Material Issues / Governance

Information Security

Approach and Policy

FY2023 information security policy: strengthening responses to changing information security threats

  • We will strengthen measures against ransomware, which has been causing numerous incidents in Japan and overseas.
  • We will work to strengthen the security of control system equipment and systems.

Promotion Structure

To promote information security management throughout the SMM Group, we have established and implemented a security policy consisting of the Information Security Regulations and Group-wide Standards for Information Security.
The Information Security Committee regularly deliberates Group-wide strategies and basic policies regarding information security, as well as Group-wide information security measures. The Committee consists of the executive officer in charge of the Information Systems Department as Chair, the General Manager of the Information Systems Department as Deputy Chair, and, as members, the general managers of divisions, the General Manager of the Technology Division, the General Manager of the Engineering Division, and the heads of operational divisions in the Head Office; the Information Systems Department serves as its secretariat.
Measures to improve the level of information security are led by the Information Systems Department, and are specifically promoted with the cooperation of the information security promotion managers, who are the heads of the organizational units (plant, division, branch, etc.) positioned as subordinate structures of the Information Security Committee, and the information security personnel at each site.
In order to facilitate promotion and follow up of the measures, the Information Systems Department serves as the secretariat for the meetings of personnel in charge of information security, which are held regularly.
The status of implementation of the measures is fed back to the Information Security Committee and actions are taken as necessary.

■ Promotion Structure

Response to Information Security Risks

To ensure the safety of in-house information assets from increasingly sophisticated cyber security attacks, we are taking countermeasures on both a system and human level.
For threats such as cyber-attacks from outside, the SOC,¹ to which monitoring is outsourced, monitors newly detected malware, targeted e-mails, and other threats 24 hours a day, 365 days a year. When an anomaly is detected, the Information Systems Department is promptly notified and, together with the SMM-CSIRT,² quickly implements an appropriate response.
We also educate and train employees through e-learning and targeted e-mail drills to prevent damage from cyber-attacks.

  • 1. Security Operation Center (SOC): An organization specializing in monitoring and analyzing information from security devices, taking countermeasures, etc.
  • 2. Computer Security Incident Response Team (CSIRT): The generic name for the organization that analyzes the causes of computer security problems, investigates the scope of impact, and responds.

Main System Countermeasures

  • Critical information is stored on servers in an external data center with advanced accident countermeasures, and the data center is protected by a special security system.
  • Internal and external networks are separated by a firewall to protect against cyber-attacks from the outside (Internet).
  • For work-from-home and other remote connections, we use a cloud security gateway with a high level of security, rendering third-party connections or unauthorized entries impossible.
  • All servers and PCs are equipped with EDR* software in addition to anti-virus software. We have a system where EDR software logs are monitored 24 hours a day, 365 days a year by an external SOC to promptly detect and respond to malware infection.
  • We have introduced e-mail and web filters to ensure safe use of e-mail and the Internet by our employees.
  • Of the above countermeasure systems, important ones are outsourced to an external SOC that operates 24 hours a day, 365 days a year to promptly detect and respond to any anomalies.

EDR: endpoint detection and response

Main Human Countermeasures

  • We conduct annual information security education using an e-learning service specialized in the field of cyber security, which is available in various languages, for the purpose of deepening employees’ understanding of ever-changing cyber-attack methods and enhancing security awareness, including staff at our overseas sites.
  • To prevent targeted attacks, which can easily lead to malware infection, we conduct targeted attack e-mail drills, in which users are sent simulated e-mails that look like actual attack e-mails, to increase their security sensitivity through first-hand experience.

Results of the above measures are analyzed and fed back to each division and management, and are reflected in the next plan.

Response to Security Incidents

The SMM-CSIRT, consisting of the Information Systems Department and representatives from user departments, has been established to respond promptly and prevent the spread of damage in the unlikely event of a serious security incident despite the security measures taken.
The Information Systems Department and the user departments work together to respond to incidents and bring them to an early end, while also coordinating responses with external organizations.
SMM-CSIRT is a member of the Nippon CSIRT Association (NCA) and cooperates with external organizations.

Information Leakage Countermeasures

To ensure the security of customer information, including personal information, and confidential in-house information, the following countermeasures are taken in addition to the above to protect electronic data.

  • In principle, the use of USB memory devices is prohibited, but working environments have been designed to permit their use when necessary, under system-based control and upon prior notification.
  • Mobile PCs and other devices that may be taken outside the Company have their disks encrypted so that even if they are stolen or lost, a third party cannot view the data.
  • We use a dedicated file server and an external cloud storage service to store in-house data, and strictly control access rights.
  • Our system monitors communication path logs to promptly detect and respond to unauthorized communications.
  • Our system is designed to prevent malware infections from suspicious e-mails by sharing information about suspicious e-mails that slip through the filtering system with users.

FY2022 Results and FY2023 Plan

In FY2022, we introduced EDR software on PCs and servers connected to the SMM Group network, and also deployed it to our overseas sites. For overseas sites, we individually surveyed the operational status of cyber security measures and provided guidance for improvement. To strengthen human countermeasures, we introduced a multilingual cyber security training system and combined it with training about suspicious e-mails to improve users’ security awareness and skills.
In FY2023, we will switch our anti-virus software to deep learning software with high detection capability against unknown malware in order to strengthen endpoint security. In addition, to create a zero-trust network, we will introduce a globally compatible authentication infrastructure to strengthen the authentication function for users in Japan and overseas.