Sustainability / Governance Information Security / Information Management

Information Systems Security Policy

The Daicel Group has established an Information Systems Security Policy as a master guideline for information security.

Article 1 (Principles and Purpose)
All employees of the Daicel Group will seek to maintain information system security in accordance with the Information Systems Security Policy and related regulations.
Article 2 (Rules)
Employees of the Daicel Group will comply with the following rules.
Information system assets are defined as all information system equipment, facilities, software, and information under the management of the Daicel Group.
  • Exercise appropriate management to prevent damage, theft, information leakage, and tampering with regard to information system assets.
  • Maintain public trust in the Daicel Group by using information system assets appropriately.
  • Ensure the smooth execution of operations by using information system assets appropriately.
  • Avoid causing damage both inside and outside the Daicel Group as a result of inappropriate use of information system assets, information leakage, or tampering.

Revised July 6, 2022

System for Maintaining Information Security and Responding to Security Incidents

To ensure compliance with our Information Systems Security Policy, Daicel has established a system for maintaining information security and responding to security incidents by appointing a supervisor or person in charge in every Daicel department and Group company under the chief information security officer (CISO).
An information security control team has been set up in the Information System Department to execute tasks such as managing normal information security operations and direct instructions/supports to the departments and IT asset owner faced with security incidents.
In the event of a cyber incident, we will promptly set up a response headquarters and organize a Computer Security Incident Response Team (CSIRT) in accordance with the response manual. At the same time, we will carry out the work of “temporary recovery” and “main recovery” through isolation to prevent the spread of virus infections, understanding the current situation to grasp the state and extent of the damage, formulation of policies for recovery, and investigation and eradication to conduct investigations and responses according to the state of the damage in accordance with the response policy.

System for Maintaining Information Security and Responding to Security Incidents

System for Maintaining Information Security and Responding to Security Incidents

Information System User Rules have been established that stipulate information security rules to be observed when using systems. In an effort to maintain information security by all IT asset owners and users of information systems, the rules on information security and contact points to be applied in the event of system anomalies have been compiled in a handbook that is distributed to all employees, and the consequences for rule violations have been described in the Disciplinary Action Policy.
For overall information management matters not limited to the use of information systems, proper management is conducted according to the Information Management Regulations and Confidential Information Management Regulations.
The status of information system security operations of each division and each Daicel Group company is confirmed through the internal audit conducted every fiscal year, and the results are reported from the Auditing Office to the Board of Directors and the Audit & Supervisory Board.

Information Management

Countermeasure Policies Regarding Information Security

As we manage more information system assets, including enhancements to the teleworking environment for realizing diverse work styles and the introduction of AI and IoT technologies for raising productivity, we face an increasing number of sophisticated cyberattacks and other such factors that may cause information security incidents. Daicel is implementing the following measures to maintain the status of compliance with the rules laid out in our Basic Policies amid continuously changing internal and external circumstances.

  • Prevention, detection, and recovery of incidents
  • Revision based on the CAPD cycle*

*Instead of a Plan, Do, Check, and Act (PDCA) cycle, the most widely known approach to continuous improvement, Daicel has adopted a CAPD improvement cycle to avoid the risk of overlooking crucial facts and realities that often lie hidden in the initial planning stage.

Prevention, Detection, and the Recovery of Incidents

In parallel with measures for preventing incidents, the Daicel Group has implemented measures to minimize damage by providing speedy detection and recovery of incidents, based on the philosophy that it is impossible to prevent them completely. We have established a response system to anticipate the occurrence of cybersecurity incidents, have prepared response manuals, and regularly conduct incident response drills. In FY2024/3, we conducted two incident response drills with security companies and internal stakeholders, and will also conduct them in FY2025/3. We also began using vulnerability detection tools for evaluation to check for vulnerabilities in each information system in FY2024/3. In FY2024/3, this was carried out in conjunction with tool selection assessment. We are also taking gradual steps to implement measures in response to changes in communication channels and methods of information sharing, such as direct access to the cloud services from home and other remote workplaces.

Prevention and Detection of Problems and Recovery of Operations

Scroll left or right

Stage Main Measures
Prevention
  • Install firewalls to separate mutual access points between office networks, control networks, and external networks
  • Reject unauthorized communications and illegal communications that have been identified
  • Measures to improve our multifactor authentication for system logins
  • Prevent operations via private devices and unauthorized cloud services
  • Prevent information leakage caused by the loss of devices that are taken outside the Company
  • Obtain information from relevant institutions
  • Provide information to employees and periodically conduct education and training (drills designed to respond to targeted attacks and other training)
Detection
  • EDR* software usage and 24/7 monitoring and error reporting of unauthorized communications via special vendors

    *Endpoint Detection and Response

  • Implement long-term storage of logs of critical systems and automatically detect anomalies
  • Establish contact points to address anomalies, loss of devices, and other emergencies
Recovery
  • Respond in accordance with the system for maintaining information security
  • Regularly back up critical servers
  • Contract with a specialized vendor to receive support for incident responses

As in our response to information security incidents, we respond to natural disasters that may cause large-scale system suspensions by designating recovery targets for each system in accordance with their relative importance, and we take action to achieve those targets. These measures include reviewing the location and facilities of contracted data centers as well as efforts based on system design such as replication and operational design.

Strengthening BCP Management for Areas Other than Information Systems

Revision Based on the CAPD Cycle*

To prevent any loss in the effectiveness of measures due to outdated content and inappropriate operation, we regularly undergo internal and external checks and incorporate the resulting instructions and issues when planning and implementing the measures.

*Instead of a Plan, Do, Check, and Act (PDCA) cycle, the most widely known approach to continuous improvement, Daicel has adopted a CAPD improvement cycle to avoid the risk of overlooking crucial facts and realities that often lie hidden in the initial planning stage.

CAPD Cycle

CAPD Cycle

*Computer Security Incident Response Team

Status of Compliance with the Information Systems Security Policy

In FY2024/3, there were no information or cyber security violations of regulations by Daicel Group employees, including violations that would impact the Group’s business. As a result of an investigation into the unauthorized access incident against our Group companies that occurred in July 2023, we confirmed there was no leakage of personal information or confidential information of customers or business partners to the outside.
With the cooperation of external specialized organizations, we are working to prevent recurrence and strengthen information security.

Information Management

The Ethical Standards of Daicel Group stipulates that we will “commit to the safeguarding of our company’s and third parties’ confidential information, including personal data, by maintaining an effective information security system.” In accordance with these standards, we have formulated Information Management Regulations that stipulate the basic handling of information, and we are managing information properly and appropriately.

In addition to the details of the duties of officers and employees for information management, these regulations stipulate that the heads of SBUs, corporate divisions, plants, and sites must establish and maintain the information management system of their respective areas as the person responsible for information management.

We have established the Confidential Information Management Regulations for the purpose of maintaining the confidentiality of confidential information and managing confidential information properly and appropriately while preventing leakage. These regulations define the basic handling of other confidential information in our business activities, including technical, operational, management, and personal information held by us, and are administered by each department under the person responsible for information management.