Information Security
Policies on Information Protection
ROHM Group has established an information security policy and confidential information management policy to ensure thorough management of confidential information and personal information of ROHM Group and stakeholders obtained in the course of business activities.
ROHM Group Information Security Policy
1. Compliance
ROHM Group complies with domestic and international laws, regulations, norms, and contractual obligations related to information security. In addition, ROHM Group shall establish internal regulations related to information security that comply with and conform to such laws, regulations, and contractual obligations, and shall ensure thorough compliance with such regulations.
2. Information Security Management System
ROHM Group recognizes that information security is one of the most important issues in management and business, and under the direction of top management, has established an information security management system to maintain and continually improve organizational, personnel, physical, and technical information security.
3. Protection of Information Assets
ROHM Group shall appropriately protect information assets from threats to the confidentiality, integrity, and availability of the information assets handled by ROHM Group, and shall take appropriate control measures.
4. Prevention of Accidents and Response When They Occur
ROHM Group shall strive to prevent information security incidents, and in the event of an incident, minimize the impact by promptly implementing appropriate initial responses, and investigate the cause of the incident to prevent recurrence.
5. Education and Training
ROHM Group will continuously educate and train its top management and employees on information security in order to raise their awareness of information security.
6. Ensure Information Security throughout the Supply Chain
ROHM Group will maintain and improve information security throughout the entire supply chain, including suppliers and contractors.
ROHM Group Confidential Information Management Policy
ROHM Group (referred to as “We” or “ROHM Group”) recognizes that our information assets and the information assets entrusted to us by our stakeholders (collectively referred to as “Confidential Information”) are the important foundation for conducting our global business activities. We have the social responsibility to rigorously maintain and protect such Confidential Information as confidential.
We affirm that we will establish a management policy as follows and will appropriately manage and protect the Confidential Information.
- 1. When using and maintaining the Confidential Information, ROHM Group will comply with various laws, regulations, standards, contracts, and other ethical standards, applicable to our business activities.
- 2. ROHM Group has established its own confidential information management system (referred to as “ROHM Group CIMS”) for the purpose of appropriately managing Confidential Information under the leadership of top management. ROHM Group will operate ROHM Group CIMS proactively and continuously.
- 3. To protect all Confidential Information, ROHM Group will implement appropriate management measures for the protection and proper control of Confidential Information. “Management measures” means organizational, human, technological and physical measures that are strictly enforced according to the confidentiality level of the applicable Confidential Information.
- 4. To increase the awareness of appropriate management, ROHM Group will provide continuous education and training programs for all (executives, employees, contract employees, partner company employees, etc.) who can access the Confidential Information.
- 5. ROHM Group will make best efforts to prevent the leakage of Confidential Information and any other incidents. If any incident should happen, we will immediately investigate the causes of the incident and take proper countermeasures to prevent its recurrence.
- 6. ROHM Group will conduct regular risk assessments and internal audits in order to examine the operation of ROHM Group CIMS and explore its continuous improvement.
Information Management System
ROHM Group has identified the establishment of an information security system that enhances business continuity and the development, provision, and utilization of IT tools that support the medium-term management plan as key issues in Information Security Governance, Cyber Security, and IT Governance, and the Information Management Committee takes the lead in the operation of the information management system.
This committee is established as a subordinate organization of the EHSS General Committee*1, in which directors with executive authority and divisional managers participate, and is responsible for the appropriate management of information security risks, cyber security risks, and IT governance risks in ROHM Group.
The Chairman of the EHSS General Committee delegates the management of these risks to the director in charge of IT on the Board of Directors, who has deep knowledge of IT and provides guidance with a high degree of expertise.
The Information Management Committee is chaired by the corporate officer, and its subordinate organizations are the Confidential Information Management Committee, the ISMS*2 Committee, the Cyber Security Committee, the IT Promotion Committee, and the Digital Architecture Design Committee. Each committee formulates goals, implements measures, and conducts evaluations for its own theme, and reports progress and results to the Information Management Committee on a regular basis. The EHSS General Committee evaluates and confirms that the PDCA cycle of the Information Management Committee is properly implemented, reports to and consults with the Board of Directors as necessary, and checks that a system is in place to maintain and improve the accuracy of the management system. The Board of Directors works in conjunction with the Sustainability Management Committee to discuss sustainability-related policies, directions, and long-term targets, incorporates the decisions made into the EHSS General Committee, and supervises whether activities are being carried out to achieve these targets.
ROHM Co., Ltd., ROHM Hamamatsu Co., Ltd., ROHM Wako Co., Ltd., ROHM Apollo Co., Ltd. and LAPIS Semiconductor Co., Ltd. have acquired ISO/IEC 27001 certification, an information security management system certification; the scope of registration includes planning, development, maintenance, and operation of internal information systems of ROHM Group companies, and the development, manufacturing, and sales of semiconductor and electronic components, etc. In addition to ISO/IEC 27001 certification, ROHM Co., Ltd., LAPIS Semiconductor Co., Ltd. and ROHM Semiconductor GmbH have obtained TISAX*3 certification, an information security assessment by the German Association of the Automotive Industry, because of the growing importance of information security in the automotive industry. (For the details of TISAX certification, please check the ENX portal.)
By continuously expanding the scope of operation and certification in addition to conventional internal and external audits and assessment, ROHM is promoting appropriate information management to prevent the leakage of important confidential business information and to eliminate unauthorized use of such information.
*1 EHSS General Committee: A committee composed of the executive officers of management that oversees the eight management systems (Risk Management/BCM, Supply Chain, Labor, Ethics, Health and Safety, Environment, Information, Quality) and ensures that the PDCA cycle for each is properly implemented.
*2 ISMS (Information Security Management System): A system or framework for managing information security in an organization, the standard for which is defined as "ISO/IEC 27001".
*3 TISAX (Trusted Information Security Assessment Exchange): A mechanism for suppliers to undergo information security audits by an external audit organization at the request of German automobile manufacturers and others, in order to assess the appropriate level of information security within the entire automobile supply chain.
Overall Governance Structure
Information Management System Promotion Structure
Key Issue | Committee | Priority Implementation Items (FY2023) | Targets for FY2023 | FY2023 Results | Priority Implementation Items (FY2024) | Targets for FY2024 |
---|---|---|---|---|---|---|
Establishment of an information security system to enhance business continuity | Confidential Information Management Committee | Establishment of a management system for the appropriate protection and use of confidential information | | | Strengthen the confidential information management structure of the entire ROHM Group | |
Establishment of an information security system to enhance business continuity | ISMS Committee | Expanded ISMS activities to 4 domestic plants; obtained ISMS expansion certification June 2024 (continued); obtained TISAX certification July 2023 | Conduct ISMS education and awareness activities at four domestic plants to raise them to a level that will enable them to obtain ISMS certification by March 2024. Evaluations will be conducted through internal audits. | ISMS activities were initiated at four domestic plants, and internal audits at the end of the fiscal year confirmed that the plants had achieved the level necessary to obtain ISMS certification. Obtained TISAX certification. | Strengthen the information security structure of the entire ROHM Group | |
Establishment of an information security system to enhance business continuity | Cyber Security Promotion Committee | Raise the level of cyber security measures for the entire Group and reduce the occurrence of major incidents to zero. | Conduct internal audits of affiliates on the status of cyber security measures and establish a PDCA cycle. | Internal audits of 15 Japanese and overseas affiliates identified areas of nonconformity and provided guidance on corrective action plans. | Raise the level of cyber security measures for the entire Group and reduce the occurrence of major incidents to zero. | |
Development, provision and utilization of IT tools to support the mid-term management plan | IT Promotion Committee | Collect and share the status of company-wide initiatives to promote the shift to IT | Establish a foundation for sharing information on the status of shift-to-IT initiatives throughout the company to prevent the proliferation of similar tools. | A foundation for sharing the status of the shift-to-IT initiatives was established using Viva Engage, and information sharing was initiated. | - | - |
Development, provision and utilization of IT tools to support the mid-term management plan | IT Promotion Committee | Recommendations and proposals during IT tool deployment | Early detection of potential problems in the implementation of IT tools to be applied throughout the company, and recommendations and proposals to the implementing department. | Conducted status survey interviews with department personnel using Linux throughout the company due to the end of Cent OS support, and shared information on alternatives such as Oracle Linux. | Promote the introduction of tools such as Cent OS, HPC, Copilot, etc. | Early detection of potential problems in the implementation of IT tools to be applied throughout the company, and recommendations and proposals to the implementing department. |
Information Security Activities
Proper management of information about stakeholders, as well as information held by ROHM Group, is essential for providing better products and services to society and for reliable corporate management.
ROHM Group is promoting information security measures through the following continuous efforts. In the unlikely event of an accident, we will immediately investigate the cause and take appropriate measures including recurrence prevention measures.
IT Assets Management
ROHM strictly manages its IT assets by centralizing the purchase and disposal of IT assets (PC terminals, software, USB memories and other storage media, and internal communication devices), monitoring usage with an IT asset management tool, and taking monthly inventories. Through these efforts, we prevent and manage compliance and security risks such as illegal use of IT assets, cyber attacks, and security breaches.
Kitting: Setting up PCs and installing software to make them usable for business.
Security Measures for Information Devices
We have implemented anti-virus measures and Windows vulnerability countermeasures for PCs and other information devices used by employees. Furthermore, we have built and maintain an environment in which information leakage does not occur, by introducing multi-factor authentication and a mechanism to remotely perform a factory reset of a computer in case of loss.
In response to the recent increase in the risk of cyber attacks, ROHM has established a system in which computers used by employees are monitored 24 hours a day, 365 days a year by an external specialized organization for signs of cyber attacks, to detect and respond to threats as early as possible.
Number of Information Security Incidents
No serious information security incidents occurred in FY2023.
Emergency response procedures and measures
ROHM Group strives to prevent information security incidents through a variety of management measures, including thorough implementation of information security rules.
We have established an escalation process when an information security incident or suspicious event is detected, so that if an incident should occur, we can promptly take appropriate initial actions to minimize damage and losses.
Emergency response procedures and measures are tested once a year.
*1 CIM: Confidential Information Management
*2 CSIRT: Computer Security Incident Response Team
Vulnerability Status
Changes in work styles, such as the shift to cloud computing and the normalization of remote work, have expanded the IT environment for business. In addition, the risk of cyber-attacks targeting Japanese and overseas affiliates, business partners, and outsourcing companies is increasing year by year, and security risk management in the supply chain is becoming increasingly important.
Against this backdrop, ROHM Group is strengthening its resistance to cyber attacks by combining an external attack surface management service with penetration testing (simulated attacks), in addition to vulnerability management using conventional asset management tools.
Education and Training
Many of the causes of information leakage are mishandling, mismanagement of devices and information, and lack of awareness of information security, all of which correspond to human error.
In order to prevent and reduce security risks caused by humans, ROHM requires employees to sign an information security pledge when they join the company, to make their responsibilities for information clear, and also continuously provides them with training and education to improve their security literacy.
[Education and Training Achievements]
Education/Training | Theme/Purpose | Year | Target | Number of People Trained | Attendance Rate (%) |
---|---|---|---|---|---|
Second Targeted Email Attack Training | Conduct drills simulating phishing e-mails that fraudulently steal account information, to raise employee awareness and establish an initial response | FY2021 | ROHM Group | 11,126 | 98% |
Confidential Information Management Education E-learning | Ensure that all employees are aware of internal regulations revised to strengthen confidential information management | FY2021 | ROHM | 3,587 | 99% |
Cyber Security Basic Measures Check | Reconfirm PC settings and re-enforce basic operations to improve cyber-attack resistance | FY2021 | ROHM | 3,536 | 95% |
Cyber Security Education E-learning | Ensure that all employees are aware of newly established internal regulations to ensure cybersecurity | FY2021 | ROHM | 3,518 | 97% |
Cyber Security Education E-learning | Ensure that all employees are aware of newly established internal regulations to ensure cybersecurity | FY2022 | ROHM Group | 7,625 | 97% |
ISMS Education | Acquire basic knowledge of "ISO/IEC 27001" and promote understanding of information security management in order to expand the scope of ISMS certification | FY2022 | ROHM Group (Japan) | 902 | 100% |
Confidential Information Management Education E-learning | Ensure that all employees are aware of internal regulations revised to strengthen confidential information management | FY2022 | ROHM Group (Japan) | 7,267 | 100% |
Cyber Security Education E-learning | Ensure that all employees are aware of internal regulations revised to ensure cybersecurity | FY2023 | ROHM Group | 12,455 | 98% |
ISMS Education | Acquire basic knowledge of "ISO/IEC 27001" and promote understanding of information security management in order to expand the scope of ISMS certification | FY2023 | ROHM Group (Japan) | 866 | 100% |
Confidential Information Management Education E-learning | Ensure that all employees are aware of internal regulations revised to strengthen confidential information management | FY2023 | ROHM Group (Japan) | 7,607 | 100% |
Privacy Information Protection Management Efforts
ROHM Group recognizes the protection of personal information as an important management issue and complies with the "Act on the Protection of Personal Information" and other national guidelines and implements the following measures for the purpose of safe and appropriate management of personal information of customers, business partners, shareholders, investors, and others.
Formulation and Disclosure of Privacy Policy
ROHM Group clarifies the purpose of use of personal information, contact point for inquiries, safety control measures, etc.
Privacy Information Protection Regulations
ROHM Group has established basic rules for the proper handling, management, operation, and protection of personal information held by ROHM Group, and has made these rules available to all employees. The rules specify that the head of each department that handles personal information is responsible for that information. In addition, the rules specify a reporting system in the event of a leakage, or threat of leakage, of personal information, in order to quickly identify the situation and prevent the spread of damage.
Employees who violate the personal information protection rules may be subject to disciplinary actions.
Provide Training for Employees
All employees are provided with training on the handling of personal information to improve their understanding of such matters. Through this education, we are working to spread our privacy policy and personal information protection rules throughout the Group.
[Education and Training]
Education and Training | Purpose and Contents | Year | Target | Number of People Trained | Attendance Rate (%) |
---|---|---|---|---|---|
Labor and Ethics e-learning | Acquire knowledge of compliance (competition law compliance, anti-bribery, compliance hotline, privacy protection) | FY2023 | ROHM Group (Japan) | 3,941 | 98.5% |
Information Security Certification
ISO/IEC 27001:2013 (ISMS) Certification