Goals and Achievements of Major Initiatives
Establish a global information security framework.
|Goals for fiscal year 2021||Reinforce the security infrastructure and set or update various standards in preparation for the full-scale transition to a cloud-based information system.|
|Achievements in fiscal year 2021||
|Goals for fiscal year 2022||In light of the results of the information security risk assessment, formulate and implement security measures, BCPs and emergency response drills appropriate for a cloud-based information system.|
- Evaluations are based on self-evaluations of current progress.
Key: ★★★ = Excellent; ★★ = Satisfactory; ★ = Still needs work
Basic Approach to Information Security
The DIC Group has positioned information security as a key management priority and established a Basic Policy on Information Security, which is founded on its recognition that protecting information assets that belong to or are managed by the Group is essential to its ability to conduct business. In line with this policy, DIC has formulated and implemented confidential information management regulations and information management guidelines. The DIC Group works to ensure that directors and employees use the Group’s information assets appropriately in the course of business and appropriately handle confidential information. The Group also pursues continuous improvements by conducting internal audits to confirm current issues and identify risks.
Globally Maintaining and Enhancing Information Security
The DIC Group’s approach to information security management rests on four pillars: regulations and guidelines, management framework, infrastructure, and employee education and training. In response to increasingly diverse cyber threats, the Group currently plans to deploy measures implemented in Japan to reinforce information security by enhancing its intranet security infrastructure and updating endpoint security systems in key overseas markets (the Asia–Pacific region, the PRC, Taiwan and the ROK).
Regulations and Guidelines
In line with its Basic Policy on Information Security, the DIC Group updates its confidential information management regulations, which stipulate the scope of management and related standards, rules and responsibilities, as well as its information management guidelines, which outline implementation procedures, on a regular basis and as required to ensure its ability to address new security risks in a timely manner.
The Group also creates new and revises existing rules as appropriate in response to the increasing prevalence of digital technologies and the shift to cloud-based computing. In fiscal year 2021, in response to widespread moves to discontinue the practice of sending password-protected encrypted attachments in an email and then sending a password to unzip the file in a second email (dubbed “PPAP”*), a security measure previously popular with Japanese companies, the Group revised related measures and corresponding guidelines. Enforcement of the new measures and guidelines commenced in January 2022.
* PPAP is an acronym for “Password-protected file,” “Password,” “Angoka” (“encryption” in Japanese) and “Protocol.” Japanese companies have been encouraged to discontinue the practice for security reasons.
The Information Security Committee, which is led by the chief information officer (CIO), meets regularly (twice annually) as part of a system to facilitate the timely update of rules and guidelines to accommodate new technologies and risks, and to ensure changes are communicated effectively across the DIC Group. The committee formulates annual targets and initiatives for strengthening information security with the approval of the Sustainability Committee and manages the progress of related efforts. The Group is currently exploring the idea of establishing a system for ensuring information security for the entire global DIC Group, including Sun Chemical.
Against a backdrop of increasingly active and sophisticated cyber attacks, including ransomware and targeted threats, the DIC Group is working to respond to rapid changes in working environments attributable to work style reforms, including the expansion of remote work and the increased use of cloud-based services. In fiscal year 2021, the Group contracted a third-party organization to conduct a risk assessment to evaluate the effectiveness and comprehensiveness of its information security measures from a multifaceted perspective. Based on the results of this assessment, the Group will formulate a road map for information security with the aim of responding flexibly and appropriately to emerging cyber risks, thereby permanently reducing risks to its businesses and management.
Employee Education and Training
The DIC Group offers an information security e-learning program to employees in Japan, the Asia–Pacific region, and the Americas and Europe, in which 90% of eligible employees take part. The Group also provides training dealing with targeted email attacks to increase employees’ awareness of security. In response to the post-pandemic “new normal,” the Group is currently formulating guidelines that accommodate various work styles, which it will work to disseminate to employees worldwide.