Information Security

Policies on Information Protection

ROHM Group has established an information security policy and confidential information management policy to ensure thorough management of confidential information and personal information of ROHM Group and stakeholders obtained in the course of business activities.

ROHM Group Information Security Policy

1. Compliance

ROHM Group complies with domestic and international laws, regulations, norms, and contractual obligations related to information security. In addition, ROHM Group shall establish internal regulations related to information security that comply with and conform to such laws, regulations, and contractual obligations, and shall ensure thorough compliance with such regulations.

2. Information Security Management System

ROHM Group recognizes that information security is one of the most important issues in management and business, and under the direction of top management, has established an information security management system to maintain and continually improve organizational, personnel, physical, and technical information security.

3. Protection of Information Assets

ROHM Group shall appropriately protect information assets from threats to the confidentiality, integrity, and availability of the information assets handled by ROHM Group, and shall take appropriate control measures.

4. Prevention of Accidents and Response When They Occur

ROHM Group shall strive to prevent information security incidents, and in the event of an incident, minimize the impact by promptly implementing appropriate initial responses, and investigate the cause of the incident to prevent recurrence.

5. Education and Training

ROHM Group will continuously educate and train its top management and employees on information security in order to raise their awareness of information security.

6. Ensuring Information Security throughout the Supply Chain

ROHM Group will maintain and improve information security throughout the entire supply chain, including suppliers and contractors.

ROHM Group Confidential Information Management Policy

ROHM Group (referred to as “We” or “ROHM Group”) recognizes that our information assets and the information assets entrusted to us by our stakeholders (collectively referred to as “Confidential Information”) are the important foundation for conducting our global business activities. We have the social responsibility to rigorously maintain and protect such Confidential Information as confidential.
We affirm that we will establish a management policy as follows and will appropriately manage and protect the Confidential Information.

1. When using and maintaining the Confidential Information, ROHM Group will comply with the laws, regulations, standards, contracts, and other ethical standards applicable to our business activities.
2. ROHM Group has established its own confidential information management system (referred to as “ROHM Group CIMS”) for the purpose of appropriately managing Confidential Information under the leadership of top management. ROHM Group will operate ROHM Group CIMS proactively and continuously.
3. To protect all Confidential Information, ROHM Group will implement appropriate management measures for the protection and proper control of Confidential Information. “Management measures” means organizational, human, technological and physical measures that are strictly enforced according to the confidentiality level of the applicable Confidential Information.
4. To increase the awareness of appropriate management, ROHM Group will provide continuous education and training programs for all persons (executives, employees, contract employees, partner company employees, etc.) who can access the Confidential Information.
5. ROHM Group will make best efforts to prevent the leakage of Confidential Information and any other incidents. If any incident should happen, we will immediately investigate the causes of the incident and take proper countermeasures to prevent its recurrence.
6. ROHM Group will conduct regular risk assessments and internal audits in order to examine the operation of ROHM Group CIMS and explore its continuous improvement.

Information Management System

ROHM Group has identified two key issues in Information Security Governance, Cyber Security, and IT Governance: the establishment of an information security system that enhances business continuity, and the development, provision, and utilization of IT tools that support the medium-term management plan. The Information Management Committee takes the lead in the operation of the information management system.
This committee is established as a subordinate organization of the EHSS General Committee*1, in which directors with executive authority and divisional managers participate, and is responsible for the appropriate management of information security risks, cyber security risks, and IT governance risks in ROHM Group.
The Chairman of the EHSS General Committee delegates the management of these risks to the member of the Board of Directors in charge of IT, who has deep knowledge of IT and provides guidance with a high degree of expertise.
The Information Management Committee is chaired by a corporate officer, and its subordinate organizations are the Confidential Information Management Committee, the ISMS*2 Committee, the Cyber Security Committee, the IT Promotion Committee, and the Digital Architecture Design Committee. Each committee formulates goals, implements measures, and conducts evaluations for its theme, and reports progress and results to the Information Management Committee on a regular basis. The EHSS General Committee evaluates and confirms that the PDCA cycle of the Information Management Committee is properly implemented, reports to and consults with the Board of Directors as necessary, and checks that a system is in place to maintain and improve the accuracy of the management system. The Board of Directors works in conjunction with the Sustainability Management Committee to discuss sustainability-related policies, directions, and long-term targets, incorporates the decisions made into the EHSS General Committee, and supervises whether activities are being carried out to achieve these targets.

ROHM Co., Ltd., ROHM Hamamatsu Co., Ltd., ROHM Wako Co., Ltd., ROHM Apollo Co., Ltd. and LAPIS Semiconductor Co., Ltd. have acquired ISO/IEC 27001 certification, an information security management system certification. The scope of registration includes planning, development, maintenance, and operation of internal information systems of ROHM Group companies and development, manufacturing, and sales of semiconductor and electronic components, etc. In addition to ISO/IEC 27001 certification, ROHM Co., Ltd., LAPIS Semiconductor Co., Ltd. and ROHM Semiconductor GmbH have obtained TISAX*3 certification, an information security assessment by the German Association of the Automotive Industry, because of the growing importance of information security in the automotive industry. (For the details of TISAX certification, please check the ENX portal.)

By continuously expanding the scope of operation and certification in addition to conventional internal and external audits and assessment, ROHM is promoting appropriate information management to prevent the leakage of important confidential business information and to eliminate unauthorized use of such information.

*1 EHSS General Committee: A committee composed of the executive officers of management that oversees the eight management systems (Risk Management/BCM, Supply Chain, Labor, Ethics, Health and Safety, Environment, Information, Quality) and ensures that the PDCA cycle for each is properly implemented.

*2 ISMS (Information Security Management System): A system or framework for managing information security in an organization, the standard for which is defined as "ISO/IEC 27001".

*3 TISAX (Trusted Information Security Assessment Exchange): A mechanism for suppliers to undergo information security audits by an external audit organization at the request of German automobile manufacturers and others, in order to assess the appropriate level of information security within the entire automobile supply chain.

Overall Governance Structure


Information Management System Promotion Structure

Key issue: Establishment of an information security system to enhance business continuity

Committee: Confidential Information Management Committee
Priority implementation item (FY2023): Establishment of a management system for the appropriate protection and use of confidential information
Targets for FY2023:
  • Deploy the Head Office's management structure to the four overseas affiliates
  • Conduct education and awareness-raising activities for employees not only at the Head Office and domestic locations in Japan, but also at overseas locations (all locations)
FY2023 results:
  • The Head Office's confidential information management system was deployed to seven overseas affiliates (Germany, the U.S., and Thailand), and the responsibility structure, internal regulations, and confidentiality pledges of each company were reorganized to raise the level of confidentiality management.
  • ROHM conducted education and awareness-raising activities widely among directors and employees at all locations of ROHM Group.
Priority implementation item (FY2024): Strengthen the confidential information management structure of the entire ROHM Group
Targets for FY2024:
  • Deploy the confidential information management system of the Head Office to seven affiliated companies in Greater China and Korea, and improve the level of confidentiality management by reorganizing the responsibility structure of each company and the content and operation of internal rules and confidentiality pledges.
  • Conduct wide-ranging education and awareness-raising activities for directors and employees at all locations of ROHM Group.
  • Conduct internal audits on the status of the confidential information management system and implement improvement activities to establish the PDCA cycle.

Committee: ISMS Committee
Priority implementation items (FY2023):
  • Expanded ISMS activities to four domestic plants
  • Obtained ISMS expansion certification, June 2024 (continued)
  • Obtained TISAX certification, July 2023
Target for FY2023: Conduct ISMS education and awareness activities at four domestic plants to raise them to a level that will enable them to obtain ISMS certification by March 2024. Evaluations will be conducted through internal audits.
FY2023 results:
  • ISMS activities were initiated at four domestic plants, and internal audits at the end of the fiscal year confirmed that the plants had achieved the level necessary to obtain ISMS certification.
  • Obtained TISAX certification.
Priority implementation item (FY2024): Strengthen the information security structure of the entire ROHM Group
Targets for FY2024:
  • Achieve zero major information security incidents
  • Halve the number of information security incidents compared to the previous year
  • Improve awareness of information security by deploying ISMS activities to the information system divisions of all ROHM Group locations

Committee: Cyber Security Promotion Committee
Priority implementation item (FY2023): Raise the level of cyber security measures for the entire Group and reduce the occurrence of major incidents to zero
Target for FY2023: Conduct internal audits of affiliates on the status of cyber security measures and establish a PDCA cycle.
FY2023 result: Internal audits of 15 Japanese and overseas affiliates identified areas of nonconformity and provided guidance on corrective action plans.
Priority implementation item (FY2024): Raise the level of cyber security measures for the entire Group and reduce the occurrence of major incidents to zero
Targets for FY2024:
  • Conduct internal audits of affiliated companies on the status of cyber security measures and establish a PDCA cycle.
  • Enhance vulnerability management and improve the cyber attack resistance of the entire Group.

Key issue: Development, provision and utilization of IT tools to support the mid-term management plan

Committee: IT Promotion Committee
Priority implementation item (FY2023): Collect and share the status of company-wide initiatives to promote the shift to IT
Target for FY2023: Establish a foundation for sharing information on the status of shift-to-IT initiatives throughout the company to prevent the proliferation of similar tools.
FY2023 result: A foundation for sharing the status of shift-to-IT initiatives was established using Viva Engage, and information sharing was initiated.
Priority implementation item (FY2024): -
Target for FY2024: -

Committee: IT Promotion Committee
Priority implementation item (FY2023): Recommendations and proposals during IT tool deployment
Target for FY2023: Early detection of potential problems in the implementation of IT tools to be applied throughout the company, and recommendations and proposals to the implementing department.
FY2023 result: Conducted status survey interviews with department personnel using Linux throughout the company due to the end of CentOS support, and shared information on alternatives such as Oracle Linux.
Priority implementation item (FY2024): Promote the introduction of tools such as CentOS, HPC, Copilot, etc.
Target for FY2024: Early detection of potential problems in the implementation of IT tools to be applied throughout the company, and recommendations and proposals to the implementing department.

Information Security Activities

Proper management of information about stakeholders, as well as information held by ROHM Group, is essential for providing better products and services to society and for reliable corporate management.
ROHM Group is promoting information security measures through the following continuous efforts. In the unlikely event of an accident, we will immediately investigate the cause and take appropriate measures including recurrence prevention measures.

IT Assets Management

ROHM strictly manages its IT assets by centralizing the purchase and disposal of IT assets (PC terminals, software, USB memory and other storage media, and internal communication devices), monitoring usage with an IT asset management tool, and taking monthly inventories. Through these efforts, we prevent and manage compliance and security risks such as illegal use of IT assets, cyber attacks, and security breaches.

[Figure: Enforcement of IT Asset Management]

Kitting: Setting up PCs and installing software to make them usable for business

Security Measures for Information Devices

We have implemented anti-virus and Windows vulnerability countermeasures for PCs and other information devices used by employees. Furthermore, we have built and maintain an environment in which information leakage does not occur, by introducing multi-factor authentication and mechanisms to remotely perform a factory reset of a computer in case of loss.

In response to the recent increase in the risk of cyber attacks, ROHM has established a system in which computers used by employees are monitored 24 hours a day, 365 days a year by an external specialized organization for signs of cyber attacks, to detect and respond to threats as early as possible.


Number of Information Security Incidents

No serious information security incidents occurred in FY2023.

Emergency response procedures and measures

ROHM Group strives to prevent information security incidents through a variety of management measures, including thorough implementation of information security rules.
We have established an escalation process for when an information security incident or suspicious event is detected, so that if an incident should occur, we can promptly take appropriate initial actions to minimize damage and losses.

Emergency response procedures and measures are tested once a year.

[Figure: Emergency response procedures and measures]

*1 CIM: Confidential Information Management

*2 CSIRT: Computer Security Incident Response Team

Vulnerability Status

Changes in work styles, such as the shift to cloud computing and the normalization of remote work, have expanded the IT environment used for business. In addition, the risk of cyber attacks targeting Japanese and overseas affiliates, business partners, and outsourcing companies is increasing year by year, and security risk management in the supply chain is becoming increasingly important.
Against this backdrop, ROHM Group is strengthening its cyber attack resistance by combining an external attack surface management (attack target area management) service with penetration testing (simulated attacks), in addition to vulnerability management using conventional asset management tools.

[Figure: Vulnerability Status]

Education and Training

Many of the causes of information leakage are mishandling, mismanagement of devices and information, and lack of awareness of information security, all of which are forms of human error.
In order to prevent and reduce security risks caused by humans, ROHM requires employees to sign an information security-related pledge when they join the company to make their responsibilities for information clear, and also continuously provides them with training and education to improve their security literacy.

[Education and Training Achievements]

FY2021
  • Second Targeted Email Attack Training: Conduct drills simulating phishing e-mails that fraudulently steal account information to raise employee awareness and establish an initial response. Target: ROHM Group. Number of people trained: 11,126. Attendance rate: 98%.
  • Confidential Information Management Education (e-learning): Ensure that all employees are aware of internal regulations revised to strengthen confidential information management. Target: ROHM. Number of people trained: 3,587. Attendance rate: 99%.
  • Cyber Security Basic Measures Check: Reconfirm PC settings and re-enforce basic operations to improve cyber-attack resistance. Target: ROHM. Number of people trained: 3,536. Attendance rate: 95%.
  • Cyber Security Education (e-learning): Ensure that all employees are aware of newly established internal regulations to ensure cybersecurity. Target: ROHM. Number of people trained: 3,518. Attendance rate: 97%.

FY2022
  • Cyber Security Education (e-learning): Ensure that all employees are aware of newly established internal regulations to ensure cybersecurity. Target: ROHM Group. Number of people trained: 7,625. Attendance rate: 97%.
  • ISMS Education: Acquire basic knowledge of "ISO/IEC 27001" and promote understanding of information security management in order to expand the scope of ISMS certification. Target: ROHM Group (Japan). Number of people trained: 902. Attendance rate: 100%.
  • Confidential Information Management Education (e-learning): Ensure that all employees are aware of internal regulations revised to strengthen confidential information management. Target: ROHM Group (Japan). Number of people trained: 7,267. Attendance rate: 100%.

FY2023
  • Cyber Security Education (e-learning): Ensure that all employees are aware of internal regulations revised to ensure cybersecurity. Target: ROHM Group. Number of people trained: 12,455. Attendance rate: 98%.
  • ISMS Education: Acquire basic knowledge of "ISO/IEC 27001" and promote understanding of information security management in order to expand the scope of ISMS certification. Target: ROHM Group (Japan). Number of people trained: 866. Attendance rate: 100%.
  • Confidential Information Management Education (e-learning): Ensure that all employees are aware of internal regulations revised to strengthen confidential information management. Target: ROHM Group (Japan). Number of people trained: 7,607. Attendance rate: 100%.

Privacy Information Protection Management Efforts

ROHM Group recognizes the protection of personal information as an important management issue and complies with the "Act on the Protection of Personal Information" and other national guidelines and implements the following measures for the purpose of safe and appropriate management of personal information of customers, business partners, shareholders, investors, and others.

Formulation and Disclosure of Privacy Policy

ROHM Group clarifies the purpose of use of personal information, the contact point for inquiries, safety control measures, etc., in its Privacy Policy.

Privacy Policy

Privacy Information Protection Regulations

ROHM Group has established basic rules for the proper handling, management, operation, and protection of personal information held by ROHM Group, and has made these rules available to all employees. The rules specify that the head of each department that handles personal information is responsible for that information. In addition, the rules specify a reporting system in the event of a leakage or threat of leakage of personal information, in order to quickly identify the situation and prevent the spread of damage.
Employees who violate the personal information protection rules may be subject to disciplinary action.

Provide Training for Employees

All employees are provided with training on the handling of personal information to improve their understanding of such matters. Through this education, we are working to spread our privacy policy and personal information protection rules throughout the Group.

[Education and Training]

FY2023
  • Labor and Ethics e-learning: Acquire knowledge of compliance (competition law compliance, anti-bribery, compliance hotline, privacy protection). Target: ROHM Group (Japan). Number of people trained: 3,941. Attendance rate: 98.5%.

Information Security Certification

ISO/IEC 27001:2013 (ISMS) Certification

Organization: ROHM Co., Ltd.
Certificate (registration date): 2013/07/19
Last renewal date / last revision date: 2022/7/19 / 2025/7/18
Certificate number: JQA-IM1197
Scope of registration: Planning, Development, Maintenance and Operation for Internal Information Systems of ROHM Group Companies and Development, Manufacturing and Sales of Semiconductor and electronic components, etc.

【Scope of Registration】
  • ROHM Co., Ltd. Headquarters: Planning, Development, Maintenance and Operation for Internal Information Systems of ROHM Group Companies and Development and Sales of SiC
  • ROHM Co., Ltd. Yokohama Technology Center: Planning, Development, Maintenance and Operation for Internal Information Systems of ROHM Group Companies
  • ROHM Co., Ltd. Kyoto Business Center: Sales of SiC
  • ROHM Hamamatsu Co., Ltd.: Planning, Development, Maintenance and Operation for Internal Information Systems and Manufacturing of Wafer for Semiconductor and Semiconductor Integrated Circuit of ROHM Hamamatsu
  • ROHM Wako Co., Ltd.: Planning, Development, Maintenance and Operation for Internal Information Systems of ROHM Wako and Manufacturing of Wafer of Diodes and Wafer of Power LSIs
  • ROHM Apollo Co., Ltd.: Planning, Development, Maintenance and Operation for Internal Information Systems of ROHM Apollo Chikugo Factory as well as Manufacturing of Discrete elements (SiC)
  • Lapis Semiconductor Co., Ltd.: Planning, Development, Maintenance and Operation for Internal Information Systems of Lapis Semiconductor
  • Lapis Semiconductor Co., Ltd. Miyazaki Plant: Maintenance and Operation for Internal Information Systems of Lapis Semiconductor and Manufacturing of SiC
  • Lapis Semiconductor Co., Ltd. Miyazaki Plant: Maintenance and Operation for Internal Information Systems of Lapis Semiconductor
