Objectives of this manual
Scope of Information to be Subject to the Criteria
- Digitized Information: PCs, servers, storage media (storage medium, etc.)
- Papers: documents, drawings, etc.
- Embodiments: molds, prototypes, etc.
1. Establishment of Structure for Information Security Management -1
CSO (Chief Security Officer): responsible for governing and implementing the company-wide Information Security activities.
Information Security Committee: implements decision making on Information Security; comprised of representatives from related departments, such as the Personnel Department, General Affairs Department, and Technical Management Department.
Manager in charge of Information Security: responsible for Information Security activities at each workplace.
Employees
Reference: 1-1 Organizational Chart for Information Security Implementation.xls
1. Establishment of Structure for Information Security Management -2
1-2. Establish and document basic policies and rules on Information Security.
Basic policies shall be established, and the top management shall declare the
promotion of Information Security activities.
The top management members must show their positive stance for promoting
Information Security activities, and document basic policies for Information
Security, in order to publicize, both internally and externally, the goals of the
activities as well as the actions to be taken.
They must clarify “why” Information Security activities need to be implemented,
“what” shall be protected and “how", and “who” will be responsible for
Information Security.
2. Confidentiality Management of Information Assets
2-1-1. Identify information assets and create a list of information assets for
Confidential Information, and update such list regularly.
A list of information assets is created for each management unit to clarify which
information must be protected.
Identifying the information to be protected clarifies by whom and where Confidential Information is handled. At the same time, the threat level for the protected information can be set, the necessary controls selected, and the existence of vulnerabilities or risks to such information confirmed.
It shall be regularly confirmed that Confidential Information is identified properly, and the list of information assets updated.
The confidentiality of information may vary from time to time, so it needs to be reviewed regularly.
(Illustration: "This is ABC-Company's information, so I have to keep it in this cabinet.")
2-2. Management of exchange/return procedure of Confidential Information -1
(Article 2-2-2 applies only if Confidential Info is taken out.)
2-2-1. Exchange Confidential Information pursuant to the rules agreed upon
between Your Company and Panasonic.
2-2-2. Establish rules for taking Confidential Information out of the designated
areas, and implement all applicable procedures in a) to d) below.
a) When taking Confidential Information out, obtain an approval from the responsible
management personnel *.
Example: Records of take-outs, including such data as date and time, person's name,
document/file name, etc., are kept in a registration book.
Reference: 2-2-2 Application form for taking out PCs and recording media.xls
*The responsible management personnel means the person in charge of managing information in the
organization of Your Company (the manager of a department, a project leader, etc.).
2-2. Management of exchange/return procedure of Confidential Information -2
(Article 2-2-2 applies only if Confidential Info is taken out; this article is excluded if Confidential Information is not taken out.)
b) While being taken out, confidential information shall always be kept at hand.
c) When Digitized Information on PCs, PDAs or storage media is taken out, or sent by e-mail, encrypt such information.
d) When Embodiments (molds, prototypes, etc.) are taken out, keep them out of sight of
outsiders.
Example: Embodiments are covered with cloth, etc., to make them invisible from outside
when being taken out.
2-2. Management of exchange/return procedure
of Confidential Information -3
2-2-3. Return Confidential Information to Panasonic in accordance with the
procedures agreed upon between Your Company and Panasonic at the
completion of the contracted business. When Your Company disposes of
Confidential Information, follow all applicable procedures described in a)
to d) below, pursuant to the agreement with Panasonic. Provide records
of the disposal upon request by Panasonic.
a) Completely delete Digitized Information that is stored on servers, PCs, PDAs, or
storage media.
b) Shred, dissolve or incinerate Papers (documents, drawings, etc.).
c) Destroy Embodiments (molds, prototypes, etc.) to make the original information
unrecognizable.
d) When outsourcing the disposition of waste to an industrial waste disposal contractor,
etc., require such a contractor to execute a non-disclosure agreement.
2-3. Physical Security Controls -1
2-3-1. Restrict the outsiders from entering the areas, including company
premises, buildings and rooms, where Confidential Information is handled,
by setting up physical measures.
2-3. Physical Security Controls -2
2-3-2. Ensure that only the personnel who need to know the relevant information
for business purposes will be given a permission to enter the areas where
Confidential Information is handled.
The zone manager identifies personnel who need to enter such areas for business
purposes, and give them permission to enter.
2-3-4. Keep records, including surveillance camera images, of entry to and/or exit from the areas where Confidential Information is handled, and regularly review such logs to confirm that they are properly taken.
Records shall be taken and kept in a registry book, etc. for a certain period (as agreed with Panasonic), so that, when unauthorized access to information is detected, it can be verified who had access to the area and when.
Example: Entry/exit records are taken in the form of ID authentication logs, surveillance camera images, and entry/exit registers.
2-3-5 Prohibit anyone from bringing privately-owned PCs, mobile phones, PDAs,
storage media (SD cards, USB memories, etc.), communication devices
(wireless LAN, etc.) into the areas where Confidential Information is
handled. If bringing such devices into such areas is necessary, follow the
procedures a) and b) below.
a) Obtain an approval for bringing in such devices from the responsible management
personnel.
b) Establish and implement the rules to prohibit the connection of such devices with
company PCs and networks, and the use of the camera function of mobile phones or
PDAs, even if bringing in such devices is approved.
Storage media with large recording capacity make it easy to take out large amounts of data.
Bringing in storage media without permission must be prohibited. To prevent devices from being brought in casually, prior approval must be obtained even when they are needed for business purposes.
Reference: 2-3-5 Application form for bringing in PCs and storage media.xls
2-3. Physical Security Controls -4
(Article 2-3-6 applies only if Your Company shares Papers or Embodiments with Panasonic.)
2-3-6. Limit the accessibility to Papers (documents and drawings, etc.) and
Embodiments (molds, prototypes, etc.) to the personnel who need to
know such Confidential Information for business purposes, and
implement the anti-theft measures.
Example:
Confidential Information is locked away securely in lockers.
Confidential information is stored in lockable rooms, and the administrator of the
keys is appointed.
2-4. Management of user IDs and passwords of the IT system users -1
(This article applies only if Your Company shares Digitized Info with Panasonic.)
2-4-1 Establish rules to manage user IDs for the IT system, and follow all
measures in a) to d) below.
a) Prohibit sharing of user IDs with other users of the IT system.
b) Establish procedures to issue and approve user IDs.
c) Immediately delete unused IDs, such as the IDs issued to resigned, retired or
transferred staff and the temporary IDs.
d) Periodically verify that unmanaged IDs do not exist.
Establish and implement the rules for applying, approving, issuing and deleting
IDs.
When the user is retired, transferred, or his/her job is changed, the ID must be
appropriately deleted or updated.
Periodical confirmation must be made to ensure that unused IDs do not exist.
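As an added illustration of measures c) and d) above, the following script reconciles an export of the IT system's user IDs against the HR roster and flags IDs that need action: IDs with no accountable owner, IDs whose owner has resigned or transferred, expired temporary IDs, and dormant IDs. It is not part of the manual; the account export, roster, field names and the 90-day dormancy threshold are constructed assumptions.

```python
"""Periodic reconciliation of IT-system user IDs against the HR roster.

Added example, not part of the manual. The account export, the roster,
their field names and the thresholds below are constructed and hypothetical.
"""
from datetime import date, timedelta

# Constructed sample: export of user IDs from the IT system (hypothetical fields).
ACCOUNTS = [
    {"id": "tanaka",     "owner": "E001", "kind": "personal",  "last_login": "2024-05-20", "expires": None},
    {"id": "sato",       "owner": "E002", "kind": "personal",  "last_login": "2024-05-21", "expires": None},
    {"id": "suzuki",     "owner": "E003", "kind": "personal",  "last_login": "2024-01-03", "expires": None},
    {"id": "tmp-audit",  "owner": "E002", "kind": "temporary", "last_login": "2024-03-01", "expires": "2024-03-31"},
    {"id": "lab-shared", "owner": None,   "kind": "personal",  "last_login": "2024-05-22", "expires": None},
]

# Constructed sample: HR roster keyed by employee number.
ROSTER = {
    "E001": {"name": "Tanaka", "status": "active",   "dept": "Technical Management"},
    "E002": {"name": "Sato",   "status": "active",   "dept": "General Affairs"},
    "E003": {"name": "Suzuki", "status": "resigned", "dept": "Technical Management"},
}

AUDIT_DATE = date(2024, 5, 25)   # hypothetical date of the periodic check
DORMANT_DAYS = 90                # hypothetical threshold agreed with the responsible manager


def reconcile(accounts, roster, today, dormant_days=DORMANT_DAYS):
    """Return findings keyed by user ID; each value lists the reasons the ID needs action."""
    findings = {}

    def flag(user_id, reason):
        findings.setdefault(user_id, []).append(reason)

    for acct in accounts:
        uid = acct["id"]
        owner = acct["owner"]
        # d) an ID nobody in the roster is accountable for is an unmanaged ID
        if owner is None or owner not in roster:
            flag(uid, "no accountable owner in the roster (unmanaged ID)")
        # c) the owner left or moved: the ID must be deleted or updated
        elif roster[owner]["status"] != "active":
            flag(uid, f"owner {owner} is {roster[owner]['status']}; delete or update the ID")
        # c) temporary IDs must not outlive their approved period
        expires = acct.get("expires")
        if acct["kind"] == "temporary" and expires and date.fromisoformat(expires) < today:
            flag(uid, f"temporary ID expired on {expires}")
        # d) an ID nobody uses any more is a candidate for deletion
        idle = today - date.fromisoformat(acct["last_login"])
        if idle > timedelta(days=dormant_days):
            flag(uid, f"no login for {idle.days} days (dormant)")
    return findings


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ACCOUNTS, ROSTER, AUDIT_DATE)


if __name__ == "__main__":
    for uid, reasons in sorted(run_audit().items()):
        print(uid)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample data, the check is clean for tanaka and sato and reports suzuki (owner resigned, dormant), tmp-audit (expired) and lab-shared (no owner). In practice the two inputs come from the directory service and the HR system, and the output is the worklist the responsible management personnel sign off on.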
2-4. Management of user IDs and passwords of the IT system users -2
(This article applies only if Your Company shares Digitized Info with Panasonic.)
2-4-2. Establish rules to manage passwords for the IT system, and follow all
measures in a) to c) below.
2-4. Management of user IDs and passwords of the IT system users -3
(This article applies only if Your Company shares Digitized Info with Panasonic.)
Example: A separate access right is set to each folder in servers, and the access is
controlled with user IDs.
Example: Access logs are taken, using the system logging function of Server OS
(capability).
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -1
(This article applies only if Your Company shares Digitized Info with Panasonic.)
2-5-1. Isolate the company’s internal network from external networks, including
the Internet, with router, firewall, etc.
Blocking access to the company network from outside networks prevents information leakage caused by unauthorized access from outside the company, virus infection, etc.
2-5-2. Establish and implement procedures to introduce and install PCs, PDAs,
and servers.
Procedures to introduce and install PCs, PDAs, and servers must be established.
Places where PCs, PDAs, and servers are installed must be determined in
accordance with the confidentiality classification of the information stored.
End connections of company networks must be installed in "Business Zones” or
“Important Zones.” If end connections need to be installed in "Common Zones,"
controls to prevent unauthorized connections, such as sealing those connections,
are implemented.
Network facilities such as hubs and routers must be installed in "Business Zones"
or “Important Zones.” Storing such facilities in racks with lockable doors is
recommended.
(Please refer to zone classification on page 14.)
2-5-4. Prohibit the use of privately-owned PCs, PDAs, or storage media for
business purposes.
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -4
(This article applies only if Your Company shares Digitized Info with Panasonic.)
2-5-5. Establish and implement rules for disposing of and recycling PCs, PDAs,
servers and storage media, which include the following:
Completely delete data on disks or storage media, or physically destroy the hardware, in order to prevent data recovery.
Data must be completely deleted with software tools, or the media physically destroyed.
Emptying the recycle bin on a PC only removes the directory entry; the file's data blocks remain on the disk until they are overwritten, and can be restored easily with widely available recovery tools.
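As an added example of what "completely delete with software tools" means in practice (this is not the manual's or any vendor's deletion tool, and the file name is hypothetical), the following overwrites a file's contents in place, forces the write to the device, renames the file so its original name leaves the directory metadata, and only then unlinks it. Caveat: on SSDs and on copy-on-write or journaling file systems, other copies of the blocks may survive outside the file, so overwriting cannot be relied on by itself; for such media the manual's alternative, physical destruction, is the safer choice.

```python
"""Overwrite-then-unlink deletion of a file holding Confidential Information.

Added example; not the manual's or any vendor's tool. File names are hypothetical.
Overwriting in place only helps where the file system writes back to the same
blocks; SSD wear levelling, copy-on-write and journals can keep extra copies.
"""
import os

CHUNK = 64 * 1024   # write in 64 KiB pieces so large files do not need to fit in memory


def overwrite_file(path, passes=2):
    """Overwrite every byte of the file in place and force it to the device.

    Earlier passes write zeros, the final pass writes random bytes.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if p == passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # do not trust the page cache; push the overwrite to disk
    return size


def secure_delete(path, passes=2):
    """Overwrite the contents, rename to a random name, then unlink.

    The rename removes the original file name from directory metadata, which
    plain deletion leaves behind. Returns the number of bytes overwritten.
    """
    size = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, os.urandom(8).hex())
    os.rename(path, anonymous)
    os.remove(anonymous)
    return size


def demo():
    """Wipe a throwaway file holding a known marker and report what happened."""
    import tempfile
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "drawing-rev3.pdf")   # hypothetical file name
    marker = b"CONFIDENTIAL"
    with open(path, "wb") as f:
        f.write(marker * 1000)                          # constructed 12,000-byte file
    result = {"bytes_overwritten": overwrite_file(path, passes=1)}
    with open(path, "rb") as f:
        result["marker_survives"] = marker in f.read()  # False: the text is already gone
    result["bytes_removed"] = secure_delete(path)
    result["exists_after"] = os.path.exists(path)
    result["directory_empty"] = os.listdir(workdir) == []
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in demo() reads the file back after the overwrite pass and confirms the marker text is no longer there before the file is unlinked; a tool that only unlinks would leave the marker recoverable from the free blocks. For leased equipment returned to a vendor, the same logic has to be applied to every partition and to swap and hibernation files, which is why the manual also allows physical destruction.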
Example:
In the case of rental or leased PCs and servers, data are completely deleted before returning them to the vendors. Prior agreements are made with such vendors regarding data deletion from servers upon return of such equipment.
When PCs and servers break down and need repair by vendors, as a general rule the vendors repair them on-site at Your Company. If the rental/lease agreement requires sending the PCs to the vendors for repair, Your Company executes non-disclosure agreements with them beforehand.
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -5
(This article applies only if Your Company shares Digitized Info with Panasonic.)
2-5-6. Install the servers storing Confidential Information in secure places, and
follow the procedures a) and b) below.
a) Limit the entry to areas where servers are installed only to the personnel who need
the access to such areas for business purposes.
b) Take anti-theft measures for the servers.
2-6. Countermeasures against malicious programs -1
(This article applies only if Your Company shares Digitized Info with Panasonic.)
Anti-virus software of the type and version specified by the manager of the IT
system must be installed so that appropriate and immediate actions can be
taken for all of the company's PCs when necessary.
If virus pattern files are not updated appropriately, anti-virus software may fail to detect new viruses. As a countermeasure against malicious programs, it is also necessary to apply OS patches (Windows Update, etc.).
2-7. Backups of Digitized Information
(This article applies only if Your Company shares Digitized Info with Panasonic.)
2-7-1. Review the necessity for and frequency of taking backups together with
Panasonic, and if such backups are necessary, establish and implement
rules on taking backups of Digitized Information.
2-7-2. Establish rules to store backup data, and properly manage such data in
accordance with the confidentiality classification.
2-8. Management of Outsourced Companies which share Confidential Information -1
(This article applies only if Your Company shares Confidential Info with Outsourced Companies.)
2-8. Management of Outsourced Companies which share Confidential Information -2
(This article applies only if Your Company shares Confidential Info with Outsourced Companies.)
If any of articles a) to l) above are not included in your contracts with Outsourced Companies, it may
be regarded that Your Company is in violation of the agreements with Panasonic.
2-8. Management of Outsourced Companies which share Confidential Information -3
(This article applies only if Your Company shares Confidential Info with Outsourced Companies.)
3-1. Conducting education/training on Information Security -1
3-1-1. Regularly provide education and training on Information Security for all
employees.
Example:
Information Security education/training for all employees is conducted on a regular basis, as well as
whenever an employee joins Your Company, is transferred, is promoted, etc.
An education system on Information Security, including preparations for videos, guidelines, training
programs, etc., is established and the annual schedule for educational programs is set up.
3-1-2. Regularly provide education and training on Information Security for all
responsible management personnel.
3-1. Conducting education/training on Information Security -2
Employees must regularly confirm their own status with Self Check, etc., and
the manager must give instructions for improvements based on the results.
Example: A Self Check is implemented with the check sheet at least once every six months.
Example:
Conduct education/training at the timing of employment, transfer, or promotion.
Information security education programs for employees (video, guidebook, training programs, etc.)
are in place and an annual education plan has been established.
3-2. Obtaining signed agreement for confidentiality obligation from employees, etc.
(Article 3-2-2 applies only if Your Company shares Confidential Info with Outsourced Companies.)
4. Responses to Information Security Incidents
4. Responses to Information Security Incidents -1
4-1. Appoint a manager in charge of communication and responses at the
occurrence of an incident, and establish the structure for incident reporting,
including the measures in a) to c) below.
a) Report immediately to the responsible management personnel upon discovering a problem with Information Security or the possibility of one, witnessing an incident, or finding evidence of one.
b) If a problem or a possibility of a problem as described above is discovered, report to
Panasonic within the time agreed with Panasonic.
c) If a device, which contains Panasonic’s information, is infected with a virus through an
APT attack, report it to Panasonic within the time period agreed with Panasonic.
An incident reporting structure must be established and followed by all employees, so that any incident or sign of an incident is immediately reported to managers and relevant personnel. This allows an incident to be prevented from materializing and the damage to be contained.
The structure must include the reporting routes from Your Company to Panasonic, and from Outsourced Companies to Your Company.
(Illustration: "An Information Security Incident has just occurred!")
5W/1H of Reporting:
• When?
• Where?
• Who?/To whom?
• What?
• How?
• Why?
<Examples of Information Security Incidents>
- Disclosure without permission or information leakage to third parties
- Theft/loss of PCs, storage media, etc.
- Theft/loss of Embodiments
- Theft/loss of documents containing Confidential Information
- Erroneous transmission of FAX or e-mail
- Unauthorized access to Confidential Information, etc.
Reference: 4-1a) Information Security Incidents Reporting Structure.ppt
The longer the response to an incident is delayed, the further the damage spreads.
To respond to incidents immediately and appropriately, the procedures for incident response must be documented and followed by all employees.
Your Company must take appropriate action on incidents involving Panasonic's Confidential Information after consulting with Panasonic.
5. Implementation of Information Security Management
(Figure: PDCA cycle of Plan, Do, Check, Act.)
5. Implementation of Information Security Management
Example: A Self Check with the check sheet is conducted at least once every year.
5-2. Develop an improvement plan and take necessary actions for improvements
on nonconformity found upon verification.
The threats to Information Security change continuously, along with changes in the social and business environment. Therefore, the status of Information Security must be confirmed regularly, and action must be taken whenever nonconformity is found upon verification.
The improvement plan must be reported to, and approved by the management
and the responsible management personnel.
The promotion plan for Information Security for the next fiscal year is created
based on the confirmation results and the improvement plan.