Information Security

Approach and Policy

In order to promote information security management throughout the SMM Group, we have established and implemented a security policy consisting of the “Information Security Regulations” and “Groupwide Standards for Information Security.”

Management Framework

The Information Security Committee regularly deliberates Group-wide strategies and basic policies concerning information security. The Committee consists of the Executive Officer in charge of the Information Systems Department as the Chair, the General Manager of the Information Systems Department as the Deputy Chair, the General Managers of the Business Divisions, the Technology Division, and the Engineering Division, and the heads of operational divisions in the Head Office as committee members; the Information Systems Department serves as its secretariat.
Measures to raise the level of information security are led primarily by the Information Systems Department and are implemented on site with the cooperation of the Information Security Promotion Managers (the heads of organizational units such as plants, offices, and branches) and the information security personnel at each site. To implement and follow up on these countermeasures smoothly, the Information Systems Department also serves as the secretariat for the regular meetings of personnel in charge of information security.
The implementation status of measures is reported to the Information Security Committee, which takes the necessary actions based on that feedback.

■ Management Framework Chart

Response to Information Security Risks

To protect internal information assets against increasingly sophisticated cyberattacks, we are taking countermeasures encompassing both system and human safeguards.
In order to counter threats such as external cyberattacks, we monitor newly detected malware, targeted emails, and other threats 24 hours a day, 365 days a year, primarily through an outsourced SOC1. If an anomaly is detected, the Information Systems Department is promptly notified, and we have a system in place to enable rapid and appropriate response jointly with SMM-CSIRT2.
We also aim to prevent cyberattack damage by providing employee education and training through e-learning and targeted attack e-mail drills.

  • 1 Security Operation Center (SOC): An organization specializing in monitoring and analyzing information from security devices and implementing countermeasures.
  • 2 Computer Security Incident Response Team (CSIRT): A generic term for an organization that, when a computer security issue arises, investigates the cause, assesses the scope of impact, and implements countermeasures.

Main System Countermeasures

  • Critical information is stored on servers at an external data center with advanced accident countermeasures, and the data center is protected by a special security system.
  • Internal and external networks are separated by a firewall to protect against cyberattacks from outside (the Internet).
  • For work-from-home and other remote connections, a cloud security gateway with a high level of security is used to ensure an environment where third-party connections and unauthorized intrusions are impossible.
  • All PCs are equipped with EDR1 software in addition to anti-virus software. EDR software logs are monitored 24 hours a day, 365 days a year by an external SOC, enabling rapid detection and response to malware infections.
  • We have introduced e-mail and web filters to ensure secure use of email and the internet by our employees.
  • Of the above countermeasure systems, critical ones are monitored by an external SOC that operates 24 hours a day, 365 days a year to ensure a system capable of promptly detecting and responding to anomalies.
  • 1 EDR: Endpoint Detection and Response

Main Human Security Countermeasures

  • To deepen understanding of the ever-evolving cyberattack methods and enhance security awareness, we conduct annual information security training using specialized e-learning services in the cybersecurity field with global language support, including staff based overseas.
  • To prevent targeted attacks, which can easily lead to malware infection, we conduct targeted attack e-mail drills, in which users are sent simulated e-mails that look like actual attack e-mails, to increase their security sensitivity through first-hand experience.

Main Countermeasures Against Information Leaks

In order to ensure the security of customer information containing personal data and of internal confidential information, all electronic data is protected through the following countermeasures in addition to those mentioned above.

  • The use of USB flash drives is generally prohibited. When their use is required, it is permitted solely under a controlled system environment and with prior notification.
  • Mobile PCs and other devices that may be taken outside the Company have their disks encrypted so that in the event they are stolen or lost, a third party cannot access the data.
  • We use dedicated file servers and external cloud storage services for storing internal company data, and their access rights are strictly managed.
  • Our systems monitor communication path logs to promptly detect and respond to unauthorized communications.
  • To prevent malware infections from suspicious e-mails that slip through the filtering system, information about such e-mails is shared with users.

The outcomes of these measures are analyzed to deliver feedback to departments and management and to guide the development of future plans.

Response to Security Incidents

The SMM-CSIRT, consisting of the Information Systems Department and representatives of user departments, has been established to respond promptly and prevent the spread of damage in the unlikely event of a serious security incident despite the security countermeasures.
The primary incident response processes are formally documented, allowing the Information Systems Department to work in collaboration with user departments. This framework ensures that incidents are addressed promptly while external communications are managed concurrently.
SMM-CSIRT is a member of the Nippon CSIRT Association (NCA), fostering external collaboration while annually participating in NCA-hosted incident response training to enhance its capabilities.

Results and Plans for Countermeasures

In FY2024, we implemented the following measures.

  • Reinforced countermeasures against email information leaks.
  • Identified and improved system vulnerabilities through simulated attacks.

For FY2025, the following measures are planned to bolster security operations.

  • Reinforcement of countermeasures against spoofing e-mails (DMARC compliance).
  • Elimination of unmanaged devices through visualization of devices connected to the internal network.
  • Identification of issues and implementation of countermeasures through information security audits.