Information Management Issues
Maintaining an Effective Management System to Address Various Information-related Risks
Formulation of Cyber Security Policy
To strengthen our cyber security efforts throughout SEKISUI CHEMICAL Group we formulate a Companywide information security policy and share it internally and externally.
Please refer to the SEKISUI CHEMICAL Group’s policies
Cyber Management System Headed by an Executive Officer
To provide a cyber security response system, we established a CSIRT*1, which reports to the Sustainability Committee chaired by the president.
The policy-making body is the Cyber Security Subcommittee, led by the Chief Information Security Officer (CISO), which deliberates on Group-wide cyber security measures and significant security incidents. Cyber Security Promotion Committee advances measures based on subcommittee decisions, and we have also set up a Cyber Security Center as a working unit.
Acting in partnership with the SOC*2, the Cyber Security Center monitors the security of networks and devices 24 hours a day, 365 days a year, and strives for the early detection of and recovery from incidents. Having posted at least one cyber system administrator on site at each business, we have established a comprehensive Group-wide cyber management system. Even in the case of organizational changes or cyber system administrator reassignments, the Company is constantly aware of the presence or absence of the cyber system administrators at each of its business sites through its registry management system. Together with making our operations in Japan more sophisticated, going forward we will advance the development of CSIRT at Group companies overseas.
- Computer Security Incident Response Team, or CSIRT, is the title given to specialized teams that receive reports, conduct surveys and enact response measures related to computer security incidents at companies and other organizations.
- The Security Operation Center, or SOC, is a specialized entity devoted to monitoring and analyzing threats to information systems. It works to detect threats as soon as possible, and plays a role in supporting CSIRT with its response and recovery efforts.
Diagram of Overall Management System
Measures Taken against Information Leaks and Risks from Both System and Human Aspects
The Company takes measures, from both system and human aspects, to maintain the security of customer (including personal) and internal (including confidential) information. To combat external threats, the Company has positioned its SOC as its primary entity to consistently identify new threats, such as newly reported cases of viral infections or targeted e-mail attacks, while SEKISUI CHEMICAL’s CSIRT swiftly takes action to implement appropriate countermeasures. We are also working to prevents information leaks before they occur by, for example, employee education based on e-learning courses and by conducting audits.
CSIRT operations involve the holding of regular Cyber Security Subcommittee/Promotion Committee meetings, reporting the assessments of risk countermeasures at subcommittee meetings and the content of risk countermeasure activities at promotion committee meetings.
Key System-related Measures
1Store important information on data center servers and fortify data centers
2Establish firewalls to completely separate internal networks from external and control networks
3Install cloud firewalls that are effective even for direct internet connections (including remote environments)
4Install next-generation virus protection, on all servers and PCs.
5Monitoring of the aforementioned three points 2-4 by SOC, 24 hours a day, 365 days a year
6Install e-mail filters and web filters, ensure safe and secure utilization of employee e-mails and Internet
7Upgrade authentication infrastructure for both convenience and security
Key Human-related Measures
1Thorough information management by degree of importance
2Thorough enforcement of duty of confidentiality for retiring employees and new hires
3Conduct regular e-learning programs for all employees
Augment implementation of e-learning sessions for important technology development workers
Measures to Mitigate Risk from Natural Disasters by Dispersing of Systems, etc.
So that business operations can be continued even in the event that backbone systems are damaged in a natural disaster, we have established backbone systems within data centers that have measures in place to deal mainly with earthquake resistance and seismic isolation.
In addition, by dispersing data centers among multiple locations, we have established a system that will not cause work to be disrupted even if a particular data center becomes unavailable. By taking steps to completely duplicate mission-critical systems, the Company is working to shorten the lead-time needed up to the completion of repairs and recovery of business operations.
Protecting Personal Information
We have also formulated Guidelines for Web Server Construction and Management, and endeavor to protect servers managed at relevant companies and each work sites.
At the same time, we ensure thorough management by limiting access rights and other management authority according to the importance of the information handled.
Furthermore, we are strengthening governance over the handling of personal (customer) information by raising employee awareness and providing training, especially during the Compliance Reinforcement Month held annually.
Preventing Leakage of Technical Information
In 2019, a then-employee leaked technical information about HPP Company’s conductive fine particles to an external third party. After this incident was discovered, information management and employee training were enhanced. In order to prevent recurrence, we not only take measures to prevent data leakage through IT technology, but also implement a wide array of measures such as introducing risk management activities in departments that handle confidential technical information, providing moral education and training for engineers, and thoroughly educating employees on confidentiality obligations upon hiring.
As for the overall progress of these recurrence prevention measures, we monitor information leak risks while consolidating the activities of both the Cyber Security Subcommittee and Compliance Subcommittee.