Fiscal 2011 Activities Review and Plan for Fiscal 2012
1. Maintaining Unified ISMS Certification for the Group
We passed the annual audit for unified ISMS certification for the Group, and maintained our ISMS certification.
Among overseas companies, Ricoh Denmark A/S, Ricoh Ireland Ltd., Ricoh Rus, Ltd. and Ricoh Logistics Corp. [USA] underwent the audit for the first time and were added to the unified certification. (In total, 66 companies worldwide are certified: 21 in Japan and 45 overseas.)
We are thus able to confirm that information security is managed in an appropriate manner.
Plan for Fiscal 2012
We will undergo the annual audit to maintain our certification.
2. Continual Improvement and Deployment of Ricoh Family Group Information Security
In light of changes to the business environment, such as the spread of new IT devices, we have added control items related to the business use of smart devices and cloud systems and revised the Ricoh Family Group Information Security Measures. Also, to optimize risk assessment, we have set control items for the daily processing of information (specifically, transport, transmission and the removal of information), thereby making it possible to perform baseline risk assessments.
Plan for Fiscal 2012
We will set criteria suitable for new work styles with field workers while continuing to implement the Ricoh Family Group Information Security Measures.
In addition, to promote even more effective information security activities, we will work to achieve innovation and improvement in the methods for implementing and operating IT.
3. Enhancing the Ricoh Group’s Business Continuity Plan and Management
In our BCM we included maintenance services and supplies of consumables because they are essential to enabling the ongoing utilization of equipment installed on customer premises by the imaging solutions business. In fiscal 2011, we expanded the scope of assumed risks and business fields included in BCM based on experience we gained from the Great East Japan Earthquake.
In fiscal 2011, we took the following actions in relation to IT systems:
- Identified IT systems important for the continuity of each business
- Examined communication means to be used between top executives immediately following a disaster
- Reviewed action guidelines for IT staff
Plan for Fiscal 2012 (IT systems)
We will continue to improve, upgrade and expand our efforts on two fronts, namely disaster-prevention measures (measures to anticipate disasters and minimize damage) and BCP (planning and preparation for continuation of important operations).
BCM: business continuity management
BCP: business continuity plan
4. Continuous Education to Raise Awareness of Information Security Issues
We created educational materials targeting all Ricoh Group employees.
Ricoh Group companies in Japan used this material to provide employees with a self-assessment-based online education program.
The program introduced examples of misconduct and of actions that might lead to incidents, to help employees take action based on appropriate judgment, and checked participants' level of understanding.
For actual examples to be shared in information security activities, such as issues pointed out in internal and external audits and incidents that could have resulted in serious or fatal accidents, we created check items on the basis of which employees increased their awareness of information security, and subsequently worked to improve security.
Plan for Fiscal 2012
We will continue to provide education for all Ricoh Group employees to raise awareness of information security issues.
In consideration of the impact on daily business operations caused by changes in the business environment such as the spread of new IT devices, we will improve our ability to make appropriate information security decisions.
5. Using IT to Prevent Recurrence of Information Security Incidents
There were no major incidents announced publicly or reported to auditing and supervising organizations in fiscal 2011.
For events considered highly likely to occur, based on past and predictive information on incidents and accidents continually collected within the Group, we introduced an outline of the events widely across the Group as a first step in preventing their occurrence, communicating the outline not only to each organization but also to employees at educational sessions.
Moreover, we unified the reporting routes for information security incidents and total risk management (TRM) incidents in the fields supervised by the internal control department, aiming to provide consistent responses and decisions in response to incidents.
Plan for Fiscal 2011
We will work on a continual basis to reduce the number of serious accidents to zero. Based on the recognition that even relatively minor incidents might be signs of serious accidents to come, we will strive to prevent the (re)occurrence of such incidents.
Also, we will improve the incident management database, and make more adjustments to the system in order to manage the removal of external storage media and the inventory management system for PCs and other devices, with a view to completely preventing the (re)occurrence of incidents in a more efficient manner.