
Information Security

Approach

The IHI Group has established the IHI Group Information Security Policy to ensure the protection of confidential information of customers and business partners as well as corporate management and technical information. The Group strives to properly manage information while maintaining and improving information security.

Policy

IHI Group Information Security Policy

The IHI Group hereby sets the following IHI Group Information Security Policy for the purpose of ensuring the security of information assets in its possession and thereby further solidifying its trust-based relationship with customers, users and society.

(Basic Activities)

  1. The IHI Group will take appropriate measures with technology, organization and employees, in order to protect information assets against any leakage, theft, loss, destruction, illegal access, and disaster.
    In the event of any security problem regarding this information, the IHI Group will locate the cause as quickly as possible, and exert every possible effort to minimize the damage incurred.

(Information Assets)

  1. “Information assets” refer to the information the IHI Group handles in the course of business activities, regardless of the type of media, and the equipment, facilities and services necessary for handling such information.

(Scope)

  1. This Information Security Policy applies to all those using the information assets of the IHI Group, including but not limited to officers and employees of the IHI Group companies and temporary staff.

(Compliance with Laws, Regulations, etc.)

  1. The IHI Group will strictly observe the laws, regulations and codes pertaining to the protection of information assets, and the requirements and obligations regarding information security provided for in the agreements with the customers.

(Training)

  1. The IHI Group companies will provide all those using the information assets of the IHI Group with the necessary education on information security to enhance and maintain their awareness thereof.

(Management of Information Security)

  1. The IHI Group companies will establish a mechanism of implementing and managing information security by taking measures such as establishing rules concerning information security and appointing persons in charge of information management, thereby conducting, maintaining and improving information security activities on a continual basis.

(Responsibilities of Senior Management)

  1. The Senior Management of the IHI Group will set the example of enforcing this Information Security Policy. In the event of any infringement of this Policy, senior management will address the situation properly by defining their authorities and responsibilities, and do their utmost to resolve the problems, diagnose their causes, and prevent their recurrence.

(Punishment)

  1. Any action in violation of the rules of information security will incur punishment according to the employment regulations of IHI Group companies.

(Announcement)

  1. This Information Security Policy will be announced and notified to all those using the information assets of the IHI Group as well as being announced to the public.

Governance

The IHI Group has established an Information Security Promotion Framework, chaired by the Officer in charge of Intelligent Information Management Division as its Chief Information Security Officer. The Information Security Subcommittee operates within the DX Promotion Committee as an organization in charge of promoting the company’s information security activities overall. An Information Security General Manager is appointed at each IHI corporate division, Business area, Business Unit, and affiliated company to accelerate activities under this framework. Matters of particular importance regarding operation and management are discussed by the Board of Directors.

Information Security Activity Promotion Framework

Information Security Subcommittee

Chairperson: General Manager of Intelligent Information Management Division

Subcommittee members: Business areas, Business Units, and corporate divisions

Secretariat: Information Security Department

Number of meetings convened in FY2024: 3

Risk Management

Information Security Management System

The IHI Group has established a Group-wide information security promotion system, and is prepared to respond quickly under this framework in the event of an information security incident or accident, including a cyber attack. The Information Security Subcommittee, consisting of IHI’s corporate divisions, business areas, and Business Units, meets three times a year as a council for promoting information security measures, and plans, implements, and checks information security measures on an annual cycle. Taking into account the internal and external environment, such as an increase in telecommuting and the growing threat of cyber attacks, key measures are set for each fiscal year and implemented accordingly. In addition, each organization evaluates security risks based on the information assets and business processes it handles, and reflects these in its own countermeasure plans.
In fiscal 2019, the Group built a three-stage auditing framework for information security to strengthen checks (“C”) in the PDCA cycle. It consists of three types of audits conducted by different auditors: its own organizations, corporate divisions, and the Internal Audit Division. Each organization (IHI divisions and affiliated companies) conducts its own internal audit, the corporate division executes documentation audits and on-site audits, and the Internal Audit Division implements audits.
Divisions and affiliated companies involved in highly sensitive national projects in the IHI Group must undergo annual reviews by an external specialized agency to renew the ISO 27001 international information security certification for maintaining a high level of security.

Establishing the SOC and CSIRT

In order to respond to the growing threat of cyber attacks, the IHI Group has set up a SOC (Security Operation Center) and conducts security monitoring of PCs, servers, and network equipment. Additionally, the Group has established a CSIRT (Computer Security Incident Response Team) and put a framework into place for quickly responding to incidents detected through security monitoring. The Group has also prepared a response procedure manual for ensuring its ability to appropriately respond to cyber security incidents, outlining response procedures such as identifying the scope of breach and taking containment measures. Furthermore, response training assuming a cyber security incident is conducted at least once a year and appropriateness of the procedures is assessed.

Measures to Prevent Information Leakage During Remote Work

Remote work throughout the IHI Group as a measure to prevent the spread of the COVID-19 virus has gained traction as one of many work styles. However, remote work increases information security risks such as improper use, loss, or theft of information devices due to the higher number of information devices taken outside of the office.
To prevent the improper use of information devices, the IHI Group works to raise employee awareness through e-learning and internal newsletters covering security compliance rules for work done outside the office. These rules specifically prohibit personal use of company computers and prohibit business data from being stored on personal IT devices of the individual and/or family.
In addition, as a general rule when performing work outside of the company, the Group has implemented measures to make use of computers that do not store business data, reducing information leakage upon loss or theft of these devices.

Information Security Measures

The IHI Group takes steps to address information security risks from three perspectives: rules, tools, and education.
The rules include the IHI Group Information Security Policy, IHI Group Information Security Measure Standards, and Information System User Rules. The Group has adopted antivirus software and other security tools, which are always kept up to date. The services of specialized security firms are being used to investigate public servers, and any vulnerabilities found are fixed.

Evaluation of Information Security Measures

The IHI Group assesses the information security measures of the entire Group quantitatively every year based on the benchmark for information security measures implemented by companies offered by the Information Technology Promotion Agency, Japan (IPA).
The level of information security measures in fiscal 2024 was 3.8 out of 5. The Group will strive to achieve a score of 4, and further continue to improve our level of information security in fiscal 2025.

Employee Education

The IHI Group provides e-learning on a yearly basis, targeting all employees to deepen their understanding of information security rules and tools, and to maintain and raise employee information security awareness.

Metrics and Targets

Evaluation of Information Security Measures

(Unit: Score, Scope: IHI and consolidated subsidiaries)

| Item | FY2021 | FY2022 | FY2023 | FY2024 |
| --- | --- | --- | --- | --- |
| Evaluation (out of 5) | 3.7 | 3.7 | 3.8 | 3.8 |

Rate of Participation in e-Learning Related to Information Security

(Unit: %, Scope: IHI Corporation)

| Item | FY2021 | FY2022 | FY2023 | FY2024 |
| --- | --- | --- | --- | --- |
| Participation rate | 96.8 | 96.9 | 98.9 | 99.1 |
