Information Management Issues

Basic Concept

To avoid the occurrence of serious information management-related incidents that impact the Group’s ability to improve and sustain business, SEKISUI CHEMICAL Group is putting in place a system and operational structure that ensures the confidentiality, integrity, and availability of its information system while at the same time working to increase employees’ literacy on information security through e-learning programs and incident response training.

Cyber Security Policy

To strengthen cyber security measures throughout SEKISUI CHEMICAL Group as a whole, we formulated the Group-wide Cyber Security Policy* and disclosed details both internally and externally.

Targets

With the aim of preventing damage to the Group’s corporate value resulting from a serious incident, we identified zero cyber security incidents as a KPI under the current Medium-term Management Plan. In an effort to achieve this KPI, we have continued to promote information management activities. Thanks to these endeavors, the number of cyber security incidents was zero. The results of major implementation measures are as follows.

| Major Implementation Measures | Management Indicators | Current Medium-term Management Plan Final Fiscal Year (FY2022) Targets | Fiscal 2022 Results |
| --- | --- | --- | --- |
| Rapid response in the event of a cyber security incident (Japan) | Recovery time following incident occurrence | Ongoing monitoring to set a baseline | Continued monitoring |
| Overseas deployment of CSIRT | Formulation and rollout of overseas deployment plans | Formulation of detailed plans and start of deployment | Commenced monitoring and operation of three companies in North America* |

  • Three companies in North America: SEKISUI AMERICA CORPORATION, SEKISUI VOLTEK, LLC, SEKISUI DIAGNOSTICS, LLC

System

Cyber Management System Headed by an Executive Officer

To provide a cyber security response system, we established a CSIRT*1, which reports to the Sustainability Committee chaired by the president.
Chaired by Futoshi Kamiwaki, Representative Director and Senior Managing Executive Officer, who serves as the Chief Information Security Officer (CISO), the Cyber Security Subcommittee is a policy-making body that deliberates on Group-wide cyber security measures and significant security incidents. The Cyber Security Promotion Committee advances measures based on subcommittee decisions. We have also set up a Cyber Security Center as a working unit.
Acting in partnership with the SOC*2, the Cyber Security Center monitors the security of networks and devices 24 hours a day, 365 days a year, and strives for the early detection of and recovery from incidents. Having posted at least one cyber system administrator on site at each business, we have established a comprehensive Group-wide cyber management system. Even in the case of organizational changes or cyber system administrator reassignments, the Company is constantly aware of the presence or absence of the cyber system administrators at each of its business sites through its registry management system. Together with making our operations in Japan more sophisticated, going forward we will advance the development of CSIRT at Group companies overseas.

  • *1 Computer Security Incident Response Team, or CSIRT, is the title given to specialized teams that receive reports, conduct surveys and enact response measures related to computer security incidents at companies and other organizations.
  • *2 The Security Operation Center, or SOC, is a specialized entity devoted to monitoring and analyzing threats to information systems. It works to detect threats as soon as possible, and plays a role in supporting the CSIRT with its response and recovery efforts.

Diagram of Overall Management System

Major Initiatives

Measures Taken Against Information Leaks and Risks from Both System and Human Aspects

The Company takes measures, from both system and human aspects, to maintain the security of customer (including personal) and internal (including confidential) information. To combat external threats, the Company has positioned its SOC as its primary entity to consistently identify new threats, such as newly reported cases of virus infections or targeted e-mail attacks, while SEKISUI CHEMICAL’s CSIRT swiftly takes action to implement appropriate countermeasures. We are also working to prevent information leaks before they occur through, for example, employee education based on e-learning courses and audits.
CSIRT operations involve the holding of regular Cyber Security Subcommittee/Promotion Committee meetings, reporting the assessments of risk countermeasures at Subcommittee meetings and the content of risk countermeasure activities at Promotion Committee meetings. In addition, we conduct annual training for Subcommittee members on management decision-making in the event of a cyber security incident.

Key System-related Measures

  • (1) Store important information on data center servers and fortify data centers
  • (2) Establish firewalls to completely separate internal networks from external and control networks
  • (3) Install cloud firewalls that are effective even for direct Internet connections (including remote environments)
  • (4) Install next-generation virus protection on all servers and PCs
  • (5) Monitoring of the aforementioned three points, (2) to (4), by the SOC, 24 hours a day, 365 days a year
  • (6) Install e-mail filters and web filters to ensure the safe and secure use of e-mail and the Internet by employees
  • (7) Upgrade authentication infrastructure for both convenience and security

Key Human-related Measures

  • (1) Thorough information management by degree of importance
  • (2) Thorough enforcement of duty of confidentiality for retiring employees and new hires
  • (3) Conduct regular e-learning programs for all employees
    Augment implementation of e-learning sessions for important technology development workers
  • (4) Conduct desk training for CSIRT members (encompassing such areas as the confirmation of communication flows and the questioning of management decisions)

Measures to Mitigate Risk from Natural Disasters by the Dispersal of Systems, etc.

So that business operations can continue even if backbone systems are damaged in a natural disaster, we have established backbone systems within data centers that are equipped mainly with earthquake-resistance and seismic-isolation measures.
In addition, by dispersing data centers across multiple locations, we have established a system in which work is not disrupted even if a particular data center becomes unavailable. By taking steps to completely duplicate mission-critical systems, the Company is working to shorten the lead time needed to complete repairs and recover business operations.

Protecting Personal Information

SEKISUI CHEMICAL Group handles the personal information of its customers based on its Privacy Policy, which is available on the Company’s website. The Company complies with legal regulations and norms regarding personal information and, by voluntarily putting in place rules and systems based on internal confidential information management regulations, strives to appropriately protect such information.
We have also formulated Guidelines for Web Server Construction and Management, and endeavor to protect servers managed at relevant companies and each work site.
At the same time, we ensure thorough management by limiting access rights and other management authority according to the importance of the information handled.
Furthermore, we are strengthening governance over the handling of personal (customer) information by raising employee awareness and providing training, especially during the Compliance Reinforcement Month held annually.

Preventing Leakage of Technical Information

In 2019, a then-employee leaked technical information about the HPP Company’s conductive fine particles to an external third party. After this incident was discovered, information management and employee training were enhanced. To prevent recurrence, we not only take IT-based measures to prevent data leakage, but also implement a wide array of other measures, such as introducing risk management activities in departments that handle confidential technical information, providing moral education and training for engineers, and thoroughly educating employees on confidentiality obligations upon hiring.
As for the overall progress of these recurrence prevention measures, we monitor information leak risks while consolidating the activities of both the Cyber Security Subcommittee and Compliance Subcommittee.