Information Security Management

Basic Approach and Policy

In response to the increasing information security risks in recent years, our Group has established an information security management system, developed various information security regulations, and ensured their thorough communication to all employees.
All employees submit a pledge to comply with these regulations and are responsible for adhering to them. In addition, we provide regular education and training to all employees to promote the proper management of information assets.
To prevent unauthorized access, leakage, alteration, loss, destruction, or disruption of information assets, we implement strict system management, including access controls that limit data access on a per-user basis.
Furthermore, by conducting periodic internal and external audits of our information security initiatives, we are committed to the continuous improvement of our information security management.

System

Information Security Management System

To address the recent increase in cyber security risks and raise the information security level of the entire group, the Nabtesco Group has established the Information Security Committee. The committee has created a basic information security policy, strengthened security measures, and responded promptly to serious security incidents. It consists of a chairperson and committee members appointed by the CEO, reports its activities periodically to the CEO and, when directed, to the Board of Directors. The Nabtesco Group also assigns Chief Information Administrators and Chief Supervisors to each facility. The Information System Department, as the department dedicated to information security, plans information security measures across the Nabtesco Group, provides advice, instruction and cooperation during their implementation, verifies the adequacy of information security, and issues correction instructions and other support where needed.

[Figure: Organization chart of the Information Security Committee]

Members of the Information Security Committee

Chairperson: Director, Executive Officer in charge of information systems
Committee members:
  • Representative Director, Managing Executive Officer in charge of General Administration, Human Resources and Legal & Compliance
  • Executive Officer, General Manager, Innovation Strategy Division
  • Executive Officer, General Manager, Production Innovation Division
  • Executive Officer, Senior General Manager, Technology and R&D Division
  • Executive Officer, General Manager, Human Resources Department
  • Executive Officer, General Manager, Corporate Planning Department
  • Corporate Officer, General Manager, Information System Department
  • General Manager, General Administration Department
  • General Manager, Corporate Communication Department
  • General Manager, Intellectual Property Department
  • General Manager, Digital Transformation Promotion Department
  • General Manager, Legal & Compliance Department

Chairperson of the Information Security Committee: Hiroshi Usui
Director, Executive Officer

[Career and Roles in Information Systems]
Mr. Usui, Director and Executive Officer, has served as General Manager of the Engineering Department and General Manager of the Planning Department at the Aerospace Company of Nabtesco Corporation, and is a Director with a background in information security. He currently serves as the Officer in charge of Information Systems and is a member of the Risk Management Committee.

[Executive in Charge of Information Security (CISO)]
Mr. Usui, Director and Executive Officer, serves as Chairperson of the Information Security Committee, overseeing IT security and cybersecurity. He is responsible for IT security and cybersecurity strategy and reports to the CEO and the Board of Directors.

Measures

Establishment of Management Rules and Regulations

Through the Nabtesco Group’s intranet, we share rules and regulations established regarding information management and security, such as the Basic Rules on Information Management, Information Security Management Standards and Information Security Incident Response Standard.

Response to Information Security Incidents

We have standards in place for responding to information security incidents, and following these standards, the computer security incident response team (CSIRT) stands by to address them. When a security incident or suspicious situation is identified, the employee who discovers it must immediately disconnect the PC from the network and report the matter to their supervisor and the Information System Department. The CSIRT then takes action to contain the damage and to restore business operations as quickly as possible.

We verify our incident response at least twice a year. The first verification is a simulation of an actual incident carried out according to the procedure manual; after the simulation, we review the response measures taken and reflect the findings in the procedure manual. The second takes place during the annual disaster drills attended by all employees, where we evaluate the response from an IT security perspective and again reflect the findings in the procedure manual.

Furthermore, we regularly conduct information security vulnerability assessments and implement corrective measures to reduce the risk of information security incidents.

Information Security Audits

Our Group conducts both internal and external audits with the aim of maintaining and enhancing information security.
Internal audits are carried out fairly and objectively by auditors belonging to departments independent of the audited organizations, based on the international standard ISO 27001.
For external audits, we select independent third-party organizations to ensure objectivity, and the audits are conducted in accordance with ISO 27001.

When issues are identified through these audits, we formulate concrete improvement plans, assign priorities, and address them promptly. Furthermore, by regularly reviewing the implementation status and results, we strive for continuous improvement of our information security management.

Education on Information Security

We provide all employees with information security education every year as an awareness-raising measure. In addition, new employees and mid-career hires are required to complete information security training upon joining the company. The training materials are revised every year to reflect recent trends in information security.

In fiscal 2024, our main focus was on reinforcing internal rules regarding information security, raising awareness of recent trends in information security incidents, and informing employees about security risks associated with business operations. In addition, to prevent business email compromise, we conducted email training for all employees and shared the results company-wide to further enhance vigilance.

Our Group has reported zero major information security violations for this fiscal year.