This document has been created to define and help communicate the common policies for information confidentiality, integrity and availability to be applied across the entire Hutchison China MediTech Group, which includes Hutchison China MediTech Limited ("HCML"), its subsidiaries and jointly controlled entities ("HCML Group"). The purpose of this policy is to ensure business continuity by preventing and minimizing the impact of security risks within the HCML Group.
This Information Security Policy applies to all members of the HCML Group, including all business entities across all countries.
It applies to the creation, communication, storage, transmission and destruction of all different types of information within the HCML Group. It applies to all forms of information, including but not limited to electronic copies, hardcopy, and verbal disclosures whether in person, over the telephone, or by other means.
Not within the scope of this document is any information that is public knowledge.
Each person within the HCML Group has a responsibility to protect information.
Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of the information.
Access to corporate information shall be restricted with the effect that only those who have an evident business reason to access the information shall be granted access.
Organizational roles and responsibilities shall be identified in order to create, communicate, implement and govern the policy.
In addition to the specific roles and responsibilities identified here, it is the responsibility of each business entity management to see that the policies contained within this document are implemented within their domains.
The Head of Group Information Security (Senior Group Finance Manager of HCML) shall be responsible for:
1. Establishment and improvement of the information security culture across the HCML Group.
2. Management of the development, deployment and maintenance of the HCML Group information security policies.
3. Assurance of the status of information security across the HCML Group, including the status of the proper deployment of and compliance to the HCML Group's information security policies.
4. Coordination of activities related to significant security matters.
In particular, the Head of Group Information Security shall:
The management of each business entity shall appoint an Information Security Custodian (the Financial Controller of each business unit). The Information Security Custodian shall be responsible for:
1. Establishment and improvement of the information security culture in a business entity.
2. Ensuring the development & deployment of additional procedures and standards to support the HCML Group Information Security Policy and related policies, procedures and standards.
3. Assurance of the status of information security in a business entity, including the status of the proper deployment of and compliance with the HCML Group's Information security policies, procedures and standards.
4. Coordination of activities related to significant security matters.
The Information Security Custodian shall:
The management of each business entity shall ensure that every piece of HCML information is assigned an owner, referred to as "Information Owner". The term Information Owner in this document only applies to information security matters as related to this policy, and does not imply any form of legal ownership over the information.
In general, unless otherwise designated,
1. The creator of a piece of information shall be assumed to be the Information Owner.
2. For information received from external parties, the designated recipient shall be the default Information Owner.
The Information Owners are responsible to:
The Human Resources (HR) Department plays an essential role in managing security. HR has the responsibility to:
To manage and control access to information, business entity executives should consider formal classification and labeling of information, but having due regards to the needs of the business, cost (both internal and external) and practicality. Guidelines for Data Classification and Labeling are given in Appendix 1.
Information must be protected consistently, irrespective of where it resides, what form it takes, or what purpose it serves.
The management of each business entity, in consultation with the Information Security Custodian and in compliance with standards issued by the Head of Group Information Security, will establish and implement specific rules and guidelines for disclosure and receipt of any sensitive information, e.g., the issuance or signing of Non Disclosure Agreements, and handling of sensitive information received from external parties.
Changes related to information security processes, including system and procedural changes, must be properly approved, documented, and communicated to appropriate parties. Formal change control procedures should be implemented for confidential information.
Appropriate controls shall be established to balance access to information and supporting information resources against the associated risk.
The risks to information and information systems shall be periodically assessed.
Malicious code or software such as Trojans, logic bombs, and blended threats can cause serious damage, all employees must take care when accessing the Internet and using any forms of removable media to transfer information in/from HCML Group’s workstations, in order to mitigate the related risks.
All parties, with a need to know should have access to applied or available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information.
This Information Security Policy shall be communicated to all personnel to ensure that they understand this policy and their responsibilities under it.
All information security incidents shall be responded to expeditiously and effectively to ensure that any business impact is minimized and that the likelihood of experiencing similar incidents is reduced.
Information systems shall be designed and operated in such a way as to preserve the continuity of organizational operations.
All legal, regulatory, and contractual requirements pertaining to information security must be considered and addressed.
Each business entity shall take due care in implementing information security measures to comply with applicable laws and information privacy policies of the HCML Group.
Policies and supporting standards, baselines, procedures, and guidelines shall be developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and the level of risk each individual or organizational entity is authorized to assume.
Exceptions to this policy may sometimes be required for business or practical purposes. This must be authorized by the person in charge of the business entity on the advice of the Information Security Custodian and after approval by the Head of Group Information Security.
Violations of the Information Security Policy are considered to be serious infractions and will be dealt with appropriately, with an emphasis on prevention of future infractions.
All information should be classified according to its level of sensitivity. Five default categories are suggested. They are:
These classifications have been designed to protect information from unauthorized disclosure, use, modification or deletion, based on 'need to know' policy, i.e. access to corporate information shall be restricted with the effect that only those who have an evident business reason to access the information shall be granted access.
Information which is not specifically classified should be scrutinized to ascertain the classification, and if this cannot be done then the information should by default be deemed to be classified as Internal Use, and therefore should be treated accordingly.
In this appendix:
"Public" classification applies to information that has been explicitly approved by the management of the relevant business entity for disclosure to the public outside of the HCML Group.
"Internal Use" classification applies to information that, if disclosed inadvertently or without authorization, could have negative consequences for the business unit, the sub-group or HCML Group and may induce costs in redressing those consequences.
Internal Use information shall not be disclosed to anybody outside of the HCML Group without prior approval by the Information Owner. If the Internal Use information has any access control list, it shall not be disclosed to any other persons outside such access restriction without prior approval by the Information Owner. Internal Use information without an access control list may be disclosed within the HCML Group.
Information Owner may also impose additional disclosure or handling restrictions to Internal Use information. Additional restrictions must not weaken the basic disclosure rules stated in this document.
"Departmental" information can be freely shared with members of the owning department. Sharing such information with individuals outside of the owning department requires authorization by the appropriate Information Owner.
"Confidential" classification applies to information that, if disclosed inadvertently or without authorization, could have significant negative consequences for the business unit, the sub-group or HCML Group and may induce significant costs in redressing those consequences.
Confidential information should always have a distribution list or access control list, and should not be disclosed to any persons outside such distribution list or access control list without prior approval by the Information Owner. In the absence of an access control list, the distribution list is deemed to be the access control list. In the absence of both the distribution and access control lists, Confidential information shall not be disclosed to anybody without prior approval by the Information Owner.
Information Owner may also impose additional disclosure or handling restrictions to Confidential information. Additional restrictions must not weaken the basic disclosure rules stated in this document.
In addition, Confidential information must be further protected against deliberate and inadvertent unauthorized disclosure in its handling, including display, storage, transmission and disposal.
"Highly confidential" information can only be shared on a "need to know" basis with a limited number of individuals who have been identified by the appropriate Information Owner.
Due to the diversity of HCML Group business and local legislative, HCML Group business units should further take into the account of their business needs, the compliance to various legislation and industry requirements to set up the desirable categories. However, the ultimate categories shall be able to be mapped into the 5 default categories and shall not violate or contradict to the principles set out in this policy.
Management of business entities is responsible for assessing, designing and implementing applicable specific procedures for information labeling for their respective business entities. However, such activity should be justified and supported by the following criteria:
1. It is required by local legislation, or
2. Without other alternatives, individual labeling is the only way that stakeholders could aware of the sensitive of the information, and:
If a business entity does decide to go ahead with labeling, the following rules should apply: