Information Systems Security Policy

The Daicel Group has established an Information Systems Security Policy as a master guideline for information security.

Article 1 (Principles and Purpose)
All employees of the Daicel Group will seek to maintain information system security in accordance with the Information Systems Security Policy and related regulations.
Article 2 (Rules)
Information system assets are defined as all information system equipment, facilities, software, and information under the management of the Daicel Group. Employees of the Daicel Group will comply with the following rules.
  • Exercise appropriate management to prevent damage, theft, information leakage, and tampering with regard to information system assets.
  • Maintain public trust in the Daicel Group by using information system assets appropriately.
  • Ensure the smooth execution of operations by using information system assets appropriately.
  • Avoid causing damage both inside and outside the Daicel Group as a result of inappropriate use of information system assets, information leakage, or tampering.

Revised July 6, 2022

System for Maintaining Information Security and Responding to Security Incidents

To ensure compliance with our Information Systems Security Policy, Daicel has established a system for maintaining information security and responding to security incidents. The Executive Officer responsible for the Information Systems Departments serves as the overall supervisor and the head of the Information Systems Departments serves as the company-wide information security supervisor. A supervisor or person in charge of security is also appointed in every Daicel department and at each Group company.
An information security control team has been set up in the Information System Department to execute tasks such as managing normal information security operations and providing direct instructions and support to the departments and system administrators faced with security incidents.
In the event of a cyber incident, we will promptly set up a response headquarters and organize a Computer Security Incident Response Team (CSIRT) in accordance with the response manual. At the same time, we will carry out "temporary recovery" and "main recovery" work: isolation to prevent the spread of virus infections, assessment of the current situation to grasp the state and extent of the damage, formulation of recovery policies, and investigation and eradication, with investigations and responses conducted according to the state of the damage and in accordance with the response policy.

Information System User Rules have been established that stipulate the information security rules to be observed when using systems. To maintain information security across all IT asset owners and users of information systems, the information security rules and the contact points to be used in the event of system anomalies have been compiled in a handbook that is distributed to all employees, and the consequences of rule violations are described in the Disciplinary Action Policy.
In addition, for overall information management matters not limited to the use of information systems, we strive for proper management and handling of all information in accordance with the Document Management Regulations, Information Management Regulations, Confidential Information Management Regulations, Personal Information Protection Regulations, and Specifically Designated Personal Information Handling Regulations.
The status of information system security operations of each division and each Daicel Group company is confirmed through the internal audit conducted every fiscal year, and the results are reported from the Auditing Office to the Board of Directors and the Audit & Supervisory Board.

Information Management

Countermeasure Policies Regarding Information Security

As we manage more information system assets, including enhancements to the teleworking environment for realizing diverse work styles and the introduction of AI and IoT technologies for raising productivity, we face an increasing number of sophisticated cyberattacks and other factors that may cause information security incidents. Amid continuously changing internal and external circumstances, Daicel is implementing the following measures to maintain compliance with the rules laid out in our Basic Policies, drawing on information from public external organizations and cooperation from security companies.

  • Prevention, detection, and recovery of incidents
  • Revision based on the CAPD cycle*

*Instead of a Plan, Do, Check, and Act (PDCA) cycle, the most widely known approach to continuous improvement, Daicel has adopted a CAPD improvement cycle to avoid the risk of overlooking crucial facts and realities that often lie hidden in the initial planning stage.

Prevention, Detection, and the Recovery of Incidents

In parallel with measures for preventing incidents, the Daicel Group has implemented ordinary and emergency measures to minimize damage by providing speedy detection and recovery of incidents, based on the philosophy that it is impossible to prevent them completely. We have established a response system to anticipate the occurrence of cybersecurity incidents, have prepared response manuals, and regularly conduct incident response drills. In FY2025/3, we conducted two incident response drills with security companies and internal stakeholders, and will also conduct them in FY2026/3. In addition, we will fully implement vulnerability detection tools to check for vulnerabilities in each information system and begin operation in FY2026/3. We are also taking gradual steps to implement measures in response to changes in communication channels and methods of information sharing, such as direct access to cloud services from home and other remote workplaces.

Prevention and Detection of Problems and Recovery of Operations

Stage: Prevention
  • Implement a zero trust network
  • Install firewalls to separate mutual access points between office networks, control networks, and external networks
  • Reject unauthorized communications and illegal communications that have been identified
  • Improve our multifactor authentication for system logins
  • Prevent access from unauthorized devices
  • Apply the latest OS and software versions
  • Enhance management of system privileged IDs
  • Strengthen attack surface management (ASM)
  • Prevent information leakage caused by the loss of devices that are taken outside the Company
  • Obtain information from relevant institutions
  • Provide information to employees and periodically conduct education and training (drills designed to respond to targeted attacks and other training)

Stage: Detection
  • Use EDR* software and 24/7 monitoring and error reporting of unauthorized communications via special vendors
  • Implement long-term storage of logs of critical systems and automatically detect anomalies
  • Establish contact points to address anomalies, loss of devices, and other emergencies

Stage: Recovery
  • Respond in accordance with the system for maintaining information security and responding to security incidents
  • Regularly back up critical servers and communications equipment
  • Contract with a specialized vendor to receive support for incident responses

*EDR: Endpoint Detection and Response

As in our response to information security incidents, we respond to natural disasters that may cause large-scale system suspensions by designating recovery targets for each system in accordance with its relative importance, and we take action to achieve those targets. These measures include not only reviewing the location and facilities of contracted data centers, but also consolidating servers into data centers with high disaster preparedness levels, as well as system design efforts such as replication and operational design.

Revision Based on the CAPD Cycle

To prevent any loss in the effectiveness of measures due to outdated content and inappropriate operation, we regularly undergo internal and external checks and incorporate the resulting instructions and issues when planning and implementing the measures.

CAPD Cycle

*CSIRT: Computer Security Incident Response Team

Status of Compliance with the Information Systems Security Policy

In FY2025/3, there were no information or cyber security violations of regulations by Daicel Group employees, including violations that would impact the Group’s business. In June 2024, a cyber security incident occurred at one of our overseas Group companies. There was no impact on business activities, despite some damage being sustained. We are continuously working on preventing recurrence and strengthening information security with the cooperation of external specialized organizations.

Information Management

The Ethical Standards of Daicel Group stipulate that we will "commit to the safeguarding of our company's and third parties' confidential information, including personal data, by maintaining an effective information security system." In accordance with these standards, we have formulated Information Management Regulations and other rules that stipulate the basic handling of information, and we manage information properly and appropriately.

In addition to the details of the duties of officers and employees for information management, these regulations stipulate that the heads of SBUs, corporate divisions, plants, and sites must establish and maintain the information management system of their respective areas as the person responsible for information management.

We have established the Confidential Information Management Regulations for the purpose of maintaining the confidentiality of confidential information and managing it properly and appropriately while preventing leakage. These regulations define the basic handling of the confidential information in our business activities, including technical, operational, management, and personal information held by us, and are administered by each department under the person responsible for information management. Furthermore, we have separately established the Personal Information Protection Regulations and Specific Personal Information, etc. Handling Regulations, and operate them appropriately in the same manner as other regulations.