Toppan has reinforced safeguards to prevent leaks and outflows of personal information in the diverse processes in which it is handled within the Group by restricting the handling of personal information to tightly secured areas that satisfy rigorous criteria for qualification audits. The Group has also worked for thorough security control in operation design and quality assurance with safe, secure systems and processes designed to manage personal information.
Toppan has also declared that “each of us at the Toppan Group carries out Group-wide information security management” in its basic policy on information security. Under the basic policy, Toppan has continuously upgraded the Group’s systemized rules formulated based on ISO/IEC 27001 (a stringent, globally recognized standard on information security management) in compliance with Japanese Industrial Standards (JIS) Q 15001 (standard for accrediting PrivacyMark Systems for personal information protection management).
■ Organizational Structure for Information Security Management
Companies today face wide-ranging information security risks, from careless mistakes and fraudulent acts committed in-house to cyber-attacks and hidden threats in new business fields.
The head office and every business division at Toppan work to strengthen cooperation with relevant departments throughout the Group. Toppan seeks to maintain the Group’s governance structure through cooperation that goes beyond existing organizational boundaries.
■ Reviewing Rules and Regulations to Enhance Information Management Systems
The Toppan Group’s rules and regulations on information management have been established based on the ISO/IEC 27001 standards for information security management systems (ISMS) and comply with the JIS Q 15000 standards for personal information protection management systems (PMS). To sustain its ISMS and PMS, Toppan needs to ensure robust corporate governance over the entire Group, including overseas sites, and to respond to emerging requirements in such areas as cyber security, data utilization, the IoT, and globalization.
Toppan therefore formulated a scheme to extensively review the Group’s existing rules and regulations in fiscal 2019. Updates based on this scheme will be effected in fiscal 2020.
■ Complying with International Laws and Regulations on Personal Information Protection
To address globalized business operations, Toppan specifies Group-wide standards on personal information protection in accordance with the core principles of the General Data Protection Regulation (GDPR) issued by the EU. Toppan seeks to handle personal information in conformance with the applicable legislation of every country where Group sites operate.
The People’s Republic of China, in particular, has established a Cyber Security Law (commonly referred to as the China Internet Security Law) that requires entities doing business in China to comply with various complex rules, including multifarious clauses on the handling of personal information. Toppan is closely checking the compliance status of Group subsidiaries in China, identifying issues to address, and setting priorities, with plans to make improvements by the end of fiscal 2021.
■ Tightly Secured Areas Designated for the Handling of Personal Information
Operations involving the use of confidential materials in the Toppan Group are conducted exclusively within a closed network environment in physically isolated, tightly secured workplaces where the comings and goings of employees through entrances and exits are monitored to minimize the risk of fraudulent acts and other forms of misconduct inside of the Group, and unauthorized accesses from outside of the Group. Strictly controlled operations include the handling of personal information (e.g., individual identification numbers under Japan’s Social Security and Tax Number System) and the production and handling of security printing products with monetary value.
The Group has been constantly and regularly monitoring and auditing these operations to respond to customer requests for strengthened procedures to prevent information leaks.
Toppan found no instances of unauthorized information removal in fiscal 2019, putting it on track to achieving the Group’s medium-term goal of zero unauthorized information-removal incidents through to the end of fiscal 2025.
■ Organizing Cyber-attack Reporting Drills
Toppan has introduced reporting drills as a defense against cyber-attacks, in addition to regular drills on the handling of virus-infected emails, to keep the Group on the alert for cyber security.
Toppan requested every Group employee using the Group’s email system to add a shortcut icon for reporting suspicious emails on their PCs and smartphones. One hundred percent of email-system users added the icon after receiving emails instructing and reminding them to do so.
These cyber drills were implemented in Toppan Printing Co., Ltd. and 12 Group entities to ensure that Group employees will more readily notice and report incidents of business email compromise (BEC) as soon as they occur.
Toppan found no instances of information leakage due to cyber-attacks in fiscal 2019. The Group’s medium-term goal is to maintain zero leakage incidents through to the end of fiscal 2025.
■ Preparing for the Tokyo 2020 Games
The Olympic and Paralympic Games, large-scale sporting festivals, are easy targets for organized criminals.
Toppan, a Tokyo 2020 Official Partner, gathers information to upgrade its safeguards against organized crime and takes part in anti-cyber-attack simulation drills organized by the National center of Incident readiness and Strategy for Cybersecurity (NISC) of Japan.
■ Group-wide Warnings on BEC
A surge of fraudulent emails posing as ordinary business emails has been causing extensive damage throughout the world. Toppan took action to combat business email compromise (BEC) incidents in fiscal 2019 by disseminating information on actual BEC cases and reminders to Group companies, including related domestic companies and overseas subsidiaries.