Information security is one of the most important issues for any company that wants to effectively utilize all the types of information in its possession. Konica Minolta treats information as a valuable asset, and is working to ensure information security. It does this by practicing proper information management to address risks such as loss, leakage, or destruction of data, while carrying out continual improvements.
Promoting Information Security
Based on the leadership of the President and CEO as well as the officer in charge of the IT planning and management organization, Konica Minolta has established a Group-wide information security management system and is promoting a higher level of IT security and continual improvements at Group companies worldwide. In fiscal 2020, information security activities were reported to the Audit Committee.
In order to ensure the security (confidentiality, integrity, and availability) of controlled information, including not only information handled using information technology, but also information on paper and information about services and personnel, all Group companies in Japan have continuously maintained ISO 27001 certification, which is the international standard for information security management, since fiscal 2009. In addition, once a year risk assessments of information security are conducted and a risk response plan is formulated. Meetings of information security promoters, with a representative from each business in attendance, are held every quarter. At these meetings, progress on risk response plans and actions taken — particularly incident summaries — are reported to the Information Security Control Officer and instructions for necessary responses are issued. In this way, the PDCA cycle is followed.
Furthermore, measures to prevent unauthorized use and information leakage are implemented through the enactment and operation of rules relating to the management of confidential information and the establishment of systems for restricting and monitoring access to confidential information and its removal off-site. Also, education on the protection of personal information and information security is given at least once a year to all officers and employees, including non-regular employees, of Group companies in Japan.
Outside Japan as well, Group companies work to obtain ISO 27001 certification. Also, all Group companies outside Japan are required to provide all employees with education on information security at least once a year.
With respect to cyber-attacks in particular, which have increased in recent years, our management team follows the Cybersecurity Management Guidelines formulated by Japan's Ministry of Economy, Trade and Industry, is aware of the importance of cyber security risk countermeasures, and implements global security measures for IT, including establishing a Konica Minolta Computer Security Incident Response Team, named KM-CSIRT, that responds to incidents throughout the Group.
Finally, Konica Minolta is putting in place IT security controls, which are a part of the IT controls required under the Financial Instruments and Exchange Act (Japanese Sarbanes-Oxley Act), while ensuring compatibility within the Group.
Protecting Personal Information
Konica Minolta takes full precautions to protect the personal information of customers.
Konica Minolta has established the Global Personal Data Protection Policy and regulations for protection of the personal data of the Konica Minolta Group, which address the EU’s General Data Protection Regulation (GDPR). In accordance with this policy and these rules, the Group has established a worldwide system for protecting personal information and properly manages the personal information in its possession. Employees are also kept up-to-date on the policy and rules through e-Learning and other methods of training.
Moreover, a third party conducts an audit in line with the screening items for ISO/IEC 27001, the international standard for information security management. This confirms that laws, regulations and other norms are observed in line with the policy.
In the event that information leakage, including leakage of personal information held by Konica Minolta, is confirmed or is likely to have occurred, the information security management system will report it to the Personal Information Protection Officer. The Officer will immediately check the facts and degree of impact and submit the report to the Personal Information Protection Commission in Japan and other appropriate authorities in the respective countries.
In fiscal 2020, a minor leak of personal data occurred at a site outside Japan. Appropriate response measures were taken using an incident system already in place, and IT security was tightened to prevent a recurrence.