Information Security Policy

In order to ensure the confidentiality, integrity and availability of its information systems, the Sumitomo Forestry Group is raising the security level of its systems through the enhancement of both the operational rules and technology aspects of information security. Recognizing that the protection of customer information is of particular and utmost importance, the Group continues to conduct employee training to ensure dissemination of the rules and verifies their level of awareness.

Development of Security Operations System

In terms of operational rules, we have compiled guidelines and checklists covering Group companies in Japan. The person responsible for the department in charge of information systems at each Group company in Japan conducts checks of the information security level every year. Moreover, we developed guideline of the same level for overseas Group companies.

Increasing Employee Knowledge of Information Security

All employees of the Group companies in Japan, including temporary employees and part-time employees, are required to take education on information security every year through the intranet. Successful completion of the course is contingent upon passing a test to measure the effectiveness of the course. Furthermore, in fiscal 2023, we conducted information security audits in collaboration with the Internal Audit Department in order to investigate on-site compliance with the guidelines and strengthen security measures. The audit covered 40 branch departments of Sumitomo Forestry and 12 Group companies in Japan.

Strengthening Information Security Measures

For the technology aspects of information security, the Group has introduced encrypted computer start-ups and data export restrictions on computers that are taken outside the Company.

We responded to the dramatic increase in information security risks brought on by the promotion of telework system during the COVID-19 pandemic. Sumitomo Forestry enhanced a VPN^*1 environment employing strong information security measure, which were expanded to all of Group companies. Additionally, in fiscal 2023, we developed a support system for overseas Group companies in an effort to speed up the execution of measures for strengthening information security measures following the guidelines. We have already implemented measures at certain overseas group companies, and aim to raise the information security level of all overseas Group companies to the standard level before the end of fiscal 2024.

Sumitomo Forestry had no information leaks, cyberattacks or other such issues in fiscal 2023.

*1A Virtual Private Network (VPN) is technology to expand a private network by configuring a virtual tunnel between users who connect over the Internet, etc.

Systems for Protecting the Privacy of Customers (Protection of Personal Information)

Sumitomo Forestry has formulated internal rules to safeguard the personal information of customers, such as the Personal Information Protection Policy and the Personal Information Protection Regulations. In addition, the executive officer responsible for general administration is designated as the chief executive in charge of protection of personal information, the head of each department is assigned as the supervisor and an information security officer is placed in each department. In these ways, the Company has established a protection system that extends from the Head Office through to each office.

The Company has also established a help desk within the Customer Service Department for inquiries regarding the handling of personal information. In addition, collective training is provided for the head and general administration representative of each department. E-learning is provided for all other employees and efforts are made to increase awareness among subcontractors in order to prevent personal information leaks. It is also mandatory for employees at Group companies to undergo e-learning training.

Systems for Managing Information Security

Management System at the Executive Management Level

The General Manager of the IT Solutions Department, under the supervision of the executive vice president and executive officer in charge of IT solutions and information security, is responsible for promoting information security measures for the Sumitomo Forestry Group, such as the formulation and management of rules and regulations, the proposal and implementation of technical measures, the education and training of employees, and the investigation of accidents and implementation of countermeasures. The IT Strategy Committee, comprised of the President, officer in charge of the Administrative Division, and divisional managers, is convened by the director in charge of IT and the General Manager of the IT Solutions Department. At meetings, participants receive reports on social trends in information security and the status of implementation of Sumitomo Forestry Group's measures, and participants provide direction on measures.

Management System On-site

The person responsible as the information security supervisor in each department provides guidance and management for the execution of that department's operations and assigns an information security officer as the working-level manager for the department's information security.
Furthermore, the Group also holds regular meetings of the Information Security Promotion Personnel Council and the Affiliates IT Personnel Council, which are attended by the persons responsible for information security at departments of Sumitomo Forestry. The council raises awareness and ensures thorough compliance to the guidelines as well as promotes the introduction of information security systems.

The Risk Management Committee stipulates as one of its items for priority management the risk of confidential information leaks due to an outside attack. The committee shares information and discusses ways to prevent and reduce the impact of such leaks at committee meetings held regularly every quarter. These activities are reported to the Board of Directors and a system to reflect this in business execution is put in place.

The BCM Subcommittee installed under the Risk Management Committee conducts activities aimed to raise the efficacy of measures to mitigate Group-wide, IT-related business interruption risks.

Dalian Sumirin Information Technology Service (ITS) Co., Ltd., which provides housing CAD design both inside and outside the Sumitomo Forestry Group, system operation, back-office services, and other BPO services, has acquired ISO27001 certification for its information security management system.

In fiscal 2024, we intend to obtain ISO 27001 certification for the estimating service (Jucore Estimate) for the same industry business launched by the Timber and Building Materials Division.

Initiatives to Strengthen Information Security

With threats to information security growing because of the spate of incidents involving leaks of personal information, targeted email attacks and other incidents, in fiscal 2023, Sumitomo Forestry Group introduced EDR*¹ (next-generation security software) at Group companies in Japan including Sumitomo Forestry, and stepped up PPAP*² countermeasures following upgrades to email security infrastructure. In this manner, we continue to invest in solutions that will further enhance the information security of the Group. We have been executing information security diagnostics through simulated attack methods at least once a year on any system infrastructure with Internet access. In addition, a training program about targeted email attacks is implemented for all employees in Japan.

*1Abbreviation for Endpoint Detection and Response. A security solution that detects suspicious behavior on the user's computer or server (endpoint) and facilitates a quick response.

*2A method of sharing files where the sender first sends a password protected zip file by email and then follows up with a second email containing the password to access the file. An abbreviation for (P)assword, (P)assword, P(A)ssword protection, (P)rotocol.

Establishment of CSIRT

Sumitomo Forestry established a CSIRT*¹ in October 2022 to conduct monitoring for prevention of security incidents and to have an organization in place to implement appropriate response in case of an incident. In November 2023, we joined the Nippon CSIRT Association. In addition, we conduct practical training on response scenarios in case of an information security incident. We will continue to improve our incident response capabilities, mitigate information security risks, and promote information sharing and collaboration.

*1Abbreviation for Computer Security Incident Response Team. A dedicated team that addresses incidents considered to pose security threats.

Promotion of DX

The Sumitomo Forestry Group has established digital and innovation as keywords in “Striving for transformation and the creation of new value,” one of the business polices of Mission TREEING 2030, and has positioned the promotion of DX as an important initiative to achieve its long-term vision.

In implementing DX, we are advancing the development of IT human assets in order to enhance the mindset and skills to utilize digital (D) for business and business transformation (X). We are sharing our DX initiative policy as a message from the President on the company intranet to encourage employees to change their mindset and improve basic IT skills through e-learning and other means. In fiscal 2024, we will also establish a human assets development system for advanced IT skills.

In addition, we are working on Citizen Developer Project of RPA*¹ to improve the efficiency of work by employees themselves. In the field of generative AI, we have started operation of the Sumitomo Forestry AI Dialogue System and are actively utilizing digital technology to improve operational efficiency, such as using it to draft documents. In the field of design, we have also streamlined the housing production process by automating structural design using AI technology and shortening CAD input work from 5 hours to 10 minutes.

*1Abbreviation for Robotic Process Automation. Technology to automate PC operations using software robots.