Information Security
Approach and Policy
To promote information security management throughout the SMM Group, we have established and implemented a security policy consisting of the “Information Security Regulations” and “Groupwide Standards for Information Security.”
FY2024 information security policy: “Strengthening responses to changing information security threats.”
- We will strengthen measures against ransomware, which has been causing numerous incidents of harm in Japan and overseas.
- We will review systems and work to strengthen security.
Management Framework
The Information Security Committee regularly deliberates Group-wide strategies and basic policies regarding information security, as well as Group-wide information security measures. The Committee consists of the executive officer in charge of the Information Systems Department as Chair, the General Manager of the Information Systems Department as Deputy Chair, and the general managers of divisions, the General Manager of the Technology Division, the General Manager of the Engineering Division, and the heads of operational divisions in the Head Office as committee members; the Information Systems Department serves as its secretariat.
Measures to improve the level of information security are led by the Information Systems Department and are promoted with the cooperation of the information security promotion managers, who are the heads of the organizational units (plant, division, branch, etc.), and the information security personnel at each site. To facilitate promotion and follow-up of the measures, the Information Systems Department also serves as the secretariat for the regularly held meetings of personnel in charge of information security.
The implementation status of the measures is fed back to the Information Security Committee, and actions are taken as necessary.
■ Management Framework Chart
Response to Information Security Risks
To protect in-house information assets from increasingly sophisticated cyber-attacks, we take countermeasures at both the system level and the human level.
Against external threats such as cyber-attacks, the SOC¹ to which we outsource monitoring watches for newly detected malware, targeted attack e-mails, and other threats 24 hours a day, 365 days a year. When an anomaly is detected, the Information Systems Department is promptly contacted and, together with the SMM-CSIRT², quickly implements an appropriate response.
We also educate and train employees through e-learning and targeted attack e-mail drills to prevent damage from cyber-attacks.
- ¹ Security Operation Center (SOC): An organization specializing in monitoring and analyzing information from security devices, taking countermeasures, etc.
- ² Computer Security Incident Response Team (CSIRT): The generic name for an organization that analyzes the causes of computer security problems, investigates the scope of impact, and responds to them.
Main System Countermeasures
- Critical information is stored on servers in an external data center that has advanced accident countermeasures and is protected by a special security system.
- Internal and external networks are separated by a firewall to protect against cyber-attacks from the outside (Internet).
- For work-from-home and other remote connections, we use a cloud security gateway with a high level of security, preventing third-party connections and unauthorized access.
- All servers and PCs are equipped with EDR¹ software in addition to anti-virus software. EDR software logs are monitored 24 hours a day, 365 days a year by an external SOC so that malware infections are promptly detected and addressed.
- We have introduced e-mail and web filters to ensure safe use of e-mail and the Internet by our employees.
- Operation of the most important of the above countermeasure systems is outsourced to an external SOC that operates 24 hours a day, 365 days a year, so that any anomalies are promptly detected and addressed.
- ¹ EDR: endpoint detection and response
Main Human Security Measures
- We conduct annual information security education, including for staff at our overseas sites, using an e-learning service specialized in cyber security that is available in various languages, in order to deepen employees’ understanding of ever-changing cyber-attack methods and enhance their security awareness.
- To prevent targeted attacks, which can easily lead to malware infection, we conduct targeted attack e-mail drills in which users are sent simulated e-mails that resemble actual attack e-mails, increasing their security sensitivity through first-hand experience.
Main Countermeasures Against Information Leaks
To ensure the security of customer information, including personal information, and confidential internal information, the following countermeasures are taken in addition to the above to protect electronic data.
- In principle, the use of USB memory devices is prohibited; work environments are equipped with system-based controls that permit their use only after notice has been given.
- Mobile PCs and other devices that may be taken outside the Company have their disks encrypted so that, even if they are stolen or lost, a third party cannot view the data.
- We use a dedicated file server and an external cloud storage service to store in-house data, and strictly control access rights.
- Our system monitors communication path logs to promptly detect and respond to unauthorized communications.
- To prevent malware infections from suspicious e-mails that slip through the filtering system, our system shares information about such e-mails with users.
We analyze the results of the above measures to provide feedback to each department and management and to incorporate the results into future plans.
Response to Security Incidents
The SMM-CSIRT, consisting of the Information Systems Department and representatives from user departments, has been established to respond promptly and prevent the spread of damage in the unlikely event that a serious security incident occurs despite the security measures taken.
We codify the main response processes to be followed in the event of an incident; the Information Systems Department and the relevant user departments work together to respond to incidents and bring them to an early end, while also handling responses to external parties.
SMM-CSIRT is a member of the Nippon CSIRT Association (NCA), cooperates with external organizations, and is enhancing its response capabilities by participating in the annual incident response training held by the NCA.
Results and Plans for Measures
In FY2023, we implemented the following measures.
- Replaced our anti-virus software with deep-learning-based software that has high detection capability against unknown malware
- Introduced a globally compatible authentication infrastructure as a step toward a zero-trust network
In FY2024, we plan to implement the following measures to bolster security operations.
- Reinforce countermeasures against spoofed e-mails and leaks of information via e-mail
- Replace device management tools and expand the scope of management to overseas sites
- Identify issues through information security audits and implement countermeasures