
Manual for Establishing Information Security Management for Our Business Partners

April 1, 2016 (Ver2.1)

Global Procurement Company
Information Security Enhancement Department
Panasonic Corporation
Objectives of this manual

■ Objectives

• This manual ("Manual") explains how to implement the Panasonic group companies' (collectively "Panasonic") "Information Security Management Criteria for Our Business Partners."
• Business partners who share Panasonic's confidential information ("Business Partners") are recommended to refer to the examples provided in this Manual ("Example") in order to establish and promote Information Security Management.
• The company which does business with Panasonic ("Your Company") should adopt the necessary Information Security controls in accordance with Your Company's business.

In referring to this Manual, the following points should be kept in mind:
1) The contents of the Manual must not be disclosed without prior approval by Panasonic.
2) The Manual must be used only for the purposes specified by Panasonic.
Scope of Information to be Subject to the Criteria

■ Scope of information to be subject to the Criteria ("Confidential Information")
1. Confidential information shared with Panasonic (Paper, Digitized Information, Embodiments, etc.)
2. Confidential information originating from such confidential information (Paper, Digitized Information, Embodiments, etc.)
Example: Molds, product prototypes, software, CAD, drawings, circuit diagrams, rejected products, measurement data, etc.

• Confidential Information includes all information specified by Panasonic, such as technical information, personal information, and marketing information.
Panasonic specifies Confidential Information by any of the methods 1 to 3 below.
1. Information such as documents, drawings, files, digitized data, etc., marked as "Confidential."
2. Electronic data with a file name such as "Confidential – [file name]" or "C – [file name]."
3. Information specified as Confidential Information by Panasonic by other means.

[ Forms of Confidential Information ]
- Confidential information on Paper (Paper): documents, drawings, etc.
- Digitized confidential information (Digitized Information): PCs, servers, storage media, etc.
- Objects embodying confidential information (Embodiments): molds, prototypes, etc.
Establishment of Information Security

■ Panasonic requires Business Partners to establish Information Security Management by following the steps specified in the "Information Security Management Criteria for Our Business Partners."
■ Your Company needs to confirm the achievement level of its Information Security activities with the "Check Sheet."

[ Information Security Management Criteria for Our Business Partners ]
1. Establishment of Structure for Information Security Management
   Establish an organizational structure to promote Information Security.
2. Confidentiality Management of Information Assets
   Identify information assets and manage them according to the rules.
3. Controls for Personnel Security
   Implement controls for personnel security, such as the execution of NDAs.
4. Responses to Information Security Incidents
   Clarify and implement procedures for responding to incidents.
5. Implementation of Information Security Management
   Implement Information Security Management for continuous improvement.

[ Check Sheet ]
■ Confirm the achievement level of the Information Security activities of Your Company with the Check Sheet.
■ Actions for improvement must be taken for problems that are found by filling out the Check Sheet.
* The items in the Check Sheet correspond to the items in the Information Security Criteria.
1. Establishment of Structure for Information Security Management

1-1. Establishment of structure for Information Security Management
1-2. Establishment of basic policies and rules on how to manage Information Security
1. Establishment of Structure for Information Security Management -1

1-1. Establish an organizational structure for Information Security Management, and clarify and document its responsibilities/assignments.

■ An organizational structure shall be established so that systematic decision-making on, and promotion of, Information Security can be carried out.
The points for promoting Information Security activities effectively are: to assign the manager in charge of Information Security of Your Company, to identify representatives of related departments and the Information Security managers/leaders of workplaces, to commit to promoting the activities as a whole company, and to establish an organizational structure for promotion.

[ Example of Information Security Organizational Structure ]
Top Management (President) ---- Responsible for the whole business management, including Information Security.
CSO (Chief Security Officer) ---- Responsible for governing and implementing the company-wide Information Security activities.
Information Security Committee ---- Implements decision-making on Information Security; comprised of representatives from related departments, such as the Personnel Department, General Affairs Department, and Technical Management Department.
Workplace Manager in charge of Information Security ---- Responsible for Information Security activities at each workplace.
Employees

Reference: 1-1 Organizational Chart for Information Security Implementation.xls
1. Establishment of Structure for Information Security Management -2

1-2. Establish and document basic policies and rules on Information Security.

■ Basic policies shall be established, and the top management shall declare the promotion of Information Security activities.
The top management members must show their positive stance toward promoting Information Security activities, and document basic policies for Information Security, in order to publicize, both internally and externally, the goals of the activities as well as the actions to be taken.
They must clarify "why" Information Security activities need to be implemented, "what" shall be protected and "how", and "who" will be responsible for Information Security.

■ Rules on Information Security shall be established and documented.
Rules need to be established in light of the following aspects:
1. Establishment of Structure for Information Security Management
2. Confidentiality Management of Information Assets
3. Controls for Personnel Security
4. Responses to Information Security Incidents
5. Implementation of Information Security Management

Reference: 1-2 ISM Policy.pdf
2. Confidentiality Management of Information Assets

2-1. Identification of Confidential Information
2-2. Management of exchange/return procedure of Confidential Information
2-3. Physical security controls
2-4. Management of user IDs and passwords of the IT system users
2-5. Management of installation/usage/disposal of the IT systems, such as PCs and servers
2-6. Countermeasures against malicious programs
2-7. Implementation of data backups
2-8. Management of outsourced companies which share Confidential Information with Your Company
2-1. Identification of Confidential Information -1

2-1-1. Identify information assets and create a list of information assets for Confidential Information, and update such list regularly.

■ A list of information assets is created for each management unit to clarify which information must be protected.
By identifying the information to be protected, it becomes clear by whom and where Confidential Information is handled. At the same time, the threat level for the protected information can be set, the necessary controls selected, and the existence of vulnerabilities or risks to such information confirmed.
■ It shall be regularly confirmed that Confidential Information is identified properly, and the list of information assets shall be updated.
The confidentiality of information may vary from time to time, so it needs to be reviewed regularly.

Reference: 2-1-1 List of Information Assets.xls

Note
• Three "Risk" factors = "Values of information assets", "Threats", and "Vulnerabilities."
Threats can cause operational losses to information assets (e.g. leakage and theft of information, computer viruses, human errors, etc.).
Vulnerabilities are weaknesses in information assets or in Information Security controls (e.g. improper entry/exit controls, poor management of passwords, inadequate education and training, etc.).
• To reduce the risks, it is important to keep the workplaces free from such vulnerabilities by practicing those controls appropriately in the workplaces as well as establishing adequate Information Security controls.
2-1. Identification of Confidential Information -2
(Article 2-1-2 applies only if there are reproductions or copies of Confidential Information.)

2-1-2. Manage the reproductions or copies of Confidential Information in the same manner as the originals, in case such reproductions are made pursuant to a contract with Panasonic.

■ As a general rule, reproductions or copies of Confidential Information are prohibited. Such reproductions/copies may be made only when they are authorized by Panasonic.

2-1-3. Distinguish Confidential Information clearly from other information, and manage it separately.

■ To appropriately identify and manage Panasonic's Confidential Information, such information shall be distinguished clearly from Your Company's or other companies' information, and be managed separately.
■ This means limiting access to such information to only the personnel having the access rights. For example, Paper must be grouped by company and locked up securely in drawers. For Digitized Information, measures shall be implemented such as separating folders on a server and granting a separate access right to each folder.

[ Illustration: "This is ABC-Company's information. So, I have to keep it in this cabinet." ]
2-2. Management of exchange/return procedure of Confidential Information -1
(Article 2-2-2 applies only if Confidential Information is taken out.)

2-2-1. Exchange Confidential Information pursuant to the rules agreed upon between Your Company and Panasonic.

■ Confidential Information shall be exchanged based on the rules agreed upon between Your Company and Panasonic. Prior approval by Panasonic shall be obtained for any methods other than the ones which have already been agreed.
Methods to exchange Confidential Information include transmission by e-mail, exchange via server, transportation, handover, etc. These methods must be adopted not only for information exchange with Panasonic, but also for information exchange within Your Company or with your outsourced companies.

2-2-2. Establish rules for taking Confidential Information out of the designated areas, and implement all applicable procedures in a) to d) below.
a) When taking Confidential Information out, obtain approval from the responsible management personnel*.
Example: Records of take-outs, including such data as date and time, person's name, document/file name, etc., are kept in a registration book.

Reference: 2-2-2 Application form for taking out PCs and recording media.xls

* The responsible management personnel means the person in charge of managing information in the organization of Your Company (the manager of a department, a project leader, etc.).
2-2. Management of exchange/return procedure of Confidential Information -2
(Article 2-2-2 applies only if Confidential Information is taken out.)

b) While being taken out, Confidential Information shall always be kept at hand.

c) When Digitized Information on PCs, PDAs or storage media is taken out, or sent by e-mail, encrypt such information.

■ When being sent by e-mail or through networks, Digitized Information must be encrypted so that it is not intercepted or falsified.
■ The password for encryption must be sent separately from the Confidential Information being sent, so that information leakage in case of erroneous transmission can be prevented.
■ Take measures against erroneous transmission of information or e-mail.

Example: When transmitting Digitized Information, it is encrypted with file compression software with encryption capability, such as WinZip, etc.

d) When Embodiments (molds, prototypes, etc.) are taken out, keep them out of sight of outsiders.

Example: Embodiments are covered with cloth, etc., to make them invisible from outside when being taken out.
2-2. Management of exchange/return procedure of Confidential Information -3

2-2-3. Return Confidential Information to Panasonic in accordance with the procedures agreed upon between Your Company and Panasonic at the completion of the contracted business. When Your Company disposes of Confidential Information, follow all applicable procedures described in a) to d) below, pursuant to the agreement with Panasonic. Provide records of the disposal upon request by Panasonic.
a) Completely delete Digitized Information that is stored on servers, PCs, PDAs, or storage media.
b) Shred, dissolve or incinerate Papers (documents, drawings, etc.).
c) Destroy Embodiments (molds, prototypes, etc.) to make the original information unrecognizable.
d) When outsourcing the disposal of waste to an industrial waste disposal contractor, etc., require such a contractor to execute a non-disclosure agreement.

[ Paper ] To be shredded.
[ Servers, PCs, Storage media ] Complete deletion of data, including physical destruction.
2-3. Physical Security Controls -1

2-3-1. Restrict outsiders from entering the areas, including company premises, buildings and rooms, where Confidential Information is handled, by setting up physical measures.

■ Zones are classified to restrict physical access to information.

[ Examples of Zone Classification ]

Important Zones (server rooms, etc.; locked at all times; records of entry/exit; use of surveillance cameras)
Important business operations are carried out, and Confidential Information and servers are stored, in Important Zones. The peripheries of Important Zones are surrounded by Business Zones, and visitors cannot enter Important Zones without passing through Business Zones. Thus, entry to Important Zones can be strictly controlled.

Business Zones (offices, factories, etc.; Confidential Information is handled; locked at all times; only authorized personnel can enter)
Employees carry out daily business operations in Business Zones. "Internal Use Only" information, including Panasonic's Confidential Information, must be stored in Business Zones or Important Zones. Entry to Business Zones must be controlled in such a way that only the employees relevant to the jobs carried out in each Business Zone are allowed entry.

Common Zones (areas where visitors are accepted, meeting rooms, etc.)
Meetings with visitors, picking up of parcels, etc. are done in Common Zones. Information is not stored there except for publicized information.
2-3. Physical Security Controls -2

2-3-2. Ensure that only the personnel who need to know the relevant information for business purposes will be given permission to enter the areas where Confidential Information is handled.
■ The zone manager identifies the personnel who need to enter such areas for business purposes, and gives them permission to enter.

2-3-3. Establish a procedure to distinguish employees from outside visitors.

Example: Employees are distinguished from outside visitors by using name tags, ID cards, etc.

2-3-4. Keep records, including the images of surveillance cameras, for both or either entry to/exit from the areas where Confidential Information is handled, and regularly review the status of such logs to confirm that they are properly taken.
■ Records shall be taken and kept in a registry book, etc. for a certain period (as agreed with Panasonic), so that you can verify who had access to the area when unauthorized access to some information is detected.

Example: Entry/exit records are taken in such forms as ID authentication logs, images of surveillance cameras, and entry/exit records.

Reference: 2-3-4 Physical Access Log.xls
2-3. Physical Security Controls -3

2-3-5. Prohibit anyone from bringing privately-owned PCs, mobile phones, PDAs, storage media (SD cards, USB memories, etc.), or communication devices (wireless LAN, etc.) into the areas where Confidential Information is handled. If bringing such devices into such areas is necessary, follow the procedures a) and b) below.
a) Obtain approval for bringing in such devices from the responsible management personnel.
b) Establish and implement rules to prohibit the connection of such devices to company PCs and networks, and the use of the camera function of mobile phones or PDAs, even if bringing in such devices is approved.

■ Storage media with a large recording capacity make it easy to take out a large amount of data.
■ Bringing in storage media without permission must be prohibited. To fend off casual bring-ins, prior approval must be obtained, even when needed for business purposes.

Reference: 2-3-5 Application form for bringing in PCs and storage media.xls

[ Illustration: "Nobody will find out if I don't tell. I will take out data with my private SD card." ]
2-3. Physical Security Controls -4
(Article 2-3-6 applies only if Your Company shares Papers or Embodiments with Panasonic.)

2-3-6. Limit access to Papers (documents and drawings, etc.) and Embodiments (molds, prototypes, etc.) to the personnel who need to know such Confidential Information for business purposes, and implement anti-theft measures.

Example:
■ Confidential Information is locked away securely in lockers.
■ Confidential Information is stored in lockable rooms, and an administrator of the keys is appointed.
2-4. Management of user IDs and passwords of the IT system users -1
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-4-1. Establish rules to manage user IDs for the IT system, and follow all measures in a) to d) below.
a) Prohibit sharing of user IDs with other users of the IT system.
b) Establish procedures to issue and approve user IDs.
c) Immediately delete unused IDs, such as the IDs issued to resigned, retired or transferred staff and temporary IDs.
d) Periodically verify that unmanaged IDs do not exist.

■ Establish and implement rules for applying for, approving, issuing and deleting IDs.
■ When a user retires, is transferred, or changes jobs, the ID must be appropriately deleted or updated.
■ Periodic confirmation must be made to ensure that unused IDs do not exist.

Reference: 2-4-1 Ledger for Login IDs.xls

[ Illustration: "Mr. A was transferred. So, please delete his user ID." ]
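One way to carry out the periodic check in 2-4-1 c) and d) is to reconcile the accounts actually present on a system against the 2-4-1 Ledger for Login IDs. The Python below is an added example, not part of this Manual; the ledger columns, the account export and the 90-day dormancy threshold are assumptions.

```python
"""Reconcile IT-system accounts against the 2-4-1 Ledger for Login IDs.

Added example, not part of the Manual. The ledger columns, the account
export and the dormancy threshold are assumptions; a real run would read
the .xls ledger and the server's own account listing.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class LedgerEntry:
    user_id: str
    owner: str
    status: str            # "active", "transferred", "retired" or "resigned"
    temporary: bool
    expires: Optional[date]


@dataclass
class Account:
    user_id: str
    last_login: Optional[date]


# Constructed sample ledger (the list Your Company maintains under 2-4-1)
LEDGER: List[LedgerEntry] = [
    LedgerEntry("a.suzuki", "Suzuki A.", "transferred", False, None),
    LedgerEntry("b.tanaka", "Tanaka B.", "active", False, None),
    LedgerEntry("tmp-audit", "External auditor", "active", True, date(2016, 3, 31)),
    LedgerEntry("c.sato", "Sato C.", "active", False, None),
]

# Constructed sample export of the accounts actually present on the server
ACCOUNTS: List[Account] = [
    Account("a.suzuki", date(2016, 3, 28)),
    Account("b.tanaka", date(2016, 4, 1)),
    Account("tmp-audit", date(2016, 3, 30)),
    Account("c.sato", date(2015, 9, 1)),
    Account("svc-old", None),   # nobody in the ledger owns this one
]


def reconcile(ledger: List[LedgerEntry], accounts: List[Account],
              today: date, dormant_days: int = 90) -> Dict[str, str]:
    """Return {user_id: reason} for each account on the system that 2-4-1
    says must be deleted or at least confirmed with its owner."""
    by_id = {e.user_id: e for e in ledger}
    findings: Dict[str, str] = {}
    for acct in accounts:
        entry = by_id.get(acct.user_id)
        if entry is None:
            # 2-4-1 d): an ID nobody applied for or approved
            findings[acct.user_id] = "unmanaged: not in ledger"
        elif entry.status != "active":
            # 2-4-1 c): owner left or moved, the ID should already be gone
            findings[acct.user_id] = f"owner {entry.status}: delete"
        elif entry.temporary and entry.expires and entry.expires < today:
            findings[acct.user_id] = "temporary ID past expiry: delete"
        elif acct.last_login is None or today - acct.last_login > timedelta(days=dormant_days):
            findings[acct.user_id] = f"no login for over {dormant_days} days: confirm still needed"
    return findings


def sample_findings() -> Dict[str, str]:
    """Run the reconciliation over the constructed data as of 2016-04-01."""
    return reconcile(LEDGER, ACCOUNTS, date(2016, 4, 1))


if __name__ == "__main__":
    for uid, reason in sample_findings().items():
        print(f"{uid:<10} {reason}")
```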
2-4. Management of user IDs and passwords of the IT system users -2
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-4-2. Establish rules to manage passwords for the IT system, and follow all measures in a) to c) below.

a) Set a password which cannot easily be guessed by an unauthorized person.

Example: A password contains at least 6 characters, including both numbers and letters.

b) Change passwords regularly.

Example: A password is changed more than once every month.

c) Manage passwords so that they will not be known to others.

[ Illustration: "A password must not be posted in a place where it can be viewed by others." "Set a password which cannot easily be guessed." (the figure shows "abcd1234" as its example) "Do not tell others." "Change passwords regularly." ]
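The minimum in the Example under a) (6 characters, letters and digits) is satisfied by a password like the "abcd1234" in the figure, so a practical rule also rejects sequential runs, common passwords and the user's own ID. The Python checker below is an added example, not from this Manual; the common-password list and the run length of 4 are assumptions.

```python
"""Password acceptability check for 2-4-2 a).

Added example, not part of the Manual. The stated minimum (6 characters,
letters and digits) is enforced first; the extra checks (user ID, common
list, sequential/repeated runs) and their thresholds are assumptions.
"""
import re
from typing import List

# Constructed, deliberately short list; a real deployment uses a breach-derived list
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty123", "abc123", "welcome1"}


def _has_run(password: str, length: int = 4) -> bool:
    """True if any `length`-character window is a straight ascending
    sequence (abcd, 1234) or a single repeated character (aaaa, 1111)."""
    s = password.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        ascending = all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(length - 1))
        if ascending or len(set(window)) == 1:
            return True
    return False


def check_password(password: str, user_id: str = "") -> List[str]:
    """Return the list of rule violations; an empty list means acceptable."""
    problems: List[str] = []
    # The Manual's stated minimum
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    # "Cannot easily be guessed": the minimum alone does not guarantee it
    lowered = password.lower()
    id_parts = [p for p in re.split(r"[^a-z0-9]+", user_id.lower()) if len(p) >= 3]
    if any(p in lowered for p in id_parts):
        problems.append("contains the user ID")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if _has_run(password):
        problems.append("contains a sequential or repeated run")
    return problems


if __name__ == "__main__":
    for candidate in ("abcd1234", "tanaka2016", "Kt7mq2Lx"):
        print(candidate, check_password(candidate, "b.tanaka") or "OK")
```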
2-4. Management of user IDs and passwords of the IT system users -3
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-4-3. Implement access controls for the servers containing Confidential Information, and establish a system to limit access to only the personnel who need to know the information for business purposes.

Example: A separate access right is set for each folder on the servers, and access is controlled with user IDs.

Reference: 2-4-3 List of Server Access Authority.xls

2-4-4. Obtain records (logs) of the personnel who accessed Confidential Information, and properly store such records (logs) for the period agreed upon with Panasonic.
■ Records are kept of when and by whom Confidential Information was accessed, so that unauthorized accesses can be verified afterward.
■ Access records need to be managed in the same way as Confidential Information.

Example: Access logs are taken using the system logging function (capability) of the server OS.
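2-4-3 and 2-4-4 together give a concrete check: compare each access record against the List of Server Access Authority so that accesses by personnel without a right to the folder can be verified afterward. The Python below is an added example, not from this Manual; the log line format, the folder list and the business-hours window are constructed assumptions.

```python
"""Review server access records against the 2-4-3 List of Server Access Authority.

Added example, not part of the Manual. The log line format, the folder
list and the business-hours window are constructed assumptions; a real
run would parse the server OS's own access log.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the access authority list: folder -> user IDs allowed
AUTHORITY: Dict[str, Set[str]] = {
    "/srv/confidential/panasonic": {"b.tanaka", "c.sato"},
    "/srv/confidential/abc-company": {"c.sato"},
    "/srv/internal": {"a.suzuki", "b.tanaka", "c.sato"},
}

# Constructed sample access records (one access per line; format is an assumption)
LOG = """\
2016-04-01T09:12:03 user=b.tanaka action=read path=/srv/confidential/panasonic/spec_v2.pdf
2016-04-01T09:40:51 user=a.suzuki action=read path=/srv/confidential/panasonic/drawing.dwg
2016-04-01T10:05:17 user=c.sato action=write path=/srv/confidential/abc-company/bom.xlsx
2016-04-01T23:48:09 user=b.tanaka action=copy path=/srv/confidential/panasonic/spec_v2.pdf
2016-04-02T08:01:44 user=svc-old action=read path=/srv/internal/notice.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")


def folder_for(path: str, authority: Dict[str, Set[str]]) -> Optional[str]:
    """Most specific listed folder containing `path`, or None if unlisted."""
    hits = [f for f in authority if path == f or path.startswith(f + "/")]
    return max(hits, key=len) if hits else None


def review_log(log_text: str, authority: Dict[str, Set[str]] = AUTHORITY,
               business_hours: Tuple[int, int] = (8, 19)) -> List[Tuple[str, str]]:
    """Return (reason, raw line) for each record that needs follow-up.

    The records themselves must be handled as Confidential Information
    under 2-4-4, so store this output with the same controls as the log.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            findings.append(("unparsed record", raw))
            continue
        when = datetime.fromisoformat(m["ts"])
        folder = folder_for(m["path"], authority)
        if folder is None:
            findings.append(("folder not on authority list", raw))
        elif m["user"] not in authority[folder]:
            findings.append(("user not authorized for folder", raw))
        elif not business_hours[0] <= when.hour < business_hours[1]:
            findings.append(("access outside business hours", raw))
    return findings


def sample_review() -> List[Tuple[str, str]]:
    """Review the constructed log with the constructed authority list."""
    return review_log(LOG)


if __name__ == "__main__":
    for reason, line in sample_review():
        print(f"{reason}: {line}")
```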
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -1
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-5-1. Isolate the company's internal network from external networks, including the Internet, with a router, firewall, etc.
■ Information leakage caused by unauthorized access from outside the company, virus infection, etc., can be prevented by shutting out access to company networks from outside networks.

2-5-2. Establish and implement procedures to introduce and install PCs, PDAs, and servers.
■ Procedures to introduce and install PCs, PDAs, and servers must be established.
■ The places where PCs, PDAs, and servers are installed must be determined in accordance with the confidentiality classification of the information stored.
■ End connections of company networks must be installed in "Business Zones" or "Important Zones." If end connections need to be installed in "Common Zones," controls to prevent unauthorized connections, such as sealing those connections, are implemented.
■ Network facilities such as hubs and routers must be installed in "Business Zones" or "Important Zones." Storing such facilities in racks with lockable doors is recommended.
(Please refer to the zone classification on page 14.)

2-5-3. Store Confidential Information on servers. Protect the servers with adequate security measures.
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -3
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-5-4. Prohibit the use of privately-owned PCs, PDAs, or storage media for business purposes.

■ Use of personally-owned PCs, PDAs, and storage media for business purposes must be prohibited, since they cannot be controlled by the company.
There are cases where information leakage is caused from privately-owned PCs by virus infections and/or file-swapping software.

[ Illustration: virus infection on a private PC; information leaked through networks. ]
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -4
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-5-5. Establish and implement rules for disposing of and recycling PCs, PDAs, servers and storage media, which include the following:
■ Completely delete data on disks or storage media, or physically destroy the hardware, in order to prevent data recovery.
■ Data must be completely deleted with software tools, or physically destroyed.
Files deleted from the recycle bin on a PC only become invisible. The actual data are not deleted from the PC, and can be restored easily with software tools.

Example:
■ In the case of rental or leased PCs and servers, data are completely deleted before returning them to the vendors. Prior agreements are made with such vendors regarding data deletion from servers upon return of such equipment.
■ When PCs and servers break down and need repair by vendors, as a general rule on-site repair by the vendors is carried out at Your Company. If the rental/lease agreement requires sending the PCs to the vendors for repair, Your Company executes non-disclosure agreements with them beforehand.

[ Illustration: data deletion software ]
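To show why "deleting" a file is not enough (2-5-5), the Python below overwrites a file's bytes in place before removing it, and checks that the original content can no longer be read back from the file. It is an added example, not the Manual's or any vendor's data deletion tool; the marker text and pass count are assumptions, and the comments note where in-place overwriting does not suffice.

```python
"""Overwrite-before-delete for 2-5-5, with a check that the original bytes are gone.

Added example, not part of the Manual or any vendor's data deletion software.
The marker text and the pass count are assumptions.
"""
import os
import secrets
import tempfile
from typing import Tuple

MARKER = b"CONFIDENTIAL - drawing data "   # constructed content to be destroyed


def overwrite_in_place(path: str, passes: int = 2, chunk: int = 1 << 16) -> int:
    """Replace every byte of the file with random data `passes` times,
    forcing each pass to disk. Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:     # unbuffered: write() returns bytes written
        for _ in range(passes):
            fh.seek(0)
            done = 0
            while done < size:
                done += fh.write(secrets.token_bytes(min(chunk, size - done)))
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 2) -> int:
    """Overwrite, truncate to zero length, then remove the name.

    Caveat: this only helps where the filesystem writes back to the same
    blocks. SSD wear-levelling, copy-on-write filesystems, snapshots and
    backups can keep old copies, which is why 2-5-5 also lists physical
    destruction; for whole devices use the drive's secure-erase command or
    full-disk encryption with key destruction instead.
    """
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def demo() -> Tuple[int, bool, bool]:
    """Write a constructed file, overwrite it once, verify the marker is
    unreadable, then delete. Returns (size, marker_still_readable, still_exists)."""
    fd, path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as fh:
        fh.write(MARKER * 4000)
    size = overwrite_in_place(path, passes=1)
    with open(path, "rb") as fh:
        marker_left = MARKER in fh.read()          # plain unlink would leave these bytes on disk
    secure_delete(path)
    return size, marker_left, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # (112000, False, False)
```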
2-5. Management of installation/usage/disposal of IT system, such as PCs and servers -5
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-5-6. Install the servers storing Confidential Information in secure places, and follow the procedures a) and b) below.
a) Limit entry to the areas where servers are installed to only the personnel who need access to such areas for business purposes.
b) Take anti-theft measures for the servers.

■ Servers storing Confidential Information must be installed in "Business Zones" or "Important Zones," and anti-theft measures must be taken. Servers storing strictly confidential information must be installed in "Important Zones."
(Please refer to the zone classification on page 14.)

Example: Servers are installed within racks with lockable doors.
2-6. Countermeasures against malicious programs -1
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-6-1. Establish rules for countermeasures against malicious programs and computer viruses, and follow all measures in a) to d) below.
a) Install anti-virus software of the type and version specified by the responsible management personnel of the IT system.
b) Keep anti-virus software resident and active at all times on the PCs, and keep the PCs defensible against computer viruses.
c) Regularly update virus pattern files.

Example: Virus pattern files are updated every day.

d) Scan all stored files regularly.

Example: A virus check is carried out once every week.

■ Anti-virus software of the type and version specified by the manager of the IT system must be installed so that appropriate and immediate actions can be taken for all of the company's PCs when necessary.
■ If virus pattern files are not updated appropriately, anti-virus software may not be able to detect new viruses. As a countermeasure against malicious programs, it is also necessary to apply patches (Windows Update, etc.) to the OS.
2-6. Countermeasures against malicious programs -2
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-6-2. Establish and implement procedures, including physical measures against virus infection and reporting/notification/response methods, to minimize the damage caused by computer viruses.
Example: Procedures to disconnect PCs from the company network and report to the manager of the IT system are established.

2-6-3. Prohibit the installation and use of file-swapping software, including software which poses high risks of information leakage, such as Kazaa and LimeWire, and verify regularly that such software programs are not installed.
■ The installation of file-swapping software on PCs must be prohibited for any reason.
Incidents of information leakage through file-swapping software have occurred frequently recently. In those incidents, data stored on PCs leak without the user's knowledge, and it is practically impossible to retrieve the leaked data.
■ All PCs in Your Company must be checked for file-swapping software. If any file-swapping software is installed, such software must be deleted immediately.

2-6-4. Prohibit the transmission and sharing of Confidential Information by free e-mail services (Yahoo mail, Gmail, etc.) or data storage services (Google docs, etc.).
■ The Information Security controls implemented in the company are not guaranteed in those services, so there could be higher risks of unauthorized access or information leakage.
2-7. Implementation of data backups
(This article applies only if Your Company shares Digitized Information with Panasonic.)

2-7-1. Review the necessity for and frequency of taking backups together with Panasonic, and if such backups are necessary, establish and implement rules on taking backups of Digitized Information.

■ Business continuity must be ensured by enabling data recovery within the period of time agreed with Panasonic, in the event of data destruction caused by natural disaster, fire, etc.

2-7-2. Establish rules to store backup data, and properly manage such data in accordance with its confidentiality classification.

[ Illustration: "This back-up data is also confidential information. So, we have to deal with it securely." ]
2-8. Management of Outsourced Companies which share Confidential Information with Your Company -1
(This article applies only if Your Company shares Confidential Information with Outsourced Companies.)

2-8-1. Notify Panasonic in writing prior to sharing Confidential Information with Outsourced Companies.
■ Prior approval must be obtained from Panasonic for exchanging/disclosing Confidential Information with/to Outsourced Companies.
■ Your Company must create a control list of Outsourced Companies, and confirm that there is no unintended sharing of Confidential Information with them.
■ Your Company must confirm the following before sharing Confidential Information with outsourced companies:
- Confirm the security level of the outsourced companies, i.e. whether they are capable of managing Confidential Information in accordance with the measures required by Panasonic.
- Execute non-disclosure agreements with the outsourced companies.
- Check periodically how Confidential Information is stored or handled in the outsourced companies.

Reference: 2-8-1 List of Outsourced Companies.xls
2-8. Management of Outsourced Companies which share Confidential Information with Your Company -2
(This article applies only if Your Company shares Confidential Information with Outsourced Companies.)

2-8-2. Execute a non-disclosure agreement (or any signed document which contains confidentiality obligation clauses) that includes the provisions a) to l) below with Outsourced Companies, and establish and implement rules on how to handle or exchange Confidential Information.
a) Confidentiality obligation
b) Scope of information subject to non-disclosure
c) Period of compliance (including unlimited duration)
d) Limitation on the intended use of Confidential Information
e) Limitation of the personnel with access to Confidential Information to those who need to know such information for business purposes
f) Procedures for the management of Confidential Information
g) Restriction on the duplication and copying of Confidential Information
h) Rules on return or disposal of Confidential Information at the end of the compliance period
i) Procedures for verification of how Confidential Information is stored or handled in Outsourced Companies, such as a hearing or an audit
j) Measures to be taken in case of a breach of the agreement, such as inserting provisions for Your Company's right to seek an injunction in the market as well as compensation for damages
k) Prohibition of re-commissioning to outsourced companies without Your Company's prior consent
l) Prohibition of the use of privately-owned PCs for business purposes

■ If any of the items a) to l) above are not included in your contracts with Outsourced Companies, it may be regarded that Your Company is in violation of its agreements with Panasonic.
2-8. Management of Outsourced Companies which share Confidential Information with Your Company -3
(This article applies only if Your Company shares Confidential Information with Outsourced Companies.)

2-8-3. When Digitized Information is sent by e-mail to Outsourced Companies, encrypt the files containing Confidential Information.

2-8-4. Keep records of the exchange of Confidential Information between Your Company and Outsourced Companies, and manage such records.
Reference: 2-8-4 Ledger of Information Management.xls

2-8-5. Require Outsourced Companies to obtain from their employees signed agreements that are equivalent to the agreements signed by the employees of Your Company.
2-8-6. Require Outsourced Companies to implement Information Security Management equivalent to that of Your Company, and verify the implementation status periodically.
2-8-7. Require Outsourced Companies to conduct education and training on Information Security for their employees.
■ Your Company must require Outsourced Companies to implement Information Security Management based on the same rules as Your Company.
■ Your Company is required to confirm the achievement level of the Information Security activities of Outsourced Companies, referring to the Check Sheet and this Manual.
■ Your Company must require Outsourced Companies to take corrective actions based on the confirmation results, and make sure that such actions have actually been taken.
■ Please be sure to inform Panasonic if Outsourced Companies' security levels are not sufficient and they do not take any actions for improvement.
3. Controls for Personnel Security

3-1. Conducting education and training on Information Security
3-2. Obtaining signed agreements for confidentiality obligation from
employees, etc.

3-1. Conducting education/training on Information Security -1

3-1-1. Regularly provide education and training on Information Security for all
employees.
Example:
 Information Security education/training for all employees is conducted on a regular basis as well as
whenever an employee is joining Your Company, being transferred, being promoted, etc.
 An education system on Information Security, including preparations for videos, guidelines, training
programs, etc., is established and the annual schedule for educational programs is set up.

3-1-2. Regularly provide education and training on Information Security for all
responsible management personnel.

 The subjects on managers' responsibilities and assignments should be
included in the education/training program for managers.
 To promote Information Security activities effectively, it is important for the
managers to carry out Information Security education and training and to
stress the importance of Information Security Management repeatedly during
meetings and operational instructions.

Reference: Records of ISM Training.xls

3-1. Conducting education/training on Information Security -2

3-1-3. Conduct a periodical review of all employees on the compliance of
Information Security rules by self check, etc. If any non-compliance is
found, the responsible management personnel must provide
instructions for improvement to such employees.

 Employees must regularly confirm their own status with Self Check, etc., and
the manager must give instructions for improvements based on the results.

Example: A Self Check is implemented with the check sheet at least once every six months.

Reference: 3-1-3 Self-inspection Check List.xls

3-1-4. Conduct education/training on APT attacks for all employees.

Example:
 Conduct education/training at the timing of employment, transfer, or promotion.
 Information security education programs for employees (video, guidebook, training programs, etc.)
are in place and an annual education plan has been established.

3-2. Obtaining signed agreement for confidentiality obligation from employees, etc.
(Article 3-2-2 applies only if Your Company shares Confidential Information with Outsourced Companies.)

3-2-1. Include a provision for confidentiality obligation in the employment
regulations, etc., and obtain a signed agreement for confidentiality
obligation from each employee.
3-2-2. Obtain signed agreements for confidentiality obligation from temporary
staff upon hiring.
 It must be understood that all personnel having access rights to Confidential
Information have responsibilities and assignments in maintaining confidentiality.
 There are cases where you may not be able to obtain signed agreements directly
from temporary staff. In such cases, confirm with the temporary staff employment
agency whether it has obtained such agreements from the relevant staff.

Reference: 3-2-1 Signed agreements for confidentiality obligation.doc

4. Responses to Information Security Incidents

4-1. Establishment of an organizational structure for incident
reports/responses
4-2. Clarification of procedures for incident responses

4. Responses to Information Security Incidents -1
4-1. Appoint a manager in charge of communication and responses at the
occurrence of an incident, and establish the structure for incident reporting,
including the measures in a) to c) below.
a) Report immediately to the responsible management personnel upon discovery of a
problem with Information Security or a possibility of a problem, witnessing an incident, or
finding evidence of such an incident.
b) If a problem or a possibility of a problem as described above is discovered, report to
Panasonic within the time agreed with Panasonic.
c) If a device, which contains Panasonic’s information, is infected with a virus through an
APT attack, report it to Panasonic within the time period agreed with Panasonic.
 An incident reporting structure must be established and carried out by all employees, so that
any incident or sign of an incident is immediately reported to managers and relevant personnel.
This allows an incident to be prevented from materializing, and the damage to be prevented from
spreading further.
 The structure must include the reporting routes from Your Company to Panasonic, and from
Outsourced Companies to Your Company.
An Information Security Incident has just occurred! 5W/1H of Reporting
• When?
• Where?
• Who?/To whom?
• What?
• How?
• Why?

<Examples of Information Security Incidents>
- Disclosure without permission or information leakage to third parties
- Theft/loss of PCs, storage media, etc.
- Theft/loss of Embodiments
- Theft/loss of documents containing Confidential Information
- Erroneous transmission of FAX or e-mail
- Unauthorized access to Confidential Information, etc.

Reference: 4-1a) Information Security Incidents Reporting Structure.ppt
Reference: 4-1b) Information Security Incident Report.xls


4. Responses to Information Security Incidents -2

4-2. Thoroughly implement throughout Your Company the procedures for an
incident response, including all of the measures in a) to f) below.
a) Emergency response to grasp the damage and minimize its effects
b) Investigation on the cause and tentative measures
c) Measures to enable relevant personnel to take defensive actions and responses,
including reporting to the relevant third party, in case of information leakage
d) Procedures for public statements or reports to the relevant government offices, if
necessary
e) Recording of the background, development and progress of each incident
f) Implementation of preventive measures, and building a structure for publicizing and
raising awareness internally

 The longer the response to an incident is delayed, the more widely the damage will spread.
To take immediate and appropriate actions for incidents, it is necessary to
document the procedures for incident responses, and make sure that they are
carried out by all employees.
 Your Company must take appropriate actions for incidents involving Panasonic’s
Confidential Information, upon consulting with Panasonic.

5. Implementation of Information Security Management

[Figure: PDCA cycle: Plan, Do, Check, Act]

5. Implementation of Information Security Management

5-1. Periodically verify the implementation of organizational activities for
Information Security.
 Establish procedures to regularly confirm the status of Information Security
Management with self check or internal audit, etc.
 Identify nonconformities (e.g., rules or procedures that are not observed or not
implemented) through these verifications.
 Report the results of the verifications to the management and the manager
responsible for Information Security.

Example: A Self check with the check sheet is conducted at least once every year.

5-2. Develop an improvement plan and take necessary actions for improvements
on nonconformity found upon verification.
 The threats to Information Security continuously change, along with the
changes in social and business environments. Therefore, the status of
Information Security must be confirmed regularly, and actions must be taken
whenever the nonconformity is found upon verification.
 The improvement plan must be reported to, and approved by the management
and the responsible management personnel.
 The promotion plan for Information Security for the next fiscal year is created
based on the confirmation results and the improvement plan.

Reference: 5-1 Improvement Plan.xls