Maintaining an Effective Management System to Address Various Information-related Risks
Cyber Management System
Building a Cyber Management System with Responsible Personnel Assigned to Each Business Site
Headed by the CSR Committee, which is chaired by the president, the Network Management Center established under the Cyber Security Committee has set up a monitoring system and carries out the monitoring and recording of information. Having also posted at least one cyber system administrator at each business site, it has established a comprehensive Group-wide cyber management system. Even when organizational changes or cyber system administrator reassignments occur, the Company uses its registry management system to stay constantly aware of whether a cyber system administrator is present at each of its business sites.
Cyber Security Organizational Chart (until fiscal 2019)
Roles of Cyber System Administrators
(1) Cyber security measures in general, including anti-virus measures
(2) Management and stable operation of information systems, personal computers, software, etc.
(3) General network-related management
(4) Giving guidance on the proper use of cyber systems to employees at each company / department
(5) Acting as points of contact for, and responding to, other general matters relating to cyber systems
Measures to Address Information Leakage Risks
Implementing Every Measure Possible from Both System and Human Aspects
The Company takes every measure possible, from both system and human aspects, in order to maintain the security of customer (including personal) and internal (including confidential) information. As for external threats, the Company quickly identifies and responds in an appropriate manner to unknown viruses using SIEM (Security Information and Event Management) log analysis and next-generation anti-virus systems based on AI technologies. We are also taking measures aimed at preventing information leaks due to human error, including security audits and employee e-learning courses.
The Company also holds an Information Security Committee meeting once every two months to evaluate risk countermeasures, and our training for potential information security incidents allows us to be fully prepared for information security emergencies.
Key System-related (Tangible) Measures
(1) Establish firewalls to completely separate external networks from internal intranet and control networks
(2) Monitor and record data through network management centers
(3) Next-generation virus protection, as well as log collection and analysis for all servers and PCs
(4) Enhance BEC (business email compromise) countermeasures through the use of multiple e-mail filters and prohibit the use of personal devices in business
Key Human-related (Intangible) Measures
(1) Conduct security audits as needed at business sites in Japan and overseas
(2) Adopt entry / exit ID authentication and secondary (photographic, etc.) verification when entering major domestic offices
(3) Conduct regular e-learning programs (those who do not attain a pass grade will be unable to access the Internet; Japan only)
(4) Conduct regular e-learning programs and incident-training programs by the network management center
Measures to Address Natural Disaster-related Risks
Duplication and Dispersing of Systems, as well as Earthquake Resistance and Seismic Isolation Measures
We have confirmed the adequate provision of fuel reserves for emergency power generators, as well as earthquake resistance, seismic isolation and other measures being applied to contracted data centers, so that business operations can be continued even in the event that backbone systems are damaged by a major earthquake or other disaster. In addition, by dispersing data centers among multiple locations, we have established a system that will not cause work to be disrupted even if a particular data center becomes unavailable. By taking steps to completely duplicate mission-critical systems, the Company is working to shorten the lead time needed to complete repairs and recover business operations.
Protecting Personal Information
Sekisui Chemical has formulated its Personal Information Policy, which is available on the Company’s website. Based on this policy, the Company complies with legal regulations and norms regarding personal information, and in the case of a security incident, the network management center conducts a thorough analysis of the effects of the incident while cooperating with the Emergency Response Headquarters established in line with the criteria in the Sekisui Chemical Group Crisis Management Guidelines.
Improving the Sophistication of Our Security Measures
Launching the Creation of a CSIRT* Entity
With the goal of better understanding and improving the sophistication of our security measures, Sekisui Chemical Group uses third-party assessments and promotes the creation of rules and systemic processes aimed at maintaining operational continuity.
Since cyber security is an issue requiring action throughout the Company, we conducted workshops for senior managers in fiscal 2018 that were focused on recent cyber security trends and reinforcement measures.
In addition to these measures, we have launched efforts to create a CSIRT entity headed by the executive officer in charge of the Information Systems Group. The establishment of a CSIRT entity will allow us to provide accountability in our cyber security operations to our stakeholders and clarify the promotion of cyber security measures in line with the Ministry of Economy, Trade and Industry’s revised Cybersecurity Management Guidelines (Ver. 2).
* CSIRT is an abbreviation of Computer Security Incident Response Team. This title is given to teams at organizations such as companies that specialize in receiving reports, conducting surveys and enacting response measures related to computer security incidents.