Information Security
To prevent the leakage or divulgence of information that is important to companies, such as business information, technological information, and personal information, whether in digital or paper form, the Hitachi High-Tech Group has implemented a range of measures and is working to strengthen information security.
Approach to Information Security
The progress of digitization has brought new opportunities for creating value, but this progress also amplifies the risks that businesses face, including information leaks and operational disruptions caused by increasingly sophisticated cyberattacks that impede business continuity. To minimize these risks, risk management related to information security has become one of the most crucial challenges for companies. Against this backdrop, Hitachi High-Tech recognizes cybersecurity measures as a crucial management challenge that addresses both value creation and risk management, and is engaged actively in information security initiatives. In our response, we are implementing measures in accordance with security standards common to the Hitachi Group.
Information Security Policy
Hitachi High-Tech created an information security policy to protect information assets, including information entrusted to us by our customers, the systems that store that information, and more. We established various rules and implementation systems based on this policy, and we address the challenges of information security management on an active basis.
Information Security Policy
- Formulating administrative rules for information security and ensuring their continual improvement
- Protection and ongoing management of information assets
- Legal and regulatory compliance
- Education and training
- Preventing incidents and taking action when they occur
- Ensuring business processes are optimized within the corporate group
Framework for Information Security
Information Security Committee – Organizational Structure
The Chief Digital Officer (CDO) has overall responsibility and authority for implementing and operating information security and personal information protection, and oversees information security for all Hitachi High-Tech products, services, and internal facilities. Headed by the CDO, the Information Security Committee determines all policies and measures for information security and personal information protection. These policies and measures are announced to all Business Units (BUs) and Group companies through channels such as the Information Security Promotion Council. This framework is also implemented at Group companies to promote information security across the group through mutual cooperation.
Information Security Management
Activities
Hitachi High-Tech established a framework for information security management based on the ISO/IEC 27001 international standard. In addition, we enhance information security by reviewing our rules and regulations in accordance with the United States government standard SP800-171. Our standards are communicated globally, and we also actively make use of shared security services and related information security support provided by regional headquarters in the Americas, Europe, ASEAN countries, and China.
Preventing Information Leaks
Hitachi High-Tech engages in a number of IT-related measures to prevent information leaks, such as device encryption, ID management and access control via authentication infrastructure, and e-mail and website filtering. In response to the recent proliferation of targeted e-mails and other cyberattacks, we not only participate in an initiative to share information between the private sector and the government, but also strengthen various IT measures that include a defense-in-depth strategy. To prevent leaks from procurement partners, we review their information security measures based on Hitachi’s own standards before allowing them access to confidential information.
Education on Information Security
Hitachi High-Tech holds annual e-learning programs on information security and personal information protection for all executive officers and employees. The participation rate at Hitachi High-Tech in FY2023 was 100% (excluding those who could not attend due to personal leave, etc.). In addition, Hitachi High-Tech offers a variety of programs depending on the target and aims, such as those for new employees, new managers, and lectures for information system administrators. Hitachi High-Tech also implements simulation training to educate employees about phishing attacks and other cyberattacks. Employees receive deceptive e-mails as phishing simulations to heighten their awareness of security through direct experience. Hitachi High-Tech actively implements training on information security and personal information protection.
Information Security Management Evaluation and Monitoring
Hitachi High-Tech implements information security and privacy protection initiatives based on the PDCA cycle of the information security management systems stipulated by Hitachi. We conduct regular audits and inspections to monitor and evaluate whether management and measures for information security and data protection are implemented properly in each department. Hitachi High-Tech requires Group companies outside Japan to use a common global self-check approach to ensure groupwide inspections. All departments perform self-directed personal information protection and information security operation checks annually. We also participate in Hitachi's security risk reduction activities through regular on-site assessments of the status of information security measures. A team of in-house security specialists is responsible for identifying any deviations arising from self-checks.
Cyber-Security Initiatives
Activities
To address the risks posed by the increasing diversification of cyber-attack methods, origins, and impacts, Hitachi High-Tech is expanding the scope of our security risk management. Traditionally, we focused risk management on response measures for internal IT environments. To reduce business risks going forward, we will include the development and verification environments used to create products and services, production and manufacturing environments, and the supply chain and product/service development process.
Cyber-Security Management
Hitachi High-Tech established standards for internal IT environment-related vulnerability response measures and network security. We require regular status assessments of these measures and the performance of corrective actions. As a companywide measure, we launched an initiative to monitor vulnerability mitigation for each device and follow up with users/administrators to expand the application of such measures. In the development/test and production/manufacturing environments, we established standards and guidelines for infrastructure construction and operations to ensure security compliance in each environment, and we pursue measures based on these guidelines within the Hitachi High-Tech Group. We also share information security requirement standards established by Hitachi with our procurement partners, working cooperatively to enhance security. We established management guidelines to address and maintain the security of products and services, and we follow measures based on these guidelines within the Hitachi High-Tech Group.
Cyber-Security Monitoring
Hitachi High-Tech utilizes the Hitachi Security Operation Center (SOC), which monitors security on an around-the-clock basis to ensure global-scale cyberattacks are detected and response measures initiated immediately. The Incident Response Team (IRT) collects and develops threat information and manages our response to any security incidents. Cyber-attack methods are becoming more sophisticated every year, with an increasing number slipping past detection systems. More often, these attacks tend to go undetected for long periods, resulting in increased damage. In this context, Hitachi High-Tech strengthens cyber surveillance through Endpoint Detection and Response (EDR)*1 to monitor device behavior and perform authentication protection. We continue to improve and strengthen our cyber monitoring environment using the latest technology.
*1 Systems to monitor suspicious behavior and respond quickly to attacks on endpoint devices such as computers.
Data Protection Initiatives
Activities
As digital technology continues to advance, the global trend toward leveraging data only accelerates. This situation has led to heightened interest in the protection of personal information and cross-border data exchange. In such an environment, Hitachi High-Tech places significant importance on personal information protection initiatives to ensure the secure management of personal information received from customers and personal information involved in business operations. As a member of the global community, Hitachi High-Tech is committed to protecting personal information in accordance with our vision for personal information protection, which is to provide safety and trustworthiness, and to value individual rights.
Personal Information Protection
Hitachi High-Tech established the Personal Information Protection Policy, which is announced to all executive officers and employees and is also publicly available. Hitachi High-Tech created a personal information protection management system based on this policy. This system ensures the protection of personal information by such means as appropriate management of personal information, educational programs for all employees, and periodic audits. We do not share personal information with third parties without the data subject’s prior consent. Even in cases where prior consent is obtained, Hitachi High-Tech requires the third party to whom the data is provided to comply with Hitachi High-Tech’s Personal Information Protection Policy. Hitachi High-Tech also strives to safeguard personal information globally based on each company’s personal information protection policy, and we ensure that these companies comply with all applicable laws and regulations in each country and region, as well as with the expectations of society at large.
Responding to Personal Data Protection Laws Around the World
With the increasing risk of privacy violations, lawmakers are actively seeking to create and modify relevant laws and legislation in countries and regions around the world. Hitachi High-Tech ensures thorough global compliance with legal frameworks, continues to monitor related legal frameworks and social trends, and implements appropriate measures. In Japan, Hitachi High-Tech complies with the Amended Act on the Protection of Personal Information, and in the event that a leak may result in a situation that would harm the rights and interests of individuals, Hitachi High-Tech promptly reports said leak to the Personal Information Protection Commission and notifies the affected individuals. Hitachi High-Tech also formulated a groupwide internal code of conduct concerning the protection of privacy, which takes into consideration international legal frameworks such as the European General Data Protection Regulation (GDPR). This code of conduct became effective as of April 2022.
Third-Party Evaluations and Certifications
Hitachi High-Tech encourages the acquisition of third-party evaluations and certifications for information security management. Our solution centers have obtained certification from the ISMS Accreditation Center (ISMS-AC) in accordance with the ISO/IEC 27001 Information Security Management System international standard.