S&C Electric Company 2024 Sustainability Report

Enterprise Risk Management

Our Enterprise Risk Management (ERM) program identifies, monitors, and manages internal and external business risks. Risk identification, assessment, and monitoring are designed to facilitate effective decision-making and drive business performance. In addition to our ERM, S&C’s information technology risk management team focuses on overseeing cybersecurity and protecting our operations, sensitive information, and customer data. The board reviews cybersecurity matters and strategy on a quarterly basis. The corporate cybersecurity council, with senior leadership representation, meets monthly to review all elements of our cybersecurity strategy, key risk indicators, and the latest cyber-related events.

Cybersecurity

S&C’s cybersecurity program governs the handling, storage, and deletion of all printed and digital information regarding business activities. Team members are required to manage private and confidential information with care and in accordance with our documented processes and all applicable laws and regulations. We require personal or confidential information to be properly safeguarded and used for business purposes only. This includes nonpublic or private information about S&C, as well as our team members, customers, suppliers, and contractors. All team members are also responsible for adhering to our privacy and cybersecurity policies. Each team member with access to external internet and email is required to complete cybersecurity awareness training. Formal, role-based training is provided to team members as needed.

In 2024, we worked to mature our management of cybersecurity risk and continue aligning our policies with the International Organization for Standardization (ISO) 27001. Specific areas of focus included improving our incident response plan (IRP), streamlining our security alert processing, mitigating our exposure to system vulnerabilities, and enhancing our processes and controls for access management and software updates. We also conducted an IT system audit to conform with ISO 27001 and validate enhancements to our information security management system (ISMS). To meet and exceed the requirements of ISO 27001, we instituted corrective action plans as needed to strengthen our supplier risk management process and data classification standards. In addition, we are conducting strict reviews of policies that govern our IT practices and processes.
