Information Security Management

Material Issue

GRC

Management information

Relevance to our business

The Fuji Oil Group recognizes information security as a risk category directly tied to our business, and is working to strengthen our information security management.
We fulfil our corporate social responsibilities by providing reliable products and services, and properly managing all critical information we receive from customers, business partners and various stakeholders involved in our business operations.
As information technology and digital data security become increasingly vital to our operations, we safeguard against unauthorized access and cyber attacks while promoting the digital transformation (DX) of the Fuji Oil Group. This will further increase our corporate value.

Basic approach

The Fuji Oil Group works to improve our security level in order to safeguard our information systems against surrounding threats, and to protect and maintain the confidentiality, integrity and availability of our information assets. We formulated the Information Management and Information Security Regulations. Employees are trained on a continual basis to ensure that they understand and follow these regulations. On a technical level we are taking multilayered measures to prevent unauthorized access from outside the Group’s information systems and to protect against computer viruses. We will continue to raise our information security level through a process of review, verification and improvement.

Management system

The Chief Financial Officer (CFO) oversees initiatives in this area. An Information Officer and a Computer Security Incident Response Team (CSIRT) were established under the CFO at each Group company. The CSIRT also appointed an Information Management Director and an Information Security Manager for each Group company. We aim to systematically raise the information security level of all Group companies, with the advice of external experts.
The Sustainability Committee,*1 an advisory body to the Board of Directors, monitors the progress and results of initiatives as a material ESG issue.*2

Goals / Results

Self-assessment scale: At least 90% complete / At least 60% complete / Less than 60% complete

FY2022 Goals
  • Review and update the Group’s Information Security Regulations to reflect the latest risk trends

FY2022 Results
  • Regulations revision completed
  • On-site evaluation of measures taken by companies in line with revised content (5 companies)
  • No serious security incidents occurred, thanks to the increased internal awareness of security risks.

Analysis

COBIT* Level 4 requires the ability to demonstrate implementation of activities that ensure IT security, to measure the status of information asset protection and IT security assurance compliance, and to be ready to implement improvements when necessary. To meet these requirements, we introduced an evaluation system by the Computer Security Incident Response Team (CSIRT), including internal security audits. In FY2022, checks were conducted for five Group companies. This system ensures a robust PDCA process for information security management.
When the evaluation identifies areas requiring improvement, each Group company devises measures with assistance from the CSIRT and implements them after approval from the Information Management Director at each company.

  • * A framework to measure the maturity of IT governance, evaluated on a scale of 0 to 5. Level 5 indicates the process is “optimized”.

Next step

We will continue providing support for both IT and OT* security measures in order to raise awareness of the Group's Information Security Regulations revised in FY2022 and to ensure compliance in all our companies.

  • Continue conducting measure evaluations by CSIRT, which include internal security audits (FY2023 plan: IT evaluation for six companies, OT evaluation for four companies)
  • * Operational technology (OT) comprises the systems and their associated technologies which control and operate control devices in factories and other facilities.

Specific initiatives

Education

Since FY2018, we have been conducting IT security training for Group employees to raise awareness, mainly by e-learning. The completion rate in FY2022 was 96.2%.* We will work to develop the content of the training and encourage participation with the aim of achieving 100% participation in the future.

  • * Targeted at officers, executive officers and employees who have a company email address and use a computer in their day-to-day operations.

Internal security audit

Since FY2020, we have been conducting internal security audits within the Fuji Oil Group in order to assess the state of compliance with security requirements together with explicit evidence, and to set up a PDCA cycle for correction. In FY2023, we will update the evaluation items covered by the audit to include OT security measures and cloud services used by business divisions, as we continue conducting internal audits and self-assessments.