Information Security Policy

In order to ensure the confidentiality, integrity and availability of its information systems, the Sumitomo Forestry Group is raising the security level of its systems through the enhancement of both the operational rules and technology aspects of information security. Recognizing that the protection of customer information is of particular and utmost importance, the Group continues to conduct employee training to ensure dissemination of the rules and verifies their level of awareness.

In terms of operational rules, we have formulated Sumitomo Forestry Group Information Asset Protection Guidelines for all Group companies in Japan and at the same time, created a checklist based on these guidelines. The person responsible for the department in charge of information systems at each Group company conducts checks of the information security level every year. In 2012, the Group also formulated guidelines for Group companies outside of Japan.

In fiscal 2021, new security guidelines will be formulated which can respond to the latest threats, and we are in the process of planning drastic revisions to relevant Group company regulations worldwide.

For education on information security, Sumitomo Forestry has made it compulsory for all Group employees with access to its intranet, including temporary and part-time employees, to take an e-learning course on an annual basis.

For the technology aspects of information security, the Group has introduced encrypted computer start-ups and data export restrictions on computers that are taken outside the Company.

We responded to the dramatic increase in security risks brought on by the promotion of the telework system during the coronavirus disease (COVID-19) pandemic. Sumitomo Forestry enhanced a DaaS*1 environment in addition to building a VPN*2 environment employing strong security measures, which were expanded to all of its Group companies.

Sumitomo Forestry had no information leaks, cyberattacks or other such issues in fiscal 2020.

*1 Desktop-as-a-Service (DaaS) is a virtual desktop environment provided by companies for users to connect to and use remotely.

*2 A Virtual Private Network (VPN) is technology to expand a private network by configuring a virtual tunnel between users who connect over the Internet, etc.

Systems for Protecting the Privacy of Customers (Protection of Personal Information)

Sumitomo Forestry has formulated internal rules to safeguard the personal information of customers, such as the Personal Information Protection Policy and the Personal Information Protection Regulations. In addition, the executive officer responsible for general administration is designated as the chief executive in charge of protection of personal information, the head of each department is assigned as the supervisor and an information security officer is placed in each department. In these ways, the Company has established a protection system that extends from the Head Office through to each office.

The Company has also established a help desk within the Customer Service Department for inquiries regarding the handling of personal information. In addition, collective training is provided for the head and general administration representative of each organization. E-learning is provided for all other employees and efforts are made to increase awareness among subcontractors in order to prevent personal information leaks. It is also mandatory for employees at Group companies to undergo e-learning training.


Systems for Managing Information Security

The executive officer and general manager of the IT Solutions Department, who has specialized knowledge and experience, is responsible, under the supervision of the executive vice president and executive officer in charge of IT solutions, for promoting information security measures for the Sumitomo Forestry Group, such as the formulation and management of rules and regulations, the proposal and implementation of technical measures, the education and training of employees, and the investigation of accidents and implementation of countermeasures. The IT Strategy Committee, composed of directors and divisional managers, meets regularly on the progress of information security measures, receives reports and gives instructions on measures.

The person responsible as the information security supervisor in each department provides guidance and management for the execution of that department's operations and assigns an information security officer as the working-level manager for the department's information security.

Furthermore, the Group also holds regular meetings of the Affiliated Companies IT Managers Council, which is attended by the persons responsible for departments in charge of information systems at Group companies in Japan. The council raises awareness, ensures thorough compliance with the guidelines and promotes the introduction of security systems.

The Risk Management Committee, for which all executive officers serve as standing members, stipulates as one of its items for priority management the risk of confidential information leaks due to an outside attack. The committee shares information and discusses ways to prevent and reduce the impact of such leaks at committee meetings held regularly every quarter. These activities are reported to the Board of Directors and a system to reflect this in business execution is put in place.

The BCM Subcommittee established under the Risk Management Committee conducts activities aimed at raising the efficacy of measures to mitigate Group-wide, IT-related business interruption risks.


Initiatives to Strengthen Information Security

With a growing number of incidents involving leaks of personal information, targeted email attacks and other threats to information security, the Sumitomo Forestry Group will continue to make investments in information security in fiscal 2021. We have been executing security diagnostics through simulated attack methods at least once a year on any system infrastructure with Internet access. In addition, a training program about targeted email attacks is implemented for all employees in Japan.

Through the Information Security Office at Sumitomo Forestry Information Systems, we are also enhancing our ability to respond to employee inquiries regarding cyberattacks and reinforcing training to raise employee awareness about security (external lectures and on-site education programs).


Sustainability Report