UPONOR NORTH AMERICA
Cyber security policy
Purpose of this document
This policy sets out the key responsibilities and activities for protecting Uponor business and information assets from cyber risks.
Cyber security means ensuring the confidentiality, integrity and usability of information, regardless of its mode of presentation. This policy defines the basic requirements for information security and provides a basis for planning and implementing policy activities. The cyber security policy is binding for all Uponor personnel.
Cyber security policy
Cyber security is implemented and developed by using risk management principles. The Cyber security policy is reviewed annually by ExCom or IT Steering Committee and approved by ExCom.
This Cyber security policy, together with Uponor's values, the Code of Conduct, risk management and personal data protection policies, is a key part of Uponor's corporate governance.
Objective
The objective of security management is to ensure the continuity of Uponor Corporation’s business operations in all circumstances and to protect confidentiality, integrity and availability of business critical information. Uponor’s services and internal operations must comply with local and other applicable legislation, and fulfil customer agreements and other interest group demands and expectations on safety and security.
Uponor will
- Preserve the confidentiality, integrity and availability of Uponor's and its customers’ information and other assets.
Each employee is responsible for complying with required safety and security measures in their work assignments.
Continuity of services and compliance with customers’ industry specific requirements are essential for business. Due to these characteristics, additional guidelines and instructions have been issued to control cyber security risks in Uponor.
Key responsibilities relating to information and cyber security
Key roles and their responsibilities:
- CEO is responsible for ensuring that Uponor has effective cyber security as part of the risk management system and that it is provided with adequate resources.
- Cyber Security Manager is responsible for the overall operational management, development and guidance on cyber security. This includes policies, guidelines, end user training and awareness. Cyber security will facilitate and conduct an annual cyber risk assessment and report results to Uponor Risk Management.
- Business Segment management teams are responsible for ensuring that risk management practices are implemented and executed within the segment.
- Uponor Information Technology is responsible for designing and implementing the required security controls for Uponor IT infrastructure.
- Line managers are responsible for ensuring that their team members have received the cyber security training and that the required work instructions and access rights are in place and up to date.
- Every employee of Uponor is responsible for following the given cyber security policies, guidelines and instructions and for reporting any suspicious activity they might encounter.
Cyber security controls
The key controls listed in this policy will be the principal domains for controlling cyber risks. These domains will be supplemented with additional guidelines and instructions to guide and support the required risk mitigation work.
- Risk management
Cyber risks are regularly assessed and analysed based on their business impact. The risk assessment must also be prepared during the definition phase of new systems or whenever there is a major change within the system.
- Classification of information
Uponor has an information classification system. The classification level of the information sets the requirements on how information must be protected in transit and at rest.
- Cyber security training
Every Uponor employee receives periodic cyber security awareness training. The completion of the training is monitored. In addition, cyber security training is provided for selected target groups.
- Processing of personal data
The personal data protection policy and guidelines define how customer, employee and other data subjects’ personal data are processed at Uponor.
- Security incident management
Uponor has procedures for managing security incidents. Security breaches are reported to the management.
- Security breaches
Acting against or failure to comply with the cyber security policy and applicable guidelines and instructions shall be considered and sanctioned as a security breach.