- Strengthen Cyber Resilience
Toshiba Group is engaged in businesses centered on energy, social infrastructure, electronic devices, and digital solutions, helping support people’s lives. We consider it our responsibility to leverage the knowledge and experience we have acquired through manufacturing since our founding, not just in the physical world but also in the online connected society that extends into all areas, in order to strengthen cyber security, protect society, and deliver peace of mind.
KPIs and Achievements
Self-assessment of cyber security management maturity*
Item | Value |
---|---|
FY2022 Achievement | 3.4 |
FY2023 Target | Higher than previous fiscal year (upon reaching 4, remain at 4 or higher) |
FY2023 Achievement | 3.58 |
FY2024 Target | Higher than previous fiscal year (upon reaching 4, remain at 4 or higher) |
- At key Group companies: Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, Toshiba Plant Systems & Services Corporation, and Toshiba Development & Engineering Corporation
Toshiba Group’s cybersecurity visions
Toshiba Group has adopted a concept of “cyber resilience,” which encompasses information, product, control, and data security. The word “resilience” means the ability to bounce back or recover quickly. The term “cyber resilience” means the ability to minimize negative impact and recover quickly in preparation for security incidents such as cyberattacks. To realize cyber resilience, we have defined a set of parameters that contribute to minimizing the impact of security incidents on IT systems: 1) P, preparation for security incidents, 2) M, mitigation of loss due to security incidents, and 3) R, the time required to respond to and recover from security incidents. The goal is to enhance P and M and reduce R.
Information Security Management
Policy on Information Security
Toshiba Group regards all information, such as personal data, customer information, management information, technical and production information handled during the course of business activities, as its important assets and adopts a policy to manage all corporate information as confidential information and to ensure that the information is not inappropriately disclosed, leaked or used. In view of this, Toshiba has a fundamental policy “to manage and protect such information assets properly, with top priority on compliance.” The policy is stipulated in the chapter “Corporate Information and Company Assets” of the Standards of Conduct for Toshiba Group, and managerial and employee awareness on the same is encouraged.
In response to regulatory changes and changes in the social environment, Toshiba Group revises the related rules on an ongoing basis so as to rigorously manage its information security.
When providing personal information and confidential information to outsourcing contractors, we request them to maintain confidentiality and comply with relevant laws and regulations in the same manner as Toshiba does, and to implement thorough training for employees handling the information.
We include in the contract terms the possibility of terminating contract and seeking damages in case of violations of confidentiality obligations or personal information protection obligations as stipulated in the contract.
Structure of Information Security Management
Addressing information security as a management priority, Toshiba Group appointed the Chief Information Security Officer (CISO) and each corporate staff division and Toshiba Group company has established, under the supervision of the CISO, an information security management structure.
The Cyber Security Committee deliberates matters that are necessary to ensure information security throughout Toshiba Group. The CISO formulates and enacts measures in order to make sure that internal rules related to information security are enforced in a problem-free, effective, and definitive manner.
At each division inside Toshiba, key Group companies, and subsidiaries and affiliates*1, the head of the organization serves as Information Security Management Executive, bearing responsibility for information security at their respective organization. The Executives provide guidance and assistance to Group companies in Japan and overseas under their control to ensure that they implement information security at a level equivalent to that of Toshiba.
Toshiba Group Information Security Management Structure
- Key Group companies: Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, and Toshiba Plant Systems & Services Corporation
- CSIRT: Computer Security Incident Response Team
Information Security Measures
Toshiba Group implements information security measures from four perspectives (see the table below). The Corporate Technology Planning Division incorporates these measures into regulations and guidelines and makes them fully known to all Toshiba Group companies through notices and briefings.
Implementation of Information Security Measures from Four Perspectives
Category | Description |
---|---|
(1) Organizational measures | Establish an organizational structure and rules |
(2) Personal and legal measures | Ensure adherence to rules |
(3) Physical measures | Support implementation of rules in terms of physical security |
(4) Technical measures | Support implementation of rules in terms of technology |
- EDR: Endpoint Detection and Response
To protect against cyber-attacks, which are becoming more sophisticated with every passing year, we introduced a function to block suspicious e-mails, enhanced our anti-virus measures for information equipment such as IoT devices, and trained all employees in handling targeted attack e-mails. We also utilize external threat intelligence to understand terminal vulnerabilities and prevent attacks before they occur. In addition, we enhanced the monitoring for our network and in-house systems to quickly cope with a virus invasion into the company systems.
In addition, with the expansion of remote work due to the COVID-19 pandemic, the number of areas targeted by cyber-attacks is increasing. We are working to strengthen internal and external countermeasures, including by collecting and analyzing information on servers and network devices available on the internet, introducing mechanisms to understand vulnerabilities and configuration errors, and using attack simulation tools to assess the risk of security products introduced by the Company.
Under our information security management structure, we annually verify that all internal systems, such as systems that manage customer data, are being operated in accordance with the rules, including setting of access privileges and implementation of vulnerability countermeasures.
Education, Inspection, and Audit of Information Security Management
Toshiba Group covers a diverse portfolio of businesses. To ensure Group-wide information security, it is vital for each Group company to run the PDCA (Plan-Do-Check-Act) cycle independently. Accordingly, Toshiba Group carries out an annual self-audit of its compliance with internal rules to identify issues and plan improvements. The Corporate Technology Planning Division evaluates the results of the audits and the related improvements carried out by each Toshiba division, key Group companies, and subsidiaries and affiliates*1, and provides support and guidance where necessary.
In FY2023, the following key points were identified: (1) ID/Password management, (2) classification of information and systems by importance, (3) network operation and management, and (4) manufacturing system security. Overall, security was well maintained and well managed. We will continue to review our basic approach. In addition, with regard to key point (4), to promote the development of smart factories*2, we visited several factories to conduct on-site checks of the status of security countermeasures implemented in their manufacturing systems and to identify any problems.
Toshiba Group companies in Japan have obtained the Information Security Management System (ISMS) certification*3 and PrivacyMark certification*4 according to their business areas and have undergone external audits from ISMS certification bodies and Japan Institute for Promotion of Digital Economy and Community (JIPDEC). Fifteen Toshiba Group companies in Japan have obtained ISMS certification. The departments covered by the certification and the certification bodies are listed in Table A.
Moreover, Toshiba Group conducts yearly training for all officers, as well as permanent and temporary employees, in order to enforce strict compliance with in-house regulations. There are also programs about information security such as basic training, and introductory training for new graduate employees.
- Key Group companies: Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, and Toshiba Plant Systems & Services Corporation
- Business process innovation that introduces technologies such as IoT and AI. Sensors are attached to equipment throughout the factory, and data is collected and analyzed in real time to optimize production processes.
- A third-party certification system for the information security management system compliant with ISO/IEC 27000 series
- A certification mark granted through third party assessment to businesses that have a system to ensure appropriate handling of personal information in compliance with Japan Industrial Standards (JIS) Q 15001: Personal Information Protection Management System–Requirements
Table A Toshiba Group companies in Japan that have obtained ISMS certification
No. | Certification Registration No. | Company Name | Certification Body |
---|---|---|---|
1 | JQA-IM0111 | Toshiba IT-Services Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
2 | IC09J0282 | Toshiba Infrastructure Systems & Solutions Corporation (Komukai Complex, Security & Automation Systems Division) | Japan Audit and Certification Organization for Environment and Quality (JACO) |
3 | JQA-IM0130 | Toshiba Information Systems (Japan) Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
4 | JQA-IM1860 | Toshiba Digital Engineering Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
5 | JQA-IM0308 | Toshiba Digital Solutions Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
6 | IC15J0407 | Toshiba Digital Marketing Initiative Corporation | Japan Audit and Certification Organization for Environment and Quality (JACO) |
7 | JQA-IM0513 | Toshiba Tec Corporation (Shizuoka Business Center (Mishima)) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
8 | JQA-IM1163 | Toshiba Tec Corporation (Shizuoka Business Center (Ohito)) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
9 | JVAC-IM0006 | Toshiba Tec Solution Services Corporation | Japan Value-Added Certification Co., Ltd. (J-VAC) |
10 | JQA-IM0653 | Toshiba Development & Engineering Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
11 | IC21J0538 | Toshiba Business Expert Corporation | Japan Audit and Certification Organization for Environment and Quality (JACO) |
12 | JQA-IM1692 | Toshiba Lifestyle Products & Services Corporation | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
13 | IC11J0335 | TEC Information Systems Corporation | Japan Audit and Certification Organization for Environment and Quality (JACO) |
14 | JQA-IM0418 | Enterprise Business System Solutions Corporation (EBSS) | Management Systems Sector, Japan Quality Assurance Organization (JQA) |
15 | IS 681336 | SBS Toshiba Logistics Corporation | BSI Group Japan K.K. |
Response to Incidents Such as Leakage of Confidential Information
In the event of an information security incident such as the leakage of confidential information, Toshiba responds promptly in accordance with the Information Security Incident Reporting Structure.
When an employee becomes aware of an incident or potential incident involving the leakage of corporate information, the employee immediately reports to the CSIRT. In response, the CSIRT Leader devises necessary measures, such as an investigation into the cause and review of actions to prevent recurrence. In the event of a serious leakage or potential leakage of confidential information that may constitute a violation of laws and ordinances, Toshiba implements measures such as disclosure following discussion among the related corporate staff divisions in accordance with the applicable laws and ordinances.
Information Security Incident Reporting Structure
- Key Group companies: Toshiba Elevator and Building Systems Corporation, Toshiba Lighting & Technology Corporation, and Toshiba Plant Systems & Services Corporation
Status of Incidents Such as Leakage of Confidential Information
In FY2023, there were no leaks of important information held by Toshiba Group.
There were also no personal data-related complaints or appeals filed by regulatory authorities or other external parties. We will continue to take every precaution to prevent incidents related to information security.
For details on information security management, please refer to our Cyber Security Report.
Strengthening privacy governance
Toshiba Group has formulated the "Toshiba Group Privacy Statement" as a declaration of its management stance on the use of privacy information across its data service businesses, towards promoting the trust of society and the realization of a trusted data society.
As digital transformation (DX) becomes a global trend, we are strengthening privacy governance at the same time as we seek to make full use of the power of data to create valuable products and services.
Toshiba Group positions respect for privacy as part of respect for human rights.
Sharing Security Policies with Suppliers and Business Partners
When selecting suppliers and business partners, we evaluate their ability to manage data appropriately. If contracts involve data sharing, we require specific information security management measures and conduct compliance audits as necessary.
We also hold regular cyber security seminars for our suppliers and business partners. We communicate the matters described in the Toshiba Group Cyber Security Policy and Guidelines and demand stronger security response capabilities. In addition, we have established a contact point for security-related consultations, and both Toshiba and our suppliers and business partners are working to improve their security levels.
These security and privacy policies are published externally as the Standards of Conduct for Toshiba Group and the Privacy Policy, and any changes are immediately posted on our website. When Toshiba Group rules and policies change, we provide explanations and notices within the Toshiba Group and update each company's rules and policies accordingly.
AI Governance
Toshiba Group formulated the Toshiba AI Governance Statement to promote the development, provision and use of trustworthy AI. The statement is based on Toshiba Group's management philosophy and summarizes the philosophy regarding AI from seven perspectives, which include “Respect for human dignity,” “Developing AI and cultivating talent,” and “Emphasis on fairness.” For example, “Emphasis on fairness” states “Respecting human rights, Toshiba will work to research, develop, provide and operate AI with consideration given to fairness to avoid unjustified discrimination.”
Toshiba Group is accelerating digital transformation (DX) and is promoting the resolution of various social issues by applying AI to infrastructure systems important to society. Based on the ideas in this statement, we will expand the range of human resources who can develop, provide, and operate AI, strengthen the creation of mechanisms to maintain the quality of AI systems, and proceed with the construction of Toshiba Group's AI governance.
See below for details of cyber resilience and information security initiatives.