Information Security Policy
In order to ensure the confidentiality, integrity and availability of its information systems, the Sumitomo Forestry Group is raising the security level of its systems through the enhancement of both the operational rules and technology aspects of information security. Recognizing that the protection of customer information is of particular and utmost importance, the Group continues to conduct employee training to ensure dissemination of the rules and verifies their level of awareness.
Development of Security Operations System
In terms of operational rules, we have formulated the Sumitomo Forestry Group Information Asset Protection Guidelines for all Group companies in Japan and, at the same time, created a checklist based on these guidelines. The person responsible for the department in charge of information systems at each Group company conducts checks of the information security level every year. Moreover, we developed guidelines of the same level for overseas Group companies.
Increasing Employee Knowledge of Security
All employees of the Group, including temporary employees and part-time employees, are required to take information security training every year through the intranet. Successful completion of the course is contingent upon passing a test to measure the effectiveness of the course.
Furthermore, in FY2023, we will conduct information security audits in collaboration with the Internal Audit Department in order to investigate on-site compliance with the guidelines and strengthen security measures.
Strengthening Security Measures
For the technology aspects of information security, the Group has introduced encrypted computer start-ups and data export restrictions on computers that are taken outside the Company.
We responded to the dramatic increase in security risks brought on by the promotion of the telework system during the coronavirus disease (COVID-19) pandemic. Sumitomo Forestry enhanced a VPN*1 environment employing strong security measures, which was expanded to all of its Group companies. Additionally, in FY2023, we will develop a support system for overseas Group companies in an effort to speed up the execution of measures for strengthening security following the guidelines.
Sumitomo Forestry had no information leaks, cyberattacks or other such issues in fiscal 2022.
*1 A Virtual Private Network (VPN) is technology to expand a private network by configuring a virtual tunnel between users who connect over the Internet, etc.
Systems for Protecting the Privacy of Customers (Protection of Personal Information)
Sumitomo Forestry has formulated internal rules to safeguard the personal information of customers, such as the Personal Information Protection Policy and the Personal Information Protection Regulations. In addition, the executive officer responsible for general administration is designated as the chief executive in charge of protection of personal information, the head of each department is assigned as the supervisor and an information security officer is placed in each department. In these ways, the Company has established a protection system that extends from the Head Office through to each office.
The Company has also established a help desk within the Customer Service Department for inquiries regarding the handling of personal information. In addition, collective training is provided for the head and general administration representative of each organization. E-learning is provided for all other employees and efforts are made to increase awareness among subcontractors in order to prevent personal information leaks. It is also mandatory for employees at Group companies to undergo e-learning training.
Systems for Managing Information Security
Management System at the Executive Management Level
The general manager of the IT Solutions Department, under the supervision of the executive vice president and executive officer in charge of IT solutions, is responsible for promoting information security measures for the Sumitomo Forestry Group, such as the formulation and management of rules and regulations, the proposal and implementation of technical measures, the education and training of employees, and the investigation of accidents and implementation of countermeasures. The IT Strategy Committee, comprised of directors and divisional managers who meet regularly on the progress of information security measures, receives reports and gives instructions on measures. Social trends in information security and the status of implementation of the Sumitomo Forestry Group's measures are periodically reported to the IT Strategy Committee, in which the President, the officer in charge of the Administrative Division, and the General Manager of each Business Division participate, and instructions on measures are given.
Management System On-site
The person responsible as the information security supervisor in each department provides guidance and management for the execution of that department's operations and assigns an information security officer as the working-level manager for the department's information security.
Furthermore, the Group also holds regular meetings of the Affiliated Companies IT Managers Council, which is attended by the persons responsible for departments in charge of information systems at Group companies in Japan. The council raises awareness, ensures thorough compliance with the guidelines and promotes the introduction of security systems.
The Risk Management Committee, for which all executive officers serve as standing members, stipulates as one of its items for priority management the risk of confidential information leaks due to an outside attack. The committee shares information and discusses ways to prevent and reduce the impact of such leaks at committee meetings held regularly every quarter. These activities are reported to the Board of Directors and a system to reflect this in business execution is put in place.
The BCM Subcommittee established under the Risk Management Committee conducts activities aimed at raising the efficacy of measures to mitigate Group-wide, IT-related business interruption risks.
Dalian Sumirin Information Technology Service (ITS) Co., Ltd., which provides housing CAD design both inside and outside the Sumitomo Forestry Group, system operation, back-office services, and other BPO services, has acquired ISO27001 certification for its information security management system.
Initiatives to Strengthen Information Security
With a growing number of incidents involving leaks of personal information, targeted email attacks and other threats to information security, Sumitomo Forestry Group will continue to make investments in information security in fiscal 2023, including endpoint security enhancement. We have been executing security diagnostics through simulated attack methods at least once a year on any system infrastructure with Internet access. In addition, a training program about targeted email attacks is implemented for all employees in Japan.
Establishment of CSIRT
Sumitomo Forestry established a CSIRT*1 in October 2022 to conduct monitoring for the prevention of security incidents and to have an organization in place to implement an appropriate response in case of an incident.
In addition, we conducted practical training on response scenarios in case of a security incident.
*1 Abbreviation for Computer Security Incident Response Team. A dedicated team that addresses incidents considered to pose security threats.
Promotion of DX
The Sumitomo Forestry Group is promoting digital transformation in four quadrants: digitalization of business, digitalization of organizations and work styles, digitalization of customer relationships, and digitalization of society and economy.
Digitalization of business
We will continue to rationalize housing construction through CAD and digitalization of construction methods.
Digitalization of organization and working methods
We are promoting automation of simple operations such as slip input using technologies such as RPA*1 and AI-OCR*2.
Digitalization of customer relations
We will promote digital marketing by providing appropriate information and approaches to customers through integrated management of customer information in each business of the Sumitomo Forestry Group.
Digitalization of society and economy
We will promote the spread of structural calculation services provided by Home Express Structural Design, which started business in 2021.
*1 Abbreviation for Robotic Process Automation. Technology to automate PC operations using software robots.
*2 Abbreviation for Artificial Intelligence-Optical Character Recognition (OCR). A technology that combines conventional OCR technology with AI to find rules based on learned content and recognize characters.