Information Security Management
Management information
Relevance to our business
Risk management is important for the Fuji Oil Group’s business activities and its contribution to society. In the context of the growing value of digital data, an essential aspect of risk management is information security management. Information security management is important for rigorously protecting not only the company’s management data but also the data of customers and employees.
Basic approach
The Fuji Oil Group works to improve its security level in order to safeguard its information systems against surrounding threats, and to protect and maintain the confidentiality, integrity and availability of its information assets. We formulated the Information Management and Information Security Regulations. Employees are trained on a continual basis to ensure that they understand and follow these regulations. On a technical level we are taking multilayered measures to prevent unauthorized access from outside the Group’s information systems and to protect against computer viruses. We will further raise our information security level through a process of review, verification and improvement.
Management system
The Chief Financial Officer (CFO) oversees initiatives in this area. A Chief Information Management Officer and a Computer Security Incident Response Team (CSIRT) were established under the CFO. The CSIRT also appointed a person in charge of information management and a person in charge of information security for each Group company. We aim to systematically raise the information security level of all Group companies, with the advice of external experts.
The ESG Committee,*1 an advisory body to the Board of Directors, has been monitoring the progress and results of initiatives as a material ESG issue.*2 The ESG Committee reports insights to the Board of Directors for review.
*1 Follow the link below to learn more about the ESG Committee.
*2 Follow the link below to learn more about material ESG issues.
https://www.fujioilholdings.com/en/sustainability/materiality/
Goals / Results
Self-assessment legend: At least 90% complete / At least 60% complete / Less than 60% complete
FY2020 Goals | FY2020 Results | Self-assessment |
---|---|---|
Achieve COBIT* Level 4 information security management maturity model | | |
* Control Objectives for Information and Related Technologies. A framework for assessing the maturity level of IT governance on a scale of 0 to 5. The highest maturity level is 5 (Optimizing). We were at Level 3 as of April 2020.
Analysis
COBIT Level 4 requires the ability to demonstrate implementation of activities that guarantee IT security, to measure the status of information asset protection and IT security assurance compliance, and to be ready to implement improvements when necessary. The internal security audit was adopted to meet these requirements. It clarified operational issues that could not be found through security measures other than auditing. We were also able to confirm its effectiveness as a measure for enhancing the level of security.
Next step
We recognize two issues for IT security management: some Group companies have systems outside the control of the IT Division, and security management for these systems is lacking. To address these issues, we set the following goal for FY2021.
- Continue to conduct internal security audits that reflect risk trends and expand the scope of audited systems under the control of the IT Division
Specific initiatives
Education
Since FY2018, we have been conducting IT security awareness training for Group company employees mainly by e-learning. The participation rate in FY2020 was 97.5%. We will work to develop the content of the training and encourage participation with the aim of achieving 100% participation in the future.
Internal security audit
Since FY2020, we have been conducting internal security audits at Group companies in order to assess the state of compliance with security requirements together with explicit evidence, and to set up a PDCA cycle for correction. Eight companies were audited in the first year, from a 15-point perspective. Going forward, we will increase the number of target companies and broaden the perspective for auditing.