A new "Corporate Information Security Division" was established under the direct control of the president to oversee all of the Group's information security management. Since April 2020, it has integrated three functions that were previously separate: management of confidential corporate information and personal data protection, information system security, and product security. In April 2021, we enhanced the structure and added members to the Corporate Information Security Division.
In addition, we will invest more than ¥50 billion to implement technical security measures and establish a sustainable information security management system so that we can achieve Level 3 or higher*1 of the Cybersecurity Maturity Model.
The Executive Officer in charge of Information Security is responsible for the Group's overall information security management. Under this officer's direction, the Corporate Information Security Division is in charge of planning and implementing the Group's information security management structure and rules, as well as activities to ensure the security of information systems. The Division strives to ensure information security by working closely with each business group and office, which are the organizations that actually use and manage the data and systems.
As other companies suffered cyberattacks that affected their factory productivity, Mitsubishi Electric also formed a section to ensure factory security, thereby bolstering preparedness.
In addition, as part of PSIRT activities*2 to promote product security measures, we were accredited as a CNA*3 in November 2020, and we now assign CVE IDs*4 to vulnerabilities that affect Mitsubishi Electric products and publish them ourselves. This has strengthened the framework for efficient vulnerability handling with external stakeholders.
In the event an incident were to occur, reports and instructions would be given in keeping with this framework and appropriate responses would be taken to prevent secondary damage.
Business groups and offices (offices, branches, works [production plants]) issue instructions and guidance on information security to affiliates in and outside Japan. Paying special attention to the circumstances and special characteristics of overseas affiliates, the Corporate Information Security Division will build close cooperative relations with overseas regional representative managers at sites in the Americas, Europe, China, and other Asian countries to ensure information security.
Framework (Mitsubishi Electric Group)
To maintain and improve the information security level of the Mitsubishi Electric Group as a whole, including overseas affiliates, various inspections are conducted under the above information security framework, as prescribed in the Guidelines to Information Security Management Rules for Affiliated Companies.
The Mitsubishi Electric Group practices confidential corporate information management and personal information protection utilizing a continuous improvement approach implemented using the Plan, Do, Check, Act (PDCA) cycle, and employs four security measures to ensure proper management and protection of confidential corporate information and personal information from the organizational, human, physical, and technological perspectives.
PDCA cycle to ensure information security
Four security measures
Committed to living up to its Declaration of Confidential Corporate Information Security Management and Personal Information Protection Policy, Mitsubishi Electric Corporation has established information security regulations and guidelines alongside the four security measures, and reviews them as necessary to stay in compliance with current laws. In addition, we have similar rules for personal information protection and affiliates.
| Security measures | Regulations and guidelines |
| --- | --- |
| Organizational security measures | Regulations on confidential corporate information security management |
| Human security measures | Regulations on the work of employees |
| Physical security measures | Physical security guidelines |
| Technological security measures | Regulations on information security management |
The Mitsubishi Electric Group performs the following inspections as part of the C (Check) stage of the PDCA cycle at head office management departments, business groups and offices, and affiliates. These inspections focus on checking whether confidential corporate information management and personal information protection activities are being implemented properly by the Mitsubishi Electric Group as a whole, and on confirming the status of those activities. We review measures based on the results, and this leads to the A (Act) stage of the PDCA cycle.
These inspections are set down in the Confidential Corporate Information Management Regulations, which cover Mitsubishi Electric Corporation, and in the Guidelines for Information Security Management Regulations, which cover affiliates in and outside Japan.
| Inspection type | Program | Description |
| --- | --- | --- |
| Self-check | Self-check program for confidential corporate information management and personal information protection | Using a checklist, each Mitsubishi Electric Group company performs a self-inspection of its information security activities. |
| Third-party check | Third-party check program for confidential corporate information management and personal information protection | Mitsubishi Electric's business offices mutually check each other's status of information security management. Mitsubishi Electric checks the status of information security at affiliated companies. |
| Third-party check | Personal information protection audits (Personal information protection management system audits) | At Mitsubishi Electric, the status of personal information protection is internally audited under the supervision of the Audit Manager for Personal Information Protection, who is appointed by the President & CEO of Mitsubishi Electric. In affiliated companies in Japan that have been granted the right to use the "PrivacyMark," the same internal audit is conducted by the audit manager at each company. |