Information Security

Purpose

The Information Security statement outlines how Norgine places significant importance on information security, which encompasses cybersecurity measures aimed at protecting Norgine assets against external threats and potential insider threats. The company’s cybersecurity strategy focuses on the identification, analysis, and response to known, expected, unknown and unforeseen cyber threats, effective management of cyber risks, and resilience in the face of cyber incidents.


Scope

This document applies to all Norgine-issued and BYOD mobile devices managed by Intune, including but not limited to laptops, smartphones and tablets.

This document, developed in accordance with international information security standards and recommendations (e.g. ISO 27001), outlines the essential information security principles that must be followed by all Norgine personnel and assimilated personnel (contractors, third parties, trainees, consultants).

The primary objective of Norgine’s Information Security approach is to determine “what requires protection” and “what protective measures need to be implemented” at the highest level and across all business operations. This statement articulates the perspectives, goals, regulations, and procedures related to information security, data privacy, and the supervision of how information and information assets are handled, safeguarded, and utilised. These controls and processes apply to both technical and non-technical aspects.


Definitions & Abbreviations

Also refer to the Glossary for standard definitions and abbreviations.

IR: Incident Response
SOC: Security Operations Centre
ERT: Emergency Response Team
CSIRT: Computer Security Incident Response Team
BYOD: Bring Your Own Device
ISO 27001: International standard for managing information security


Responsibilities

Incident Response Team: owns the incident from triage to resolution
Service Desk: first-line responders who acknowledge the incident and engage the ERT and CSIRT teams


Procedure

Compliance

Norgine has implemented appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements related to the use of proprietary software products. Norgine is subject to EU and UK General Data Protection Regulation (GDPR) and has committed to improving security compliance in accordance with ISO 27001.

Physical Security

Norgine defines security perimeters to protect areas containing sensitive or critical information and information processing facilities, whether onsite, at outsourced data centres or offices. These perimeters are determined by the security needs of the assets and risk assessments. Physically robust measures, such as solid construction of roofs, walls, and floors, protection of external doors, and window security, especially at ground level, are used. Access to sites and buildings is restricted to authorised personnel only.

Network Security

Norgine employs network segregation as a security measure. This segregation is based on trust levels (e.g., public access, desktop, server), organisational units (e.g., HR, finance, marketing), or a combination of both. Physical or logical networks (e.g., virtual private networking) may be used for this purpose, with well-defined perimeters for each domain. Access between domains is permitted but controlled through gateways like firewalls or filtering routers.

Data Encryption

Norgine uses data encryption technologies based on security standards to secure its backups, networks and communications where appropriate and feasible. Encryption keys related to encrypted archives or digital signatures are stored so that records can be decrypted throughout the retention period. Controls are also in place for compliance with all relevant agreements, legislation and regulations, including restrictions on the import or export of computer hardware and software that performs cryptographic functions.

Logging and Monitoring

Norgine has established a Security Operations Centre (SOC) dedicated to the logging and monitoring of critical events, such as unsuccessful login attempts, administrative actions, and changes in user activity. The management of log files strictly follows the principle of granting the “write” access privilege solely to application processes, while system accounts are limited to “read” access. Logs are retained in accordance with Norgine’s records retention policy, as well as in compliance with legal and regulatory obligations, with a minimum retention period of 30 days.

Personnel

Norgine performs pre-employment background checks in compliance with relevant laws and regulations. Furthermore, the company shares its information security guidelines with worldwide personnel, who are required to read and understand these policies. Norgine also conducts training on data protection and security for its employees.

Operational procedures and responsibilities

Norgine has established formal procedures governing a range of operational activities related to information processing and communication facilities, encompassing functions like backup, equipment maintenance, media handling, computer rooms and mail management, and safety. These procedures provide detailed instructions for system installation, configuration, information processing, backup, scheduling, error handling, support contacts, special output and media handling, system restart, recovery, and the monitoring of audit trails and system logs. Considered formal documents, any changes to these procedures require relevant management authorisation, with the Vice President of Information Technology holding ultimate responsibility for maintaining operational security.

Asset Management

The infrastructure team and appointed partners are responsible for maintaining an up-to-date inventory of the company’s information processing assets including websites and associated chat bots. Management teams, whose assets are managed by the Service Desk, have delegated responsibilities for acquiring, managing, and reporting on their IT assets and utilising a central IT asset management system. This inventory encompasses all equipment purchased with company funds, excluding consumables, and is considered firm property. The IT Operations team keeps a record of critical assets essential for the company’s effective operation, facilitating the risk assessments by the Norgine Cyber Security Team.

Information Security Incident Management

Information security incidents at Norgine are addressed following established procedures, which involve promptly collecting evidence, conducting forensic analysis when needed, escalating the incident as necessary, ensuring thorough logging of response activities and communicating relevant incident details to internal and external parties with a need-to-know basis. Additionally, any identified information security weaknesses contributing to the incident are addressed, and once the incident is resolved, it is formally closed and documented. Post-incident analysis is conducted as required to pinpoint the incident’s source and prevent future occurrences.

Breach Notification

Although no method of online transmission or electronic storage is without risk, Norgine is dedicated to informing affected users of security breaches that may affect them without undue delay. Norgine’s breach notification procedures align with legal requirements and industry standards. Norgine is committed to keeping interested stakeholders well-informed about account security matters and helping them meet regulatory reporting obligations.

Information Security Aspects of Business Continuity Management

Norgine has established its information security requirements and ensures the continuity of information security management in adverse situations, such as crises or disasters. Key stakeholders within the organisation integrate information security continuity into the business continuity management and disaster recovery processes. Information security needs are addressed when planning for business continuity and disaster recovery.

Vulnerability Management and Penetration Tests

Norgine has a comprehensive vulnerability management programme in place. This programme involves routine scans to detect and address security vulnerabilities across servers, workstations, network equipment, and applications. Norgine engages trusted third-party vendors to scan all networks, including both test and production environments. Priority is given to applying critical patches on servers and desktops, and other patches are applied as needed. Additionally, Norgine performs regular external penetration tests and takes appropriate action to address any identified issues based on their severity.


Norgine
Cookie Policy

Last update: 1 August 2023

What are cookies?

Cookies are small data files that websites download to a user’s computer, phone or tablet. Most web browsers automatically accept cookies. They help website providers, for example, to recognise a user that has visited a website previously. Further details on the cookies used on this Website and their purposes are set out below.

  • Helping you navigate the Website in the easiest way possible
  • Assisting in registering for our events, login and your ability to provide feedback
  • Analysing site usage (how many users visited a specific page for example)
  • Analysing the use of our products, services or applications
  • Assisting with our promotional and marketing efforts (including behavioural advertising)
  • Offering content of third parties (such as social media content)

Detailed information about each cookie can be found in the appropriate cookie category section of the banner as well as in the section below.


Cookie Category Description

STRICTLY NECESSARY COOKIES

The strictly necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You may be able to decline these cookies through your browser, but necessary parts of the site will not then work. These cookies do not store any personally identifiable information.


Detailed list of Strictly Necessary Cookies


FUNCTIONAL COOKIES

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.


Detailed list of Functional Cookies


PERFORMANCE COOKIES

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.


Detailed list of Performance Cookies


MARKETING COOKIES

These cookies are used to track our visitors’ browsing habits. They can be used to build up a profile of search and/or browsing history for every visitor. Identifiable or unique data is collected to show relevant/personalised marketing content to each user. The information that uniquely identifies users’ browsers and internet devices is used to display targeted advertising and/or is shared with third parties for the same purpose.


Detailed list of Marketing Cookies


Refusing cookies

You do not have to accept cookies, but without accepting them you may experience reduced Site functionality. You can manage your preferences regarding cookies and other tracking technologies and revoke your consent in the banner. You can withdraw your consent at any time. If you would like more information about deleting, disabling and blocking cookies, please visit the website: https://knowcookies.com and check the “manage cookies” and “webmasters guide” sections.


Updating our Cookie Policy

We may update the cookie policy on this website in accordance with legal and technical requirements. We therefore recommend that you read this policy occasionally so that you are adequately informed about how and for what purposes we use cookies.


Contact

If you have any questions about this Cookie Policy or the collection, processing and disclosure of your personal data and your data protection rights, please see our Privacy Policy.