Daikin's Group Conduct Guidelines state that we manage and use confidential information appropriately. Our Information Security Basic Policy was formulated to clarify our basic philosophy and action on information security. Daikin stipulates that information leaks from internal information systems, Daikin products and services, and plant equipment systems constitute a major company-wide risk. Therefore, information managers in each division lead efforts in making Basic Regulations of Information Security and Common Security Guidelines based on our Information Security Basic Policy. We also strictly manage confidential information we are holding that is the property of other companies.
With companies increasingly losing information over the Internet, we are also striving to raise employees' awareness of managing their information; for example, we have a strict company policy regarding employees' use of social media.
In fiscal 2019, there were no incidents involving the inappropriate management of information or information leakages.
5. Proper Management and Utilization of Information
We shall properly manage and effectively utilize the confidential information of our company, the confidential information obtained from other companies, and the personal information of our customers and employees and shall not obtain any information through improper means. We shall thoroughly execute IT security management for our computer systems and the data-resources saved on them.
The Daikin Group recognizes that one of our most important management issues is to deliver safe and highly reliable products and services and protect our information assets as well as customers' information assets in our possession from various types of threats by addressing information security risks which increase on a daily basis. To deal with these issues, we establish the Group basic information security policy and unite as the Daikin Group to further reinforce information security.
Daikin's Information Security Committee, chaired by the officer in charge of information security, was established to strengthen the group-wide security management system. This committee is a cross-organizational information security deliberation body, and it revises and discusses group-wide information security strategy, policy measures, and common rules (regulations and guidelines). It operates under the Corporate Ethics and Risk Management Committee, to which it reports important information security matters, as well as notifications that must be sent to all employees and strictly followed. Matters decided on by the Corporate Ethics and Risk Management Committee are reported to the Internal Control Committee, chaired by the President, as well as to the Board of Directors. At overseas group companies, the results of information security inspections are used to prioritize bases most susceptible to major risk. At such bases, information security leaders are appointed and in-house rules are formulated in order to strengthen the security management system.
Furthermore, the officer in charge of information security also chairs the Corporate Ethics and Risk Management Committee.
Daikin Industries, Ltd. has put into place a system for reporting and addressing information security incidents to prevent them from occurring and to minimize damages should one occur. Employees who discover an incident or situation that could lead to a security threat are required to report to the information security leader of their department and then follow his/her instructions. Information security leaders in turn report to the IT Development Department, which serves as the secretariat of the Information Security Committee, following the incident response standards. The IT Development Department spearheads efforts to investigate the cause and prevent the recurrence of these incidents.
Daikin Industries, Ltd. strives to raise information security awareness among all members through training for officers, managers, and employees. General employees took courses on in-house rules in which they conducted self-assessments to confirm how well they are complying with the Group Conduct Guidelines. There were also articles in Daikin's in-house magazine aimed at raising security awareness. In addition to training and other educational sessions, once a year we send employees training emails that give them practice in dealing with malicious targeted email attacks.
In fiscal 2019, we held a training session for information security leaders led by an outside instructor about the steps they can take in their own departments to respond to a cyberattack.
Daikin Industries, Ltd. holds self-checks every year to determine the state of compliance with the Group Conduct Guidelines. These checks include Daikin's proprietary self-assessment system and information security matters.
We hire outside experts to diagnose the vulnerability of our servers and web applications inside and outside of Japan considered to have a high degree of information security risk. Based on the results, we implement countermeasures such as upgrading the version of servers or revising web applications.
We are also strengthening measures in other ways. We inspect how well our information leak measures are being implemented in line with the Ministry of Economy, Trade and Industry's Management Guidelines for Trade Secrets, and we conduct training and reviews of our incident response procedures.
Our IT division, legal division, and internal auditing division collaborate to conduct legal and internal audits to confirm and improve the state of compliance at all divisions.
Problems that come to light through audits and inspections, along with their countermeasures, are reported to the Information Security Committee. Major issues and matters that all employees must be notified of and strictly follow are reported to the Corporate Ethics and Risk Management Committee, the Internal Control Committee, and the Board of Directors.