Santen strives to establish an information management and monitoring system in response to various risks, including unpredictable uncertainties, to eliminate such risks or address them appropriately.
In line with its rules on crisis management, the company has established a system for each business corporation and organization to identify and manage risks of loss in ordinary times, formulate policies and measures, and collect information, with the aim of appropriately addressing and minimizing risks of major losses expected in its business activities. If an event that is likely to develop into a serious crisis occurs or is reported, a Crisis Management Committee, chaired by the CEO, will be organized to address and resolve that event and adopt measures to prevent the recurrence of similar events.
Moreover, to address various risks that are likely to have impacts on corporate management, we are working to enhance our risk management activities under the oversight of the Chief Risk Officer. We are also engaged in continuous risk management activities, including identifying risks that are likely to have impacts on corporate management, and discussing and devising measures to prevent the realization of significant risks.
The Internal Auditing Group, in an independent position, examines the status of the company's risk management through operational audits.
A risk assessment conducted in cooperation with an external research company in 2020 found neither major violations of compliance nor major injustices. As a result, it has been verified that the company has maintained a corporate climate and environment favorable for preventing such problems.
In the most obvious sense, effective information security assures the safety of our critical assets, protects individual privacy, and guards the integrity of our systems and infrastructure. In a broader sense, information security is the essential first ingredient in our evolution as a global society. Therefore, at Santen, we see information security as a strategic priority.
Santen is committed to implementing and maintaining an Information Security Management System (ISMS) based on ISO/IEC 27001. The main objective of the system is to guarantee the confidentiality, integrity and availability of the information required for the continuity of daily operations, for compliance with regulations, and for maintaining strategic competitive advantage. To implement and operate this management system, Santen:
Top management's support, commitment and accountability are vital in ensuring information security implementation and achieving the Information Security Management System's intended results.
At Santen, the Chief Digital & Information Officer (CDIO) acts as Chief Information Security Officer (CISO) and is accountable for the global information security strategy and its execution.
In this role, the CDIO reports directly to the Chief Executive Officer (CEO) and the Board of Directors (BoD) and is responsible for maintaining the security governance framework, focusing on information and business risks, concentrating on the protection of critical business processes and applications, protecting classified information from disclosure, developing and maintaining an information security architecture, and ensuring that new systems are developed securely, as clearly stated in the 'Santen Global Information Security Policy'.
The CDIO is supported by the ISMS Committee, the governance body chaired by the Global Head of Information Security and consisting of several critical stakeholders. The ISMS Committee meets on a regular basis to make strategic decisions and to perform the other key responsibilities listed below, and reports identified risks and decisions to the CDIO, CEO and BoD:
Our security education and awareness program expects all employees to take ownership of our security practices. We train all new employees on information security policies and detailed rules.
The online IT security awareness training in FY2021 had a completion rate of 96%. The following topics are some examples covered in the training:
The online OT security awareness training in FY2021 had a completion rate of 98%. The following topics are some examples covered in the training:
As phishing is one of the most effective and widespread techniques used by cyber criminals, Global Information Security introduced a new phishing training approach to drive a more secure corporate culture, founded on employee behavior that reduces the risk posed by the human element.
The team launched an ongoing, global phishing gamification experience to encourage our colleagues to learn safer email habits in an engaging and playful way, while making sure they are part of the incident response process.
The company aims to apply industry best practices in its information security policies and processes, and to invest in strategies commensurate with the changing nature of the security threat landscape. Some of the policies and procedures that guide our employees in their daily operations are listed below; all apply globally:
At Santen, third parties are treated as an extension of our Information Security Management System (ISMS), i.e. when Santen provides services to, or receives services from, a third-party supplier, the scope of our ISMS extends to that third party. Our information security policies, procedures and instructions enforced at Santen apply to all third parties that hold a relationship with us.
Before engaging with third parties, we perform information security risk assessments. Because third-party security risks are always evolving, continuous monitoring at regular intervals is vital; we monitor these risks through different tools and processes (such as Maturity Level Assessments and Cyber Risk Scorecards) throughout the entire vendor lifecycle, from onboarding to offboarding.
We at Santen believe that our mission is to continue delivering treatments for visual conditions to our patients around the world based on Santen's CORE PRINCIPLE, even in the event of emergencies, including the worldwide COVID-19 pandemic and the consequent adoption of lockdown measures in various cities and countries around the world. In addition, as a life science company that contributes to society, we place high importance on avoiding any act that could help to spread the virus, and on continuing our efforts toward future innovation in ophthalmic treatment even amid such an emergency. As an emergency measure, on January 28, 2020, we organized the Crisis Management Committee chaired by the President. We have since carried out various initiatives, including monitoring the situation at our business locations in Japan and abroad, devising countermeasures, and giving directions on their implementation.