Information Security and Protection of Personal Information
Implementing Rigorous Information Security
Hitachi Construction Machinery’s information security administrator is appointed by the company’s president and has the authority and responsibility to implement and operate an Information Security Management System (ISMS).
The Information Security Committee, chaired by the information security administrator, determines policies and procedures for information security and personal information protection. The Information Security Committee conveys decisions internally and to other companies in the HCM Group. Information security officers at business sites and companies ensure that these decisions are implemented in the workplace.
The HCM Group emphasizes two points in information security and personal information protection:
- Prompt security responses
We classify assets and take safeguarding measures based on vulnerability and risk analyses. We also have an emergency manual for security breaches, based on the assumption that these are inevitable, and not just possible.
- Promoting stronger ethical and security awareness among data users
We have prepared a program tailored to various personnel levels and are working to raise the prevailing sense of ethics and security awareness through Group-wide e-learning. We are also conducting self-audits to identify and address problems early on.
Basic Approach to Information Security Governance
Information assets to be protected
- Clearly designate assets to be protected
- Evaluate information assets and conduct risk analysis
- Improve user literacy
- Supply security education materials
- Educate managers and staff
- Implement preventive techniques
- Widely implement administrative measures
- Deploy technological processes
- Establish information security system
- Develop rules (security policy)
- Create managerial framework
- Establish audit and follow-up system
- Ensure solid feedback through extensive PDCA cycles for prevention and accident response
Education on Information Security
Consistently maintaining the level of information security requires all parties to continually develop their knowledge of information handling and to remain strongly aware of the issues. For this reason, we hold annual e-learning programs on information security and personal information protection for all directors, employees, and temporary employees.
We offer a variety of courses that are tailored to different target audiences, including new employees, new managers, and information system administrators. In 2014, we also began simulation training to educate employees about the increasing trend toward malicious targeted e-mail attacks and other cyberattacks. Employees are sent examples of targeted e-mail to heighten their awareness of security through direct experience.
Our educational programs, available to HCM Group companies in Japan and other global regions, provide Group-wide education on information security and personal information protection. In FY2020 and beyond, we plan to expand our e-learning materials in response to requests from employees and also look to continue the implementation of our various training programs.
Preventing Information Leaks
Hitachi Construction Machinery Co., Ltd. has formulated the Three Principles for Preventing Leakage of Confidential Information to ensure the highest level of care for such information and to prevent leaks and other related incidents. Our policies ensure that if an incident does occur, damage is promptly minimized by contacting customers, investigating causes, and acting to prevent any recurrence.
We take the following IT steps to prevent information leaks: using encryption software and secure PCs; employing electronic document access control; maintaining ID management and access control by building an authentication infrastructure; and filtering e-mail and visited websites. In response to the recent spate of targeted e-mail attacks and other cyberattacks, we are also enhancing our IT organization by adding more layers to our leak prevention procedures, including both entry and exit countermeasures.
To ensure the secure exchange of information with our suppliers, we review their information security measures based on HCM’s own standards before allowing them access to confidential information. We have provided tools to suppliers (procurement partners) for security education and for checking business information on computers. In addition, we require suppliers to check and remove business information from personal computers to prevent leaks.
Three Principles for Preventing Leakage of Confidential Information
Principle 1 As a general principle nobody can take Confidential Information out of the Company’s premises.
Principle 2 Any person taking Confidential Information out of the Company’s premises due to business necessity shall obtain prior approval from the Information Assets Manager.
Principle 3 Any person taking Confidential Information out of the Company’s premises due to business necessity shall put in place relevant and appropriate measures against information leakage.
Global Information Security Management
Hitachi Construction Machinery group companies worldwide have revised the regulations based on the cyber security framework issued by the National Institute of Standards and Technology (NIST), responding to cyber threats and reinforcing their information security. These rules are distributed from the parent company in Japan to Group companies around the world. We are taking security measures by thoroughly enforcing security governance in our group companies.
Hitachi Construction Machinery has established the “Products and Services Data Governance Subcommittee” as a subordinate organization of the Information Security Committee and started its activities in 2021. This aims to globally promote protection and utilization of the data owned by ourselves, including the operational data of our products.
In this organization, we are working to establish global policies, develop unified standards for data protection safeguards to be implemented in products and services, monitor their operation status, and evaluate their effectiveness.
Through these activities, we will continue to strive to develop products and provide solution services by utilizing data as well as to ensure appropriate data risk management and the continued trust of stakeholders.
Thorough Information Security Audits and Inspections
The Hitachi Construction Machinery Group has developed its approach to security based on the “plan-do-check-act” (PDCA) cycle for information security management systems. We conduct annual information security and personal information protection audits at our Group companies and business units.
For Hitachi Construction Machinery Group companies outside Japan, we use a “common global self-check” approach to ensure Group-wide auditing and inspections. We implement Confirmation of Personal Information Protection and Information Security Management annually for the voluntary inspection of business unit workplaces.
Information Security Business Continuity Plan (IT-BCP)
In preparation for future cyber attacks and damage caused by natural disasters, which have been increasing in recent years, we at Hitachi Construction Machinery have been developing an Information Security Business Continuity Plan (IT-BCP). To minimize the possible harm caused by disasters, we have been working on integrating core systems and migrating to virtual servers or the cloud. Furthermore, we design operations so that systems can be restored within a predefined timeframe in case of cyber attacks and disasters, and we conduct a system recovery drill once a year.
Also, to enhance the resilience of our information systems against cyber attacks, we have been supporting initiatives such as server enhancement and separation of factory networks. In FY2021, we deployed a solution that detects and isolates viruses by their behavior at all group companies in Japan as well as overseas.