
Information Security Management


Policy on Information Security

Toshiba regards all information handled in the course of its business activities, such as customer information, management information, and technical and production information, as important assets. In view of this, Toshiba has a fundamental policy "to manage and protect such information assets properly, with top priority on compliance." The policy is stipulated in the chapter "Company Information and Company Assets" of the Standards of Conduct, and awareness of it is encouraged among managers and employees.

To respond to changes in applicable laws or the social environment, Toshiba constantly reviews its regulations concerning information security. In fiscal 2006, Toshiba conducted an across-the-board review and revision of its regulations concerning information security in order to strengthen information management throughout the Toshiba Group, in accordance with the revised Unfair Competition Prevention Act. In 2007, Toshiba established and revised regulations to emphasize the supervision of outside contractors.

Toshiba is now rolling out these activities to group companies in Japan and overseas. In fiscal 2008, in order to ensure thorough enforcement of the rules and regulations, we revised the guidelines.
For overseas group companies, Toshiba is preparing and implementing regulations that take local circumstances into account.

Information Security Management Framework

Addressing information security as a management priority, Toshiba Group maintains, under the supervision of the Chief Information Security Officer, an information security management structure in which the head of each organization (the head of each corporate staff division, the president of each in-house company, and the president of each group company) is responsible for information security.

The Chief Information Security Officer convenes meetings of the Corporate Information Security Committee to engage in deliberations necessary for reliable implementation of Group-wide information security. The head of the Information Security Center serves as the Secretariat of the Corporate Information Security Committee, assists the Chief Information Security Officer, and formulates and implements policies and measures to ensure that internal regulations related to information security are implemented smoothly, efficiently, and reliably.

The CRO (Chief Risk-Compliance Management Officer) and the heads of the Information Systems, Legal Affairs, Human Resources, Intellectual Property, and other concerned divisions serve as committee members and are responsible for the matters necessary for thorough implementation of information security in the business processes under their control.

The Corporate Information Security Committee meets periodically. In March 2009, it reviewed the implementation of the three-year plan formulated in fiscal 2006 and discussed the mid-term plan for the next three years and the action policies for fiscal 2009.

At the in-house companies, the company presidents serve as Information Security Management Executives, bearing full responsibility for information security at their respective companies. Each Information Security Management Executive appoints Information Security Implementation Managers who are responsible for operating the information security control system. The Information Security Management Executives provide guidance and assistance to the group companies under their control to ensure that they implement information security at a level equivalent to that of Toshiba.

[Chart: Toshiba Group Information Security Management Structure]

Information Security Checks and Audits

Toshiba, with its wide portfolio of businesses, considers the autonomous implementation of the PDCA (Plan-Do-Check-Action) cycle by each business or division to be vital for ensuring the company's information security. With this in view, every Toshiba division conducts an annual self-audit of compliance with internal rules and uses the results to formulate its own improvement plan.

The Toshiba Information Security Center monitors the results of these self-audits and the related improvement activities, provides guidance and assistance where necessary, and reports the status to the Chief Information Security Officer. In fiscal 2008, all divisions at Toshiba Corp. in Japan completed their self-audits by the end of January 2009 and are working to correct the non-conformities found.

In addition, these self-audits are applied throughout Toshiba Group worldwide. About 235 group companies in Japan and 192 companies overseas conducted the self-audit in fiscal 2008 to improve their level of information security.

Furthermore, business units that handle particularly important and confidential information have acquired ISMS (Information Security Management System) certification. As of May 2009, 28 companies, including Toshiba Corp., had acquired the certification.

Information Security Measures

Implementation of Information Security Measures from Four Perspectives

(1) Organizational measures: establish an organizational structure and rules.
  • Periodic reviews of information security-related regulations
  • Development and maintenance of systems
  • Implementation of audits, etc.

(2) Personal and legal measures: ensure adherence to rules.
  • Regulation of information protection duties, and disciplinary measures for breach of those duties, in the rules of employment
  • Provision of periodic employee education and training
  • Contractor information security evaluation and conclusion of confidentiality agreements, etc.

(3) Physical measures: support implementation of rules in terms of physical security.
  • Facility access control, room/facility entry control
  • Locking away of highly important information
  • Carry-in/carry-out control of information devices, etc.

(4) Technical measures: support implementation of rules in terms of technology.
  • Virus protection and application of security patches
  • Encryption of information
  • Appropriate management of network firewalls, etc.

The Information Security Center incorporates these measures into regulations and guidelines, communicates them throughout Toshiba, provides briefings at company-wide meetings every half year, and makes them accessible through a company-wide information sharing database. The center is also undertaking similar implementation at group companies.

Information Security Education

To ensure strict compliance with internal regulations, Toshiba provides annual education on information security and protection of personal data to all executives, employees, and temporary staff. In fiscal 2008, nearly 160,000 employees of Toshiba Group, including 30,000 Toshiba Corp. employees, received this education through e-learning or other educational programs.

In addition to this periodic education, Toshiba provides specialized information security courses, an IT version and a Management version, to staff involved in security implementation. In fiscal 2008, 370 such staff received this education. Introductory education on information security is also provided to newly hired employees, and in fiscal 2008 all new employees received an orientation on information security.
