Information Security

Purpose

The Information Security statement outlines how Norgine places significant importance on information security, which encompasses cybersecurity measures aimed at protecting Norgine assets against external threats and potential insider threats. The company’s cybersecurity strategy focuses on the identification, analysis, and response to known, expected, unknown and unforeseen cyber threats, effective management of cyber risks, and resilience in the face of cyber incidents.

Scope

This document applies to all Norgine-issued and BYOD mobile devices managed by Intune, including but not limited to laptops, smartphones and tablets.

This document, developed in accordance with international information security standards and recommendations (e.g. ISO 27001), outlines the essential information security principles that must be followed by all Norgine personnel and assimilated personnel (contractors, third parties, trainees, consultants).

The primary objective of Norgine’s Information Security approach is to determine “what requires protection” and “what protective measures need to be implemented” at the highest level and across all business operations. This statement articulates the perspectives, goals, regulations, and procedures related to information security, data privacy, and the supervision of how information and information assets are handled, safeguarded, and utilised. These controls and processes apply to both technical and non-technical aspects.

Definitions & Abbreviations

Also refer to the Glossary for standard definitions and abbreviations.

IR – Incident Response
SOC – Security Operations Centre
ERT – Emergency Response Team
CSIRT – Computer Security Incident Response Team
BYOD – Bring Your Own Device
ISO 27001 – International standard for managing information security

Responsibilities

Incident Response Team – Owns the incident from triage through to resolution
Service Desk – First-line responders; acknowledge the incident and engage the ERT and CSIRT teams

Procedure

Compliance

Norgine has implemented appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements related to the use of proprietary software products. Norgine is subject to EU and UK General Data Protection Regulation (GDPR) and has committed to improving security compliance in accordance with ISO 27001.

Physical Security

Norgine defines security perimeters to protect areas containing sensitive or critical information and information processing facilities, whether onsite, at outsourced data centres or offices. These perimeters are determined by the security needs of the assets and risk assessments. Physically robust measures, such as solid construction of roofs, walls, and floors, protection of external doors, and window security, especially at ground level, are used. Access to sites and buildings is restricted to authorised personnel only.

Network Security

Norgine employs network segregation as a security measure. This segregation is based on trust levels (e.g., public access, desktop, server), organisational units (e.g., HR, finance, marketing), or a combination of both. Physical or logical networks (e.g., virtual private networking) may be used for this purpose, with well-defined perimeters for each domain. Access between domains is permitted but controlled through gateways like firewalls or filtering routers.

Data Encryption

Norgine uses data encryption technologies based on security standards to secure backups, networks and communications where appropriate and feasible. Encryption keys related to encrypted archives or digital signatures are retained so that records can be decrypted throughout the retention period. Controls are also in place for compliance with all relevant agreements, legislation and regulations, including restrictions on the import or export of computer hardware and software that perform cryptographic functions.

Logging and Monitoring

Norgine has established a Security Operations Centre (SOC) dedicated to the logging and monitoring of critical events, such as unsuccessful login attempts, administrative actions, and changes in user activity. The management of log files strictly follows the principle of granting the “write” access privilege solely to application processes, while system accounts are limited to “read” access. Logs are retained in accordance with Norgine’s records retention policy, as well as in compliance with legal and regulatory obligations, with a minimum retention period of 30 days.

Personnel

Norgine performs pre-employment background checks in compliance with relevant laws and regulations. Furthermore, the company shares its information security guidelines with worldwide personnel, who are required to read and understand these policies. Norgine also conducts training on data protection and security for its employees.

Operational procedures and responsibilities

Norgine has established formal procedures governing a range of operational activities related to information processing and communication facilities, encompassing functions like backup, equipment maintenance, media handling, computer rooms and mail management, and safety. These procedures provide detailed instructions for system installation, configuration, information processing, backup, scheduling, error handling, support contacts, special output and media handling, system restart, recovery, and the monitoring of audit trails and system logs. Considered formal documents, any changes to these procedures require relevant management authorisation, with the Vice President of Information Technology holding ultimate responsibility for maintaining operational security.

Asset Management

The infrastructure team and appointed partners are responsible for maintaining an up-to-date inventory of the company’s information processing assets including websites and associated chat bots. Management teams, whose assets are managed by the Service Desk, have delegated responsibilities for acquiring, managing, and reporting on their IT assets and utilising a central IT asset management system. This inventory encompasses all equipment purchased with company funds, excluding consumables, and is considered firm property. The IT Operations team keeps a record of critical assets essential for the company’s effective operation, facilitating the risk assessments by the Norgine Cyber Security Team.

Information Security Incident Management

Information security incidents at Norgine are addressed following established procedures, which involve promptly collecting evidence, conducting forensic analysis when needed, escalating the incident as necessary, ensuring thorough logging of response activities, and communicating relevant incident details to internal and external parties on a need-to-know basis. Additionally, any identified information security weaknesses contributing to the incident are addressed, and once the incident is resolved, it is formally closed and documented. Post-incident analysis is conducted as required to pinpoint the incident’s source and prevent future occurrences.

Breach Notification

Although no method of online transmission or electronic storage is without risk, Norgine is dedicated to informing affected users of security breaches that may affect them without undue delay. Norgine’s breach notification procedures align with legal requirements and industry standards. Norgine is committed to keeping interested stakeholders well-informed about account security matters and helping them meet regulatory reporting obligations.

Information Security Aspects of Business Continuity Management

Norgine has established its information security requirements and ensures the continuity of information security management in adverse situations, such as crises or disasters. Key stakeholders within the organisation integrate information security continuity into the business continuity management and disaster recovery processes. Information security needs are addressed when planning for business continuity and disaster recovery.

Vulnerability Management and Penetration Tests

Norgine has a comprehensive vulnerability management programme in place. This programme involves routine scans to detect and address security vulnerabilities across servers, workstations, network equipment, and applications. Norgine engages trusted third-party vendors to scan all networks, including both test and production environments. Priority is given to applying critical patches on servers and desktops, and other patches are applied as needed. Additionally, Norgine performs regular external penetration tests and takes appropriate action to address any identified issues based on their severity.

Related Documents

Document ID   Document Title
POL-000015    IT Security Policy

References

  • NIST SP 800-61: Computer Security Incident Handling Guide – Norgine uses the computer incident categories defined in this industry-recognised standard.
  • ISO/IEC 27035:2011 – Information technology – Security techniques – Information security incident management
  • Association of Chief Police Officers (ACPO, now the NPCC) Good Practice Guide for Computer-Based Electronic Evidence

http://www.cert.org/incidentmanagement/publications/

Appendices

Not applicable

Document History

Version   Effective Date (superseded versions)   Summary of Changes
1.0                                              New document