Effective information security can assure the safety of our company's and stakeholders' critical assets, safeguard individual privacy, and protect systems and infrastructure. Santen considers information security an essential element for the evolution of global society and treats it as a strategic priority.
To enhance information security and respond to the latest threats, support, commitment, and accountability from top management are essential. At Santen, the Chief Digital & Information Officer, who has a background in information security, serves as the Chief Information Security Officer (CISO) and is responsible for the global information security strategy and its execution.
The CISO's roles and responsibilities, as outlined in the "Information Security Policy", include maintaining the security governance and framework, focusing on information and business risks, protecting critical business processes and applications, managing information assets such as confidential information, maintaining and developing the information security system, and ensuring that new systems are developed and operated securely. In this role, the CISO reports to the board of directors on day-to-day security efforts and the status of security risks.
Given the changing security threat landscape and the need for rapid incident response and recovery, Santen continuously reviews and improves its security management system, processes, and measures using a global standard security framework to further enhance security.
As an incident response organization, Santen has established a CSIRT(*), the Santen Security Incident Response Team (Santen-SIRT), centered around the CISO, to prepare for information security incidents in collaboration with relevant internal departments and external parties.
Based on the global security framework, we identify critical assets for business continuity, understand the impact of cyberattacks and system failures, review backup plans for recovery, document recovery procedures, and conduct training for recovery.
In collaboration with the Risk Management Committee, we continuously review business continuity plans and the communication methods to be used in the event of a security incident.
We regularly run vulnerability scans, using vulnerability management tools, against assets exposed to the external environment, and continuously work to identify and remediate the vulnerabilities found.
We also use specialized threat intelligence tools to monitor Santen’s asset information for potential risks.
For systems published on the internet, vulnerability testing is mandatory prior to release, and, depending on the assessed risk, the tests are conducted by external experts.
In collaboration with the internal Risk Management Committee and the Internal Auditing Group, we continuously review the implementation and management of various security initiatives.
We also regularly conduct external audits of information security using security vendors and external consultants, planning and implementing measures for findings.
Audits are conducted regularly using global security frameworks and best practices, adapting to new risks.
Suspicious emails, such as phishing emails, which are likely attack vectors for employees, can be reported to the information security team using a company-wide dedicated tool. We have also implemented a process in which reported content is automatically investigated.
For information security incidents, we raise awareness of how to report to the information security team as part of our security training. Incidents reported to the help desk are also escalated.
Information on threats deemed high-risk to employees is communicated through company-wide portals, including specific attack examples and countermeasures.
Information security training for employees is conducted using a combination of the following three types of training: