Santen strives to establish an information management and monitoring system that responds to a wide range of risks, including unforeseeable ones, so that such risks are eliminated or addressed appropriately.
Risk Management and Assessment
To avoid risks to the continuity of our business, Santen established the Risk Management Committee, which holds two meetings per year. This Committee conducts risk assessments to comprehensively identify group-wide risks, including production, quality, human rights and corruption risks. An assessment conducted in cooperation with an external research company in 2020 found neither major violations of compliance nor major cases of injustice, verifying that Santen had maintained a corporate climate and environment generally favorable to preventing such problems.
In the most obvious sense, effective information security assures the safety of our critical assets, protects individual privacy, and guards the integrity of our systems and infrastructure. In a broader sense, information security is the essential first ingredient to our evolution as a global society. Therefore, at Santen, we treat information security as a strategic priority.
Santen is committed to implementing and maintaining an Information Security Management System (ISMS) based on ISO/IEC 27001. The main objective of the system is to guarantee the confidentiality, integrity and availability of the information required for the continuity of daily operations, for compliance with regulations, and for maintaining strategic competitive advantage. To implement and operate this management system, Santen:
- Develops a clear, comprehensive security vision and implements metrics relevant to business outcomes,
- Implements an Information Security Risk Management methodology that efficiently and effectively eliminates or reduces risks affecting processes, and allocates the resources needed to mitigate information security risks to an acceptable level. It addresses uncertainties around valuable assets to ensure the desired business outcomes are achieved,
- Conducts education programs and awareness training activities regularly so that employees, contractors and business partners are aware of their roles and responsibilities regarding information security,
- Provides business continuity for critical processes by developing and maintaining a business continuity framework, plans and systems,
- Complies with, and continuously seeks to improve on, all applicable information security related laws, market regulations, contractual obligations, industry standards and other related internal and external requirements,
- Takes appropriate actions to manage and prevent information security policy violations,
- Continually improves the ISMS by setting security control objectives and performing regular internal audits and gap assessments,
- Ensures that all employees comply with ISMS policies, detailed rules and controls.
Information Security Governance
Top management's support, commitment and accountability are vital to implementing information security and achieving the Information Security Management System's intended results.
At Santen, the Chief Information Officer (CIO) acts as Chief Information Security Officer (CISO) and is accountable for the global information security strategy and its execution.
In this role, the CIO reports directly to the CEO and is responsible for maintaining the security governance framework. As clearly stated in the 'Santen Global Information Security Policy', this includes focusing on information and business risks, concentrating on the protection of critical business processes and applications, protecting classified information from disclosure, taking responsibility for developing and maintaining an information security architecture, and ensuring that new systems are developed securely.
The CIO is supported by the ISMS Committee, a governance body chaired by the Head of Global Information Security and made up of several key stakeholders. It meets on a regular basis to make strategic decisions and to perform the other key responsibilities listed below:
- Approve enterprise-wide, key decisions affecting the information security status of Santen,
- Create a pragmatic, risk-aware culture where information security is subconsciously considered across all aspects of business,
- Promote timely decision-making about information risks by monitoring Santen's exposure to information security threats, and making recommendations to the governance body,
- Monitor security performance using information that is timely and accurate,
- Report to stakeholders about risks identified and progress of information security-related projects and initiatives.
Security awareness training
Santen's security education and awareness program expects all employees to take ownership of our security practices. Santen trains all new employees on information security policies and detailed rules. The online training has a completion rate of 99%. The training covers the following topics:
- Understanding the importance of 'information security'
- Understanding security threats and how to prevent information security incidents
- The responsibilities of the employees
- Specific information security measures that help employees in their daily activities
- Understanding mobile device risks
- Measures against malware
- E-mail and internet acceptable usage
- Information classification and handling
Security policies and procedures
Santen aims to apply industry best practices in its information security policies and processes, and to invest in strategies that are commensurate with the changing nature of the security threat landscape. Some of the policies and procedures that provide guidance to our employees in their daily operations include the following:
- Global Information Security Policy
- Global Information Security Detailed Rules
- Global Security Incidents Management Procedure
- Global Major Security Incidents Management Procedure
- Global Data Classification and Handling Policy
- Global Encryption Procedure
- Global Backup and Restore Procedure
- Global Access Management Procedure
- Global Mobile Device Management Procedure
- Global Data Transfer Procedure
- Global Log Management Procedure
Measures against COVID-19 Infections
We at Santen believe that our mission is to continue delivering treatments for visual conditions to our patients around the world, based on Santen's CORE PRINCIPLE, even in the event of emergencies, including the worldwide COVID-19 pandemic and the consequent adoption of lockdown measures in various cities and countries around the world. In addition, as a life science company that contributes to society, we place high importance on avoiding any act that could help to spread the virus, and on continuing our efforts toward future innovation in ophthalmic treatment even amid such an emergency. As an emergency measure, on January 28, 2020, we organized the Crisis Management Committee, chaired by the President. We have since carried out various initiatives, including monitoring the situation at our business locations in Japan and abroad, devising countermeasures, and giving directions on their implementation.