CSR Activity Report (CSR Guideline Activity Reports) - Risk Management
Addressing Information Security Risks
Addressing Information Security Risks
Toray Group has formulated its Confidential Information Management Regulations and Regulations for the Management of Personal Information for the purpose of protecting confidential information and personal information owned by the Group and of appropriately managing the confidential information and personal information entrusted by suppliers and stored by the Group.
Based on these regulations, Toray Industries, Inc. established the position of Corporate Information Security Officer (held by the Senior Vice President, General Administration & Communications Division1) as the officer responsible for the Toray Industries. The Corporate Information Security Officer discusses and coordinates measures related to enhancing information security with related departments, and promotes their deployment. Under the Corporate Information Security Officer, the Group is working to enhance information security by defining the roles and responsibilities of each division and department, and by establishing an Information Security Committee in each department for their promotion.
The Toray Group Information Security Basic Policy was established in April 2022. While strengthening governance, its purpose is to ensure appropriate management of confidential information across Toray Group in order to reduce information security risks such as data leaks.
As is the case at Toray Industries, each group company in and outside Japan also establishes various rules and promotes information security measures in accordance with the Toray Group Information Security Basic Policy.
Moreover, information security has been included in the fifth three-year set of priority risks for Toray Group (fiscal 2021–2023), and more comprehensive initiatives will be taken group-wide. Plans for addressing priority risks and progress reports on steps taken are reported to the Board of Directors on a regular basis.
- 1 As of July 2022, a senior vice president serves as general manager of the General Administration & Communications Division.
Toray Group Information Security Basic Policy:Established in April 2022
Toray Group prioritizes information security as an important management issue. In order to fulfill the Group's social responsibility, all officers and employees (including contract, part-time, and dispatched employees) take thorough measures based on the Information Security Basic Policy.
- Ethics and compliance
We will prohibit ourselves from collecting, moving or using any information assets illegally in violation of the regulation or law where Toray group engages their duties.
- Development and operation of systems and rules
In order to promote information security measures and to respond promptly to information leaks, we have established an information security system. We will establish a system and rules for security and apply them appropriately.
- Protection of information
We will protect the information of our customers and the Toray group companies in accordance with the significance of risk. From the perspective of the protection of personal information, we will protect the personal information of our employees, customers, and Toray group companies from being used for any purpose other than its original intent.
- Availability of information assets in support of business continuity
We will secure the availability of information assets necessary to pursue and fulfill our social responsibility.
- Continuous Improvement and Maintenance of Information Security
We will continuously improve the information security management system by prioritizing identified issues, by continuously conducting risk analysis of emerging threats, changes to the business, and or the evolution of information technology.
Combating Cyber Attacks
Toray Group is taking the following initiatives to respond to today’s increasingly sophisticated cyberattacks.
- Thoroughly implementing and enhancing existing initiatives
Standardizing and automating the settings and security measures of PCs owned by the Group
- Enhancing network security
- (1) Constant monitoring and analysis of communications between the outside (Internet) and the corporate network, and within the corporate network
- (2) Periodic external expert vulnerability assessments of connections with the outside (Internet) and reviews of appropriate responses
- Enhancing education and training
Because IT measures alone may not be sufficient to address today’s increasingly sophisticated cyberattacks, the Group also conducts education through regular e-learning (once a year) and several unannounced rounds of suspicious e-mail response training for all employees.
Prevent Employees from Leaking Confidential Information
In addition to providing information security education for all employees on an annual basis, Toray Group conducts grade-specific training for employees, including new employees and newly appointed managers, in aims of improving security awareness and skill-levels. At the same time, an e-mail magazine is sent out regularly and a series on information security is carried in an in-house magazine to encourage the improvement of information security literacy among all employees.
Before removing a computer or smartphone from an office, for example, employees must receive permission from a manager. In addition, the actual device must be inspected monthly, and an inventory of assets is taken once every six months. Moreover, the Group has established approaches to dealing with the loss of such devices and other similar incidents, and has built channels for reporting and other mechanisms to minimize damage thereof.
Click here for the main initiatives for CSR Guideline 5, “Risk Management” in CSR Roadmap 2022.