By clicking ‘Yes’ at the end of this document, I attest that I
attended, either in person or by WebEx conference, the IT.27.AV &
IT.28.AV policies refresh presentation conducted during the months of
April through June 2017. I agree to comply with the content outlined
until superseded by any new materials on which I am trained.
Business Technology Solutions
IT27.AV & IT28.AV Policies Refresh
April 2017
IT28.AV Policy Highlights
• The Data Classification policy provides a schema for defining the sensitivity, or classification level,
of AbbVie data
• This policy applies to all AbbVie employees, contractors, consultants, 3rd party suppliers and
business partners (for the purposes of this policy defined as “Data Users”) who are responsible for
creating, collecting, storing, processing, using, sharing, and/or otherwise accessing electronic
forms of AbbVie Data
• Data User: All AbbVie employees, contractors, consultants and authorized 3rd Parties who create,
collect, store, process, use, share, and/or otherwise access electronic forms of AbbVie Data are
responsible for classifying and handling AbbVie Data appropriately, including ensuring that the
required security controls are in place. Data Users are also responsible for communicating the
sensitivity of AbbVie Data when transferring, storing or otherwise disclosing AbbVie Data
• PII: Personally Identifiable Information, or SPII: Sensitive PII
The Business System Owner and IT System Owner are responsible for ensuring the controls are applied,
based on the data classification. These controls may be included in IT Security Policies, other AbbVie
documents or applicable regulations (e.g. local privacy regulations).
Q2 – Q3 2017 3 2017 IT28.AV Policy Highlights – For internal use Only
IT28.AV
Why are we having this discussion……?
The Business System Owner and IT System Owner are responsible for
ensuring the controls are applied, based on the data classification. These
controls may be included in IT Security Policies, other AbbVie documents or
applicable regulations (e.g. local privacy regulations).
IT27.AV: AbbVie Third Party Data Security Policy
This policy is intended for AbbVie business and staff who work with and
oversee Third Party relationships. Any Third Parties with access to AbbVie
Data must handle, treat, and otherwise protect AbbVie Data in accordance
with all requirements set forth in this policy and pursuant to any contractual
agreement with AbbVie.
IT28.AV Policy - Restricted Data
Data Classification: Restricted
Description: All non-public information in AbbVie’s possession that is considered to be PII or that might be of specific use to competitors or harmful to the financial stability or competitive position of AbbVie if disclosed. Personal Information that could not be used to assume an individual's financial or health identity. The company must obtain permission from an individual to use, store, transmit or process such information to perform business functions in lieu of obtaining formal certification that a company-wide program is in place to protect the information.
Impact: Unauthorized disclosure, loss of availability and/or integrity would have a significant adverse impact to the individual(s) identified and/or AbbVie’s brand reputation, competitive advantage, market share, business operations, and/or incur compliance failure. In some cases, such information may include AbbVie trade secrets
Example:
• Personnel file information including performance reviews, job evaluations, disciplinary actions
• Key-coded clinical trial data
• De-identified patient information
• Marketing/Sales plans
• Manufacturing Control Processes/Instructions
IT28.AV Policy – Secret Data
Data Classification: Secret
Description: Information that is considered to represent a major competitive advantage. Sensitive Personally Identifiable Information (SPII) that could be used to assume an individual’s personal, financial or health identity.
Impact: Unauthorized disclosure, loss of availability and/or integrity would have a catastrophic adverse impact to the individual(s) identified and/or to AbbVie’s brand reputation, competitive advantage, market share, business operations, and/or incur compliance failure. In some cases, such information may include AbbVie trade secrets
Example:
• Sensitive Personally Identifiable Information of employees and individual customers (SPII)
• Protected Health Information (PHI) as defined in the HIPAA Privacy Regulation
• Health information, including genetic and biometric information and disease state
• Payment Card Information
• Financial institution account number
• Payroll data Government issued ID and Social Security Numbers
• Biometric Information
• Merger and Acquisition Plans
IT28.AV Data Handling
Activity: Email (External)
Public: No additional requirements
Internal: AbbVie Email Confidentiality disclaimer included
Restricted:
• AbbVie Email Confidentiality disclaimer included
• Verify distribution to authorized recipients
• Only send information required/necessary for the business transaction
• Encrypt Restricted data (whole email or attachment)
Secret:
• AbbVie Email Confidential disclaimer included
• Verify distribution to authorized recipients
• Only send information required/necessary for the business transaction
• Encrypt Secret data (whole email or attachment)
Impacted Documents:
Inbound – Outbound Communications
• Patient or Physician Rx Utilization from Specialized Pharmacies, PBMs or IMS
• Pharmacovigilance Reports from Third Party Suppliers, Spec. Pharmacies, Call Center
• Personally Identifiable Information collected at Websites
Shared Folder Restrictions
• Documents can be stored in Shared Folders where access is restricted
• Shared Folder recertification is performed annually to verify who has access to Shared
Folders
June 19, 2017 8 2017 BTS Projects & Updates
How to Secure Documents
1. From the Save options, select Protect Document, then Encrypt with Password.
2. Send an email to the recipient as usual.
3. Send the Password in a second email separate from the protected document.
4. Applicable documents originating from the Vendor or Third Party must likewise be secured on
their end before being sent to you or other AbbVie recipient(s).
Questions?