Information Security

Basic Policies

The Daicel Group has established an Information Systems Security Policy as a master guideline for information security.

Article 1 (Principles and Purpose)
All employees of the Daicel Group will seek to maintain information system security in accordance with the Information Systems Security Policy and related regulations.
Article 2 (Rules)
Employees of the Daicel Group will comply with the following rules.
Information system assets are defined as all information system equipment, facilities, software, and information under the management of the Daicel Group.
  • Exercise appropriate management to prevent damage, theft, information leakage, and tampering with regard to information system assets.
  • Maintain public trust in the Daicel Group by using information system assets appropriately.
  • Ensure the smooth execution of operations by using information system assets appropriately.
  • Avoid causing damage both inside and outside the Daicel Group as a result of inappropriate use of information system assets, information leakage, or tampering.

Revised March 12, 2014

System for Maintaining Information Security and Responding to Security Incidents

To ensure compliance with our Information Systems Security Policy, Daicel has established a system for maintaining information security and responding to security incidents by appointing a supervisor or person in charge in every Daicel department and Group company under the chief information security officer (CISO).
An information security control team has been set up in the Information System Department to carry out tasks such as managing day-to-day information security operations and providing direct instructions and support to departments and IT asset owners facing security incidents.

Information System User Rules have been established that stipulate information security rules to be observed when using systems. In an effort to maintain information security by all IT asset owners and users of information systems, the rules on information security and contact points to be applied in the event of system anomalies have been compiled in a handbook that is distributed to all employees, and the consequences for rule violations have been described in the Disciplinary Action Policy.
For overall information management matters not limited to the use of information systems, proper management is conducted according to the Information Management Regulations and Confidential Information Management Regulations.

Countermeasure Policies

As we manage more information system assets, including enhancements to the teleworking environment for realizing diverse work styles and the introduction of AI and IoT technologies for raising productivity, we face an increasing number of sophisticated cyberattacks and other such factors that may cause information security incidents. Daicel is implementing the following measures to maintain the status of compliance with the rules laid out in our Basic Policies amid continuously changing internal and external circumstances.

  • Prevention, detection, and recovery of incidents
  • Revision based on the CAPD cycle*

*Instead of a Plan, Do, Check, and Act (PDCA) cycle, the most widely known approach to continuous improvement, Daicel has adopted a CAPD improvement cycle to avoid the risk of overlooking crucial facts and realities that often lie hidden in the initial planning stage.

Prevention, Detection, and the Recovery of Incidents

In parallel with measures for preventing incidents, we also seek to minimize damage through rapid detection of and recovery from incidents, based on the philosophy of defense in depth. We are also taking gradual steps to implement measures in response to changes in communication channels and methods of information sharing, such as direct access to cloud services from home and other remote workplaces.

Prevention and Detection of Problems and Recovery of Operations

Stage / Main Measures

Prevention
  • Install firewalls to separate the access points between office networks, control networks, and external networks
  • Block communications identified as unauthorized or malicious
  • Strengthen multifactor authentication for system logins
  • Prevent work from being performed on private devices or through unauthorized cloud services
  • Prevent information leakage caused by the loss of devices taken outside the Company
  • Obtain information from relevant institutions
  • Provide information to employees and periodically conduct education and training (including drills for responding to targeted attacks)
Detection
  • Use EDR (Endpoint Detection and Response) software, with 24/7 monitoring and reporting of unauthorized communications by specialized vendors
  • Retain logs of critical systems for the long term and automatically detect anomalies in them
  • Establish contact points for reporting anomalies, lost devices, and other emergencies
Recovery
  • Respond in accordance with the system for maintaining information security
  • Regularly back up critical servers
  • Contract with a specialized vendor for incident response support

As with our response to information security incidents, we respond to natural disasters that may cause large-scale system outages by designating recovery targets for each system according to its relative importance, and we take action to achieve those targets. These measures include reviewing the location and facilities of contracted data centers as well as system-design efforts such as replication and operational design.

Revision Based on the CAPD Cycle*

To prevent any loss in the effectiveness of measures due to outdated content and inappropriate operation, we regularly undergo internal and external checks and incorporate the resulting instructions and issues when planning and implementing the measures.

Figure: CAPD Cycle
*CSIRT: Computer Security Incident Response Team

Status of Compliance with the Basic Policies

In FY2023/3, there were no violations of information or cyber security regulations by Daicel Group employees, including violations that would impact the Group’s business.