions in writing; such restrictions are formally incorporated into the engagement and respected without exception.
Use of content by AI: what is permitted, what is not
The content of this website may be consulted in real time by AI-powered search assistants — notably Claude, ChatGPT Search and Perplexity — so that users querying these tools on matters of strategic IT, information security or governance can be directed to relevant material published here.
The use of this content to train AI models is, however, reserved. The site remains open to consultation and citation by AI search assistants, but closed to automated scraping for the purpose of building or improving large language models. This reservation is technically asserted through the Content-Signal directive in robots.txt, with the value search=yes, ai-train=no, under the rights reservation provided by Article 4(3) of Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market.
Incident handling and client notification
In the event of a security incident affecting client information:
- The client is notified without undue delay and, in any event, within 72 hours of becoming aware of the incident, in line with the standard set out in Article 33 of the GDPR.
- The notification covers the nature of the incident, the categories of information affected, the measures taken to contain it and the recommended actions, where applicable.
- Full cooperation is provided to the client and, where relevant, to competent authorities (such as the CNPD or the national cybersecurity authority) in the investigation and remediation of the incident.
- Lessons learned are documented and incorporated into the controls described above.
Responsibility and contact
In a sole-advisor consulting practice, the role of accountable owner for cybersecurity and artificial intelligence governance rests with the founder and managing director, Luis Ferreira. This responsibility is not delegated.
For any matter related to this statement — including supplier due diligence requests, incident notifications or specific contractual security requirements — please get in touch via:
- Email: luis@slateblue-sparrow-706087.hostingersite.com
- Entity: LuisFerreira Consulting OÜ — Sepapaja tn 6, 15551 Tallinn, Estonia (Registry no. 17408024).
Review and version control
This statement is reviewed at least annually, and whenever a material change occurs in the technological, regulatory or threat landscape that warrants an update.
- Version: 1.0
- Effective date: 10 May 2026
- Next scheduled review: 10 May 2027
- Owner: Luis Ferreira, Managing Director, LuisFerreira Consulting OÜ.
