Information Security Policy

In order to ensure the confidentiality, integrity and availability of its information systems, the Sumitomo Forestry Group is raising the security level of its systems through the enhancement of both the operational rules and technology aspects of information security.

Recognizing that the protection of customer information is of particular and utmost importance, the Group continues to conduct employee training to ensure dissemination of the rules and to verify employees' level of awareness.

In terms of operational rules, we have formulated the Sumitomo Forestry Group Information Asset Protection Guidelines for all Group companies in Japan and, at the same time, created a checklist based on these guidelines.

The person responsible for the department in charge of information systems at each Group company conducts checks of the information security level every year. In 2012, the Group also formulated guidelines for Group companies outside of Japan.

For education on information security, Sumitomo Forestry has made it compulsory for all Group employees with access to its intranet, including temporary and part-time employees, to take an e-learning course on an annual basis.

For the technology aspects of information security, the Group has introduced encrypted computer start-ups and data export restrictions on computers that are taken outside the Company.

Systems for Protecting the Privacy of Customers
(Protection of Personal Information)

Sumitomo Forestry has formulated internal rules to safeguard the personal information of customers, such as the Personal Information Protection Policy and the Personal Information Protection Regulations. In addition, the executive officer responsible for general administration is designated as the chief executive in charge of protection of personal information, the head of each department is assigned as the supervisor and an information security officer is placed in each department. In these ways, the Company has established a protection system that extends from the Head Office through to each office.

The Company has also established a help desk within the Customer Service Department for inquiries regarding the handling of personal information. In addition, collective training is provided for the head and general administration representative of each organization. E-learning is provided for all other employees and efforts are made to increase awareness among subcontractors in order to prevent personal information leaks. It is also mandatory for employees at Group companies to undergo e-learning training.

Systems for Managing Information Security

The executive officer and general manager of the IT Solutions Department, who has specialized knowledge and experience, is responsible, under the supervision of the executive vice president and executive officer in charge of IT solutions, for promoting information security measures for the Sumitomo Forestry Group, such as the formulation and management of rules and regulations, the proposal and implementation of technical measures, the education and training of employees, and the investigation of accidents and implementation of countermeasures.

The person responsible as the information security supervisor in each department provides guidance and management for the execution of that department's operations and assigns an information security officer as the working-level manager for the department's information security.

Furthermore, the Group also holds regular meetings of the Affiliated Companies IT Managers Council, which is attended by the persons responsible for departments in charge of information systems at Group companies in Japan. The council checks the content of the guidelines and promotes the introduction of security systems.

The Risk Management Committee, for which all executive officers serve as standing members, stipulates the risk of confidential information leaks due to an outside attack as one of its items for priority management. The committee shares information and discusses ways to prevent and reduce the impact of such leaks at committee meetings held regularly every quarter. These activities are reported to the Board of Directors, and a system is in place to reflect them in business execution.

The BCM Subcommittee, established under the Risk Management Committee, conducts activities aimed at raising the efficacy of measures to mitigate Group-wide, IT-related business interruption risks.

Initiatives to Strengthen Information Security

With a growing number of incidents involving leaks of personal information, targeted email attacks and other threats to information security, the Sumitomo Forestry Group continued to make investments in information security in fiscal 2019 to strengthen security by building a multi-layer defense system. In addition, a training program about targeted email attacks was implemented for all employees in Japan.

Through the Information Security Office at Sumitomo Forestry Information Systems Co., we are also enhancing our ability to respond to employee inquiries regarding cyberattacks and reinforcing security training programs for employees.

Sustainability Report