Information Security

In the most obvious sense, effective information security assures the safety of our critical assets, protects individual privacy, and guards the integrity of our systems and infrastructure. In a broader sense, information security is the essential first ingredient in our evolution as a global society. Therefore, at Santen, we see information security as a strategic priority.

Information Security Management

Santen is committed to implementing and maintaining an Information Security Management System (ISMS) based on ISO/IEC 27001. The main objective of the system is to guarantee the confidentiality, integrity and availability of the information required for the continuity of daily operations, for regulatory compliance and for maintaining strategic competitive advantage. To implement and operate this management system, Santen:

  • Develops a clear, comprehensive security vision and implements metrics relevant to business outcomes,
  • Implements an efficient and effective Information Security Risk Management methodology to eliminate or reduce risks affecting processes, and allocates the resources necessary to mitigate information security risks to an acceptable level. The methodology addresses uncertainties around valuable assets to ensure the desired business outcomes are achieved,
  • Conducts education programs and awareness training activities regularly in order to make employees, contractors and business partners aware of their roles and responsibilities regarding Information Security,
  • Provides business continuity for critical processes by developing and maintaining a business continuity framework, plans and systems,
  • Complies with, and continuously seeks to improve on, all applicable information security related laws, market regulations, contractual obligations, industry standards and other related internal and external requirements,
  • Takes appropriate actions to manage and prevent information security policy violations,
  • Continually improves the ISMS by setting security control objectives and performing regular internal audits and gap assessments,
  • Ensures that all employees comply with ISMS policies, detailed rules and controls.

Information Security Governance

Top Management's support, commitment and accountability are vital in ensuring information security implementation and achieving the Information Security Management System's intended results.

At Santen, the Global Head of Digital & Information Technology acts as Chief Information Security Officer (CISO) and is accountable for the global information security strategy and its execution.

The responsibilities of this role range from maintaining the security governance framework, focusing on information and business risks, concentrating on the protection of critical business processes and applications, and protecting classified information from disclosure, to taking responsibility for developing and maintaining an information security architecture and ensuring that new systems are developed securely, as clearly stated in the 'Santen Global Information Security Policy'.

In this role, the Global Head of Digital & Information Technology is supported by the Global Head of Information Security, and he reports to the Chief Financial Officer, the Chief Executive Officer and the Board of Directors.

To support the execution of the ISMS, the Global Head of Information Security meets with the critical technical and business stakeholders on a regular basis to make strategic decisions and perform the key responsibilities listed below. The Global Head of Information Security then reports the identified risks and decisions to the Global Head of Digital & Information Technology:

  • Approve enterprise-wide key decisions affecting the information security status of Santen,
  • Create a pragmatic, risk-aware culture where information security is subconsciously considered across all aspects of business,
  • Promote timely decision-making about information risks by monitoring Santen's exposure to information security threats, and making recommendations to the governance body,
  • Monitor security performance using information that is timely and accurate (Key Performance Indicators and Key Risk Indicators),
  • Report to stakeholders about risks identified and progress of information security-related projects and initiatives.

Security Awareness Training

Information technology (IT)

Our security education and awareness program expects all employees to take ownership of our security practices. We train all new employees on information security policies and detailed rules.

The online IT security awareness training in FY2023 had a completion rate of 95%. The topics below are some examples of those covered in the training:

  • Understanding the importance of 'information security'
  • Understanding the security threats and how to prevent information security incidents
  • The responsibilities of the employees
  • Specific information security measures that help employees in their daily activities
  • Understanding mobile device risks
  • Measures against malware
  • E-mail and internet acceptable usage
  • Information classification and handling

Operational technology (OT)

The online OT security awareness training in FY2023 had a completion rate of 99%. The topics below are some examples of those covered in the training:

  • Understanding the importance of 'information security' and the difference between OT and IT
  • Understanding the security threats and how to prevent information security incidents
  • Business continuity
  • Physical and environmental security
  • Network isolation and access controls
  • Change management
  • Third party risks and management

Global Phishing Gamification

As phishing is one of the most effective and widespread techniques used by cyber criminals, Global Information Security developed an AI-based global phishing training approach to drive a more secure corporate culture, founded upon employee behavior that reduces the risk from the human element.

The team provides an ongoing phishing gamification experience globally to encourage our colleagues to learn safer email habits in an engaging and playful way, while making sure they are part of the incident response process.

Security Policies and Procedures

The company aims to apply industry best practices as part of our information security policies and processes, and to invest in strategies that are commensurate with the changing nature of the security threat landscape. Some of the policies and procedures that provide guidance to our employees in their daily operations include the following (all apply globally):

  • Information Security Policy
  • Information Security Detailed Rules
  • Security Incidents Management Procedure
  • Major Security Incidents Management Procedure
  • Data Classification and Handling Policy
  • Encryption Procedure
  • Backup and Restore Procedure
  • Access Management Procedure
  • Mobile Device Management Procedure
  • Data Transfer Procedure
  • Log Management Procedure
  • Information Security Risk Management Procedure
  • Patch Management Procedure
  • Generative AI Acceptable Usage Policy

Third Party Security Risk Management

At Santen, third parties are treated as an extension of our Information Security Management System (ISMS), i.e. when Santen provides services to or receives services from a third-party supplier, the scope of our ISMS extends to that third party. Our information security policies, procedures and instructions enforced at Santen are applicable to all third parties who hold a relationship with us.

Before engaging with third parties, information security risk assessments are performed. As third-party security risks are always evolving and continuous monitoring at regular intervals is vital, we monitor the security risks via different tools and processes (such as Maturity Level Assessments and Cyber Risk Scorecards) throughout the entire vendor lifecycle, from onboarding to off-boarding.