Information Security
Policies on Information Protection
ROHM Group has established an information security policy and confidential information management policy to ensure thorough management of confidential information and personal information of ROHM Group and stakeholders obtained in the course of business activities.
ROHM Group Information Security Policy
ROHM Group complies with domestic and international laws, regulations, norms, and contractual obligations related to information security. In addition, ROHM Group shall establish internal regulations related to information security that comply with and conform to such laws, regulations, and contractual obligations, and shall ensure thorough compliance with such regulations.
2. Information Security Management System
ROHM Group recognizes that information security is one of the most important issues in management and business, and under the direction of top management, has established an information security management system to maintain and continually improve organizational, personnel, physical, and technical information security.
3. Protection of Information Assets
ROHM Group shall appropriately protect information assets from threats to the confidentiality, integrity, and availability of the information assets handled by ROHM Group, and shall take appropriate control measures.
4. Prevention of Accidents and Response when They Occur
ROHM Group shall strive to prevent information security incidents, and in the event of an incident, minimize the impact by promptly implementing appropriate initial responses, and investigate the cause of the incident to prevent recurrence.
5. Education and Training
ROHM Group will continuously educate and train its top management and employees on information security in order to raise their awareness of information security.
6. Ensuring Information Security throughout the Supply Chain
ROHM Group will maintain and improve information security throughout the entire supply chain, including suppliers and contractors.
ROHM Group Confidential Information Management Policy
ROHM Group (referred to as “We” or “ROHM Group”) recognizes that our information assets and the information assets entrusted to us by our stakeholders (collectively referred to as “Confidential Information”) are the important foundation for conducting our global business activities. We have the social responsibility to rigorously maintain and protect such Confidential Information as confidential.
We affirm that we will establish a management policy as follows and will appropriately manage and protect the Confidential Information.
- 1. When using and maintaining the Confidential Information, ROHM Group will comply with various laws, regulations, standards, contracts, and other ethical standards, applicable to our business activities.
- 2. ROHM Group has established its own confidential information management system (referred to as “ROHM Group CIMS”) for the purpose of appropriately managing Confidential Information under the leadership of top management. ROHM Group will operate ROHM Group CIMS proactively and continuously.
- 3. To protect all Confidential Information, ROHM Group will implement appropriate management measures for the protection and proper control of Confidential Information. “Management measures” means organizational, human, technological and physical measures that are strictly enforced according to the confidentiality level of the applicable Confidential Information.
- 4. To increase the awareness of appropriate management, ROHM Group will provide continuous education and training programs for all (executives, employees, contract employees, partner company employees, etc.) who can access the Confidential Information.
- 5. ROHM Group will make best efforts to prevent the leakage of Confidential Information and any other incidents. If any incident should happen, we will immediately investigate the causes of the incident and take proper countermeasures to prevent its recurrence.
- 6. ROHM Group will conduct regular risk assessments and internal audits in order to examine the operation of ROHM Group CIMS and explore its continuous improvement.
Information Management System
ROHM Group has identified the establishment of an information security system that enhances business continuity and the development, provision, and utilization of IT tools that support the medium-term management plan as key issues in Information Security Governance, Cyber Security, and IT Governance, and the Information Management Committee takes the lead in the operation of the information management system.
This committee is established as a subordinate organization of the EHSS General Committee*1, in which directors with executive authority and divisional managers participate, and is responsible for the appropriate management of information security risks, cyber security risks, and IT governance risks in ROHM Group.
The Information Management Committee is chaired by a corporate officer, and its subordinate organizations are the Confidential Information Management Committee, the Information Security Management System (ISMS) Committee, the Cyber Security Committee, and the IT Promotion Committee. Each committee formulates goals, implements measures, and conducts evaluations for its theme, and reports progress and results to the Information Management Committee on a regular basis. In addition, the EHSS General Committee has established a system to evaluate and confirm whether the PDCA cycle of the Information Management Committee is being properly implemented, and to maintain and improve the accuracy of the management system.
ROHM Co., Ltd. and LAPIS Semiconductor Co., Ltd. have acquired ISO/IEC 27001 certification, an information security management system certification, and the scope of application includes planning, development, maintenance, and operation of the ROHM Group's internal information systems, as well as planning, development, manufacturing, and sales of SiC and other products. By continuously expanding the scope of operation and certification, ROHM is promoting appropriate information management to prevent the leakage of important confidential business information and to eliminate unauthorized use of such information.
*1 EHSS General Committee: A committee composed of the executive officers of management that oversees the eight management systems (environment, health and safety, labor, ethics, information, supply chain, quality, and risk management/BCM) and ensures that the PDCA cycle for each is properly implemented.
Overall Governance Structure
Information Management System Promotion Structure
| Key Issue | Committee | Priority Implementation Items (FY2022) | Target for FY2022 | FY2022 Actual | Priority Implementation Items (FY2023) | Target for FY2023 |
|---|---|---|---|---|---|---|
| Establishment of an information security system to enhance business continuity | Confidential Information Management Committee | Establishment of a management system for the appropriate protection and use of confidential information | Deploy the management system of the head office to domestic affiliates | Completed the establishment of a confidentiality management system for domestic affiliates (7 companies) (e.g., determined the person responsible for managing confidential information and the person in charge, established internal regulations, and conducted employee training). | Establishment of a management system for the appropriate protection and use of confidential information | |
| Establishment of an information security system to enhance business continuity | ISMS Committee | Obtain new TISAX*2 certification to expand ISMS certification for business continuity and expansion | Acquired by related organizations with a focus on SiC business requested by European OEMs | Underwent TISAX audits at organizations related to SiC business. (The improvement plan is underway and certification is scheduled to be obtained in July 2023.) | Expanded ISMS activities to 4 domestic plants. Obtained ISMS expansion certification June 2024 (continued). Obtained TISAX certification July 2023. | Conduct ISMS education and awareness activities at four domestic plants to raise them to a level that will enable them to obtain ISMS certification by March 2024. Evaluation will be conducted through internal audits. |
| Establishment of an information security system to enhance business continuity | Cyber Security Promotion Committee | Establish a system for early action in the event of a cyber security incident | Launch of a CSIRT*3 organization that functions throughout the group | Completed establishment of a global CSIRT and local CSIRTs for each affiliated company (31 organizations). | Raise the level of cyber security measures for the entire Group and reduce the occurrence of major incidents to zero. | Conduct internal audits of affiliates on the status of cyber security measures and establish a PDCA cycle. |
| Development, provision and utilization of IT tools to support the mid-term management plan | IT Promotion Committee | Establish a system for sharing IT policies, information, and activities | Share and align IT policies across the group | Established a system to convene members from each ROHM Group company and share the details of IT implementation activities. | Gathering and sharing the status of company-wide IT promotion efforts | Establish a company-wide information sharing platform on the status of IT initiatives to deter the proliferation of similar tools. |
| Development, provision and utilization of IT tools to support the mid-term management plan | IT Promotion Committee | Develop a group-wide IT utilization plan to improve CX*4 and EX*5 | Devise customer-centric and employee-oriented IT utilization strategies through dialogue with frontline departments | Collect information on IT utilization in the ROHM Group, including the perspectives of customers and on-site needs, and identify and share issues. | Recommendations and proposals during IT tool deployment | Early detection of potential problems in the implementation of IT tools to be applied company-wide, and recommendations and proposals to the implementing departments. |
*2 TISAX (Trusted Information Security Assessment Exchange): A mechanism for suppliers to have information security audits conducted by an external auditor at the request of German automakers and others in order to assess the appropriate level of information security within the entire automotive supply chain.
*3 CSIRT (Computer Security Incident Response Team): A team dedicated to responding to cyber security incidents.
*4 CX (Customer Experience): Favorability and satisfaction at customer contact points.
*5 EX (Employee Experience): Employee engagement.
Information Security Activities
Proper management of information about stakeholders, as well as information held by ROHM Group, is essential for providing better products and services to society and for reliable corporate management.
ROHM Group is promoting information security measures through the following continuous efforts. In the unlikely event of an accident, we will immediately investigate the cause and take appropriate measures including recurrence prevention measures.
IT Assets Management
ROHM strictly manages its IT assets by centralizing the purchase and disposal of IT assets (PC terminals, software, USB memories and other storage media, and internal communication devices), monitoring usage with an IT asset management tool, and taking monthly inventories. Through these efforts, we prevent and manage compliance and security risks such as illegal use of IT assets, cyber attacks, and security breaches.
Kitting: Setting up PCs and installing software to make them usable for business.
Security Measures for Information Devices
We have implemented anti-virus and Windows vulnerability countermeasures for PCs and other information devices used by employees. Furthermore, we have built and continue to maintain an environment that prevents information leakage by introducing multi-factor authentication and a mechanism to remotely perform a factory reset of a computer in case of loss.
In response to the recent increase in the risk of cyber attacks, ROHM has established a system in which computers used by employees are monitored 24 hours a day, 365 days a year by an external specialized organization for signs of cyber attacks, so that threats are detected and responded to as early as possible.
Education and Training
Many of the causes of information leakage are mishandling, mismanagement of devices and information, and lack of awareness of information security, all of which correspond to human error.
In order to prevent and reduce security risks caused by humans, ROHM requires employees to sign an information security-related pledge when they join the company to make their responsibilities for information clear, and also continuously provides them with training and education to improve their security literacy.
[Education and Training Achievements]
| Education/Training | Theme/Purpose | Year | Target | Number of People Trained | Attendance Rate (%) |
|---|---|---|---|---|---|
| E-learning for Targeted Attack Email | The awareness of each employee toward security will be boosted to prevent attacks targeting people – something that cannot be prevented simply through system-based measures | FY2018 | ROHM | 2,808 | 83% |
| Online Information Security Training | Increasing security awareness through a renewed awareness of the risk of confidential information leakage | FY2018 | Employees using laptops | 1,094 | 92% |
| Online Information Security Training | With the expansion of the remote environment, in order to reaffirm the importance of information security for employees, education about the rules for leaking confidential information and specific precautions when using and managing notebook PCs | FY2019 | Employees using laptops | 1,465 | 92% |
| Information Security Test | Implementation of tests to understand the level of information security-related knowledge of all employees and to formulate future education plans | FY2020 | ROHM | 3,157 | 85% |
| Information Security Education E-learning | Education focused on the prevention of information leaks during telecommuting and the precautions for using online communication tools such as web meetings and e-mails, as telecommuting becomes more regular | FY2020 | ROHM | 2,823 | 80% |
| Education at the Time of Grade Promotion | In order to foster awareness of the role of promoting the development of a security defense system, educate those promoted to higher rank using examples of past damage and videos regarding increasingly sophisticated targeted attacks | FY2020 | Seminars for promoted employees | 272 | 100% |
| Second Targeted Email Attack Training | Conduct drills simulating phishing e-mails that fraudulently steal account information to raise employee awareness and establish an initial response | FY2021 | ROHM Group | 11,126 | 98% |
| Confidential Information Management Education E-learning | Ensure that all employees are aware of internal regulations revised to strengthen confidential information management | FY2021 | ROHM | 3,587 | 99% |
| Cyber Security Basic Measures Check | Reconfirming PC settings and re-enforcing basic operations to improve cyber-attack resistance | FY2021 | ROHM | 3,536 | 95% |
| Cyber Security Education E-learning | Ensure that all employees are aware of newly established internal regulations to ensure cybersecurity | FY2021 | ROHM | 3,518 | 97% |
| Cyber Security Education E-learning | Ensure that all employees are aware of newly established internal regulations to ensure cybersecurity | FY2022 | ROHM Group | 7,625 | 97% |
| ISMS Education | To acquire basic knowledge of "ISO/IEC 27001" and promote understanding of information security management in order to expand the scope of ISMS certification | FY2022 | ROHM Group | | |
| Confidential Information Management Education E-learning | Ensure that all employees are aware of internal regulations revised to strengthen confidential information management | FY2022 | ROHM Group | | |
Privacy Information Protection Management Efforts
ROHM Group recognizes the protection of personal information as an important management issue and complies with the "Act on the Protection of Personal Information" and other national guidelines and implements the following measures for the purpose of safe and appropriate management of personal information of customers, business partners, shareholders, investors, and others.
ROHM Group clarifies the purpose of use of personal information, contact point for inquiries, safety control measures, etc.
Privacy Information Protection Regulations
ROHM Group has established basic rules for the proper handling, management, operation, and protection of personal information held by ROHM Group, and has made these rules available to all employees. The rules specify that the head of each department that handles personal information is responsible for it. In addition, the rules specify a reporting system in the event of a leakage or threat of leakage of personal information in order to quickly identify the situation and prevent the spread of damage.
Employees who violate the personal information protection rules may be subject to disciplinary actions.
Providing Training for Employees
[Education and Training]
| Education and Training | Purpose and Contents | Year | Target | Number of People Trained | Attendance Rate (%) |
|---|---|---|---|---|---|
| E-learning on the Revised Privacy Information Protection Law | Review and understand the basics and important amendments to the Personal Information Protection Law | FY2022 | ROHM Group (Japan) | 6,806 | 98.8% |