Compliance

Toshiba Tec Group works on compliance activities while thoroughly observing laws and regulations, internal rules, and social customs on a global basis.

Enhancing Cybersecurity Measures

Cyber-attacks targeting customer information and vital technical information owned by companies are increasing. Accordingly, appropriate and timely decisions on investments in IT and security, as well as a prompt response in the event of a major security incident that affects corporate management, are essential as a corporate strategy. We, at Toshiba Tec and Toshiba Tec Group, are reinforcing and promoting security governance through the building of a group-wide security system and the development of security personnel.

Cybersecurity System

Toshiba Tec responds to security incidents under its internal CSIRT/PSIRT cooperation system and has built a system for information sharing centered on the CISO. We promote prompt and consistent security measures against cybersecurity risk concerning information systems, products, and services and work on the enhancement of cybersecurity governance under the CISO’s command.

Cybersecurity Organizational Chart
  • CRO: Chief Risk Officer
  • CISO: Chief Information Security Officer
  • CSIRT: Computer Security Incident Response Team
  • PSIRT: Product Security Incident Response Team

Information Security Enhancement Activities

●Protection of corporate information

We recognize all information including sales and technical data handled while carrying out our tasks as important property, and have established a basic policy to prevent and protect against inappropriate disclosure, leakage or improper use of such information.
We define this policy in the Information Security section of the Toshiba Tec Standards of Conduct so that all executives and employees are fully informed.

●Establishment of security management system

We have established Toshiba Tec Group’s security rules and CSIRT system to prepare for information security, and constantly revise them in response to changes in the social environment.

●Acquisition of security certifications

The Shizuoka Business Center (Mishima and Ohito), our main product development sites, obtained the ISO/IEC 27001:2005 certification in fiscal 2007 and 2012, and updated to the ISO/IEC 27001:2022 certification in fiscal 2024. In fiscal 2022, the e-BRIDGE SKY Suite system was also certified in accordance with ISO/IEC 27017:2015, the security management standard for cloud services.

●Cyber-attack response

In terms of technical measures, we are strengthening measures to protect the public server, in order to prevent cyber-attacks and other forms of unauthorized access from the outside, which are becoming more and more sophisticated year by year, as well as to avoid information leakage. We have also established a system to enable a quick response in the event of a virus infecting an internal computer.

●Voluntary audit and security education

Each division continuously makes improvements by voluntarily auditing the status of compliance with the internal rules.
We constantly provide education to executives, employees, and staff dispatched from subcontractors, in order to prevent accidents in handling information and widely disseminate the security measures.

Product Security Enhancement Activities

●Offering of products and services that take security into account

Toshiba Tec Group prioritizes customers’ safety and security and strives to offer products and services that take security into account. We implement security measures against cyber-attacks throughout the product lifecycle of planning, development, operations, maintenance, and disposal. By analyzing threats to information assets and evaluating their risks, we implement measures that take cost-effectiveness into account. We evaluate risks throughout supply chains, implement measures in cooperation with our suppliers and partners, and constantly make improvements to ensure safety.

●Response to vulnerabilities relating to products and services

To ensure product and service security, Toshiba Tec Group collects a wide range of information about vulnerabilities and promptly addresses the vulnerabilities that are found. We thoroughly evaluate security before shipments to ensure that there are no critical vulnerabilities. We are registered as a product developer with the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), which is Japan’s organization in charge of coordinating efforts for vulnerability handling. Toshiba Tec addresses vulnerabilities internationally in cooperation with the U.S. CERT/CC and other coordination organizations in various countries. Moreover, to promptly respond to vulnerability information, which is transmitted daily from Open Source Software (OSS) and other sources, we have introduced the Toshiba PSIRT Assistance System to seek the enhancement of our system.

●Response to security incidents for products or services

In the event of a product or service security incident caused by a cyber-attack, we promptly establish a response system and report the incident internally and externally, striving to disclose information, identify its cause, and prevent recurrence of similar incidents. Specifically, we deal with security incidents using the Toshiba Tec PSIRT system. Toshiba Tec also periodically holds product security risk response training together with its domestic and overseas group companies, seeking improvements so that security incidents can be promptly reported and addressed.

●Provision of information about product and service security

Concerning information about our response to vulnerabilities or security incidents, we provide such information to customers in cooperation with government agencies, etc. as necessary. We disclose information about vulnerabilities and how to deal with them to the public in Japan and abroad in a timely manner through channels such as our website and Japan Vulnerability Notes (JVN), the national vulnerability database. In cases in which the disclosure of such information can affect specific customers, we will provide such information individually through our sales window, etc.

●Security personnel development activities

Toshiba Tec focuses on developing security personnel to improve its information security and product security. The Group provides all employees with education on proper information management and product security using e-learning. We recommend that our engineers acquire security-related certifications, and we provide training programs to enable them to acquire up-to-date knowledge of security. In addition, we use Toshiba Group’s security qualification and certification system to systematically improve our employees’ security skills. Through these initiatives, we develop human resources who possess expertise and the ability to put it into practice to strengthen our product security.

●Cooperation with Toshiba Cyber-Security Center (CSEC) and Toshiba Group

Toshiba Tec, as a member of the Toshiba Group, cooperates closely with Toshiba Cyber-Security Center (CSEC) under Toshiba Group’s cybersecurity management system. Through this cooperation, in addition to promoting the building of a cybersecurity system, Toshiba Tec seeks to develop and enhance its management system concerning information security and product security, working on prompt and proper response to vulnerability information and security incidents.