Information, Product, and Cyber Security Policy
Article 1: Purpose
¶¶Òõpro is committed to providing products and services that are essential to healthcare services and that help make people's lives healthier, safer, and more fulfilling.
To help make this possible, ¶¶Òõpro strengthens the cyber resiliency of ¶¶Òõpro' products and services throughout the product life cycle, and the cyber resiliency of ¶¶Òõpro' business operations, including enterprise systems.
The purpose of the "Information, Product and Cyber Security Policy" (hereinafter referred to as the "Policy") is to clarify the principles for ¶¶Òõpro to strengthen cyber resiliency.
Article 2: Scope of application
This policy shall cover ¶¶Òõpro' information, product, and cyber security. It shall apply to all ¶¶Òõpro' products, services, all information assets related to information security, and all users authorized to access ¶¶Òõpro' systems and data, including but not limited to employees, contractors, subcontractors, and other third parties.
Article 3: Definition of terms
No. | Terminology | Definition |
---|---|---|
1 | Cyber resiliency | The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources. |
2 | Information assets | Systems, programs, data, or other knowledge that are valuable to ¶¶Òõpro. E.g., processes, trade secrets, data used in development and manufacturing, customer data, and personal data; created by ¶¶Òõpro or received from third parties in business activities. |
Article 4: Information, product, and cyber security risk awareness and leadership
¶¶Òõpro shall recognize information, product, and cyber security risk as one of the key risks that could seriously impact our business and healthcare services in which our products and services are involved.
Article 5: Establishment of a management system for information, product, and cyber security risks
¶¶Òõpro shall establish an information, product, and cyber security management system based on the corporate strategies. In doing so, it shall be consistent with the risk management systems of other functions of ¶¶Òõpro.
¶¶Òõpro will follow industry best practices to continuously improve information, product, and cyber security levels.
Article 6: Implementation of information, product, and cyber security management
¶¶Òõpro shall conduct information, product, and cyber security risk assessments, and establish and implement a security management process to develop plans to reduce identified security risks, monitor implementation status, and improve plans.
¶¶Òõpro' employees shall be knowledgeable about information, product, and cyber security and take appropriate actions to protect the information assets of the ¶¶Òõpro group.
Article 7: Supply chain security
¶¶Òõpro shall identify information, product and cyber security risks in the supply chain and cooperate with supply chain partners to implement security risk management that does not stop healthcare services.
Article 8: Establishment of a structure to prepare for and respond to incidents
¶¶Òõpro shall organize a structure and management process to proactively detect and discover vulnerabilities in our products or services.
¶¶Òõpro shall organize a management system to provide appropriate distribution of remediation or mitigation and information disclosure in a timely manner whenever a vulnerability is identified in our products and services.
¶¶Òõpro shall organize an emergency response structure in case of an incident.
¶¶Òõpro shall develop a recovery plan and response process for rapid business recovery and confirm and review its effectiveness through exercises.
Article 9: Communication with healthcare industry
¶¶Òõpro shall collaborate with customer healthcare institutions, business partners, as well as industry associations and government agencies, to proactively disclose and share information and conduct training to strengthen our ability to resist cyber threats.