Toshiba regards all information handled in the course of business, including personal data, information concerning corporate management, and technical and business information of Toshiba and its customers, as an important asset. Toshiba's basic policy is to appropriately manage and protect this information, placing the highest priority on compliance of laws, ordinances, social norms, and ethics. This policy is laid down in the section Corporate Information and Company Assets of the Toshiba Group Standards of Conduct.
To respond to changes in the social environment, Toshiba constantly reviews its regulations concerning information security. In fiscal 2006, Toshiba conducted an across-the-board review and revision of its regulations concerning information security in order to strengthen the information management throughout the Toshiba Group, in accordance with the revised Unfair Competition Prevention Act. Also, in 2007, Toshiba established and revised regulations to emphasize the supervision of outside contractors, and Toshiba is now rolling out these activities to group companies inside and outside Japan. As for overseas, Toshiba is engaged in the preparation and implementation of regulations that take into account local circumstances.
Addressing information security as a management priority, Toshiba Group maintains, under the supervision of the Chief Information Security Officer, an information security management structure in which the head of each organization, such as the head of each corporate staff division, the president of each in-house company, and the president of each group company, is responsible for information security.
The Chief Information Security Officer convenes meetings of the Information Security Committee to engage in deliberations necessary for the reliable implementation of Group-wide information security. The CRO (Chief Risk-Compliance Management Officer) and the head of the Information Systems division, Legal Affairs division, Human Resources division, Intellectual Property division, and other organizations serve as committee members and are responsible for matters necessary for the reliable implementation of information security in the business processes under their control.
The Information Security Committee meets every half year. In March 2007, the committee met to summarize the status of activities for fiscal 2007, discuss a revision of internal regulations with a focus on reinforcement of contractor supervision, and discuss the activities policy for fiscal 2008.
The General Manager of the Information Security Center serves as the Secretariat of the Information Security Committee, assists the Chief Information Security Officer, and formulates and implements policies and measures to ensure that internal regulations related to information security are implemented smoothly, efficiently, and reliably.
At the in-house companies, the company presidents serve as Information Security Management Executives, bearing full responsibility for information security at their respective companies. Each Information Security Management Executive appoints Information Security Implementation Managers who are responsible for the operation of the information security control system. The Information Security Management Executives provide guidance and assistance to the group companies under their control to ensure that they implement information security at a level equivalent to that of Toshiba.
[Figure: Toshiba Group Information Security Management Structure]
Toshiba considers autonomous implementation of a Plan-Do-Check-Action (PDCA) cycle by each division to be vital for appropriate management of personal data and other confidential information. The heart of this activity is the self-audits conducted by each organization. All Toshiba organizations, under the supervision of their Information Security Management Executives, conduct annual self-audits of the state of compliance with internal rules and ensure continual improvement.
Toshiba Information Security Center, supervising Toshiba Group's protection and management of information, monitors the results of these self-audits and the related improvement activities, provides guidance and assistance if necessary, and reports the situation to the Chief Information Security Officer.
In fiscal 2007, all 55 divisions of both corporate staff and in-house companies, 6 key group companies and 235 other group companies in Japan conducted self-audits and implemented improvements to non-conformities found. This greatly contributed to raising the level of information security.
Within Toshiba Group, operating units that handle important confidential information in particular have acquired ISMS (Information Security Management System) certification. As of May 2008, 25 companies, including Toshiba Corporation, have acquired this certification.
| Category | Description |
|---|---|
| (1) Organizational measures | Establish an organizational structure and rules. |
| (2) Personal and legal measures | Ensure adherence to rules. |
| (3) Physical measures | Support implementation of rules in terms of physical security. |
| (4) Technical measures | Support implementation of rules in terms of technology. |
The Information Security Center incorporates these measures into regulations and guidelines, communicates them throughout Toshiba, provides briefings at company-wide meetings every half year, and makes them accessible through a company-wide information sharing database. The center is also undertaking similar implementation at group companies.
To ensure strict compliance with internal regulations, each year Toshiba provides information security and personal information protection education to executive officers, employees, and temporary employees. In fiscal 2007, instructions were provided to 138,000 employees of Toshiba Group, including 34,000 Toshiba employees, using e-learning, classroom lectures, and other methods.
In addition to periodic education, Toshiba provides an IT version and a Management version of a basic information security course to people whose work involves information security implementation. In fiscal 2007, 182 employees received such education. An information security curriculum is incorporated in the introductory education for newly hired employees; accordingly, in fiscal 2008, all new employees received about 2 hours of orientation on information security.