Santen strives to establish an information management and monitoring system in response to various risks, including unpredictable uncertainties, to eliminate such risks or address them appropriately.
Risk Management and Assessment
In line with its crisis management rules, the company has established a system under which each business corporation and organization identifies and manages risks of loss during normal operations, formulates policies and measures, and collects information, with the aim of appropriately addressing and minimizing the risks of major losses anticipated in its business activities. If an event that is likely to develop into a serious crisis occurs or is reported, a Crisis Management Committee chaired by the CEO is organized to address and resolve that event and to adopt measures to prevent the recurrence of similar events.
Moreover, to address various risks that are likely to have impacts on corporate management, we are working to enhance our risk management activities under the oversight of the Chief Risk Officer. We are also engaged in continuous risk management activities, including identifying risks that are likely to have impacts on corporate management, and discussing and devising measures to prevent the realization of significant risks.
The Internal Auditing Group, in an independent position, examines the status of the company's risk management through operational audits.
A risk assessment conducted in cooperation with an external research company in 2020 found no major compliance violations or serious misconduct. This confirmed that the company has maintained a corporate culture and environment that helps prevent such problems.
In the most obvious sense, effective information security assures the safety of our critical assets, protects individual privacy, and guards the integrity of our systems and infrastructure. In a broader sense, information security is the essential first ingredient in our evolution as a global society. Therefore, at Santen, we treat information security as a strategic priority.
Santen is committed to implementing and maintaining an Information Security Management System (ISMS) based on ISO/IEC 27001. The main objective of the system is to guarantee the confidentiality, integrity and availability of the information required for the continuity of daily operations, for regulatory compliance, and for maintaining strategic competitive advantage. To implement and operate this management system, Santen:
- Develops a clear, comprehensive security vision and implements metrics relevant to business outcomes,
- Implements an efficient and effective Information Security Risk Management methodology to eliminate or reduce risks affecting processes, and allocates the resources necessary to mitigate information security risks to an acceptable level. This methodology addresses uncertainties around valuable assets to ensure the desired business outcomes are achieved,
- Conducts education programs and awareness training activities regularly so that employees, contractors and business partners understand their roles and responsibilities regarding information security,
- Provides business continuity for critical processes by developing and maintaining a business continuity framework, plans and systems,
- Complies with, and continuously seeks to improve on, all applicable information security laws, market regulations, contractual obligations, industry standards and other related internal and external requirements,
- Takes appropriate actions to manage and prevent information security policy violations,
- Continually improves the ISMS by setting security control objectives and performing regular internal audits and gap assessments,
- Ensures that all employees comply with ISMS policies, detailed rules and controls.
Information Security Governance
Top management's support, commitment and accountability are vital to implementing information security and achieving the Information Security Management System's intended results.
At Santen, the Chief Digital & Information Officer (CDIO) acts as Chief Information Security Officer (CISO) and is accountable for the global information security strategy and its execution.
In this role, the CDIO reports directly to the Chief Executive Officer (CEO) and the Board of Directors (BoD) and is responsible for maintaining the security governance framework, focusing on information and business risks, concentrating on the protection of critical business processes and applications, protecting classified information from disclosure, developing and maintaining an information security architecture, and ensuring that new systems are developed securely, as stated in the 'Santen Global Information Security Policy'.
The CDIO is supported by the ISMS Committee, a governance body chaired by the Global Head of Information Security and made up of several key stakeholders. The ISMS Committee meets regularly to make strategic decisions and carry out the other key responsibilities listed below, and reports identified risks and decisions to the CDIO, CEO and BoD:
- Approve enterprise-wide key decisions affecting the information security status of Santen,
- Create a pragmatic, risk-aware culture in which information security is considered as a matter of course across all aspects of the business,
- Promote timely decision-making about information risks by monitoring Santen's exposure to information security threats, and making recommendations to the governance body,
- Monitor security performance using information that is timely and accurate (Key Performance Indicators and Key Risk Indicators),
- Report to stakeholders about risks identified and progress of information security-related projects and initiatives.
Security awareness training for both information technology (IT) and operational technology (OT)
Our security education and awareness program expects all employees to take ownership of our security practices. We train all new employees on information security policies and detailed rules.
The online IT security awareness training in FY2021 had a completion rate of 96%. The topics covered include the following:
- Understanding the importance of 'information security'
- Understanding the security threats and how to prevent information security incidents
- The responsibilities of the employees
- Specific information security measures that help employees in their daily activities
- Understanding mobile device risks
- Measures against malware
- E-mail and internet acceptable usage
- Information classification and handling
The online OT security awareness training in FY2021 had a completion rate of 98%. The topics covered include the following:
- Understanding the importance of 'information security' and the difference between OT and IT
- Understanding the security threats and how to prevent information security incidents
- Business continuity
- Physical and environmental security
- Network isolation and access controls
- Change management
- Third party risks and management
Global phishing gamification
As phishing is one of the most effective and widespread techniques used by cyber criminals, Global Information Security developed a new phishing training approach to drive a more secure corporate culture, founded on employee behavior that reduces the risk posed by the human element.
The team launched an ongoing phishing gamification experience globally to encourage our colleagues to learn safer email habits in an engaging and playful way, while ensuring they are part of the incident response process.
Security policies and procedures
The company aims to apply industry best practices in its information security policies and processes, and to invest in strategies commensurate with the changing security threat landscape. The policies and procedures that guide our employees in their daily operations include the following, all of which apply globally:
- Information Security Policy
- Information Security Detailed Rules
- Security Incidents Management Procedure
- Major Security Incidents Management Procedure
- Data Classification and Handling Policy
- Encryption Procedure
- Backup and Restore Procedure
- Access Management Procedure
- Mobile Device Management Procedure
- Data Transfer Procedure
- Log Management Procedure
- Information Security Risk Management Procedure
Third party security risk management
At Santen, third parties are treated as an extension of our Information Security Management System (ISMS): when Santen provides services to, or receives services from, a third-party supplier, the scope of our ISMS extends to that third party. The information security policies, procedures and instructions enforced within Santen apply to all third parties that have a relationship with us.
Information security risk assessments are performed before engaging with third parties. Because third-party security risks are constantly evolving, continuous monitoring at regular intervals is vital; we monitor these risks using various tools and processes (such as Maturity Level Assessments and Cyber Risk Scorecards) throughout the entire vendor lifecycle, from onboarding to offboarding.
Measures against COVID-19 Infections
We at Santen believe that our mission is to continue delivering treatments for visual conditions to our patients around the world, based on Santen's CORE PRINCIPLE, even in emergencies such as the worldwide COVID-19 pandemic and the consequent lockdown measures adopted in cities and countries around the world. In addition, as a life science company that contributes to society, we place high importance on avoiding any act that could help spread the virus, and on continuing our efforts toward future innovation in ophthalmic treatment even amid such an emergency. As an emergency measure, on January 28, 2020, we organized the Crisis Management Committee, chaired by the President. We have since carried out various initiatives, including monitoring the situation at our business locations in Japan and abroad, devising countermeasures, and giving directions on their implementation.