As the importance of information security grows, it is necessary for all Group members, from management to the front line, to work together to improve the effectiveness of information security management and reduce security risks regarding the Group’s information assets.
Especially in the digital field, cyber-attacks, such as AI-based attacks, are becoming an ever-growing threat. We have been preparing a system to respond quickly to such threats by separating digital security from information security as IT security. We will also work to properly protect various types of confidential and personal information, including information entrusted to us by external parties.
Our group has established a promotion system for each area of IT security and confidential information/personal information management, and is working together to strengthen information security under the supervision of the CSR and Sustainability Committee (chaired by an external director).
Regarding IT security, we have established an IT Security Committee (with regular meetings twice a year and extraordinary meetings as necessary) to check the status of company-wide IT security activities and promote appropriate measures. This committee consists of the corporate officer in charge of the Digital Transformation Dept. as the chairman, and the Head of the Integrated Management Division, Head of Headquarters, planning divisions of each company, and other major divisions as members. Two regular meetings were held in FY2023 to report and discuss incidents, activities to strengthen IT security and ISMS activities.
Regarding the management of confidential information and personal information, the Confidentiality Management Subcommittee (with regular meetings once a year and extraordinary meetings as necessary) was established under the Risk Management Committee to promote the reduction of risks related to the management of confidential information and personal information. This committee consists of the executive officer in charge of the Business Management Dept. as sub-chairman and the heads of each department as members. In FY2023, the Confidentiality Management Subcommittee met once, reporting incidents and issuing reminders. In addition, information security activities are led by department managers and department chiefs assigned to each department in the areas of IT security and confidential information/personal information management in each division.
For confidentiality management, we have a working group on confidentiality management that reports to the Risk Management Committee. The working group is tasked with identifying and reducing the risks related to the management of confidential information and protection of personal information.
In order to continuously respond to information security risks that threaten companies and organizations, we have set information security as a priority issue (materiality) and are building an information security management system equivalent to ISO 27001.
In FY2023, audits on IT security and IT systems were carried out at all sites, and deficiencies were identified and rectified. We will continue to conduct these audits every year to improve the level of security.
At the request of some automobile manufacturers, we have also acquired TISAX certification, which is an audit standard for information security covering the automobile industry supply chain.
We have established a Computer Security Incident Response Team (CSIRT).
When an incident occurs, the CSIRT promptly organizes and confirms the facts, determines the level of the incident, and then responds. We also accumulate and share knowledge as a measure to prevent recurrence.
In addition to responding after an incident occurs, we also strive to defend in advance and are working to improve the level and maturity.
In fiscal 2021, in response to the increase in damage caused by cyber attacks around the world, we conducted a comprehensive inspection of the servers used by our company and group companies. Servers with security concerns were identified and countermeasures were taken.
Raising employee awareness of information security is essential to prevent information security incidents, and education and awareness-raising are provided through various training and educational tools.
The working group on confidentiality management annually inspects the company-wide status of confidentiality management based on the confidentiality management rules set by the company.
The secretariat of the Confidentiality Management Subcommittee confirms the validity of each department's self-inspection results in order to enhance the checking function.
The inspection includes self-inspection by each department and mutual inspection between departments. The inspection items are reviewed in line with the broader progress of informatization in society in order to enhance the checking function.
Furthermore, in addition to the rules on the in-house handling of confidential information, we have also established rules on the use of confidential information outside the company in order to prevent the leaking of such information, including rules on the use of portable computers and cloud services, and we monitor compliance with the rules.
As exemplified by the General Data Protection Regulation (GDPR) enforced in Europe, measures to protect personal information have been enhanced globally. In response, the Niterra Group has set a range of internal rules to appropriately protect, manage and handle the personal information of its customers and employees.
In addition, in response to the revised Personal Information Protection Law that came into effect in April 2022, we pre-assess risks based on the type and amount of personal information and take measures to reduce the risks.
See the policy regarding the handling of personal information (Privacy Policy) below.