Thorough Information Security

Basic Concept

The Nisshinbo Group regards information security as one of the most important risks, and in April 2023, the Group revised the "Guidelines for Information Security" to be achieved by the Group and deployed them to group companies to improve information security and establish an information security operation system. These guidelines consist of human and organizational management, physical management, and technical management, and the following three points were particularly emphasized in the revision.

  • ① When outsourcing operations, the responsibilities of the outsourcer regarding information security and the measures to be implemented should be clarified.
  • ② In preparation for the event of an information security incident, an emergency response system and recovery procedures should be established.
  • ③ For backups of important information, backups should be stored in a secure environment and restoration procedures should be established.

In addition, the Group recognizes that one of its key corporate responsibilities is to ensure that all important information related to stakeholders is protected and managed appropriately. In order to fulfill this responsibility, the Group handles personal information in accordance with its "Privacy Policy."

Promotion System

About Information Security

In order to ensure the continuation of safe and stable business activities of Nisshinbo Group companies, under a system in which the Director and the Deputy Chief of the Corporate Strategy Center of Nisshinbo Holdings, Inc. is the supreme authority, the Nisshinbo Group has established a meeting of information system managers, which is overseen by the Information System Group of the Finance, Accounting & IT Service Department of the Corporate Strategy Center, to confirm the status of information system update plans and management of security measures.

Personal Information Protection

The Group has established a personal information protection secretariat and is working on personal information protection activities under a system in which its managing officer is the chief privacy officer and personal information protection officers are appointed for each department unit. The Group has also established a personal information consultation service to handle consultations and inquiries regarding personal information from outside the group that is received by telephone, fax, or inquiry form.

In addition, a management review of information security and personal information protection is conducted at the Board of Management of Nisshinbo Holdings Inc. and is directed by the president, who is the chief executive officer of the group. Management reviews are also reported to the Board of Directors.

Specific Initiatives of The Nisshinbo Group

Under the Fifth Sustainability Promotion Plan, the Nisshinbo Group has designated the strengthening of information security measures as a key action item, and is working to strengthen its response to external threats and to provide ongoing information security education to employees.

Strengthening Responses to External Threats

Along with subsidiary inspections covering the entire Nisshinbo Group, vulnerabilities in servers and network equipment are checked and systematic vulnerability countermeasures are implemented. Going forward, the Group will promote comprehensive countermeasures that take into account early detection, response, and recovery, assuming that it is difficult to completely defend against attacks.

Cyber Security Framework

Initiatives to Ensure Information Security

The Nisshinbo Group has established the "Guidelines for Information Security" to set forth rules to be followed by all group companies in Japan and overseas. To prevent the leakage of confidential information, including customers' personal information, the Group is continuously promoting education and other measures to enhance information security based on these guidelines.

Compliance with Rules / Implementation of Information Security Education and IT Internal Audits

The Group has compiled rules to be kept by information system users into educational materials and is working to raise awareness of information security measures among all Group users through a Learning Management System that includes periodic education and comprehension tests. At the same time, group training is provided for new employees and those dispatched overseas.

In addition, IT internal audits are regularly conducted on Japan and overseas subsidiaries to confirm compliance with the information security guidelines and to ensure continuous improvement.

Prevention of Internal Fraud

The Group uses an information security management system to monitor access to important data and restrict network access to unauthorized information devices.

Prevention of External Attacks

To counter cyber-attacks, the Group monitors e-mails through its e-mail security system, installs antivirus software on information equipment, and thoroughly applies security patches.

Targeted e-mail drills are conducted once a year for employees of domestic and overseas Group companies with the aim of raising cyber security awareness and cultivating response capabilities. In the FY2023 training, five patterns of training e-mails simulating targeted e-mails were prepared for 7,339 participants from 26 Group companies and sent to the targets at random. The open rate varies greatly depending on the pattern of training e-mails, and the Group will use this as an opportunity to identify future issues, enhance security education, and continue targeted e-mail training.

Countermeasures in the Event of a Large-Scale Disaster

From the standpoint of business continuity in the event of a large-scale disaster, the Group promotes the use of external data centers and cloud systems.

Support for New Normal Lifestyles

To enhance security during telework, the Group eliminated traditional VPN connections and switched to using a cloud-based firewall system. The Group is moving from a traditional perimeter security model that keeps the inside of the company secure to a zero trust security model that monitors the overall status and applies the same security to access from outside the Group.

Initiatives to Protect Personal Information

To ensure every one of its employees maintains awareness of personal information protection, the Nisshinbo Group conducts training when employees join the company and when they are promoted as well as training at each of its business sites based on its annual plan. The Group also conducts regular internal audits to check the management status of listed personal information (registration, deletion, storage methods, training status, etc.), and is committed to thorough and continuous improvement in preventing external leakage.

Initiatives Related to Generative AI

Generative AI services available to the public are useful for improving operational efficiency and generating new ideas, but concerns about authenticity and copyrights, as well as the risk of leaking confidential information, have also been raised. Therefore, guidelines for the use of generative AI were established on July 1, 2023, and deployed to Group companies. Each company will tune and customize the guidelines to suit its own needs and prohibitions and to ensure appropriate use and management.

Specific Activities of the Group Companies

Inventory of Accounts

Ueda Japan Radio Co., Ltd. sets account privileges for each individual according to the position and role and then deletes, changes, and adds accounts in a timely manner to reflect personnel changes. In addition, in order to prevent omissions, an annual inventory is conducted to reconfirm whether any unnecessary accounts remain.

Data for internal use is stored on the company-wide file server, and each folder is operated with reference and write privileges set for each user and group in Active Directory*. Access is made from a PC logged in with each individual's ID, and only folders authorized for that user can be referenced or updated.

Special care is taken when dealing with temporary and outsourced employees, and when registering Active Directory accounts, account expiration dates are set according to the period of the outsourced contract to prevent unauthorized access or information leaks after the outsourced contract ends. The company also conducts an annual inventory to check for any omissions.

* Active Directory: A system for managing information on users, computers, and shared folders available on Windows Server.

TISAX® Certification Activities

Nisshinbo Brake Inc., Nisshinbo Automotive Manufacturing Inc. in the United States, and Nisshinbo Saeron (Changshu) Automotive Co., Ltd. and Saeron Automotive (Yantai) Co., Ltd. in China underwent a TISAX® (Trusted Information Security Assessment Exchange) certification audit. TISAX® has established an information security management system (ISMS) in accordance with ISO 27001.

TISAX® is an information security assessment established by the German Association of the Automotive Industry. The four companies have officially obtained this certification, and the TISAX® certification label is registered on the portal operated by the ENX Association*. As a company that provides environmentally friendly brake products in the mobility field of the Nisshinbo Group, which aims to become an environment and energy company, the importance of maintaining the confidentiality of information handled in the course of business at a high level and ensuring the stability of such information is reflected in all business activities.

* ENX Association: The governance organization of TISAX®, responsible for further development of TISAX®, monitoring of audit providers, implementation of audits, and quality assurance.

Cyber Attack Response Training and Awareness

Nisshinbo Somboon Automotive Co., Ltd. in Thailand conducted emergency drills in April and October 2023 to prepare for damage from information leaks and system problems caused by cyberattacks.

The training was based on actual cases of attacks to learn the magnitude of damage, risks related to recovery, and countermeasures. At the same time, the company is conducting educational activities to raise awareness of risks and defenses by regularly disseminating information on cybersecurity damage to employees.

Reinforcement of Information Security Through Establishment of Information Security System

Saeron Automotive Corporation in Korea operates an information security system to effectively protect critical data and assets.

The main systems include ① real-time central control of all document files used throughout the company through a document centralization solution, ② a system called NAC (Network Access Control) to block access to the internal network for unauthorized persons and unauthorized PCs, and ③ a Data Loss Prevention (DLP) system that blocks internal document files from being carried out to the outside and controls and manages their history in real time.

In addition, the company undergoes an annual IT audit by Nisshinbo Holdings Inc. to ensure compliance with information security guidelines, thereby safeguarding the organization's information assets and creating a better security environment.

Conceptual Diagram of Document Centralization, NAC, and DLP Operations

Creation of Security Guidelines for Use of Generative AI

Generative AI contributes greatly to improving operational efficiency and generating new ideas, but issues of authenticity, copyright, and protection of confidential information have been pointed out. Therefore, in addition to the Guidelines for the Use of Generated AI deployed by Nisshinbo Holdings Inc., Nisshinbo Mechatronics Inc. created its own guidelines, which limit the use of generative AI to services with an opt-out function* to restrict its functions, and provided education to employees before the start of use.

The company also started using AI based on these guidelines ahead of others, conducted surveys on its usage status and usability, and held information exchange meetings.

From 2024, the company has determined that it is possible to deploy the system to its subsidiaries and is promoting the use of generative AI by holding explanatory meetings using Teams within its subsidiaries, including those overseas.

* Opt-out function: A function that does not allow input information to be used for AI learning.

Dissemination of Guidelines for Use of Generated AI

Nisshinbo Chemical Inc. regularly provides education on information security and disseminates topics related to information systems to all employees through its in-house magazine to raise awareness of the use of IT and risks.

In 2023, following the establishment of the Nisshinbo Group's Guidelines for the Use of Generated AI in July, the company newsletter included an introduction to the guidelines, notes on the use of generative AI, and examples of use.

In addition to explaining both the convenient aspects of generative AI and the internal rules for its use, the company explained that careless use could lead to the leakage of confidential information, such as trade secrets and personal information, and that there is a risk that the output generated by AI could infringe on the rights of others.

To ensure proper use of IT, Nisshinbo Chemical will continue to disseminate internal rules and provide education on information security.

Materials for Posting in Company Newsletters

Implementation of Information Security Education

Nisshinbo Textile Inc. conducts annual information security education for all employees who use personal computers.

The company provides education on rules regarding information equipment, management methods for PCs taken outside the company, and how to deal with increasingly sophisticated targeted e-mails using an in-house training site (L-Click) and Web videos. In addition, the company conducts real-life drills on how to deal with targeted e-mails with the aim of improving awareness of the importance of information management and crisis management.

Information Security Training at Sales Outlets

Every year, Tokyo Shirts Co., Ltd. conducts training on information security for all employees, including store sales staff.

The target population for the training is spread across stores nationwide, and the employees' work histories range from experienced employees with more than 20 years of service to part-time employees who have been with the company for only a few months. Therefore, the training is conducted first with the head office employees and sales managers, and then the managers visit each store and meet with each staff member to read and discuss the materials together. The content of the training is based on the company's information equipment management rules, precautions for managing user IDs and passwords, and how to respond to suspicious e-mails, while at the same time providing education on personal information protection in response to the incident of customer information leakage from the order site in 2022.

This has further raised staff awareness of information management, and the company plans to continue to provide education as appropriate.

Educational Materials