Ensuring Information Security in Sumitomo Chemical Group

Transcription

1 Ensuring Information Security in Sumitomo Chemical Group Sumitomo Chemical Systems Service Co., Ltd. Solution Department Tatsuhiro SUZUKI Sumitomo Chemical Group treats ensuring information security as one of its business issues, and has promoted information security management in the whole group. When managing information security in the group, points to ponder and approaches to take are different from when managing it in a single company. This article will discuss the approaches, issues, solutions for the issues and future efforts regarding ensuring security management in Sumitomo Chemical Group, by using some case examples in Sumitomo Chemical Group. IT CSRCorporate Social Responsibility ISO/ IEC :2005 1) ISO/IEC : 2005 Table 1 ISO/IEC : )

2 Table 1 3 concepts of information security 3 Confidentiality Integrity Availability Definition of 3 concepts of information security based on ISO/IEC 27001:2005 ISO/IEC 27001: Definition The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. The property of safeguarding the accuracy and completeness of assets. The property of being accessible and usable demand by an authorized entity. IT IT 1 ISMS Information Security Management System ISO/IEC : ISO/IEC : ) ISO/IEC : 2006 ISO/IEC : ) Table 2 11 Table 2 Category of controls to ensure information security (ISO/IEC 27002:2006) ISO/IEC 27002:2006 Category of controls to ensure information security 1. Security Policy 2. Organization of information security 3. Asset Management 4. Human Resource Security 5. Physical and environmental security 6. Communications and operations management 7. Access Control 8. Information systems acquisition, development and maintenance 9. Information security incident management 10. Business continuity management 11. Compliance Fig. 1Fig. 1 ISO/IEC : ) Plan Do Check ActPDCA

3 International standard ISO/IEC 27001:2005 ISO/IEC 27002:2006 Refer Business Strategy Ensure consistency Information Security Management System Act Plan Continuous development Check Do Result Ensuring Information Security (Maintaining Confidentiality, Integrity, and Availability) Fig. 1 Image of actions in companies for ensuring information security ISO/IEC : ) ITIT ) 3 IT IT IT IT ISO/IEC :2005 1) 2009-

4 PDCA Fig. 2 PDCA Do 1 2 Fig. 3 Information Security Management System in Sumitomo Chemical Group Information Security Management System in each group company Information System Security Regulations Promotion rules Introduction and operation rules Policy Act Plan Do Act Plan Do Standards Introduction and operation standard Use standard Technical standard, etc. etc. Standard Fig. 2 Check Check Information security management structure in Sumitomo Chemical Group Fig. 3 Implementation procedures Procedure documents Design documents, Settings specifications Ledgers, Diagrams, etc etc. Implementation procedure Plan

5 3) 3 3 Fig. 4 3 Grouping Criteria Type of Group Company Type-Based Baseline Security Measure Level Companies with sales of more than 30 billion* 300* Companies with sales of 10 billion to 30 billion* * Companies with sales of less than 10 billion* 100* Companies are categorized taking corporate structures and risks into consideration, in addition to the grouping criteria. Group 1 Group 2 Group 3 Group 1 Group 2 Group 3 High Low * calculated before consolidated accounting Fig. 4 Sumitomo Chemical CB (North America area)* * CB (Europe area) CB (Asia area) CB (China area) Sumitomo Chemical Systems Service Foreign group company Domestic group company * Will be established Fig. 5 Information security management promotion structure in Sumitomo Chemical Group 2009-

6 2006 IT Corporate Branch CB IT Fig. 5 Do IT IT IT 2 Check ) ) Act 2009-

7 Information Security Management Process in Sumitomo Chemical Group Plan Establishment of security management Establishing Policy Risk assessment Approval by management Do Introduction and operation of security management Check Monitoring and review of security management Act Maintenance and improvement of security management Issue1 It is difficult to make the necessity of ensuring information security be understood. Issue2 How to implement is not still understood although the necessity is well-known. Issue3 Group category can not be applicable to some small-scale companies. Fig. 6 Issues of information security management in Sumitomo Chemical Group Fig. 6 Fig IT IT why whathow IT Fig. 7 IT IT IT IT 2009-

8 Explanation at the planning stage Policy Ensuring information security Support Security Measures Measures for ensuring security For example: Implementation of periodical backup Group Companies Support Meaning Meaning of each security measure (what risk can it deal with?) For example: In order to recover rapidly from incidents and continue company s business Added after review Points of Security Measures Points for implementing each security measure For example: Check if backup being done properly Create recovery procedure Giving training to enable rapid incidents handling, etc. etc. Fig. 7 Review of support for group companies to implement security measures 3 IT IT IT IT ISO/IEC : ) 3 IT 2009-

9 IT 3 IT IT IT PC IT IT IT IT IT 1) ISO/IEC : ) ISO/IEC : ) 21 6,. 4) 15 4,

10 PROFILE Tatsuhiro SUZUKI 2009-