Secure Processes and Procedures
Information security is more than just installing the latest security tools or patching systems. Secure business processes and procedures are paramount to the security of our environment. Thermo Fisher Scientific maintains robust procedures in several key areas including: change management, data backup, and security incident management.
All changes to production systems, whether software, hardware, or network, must follow a standardized change management process. The process is maintained within a change management system validated to 21 CFR Part 11 Electronic Document Management standards.
Performing backups is an effective way to safeguard against the risk of losing data due to technical, human, or environmental factors. All critical systems are regularly backed up according to industry best practices, with backup frequency and retention based on the criticality and security requirements of the information involved. Backups consist of a combination of on-site, off-site, and cloud-based solutions, providing a comprehensive backup strategy for our data.
Security incident management
100% prevention of security incidents is the ideal standard, but the reality of information security today is that security incidents can occur due to new or unforeseen circumstances. Our fully staffed Security Operations Center continuously monitors our environment through a variety of automated and analyst-driven processes, resulting in quick detection of and response to potential security incidents. Our security incident management processes include:
- Threat intelligence gathering and analysis
- Aggregation and analysis of system logs
- Emergency response management
- Email/phone support for reporting incidents
- Proactive threat hunting
Governance and monitoring
The information security program and its policies are aligned with the International Organization for Standardization (ISO) framework. Input has also been incorporated from the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Audits are conducted both internally and externally on an annual basis to ensure the program remains adequate.
Regulatory responsibility and program compliance
Thermo Fisher Scientific has information security compliance requirements that span several regulations, regions, and countries, and include the following:
- The Sarbanes-Oxley Act of 2002 (SOX)
- ISO 27001:2013
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Regulation (EU) 2016/679 of The European Parliament and of the Council (General Data Protection Regulation)
- Payment Card Industry (PCI) Data Security Standard, Version 3.2