Trust is the foundation of our relationship with our employees, patients, healthcare professionals, and suppliers.  That trust requires that we handle the information we obtain from these relationships with the highest degree of respect and care.

Amgen relies on information systems to operate its business, including the collection, compliant management, and retention of personal data entrusted to us by patients, customers, employees, and others. Helping to ensure our continued access to data allows Amgen to develop and deliver products and solutions that provide value to patients worldwide in terms of improved health outcomes.

Amgen is committed to complying with all applicable laws and regulations in the collection, management and use of personal information it receives, as well as taking appropriate steps to ensure that it is protected.

Our Chief Information Security Officer (CISO) is responsible for developing and executing our enterprise-wide information security strategy and our enterprise-wide cybersecurity and records and information management programs. Our strategy and programs are aligned with internationally recognized industry standards including ISO/IEC 27002 (Information Technology – Security Techniques – Code of practice for information security controls).  Our CISO also oversees the development, implementation, and maintenance of Amgen's information security infrastructure and monitoring, detection, analysis, event handling, and containment of security incidents.

Our CISO works closely with our Head of Global Privacy and Data Protection. This role oversees our Global Privacy Compliance team, which maintains policies and processes that guide how we collect, maintain, and protect personal information based on the legal and regulatory requirements where we operate. We audit our practices to help ensure compliance with applicable standards and legal requirements.

Examples of the practices we follow to support the integrity of our data protection processes include:

• Collecting and using the minimum amount of personal information necessary to achieve our business purposes.
• Sharing personal information only with individuals who have a legitimate need for it.
• Maintaining appropriate administrative, technical, and organizational security measures to protect personal information.
• Conducting supplier assessments to review third-party applications and technologies that contain personal and sensitive information.
• Monitoring technical and organizational measures to safeguard data through appropriate user access management, secure file transfers, and consent management.

Amgen senior management and Board of Directors receive regular updates on our information security and privacy programs and emerging threats.

Amgen is a member of the Health Information Sharing and Analysis Center, a community of critical infrastructure owners and operators within the healthcare and public health sector focused on sharing timely, actionable, and relevant information.

Training, Monitoring and Compliance

We require all Amgen staff and contractors to complete annual information protection and privacy training; employees in privacy-sensitive roles receive additional training specific to their position. Training for employees in such roles includes information on applicable data security and privacy laws and regulations – including the EU General Data Protection Regulation – and the appropriate handling of personal information. Training is available in 24 languages. We also regularly assess our suppliers to help ensure they maintain appropriate security and privacy controls.

We also host regular employee awareness events and campaigns on topics such as ransomware, identity theft, and mobile security, and conduct internal phishing exercises to help strengthen employee resiliency. To keep employees engaged, we offer a series of virtual cyber escape rooms where teams can compete to solve information security challenges.

 Supporting Business Resilience

We test our business continuity and incident response processes. Our information security controls also undergo assessment by a third-party to measure and manage control maturity. The outcome of these assessments are reviewed with senior management and informs control improvement initiatives. We also assess supplier cyber resiliency risk management and work with our suppliers to review risks and remediation actions.

Policies