Maintaining an Effective Management System to Address Various Information-related Risks
Formulation of Cyber Security Policy
Our operations are based on the principle of formulating a Companywide cyber security policy, and sharing it internally and externally. This will work to strengthen our cyber security efforts throughout Sekisui Chemical Group.
We, Sekisui Chemical Group, recognize that cyber assets—such as personal information of our customers, information received from our suppliers, confidential corporate information, and systems for managing this information—are an increasingly important management resource and a source of our competitiveness. We believe that preparing against cyber-attacks that threaten these cyber assets is an important management responsibility, and strive to continually undertake cyber security measures as defined in the basic policy, to ensure a stable management foundation.
Cyber Management System
Installing CSIRT*, and building a system that posts information system administrators at each business site
Headed by the Sustainability Committee, which is chaired by the president, we have established a cyber security subcommittee as a policy-making body for the cyber security area. The subcommittee is led by the Chief Information Security Officer (CISO), and it deliberates and sets policy with regard to Companywide cyber security measures or significant security incidents. To advance measures based on subcommittee decisions, we have established the Cyber Security Promotion Committee, and have also created the Cyber Security Incident Response Team (CSIRT) as a lower-branch task force.
Having posted at least one cyber system administrator on site at each business, we have established a comprehensive Group-wide cyber management system. Even in the case of organizational changes or cyber system administrator reassignments, the Company is constantly aware of the presence or absence of the cyber system administrators at each of its business sites through its registry management system.
* Computer Security Incident Response Team, or CSIRT, is the title given to specialized teams that receive reports, conduct surveys and enact response measures related to computer security incidents at companies and other organizations.
Cyber Security Organizational Chart
Measures to Address Information Leakage Risks
Implementing Every Measure Possible from Both System and Human Aspects
The Company takes every measure possible, from both system and human aspects, in order to maintain the security of customer (including personal) and internal (including confidential) information. To combat external threats, the Company has positioned its Security Operation Center (SOC)* as its primary entity to consistently identify new threats, such as newly reported cases of virus infections or targeted e-mail attacks, while Sekisui Chemical’s CSIRT swiftly takes action to implement appropriate countermeasures. We are also taking preventive measures such as educating employees through e-learning courses and conducting audits.
CSIRT operations are executed based on regularly held Cyber Security Promotion Committee meetings and assessments of risk countermeasures. The CSIRT also makes activity reports on cyber security at every meeting.
* The Security Operation Center, or SOC, is a specialized entity devoted to monitoring and analyzing threats to information systems. It works to detect threats as soon as possible, and plays a role in supporting CSIRT with its response and recovery efforts.
Key System-related (Tangible) Measures
(1) Establish firewalls to completely separate external networks from internal intranet and control networks
(2) Monitor and record data through the Security Operation Center
(3) Next-generation virus protection, as well as log collection and analysis for all servers and PCs
(4) Enhance BEC (business email compromise) countermeasures through the use of multiple e-mail filters and prohibit the use of personal devices in business (excluding emergency situations)
Key Human-related (Intangible) Measures
(1) Conduct security audits as needed at business sites in Japan and overseas
(2) Adopt entry / exit ID authentication and secondary (photographic, etc.) verification when entering major domestic offices
(3) Conduct regular e-learning programs (those who do not attain a passing grade will be unable to access the Internet; Japan only)
Measures to Address Natural Disaster-related Risks
Duplication and Dispersing of Systems, as well as Earthquake Resistance and Seismic Isolation Measures
We have confirmed that measures are in place for earthquake resistance, seismic isolation and to counter other problems encountered by contracted data centers so that business operations can be continued even in the event that backbone systems are damaged by a major earthquake or other disaster. In addition, by dispersing data centers among multiple locations, we have established a system that will not cause work to be disrupted even if a particular data center becomes unavailable. By taking steps to completely duplicate mission-critical systems, the Company is working to shorten the lead time needed to complete repairs and recover business operations.
Protecting Personal Information
Sekisui Chemical has formulated its Personal Information Policy, which is available on the Company’s website. Based on this policy, the Company complies with legal regulations and norms regarding personal information, and by voluntarily putting in place rules and systems, strives to appropriately protect such information. We have also formulated “Guidelines for Web Server Construction and Management,” and endeavor to protect servers managed at each company and each work site.
The creation of a CSIRT led by an executive officer
We have launched a CSIRT entity with the executive officer of the Information Systems Group as general manager.
The establishment of a CSIRT entity will allow us to provide accountability in our cyber security operations to our stakeholders and clarify the promotion of cyber security measures in line with the Ministry of Economy, Trade and Industry’s revised Cybersecurity Management Guidelines (Ver. 2). Together with entrenching operations in Japan, going forward we are advancing the development of CSIRT at Group companies overseas.