3.4 Cybersecurity and data privacy The Information Security Policies define the mandatory high- Siemens is one of the industry leaders in cybersecurity. Our level requirements and general rules for information security. cybersecurity performance is highly regarded, as evidenced The policies serve as blueprints for establishing and managing by our sustainability ratings and rankings. For example, the information security at Siemens. The requirements are based Dow Jones Sustainability Index (DJSI) has ranked Siemens as on the domains defined in Annex A of the international a leading company in cybersecurity relative to our peers. standard ISO/IEC 27001. Siemens’ cybersecurity governance has been ISO 27001-certified since November 2017. Siemens products, solutions, and services Siemens is implementing a company-wide Product and Our commitment to cybersecurity is further reinforced by Solution Security (PSS) initiative. The objectives of the initia- Siemens’ participation in founding the “Charter of Trust”1 tive are to formulate PSS recommendations and binding initiative to protect data and promote cybersecurity in a requirements and to apply and continuously improve them trustworthy digital world. in all the businesses. Targets The PSS initiative is managed by the PSS Maturity model, a Our DEGREE sustainability framework addresses the topic of proprietary, standards-based model. It shows the extent to cybersecurity under “E” for Ethics. We are proactively working which the established business and design processes are toward safeguarding and promoting cybersecurity at being expanded and constantly improved in terms of their Siemens. To achieve this, Siemens employees need to - security activities and requirements. Evaluations are per complete a web-based training on cybersecurity on an formed annually at the organizational level, the results are annual basis. discussed with each unit’s management team, and corre- sponding improvement programs are initiated. Actions and results The Corporate Cybersecurity department and the cybersecurity To further strengthen Siemens’ cybersecurity business, our departments in our businesses manage the following issues businesses offer selected high-maturity security services to and activities: external customers in collaboration with the Corporate Cybersecurity department. → Developing and implementing proactive cybersecurity strategies adapted to the business Continuing education and young talent → Proactive and reactive measures for product and solution development security and to safeguard information technology and In fiscal 2023, 95% of our employees completed the manda- operational technology tory cybersecurity awareness training. The training cycle → Risk management framework as a part of the Enterprise began in January 2023 and ran until the end of September Risk Management system with clearly defined roles 2023. → Monitoring and reporting on the status and progress of cybersecurity measures and checks In addition, we offer the training “Driver’s License” to a target → Cybersecurity-readiness and second-line-of-defense2 group of approximately 8,000 employees who are trained to → Developing mandatory global cybersecurity awareness apply all of Siemens’ IT/OT security guidelines. All of our measures, annual IT cybersecurity global awareness train- employees also have access to continually updated training ings, and specific cybersecurity expertise courses and learning opportunities on product and solution security through My Learning World, the Siemens global learning platform. 1 https://www.charteroftrust.com/. 2 https://www.siemens.com/global/en/company/digital-transformation/cybersecurity/ governance.html#SecondLineofDefense. SIEMENS SUSTAINABILITY REPORT 2023 50