FEATURE II Toshiba Tec's Cyber Security Measures to Protect Systems and Products from Cyber Attacks

In recent years, cyber attacks targeting customer information and important engineering data held by companies have been increasing. Meanwhile, appropriate investment judgment on IT and security, as well as prompt action in the event of a major security incident that affects business management, are essential as corporate strategies. In April 2018, we, Toshiba Tec, established a Chief Information Security Officer (CISO) and a Product Security Incident Response Team (PSIRT) to implement cyber security measures for products, along with a Computer Security Incident Response Team (CSIRT) to implement cyber security measures for information security. We added professional members from each division to build a cyber security system that can handle security matters in every aspect.

Cyber security system

We have established an information-sharing network centered on the CISO as One Ttec, and we deal with incidents in accordance with our in-house network for PSIRT/CSIRT.
We promote security measures rapidly and consistently against cyber security risks in information systems, products and services, while enhancing cyber security governance under the CISO.

Message from Takeshi Eguchi, CISO Vice President

As the first CISO, I endeavor to enhance the product security and information security of Toshiba Tec Group. Many of our products are connected to the network. Therefore, it is essential to promote measures to enhance security in order to protect our customers’ assets. The Cyber Security Management Guidelines were formulated by METI; in other words, security requirements are increasing in society. Accordingly, we have built a cyber security system to promote measures to enhance security. We hope to create products that our customers feel comfortable using while further enhancing security.

Toshiba Tec Cyber Security Measures

e-STUDIO Digital MFP Series

Digital MFPs incorporate data storage that allows the user to store document data as well as a document emailing function. Many office documents contain sensitive information, including personal data, privacy information, and corporate information. It is necessary to protect information assets from cyber attacks. Various security functions are required for digital MFPs to protect users' information assets, such as user/card authentication, access control, a self-encrypting HDD with a wipe-out function, network traffic encryption, firmware integrity assurance, secure printing, audit logging, and wrong transmission prevention.
The e-STUDIO series is certified under the Common Criteria (CC) for Information Technology Security Evaluation as compliant with HCD-PP (Hard Copy Device Protection Profile), the latest and highest security standard for MFPs.
CC is an international standard for information security certification and a recognized standard for evaluating whether security functions have been properly developed. HCD-PP requires the use of cryptographic modules equivalent to the FIPS 140-2 standard, which is very difficult to comply with. HCD-PP-certified MFPs are expected to become increasingly widespread, since they are recognized by third-party organizations as digital MFPs with robust security.

HCD-PP security features

・ User recognition and authentication
・ Access control
・ Encrypted communication
・ Self-test
・ Auditing
・ Update verification
・ Storage encryption
・ Fax/network separation
・ Overwrite erasure and complete wipe-out

CT-5100 Card Settlement Terminal Series

Payment and settlement methods have diversified, and the typical one is credit card settlement with an IC card. Credit card settlement handles sensitive data, such as credit card numbers and personal information. If some of the data were leaked and misused due to cyber attacks, credit card users would suffer significant damage. Therefore, the Japanese government designates credit card settlement services as one of the 14 critical infrastructure sectors that have a significant impact.
Manufacturers engaged in development and production had each produced and marketed settlement terminals according to their own security standards. However, the Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 and global security standards were developed. The Payment Card Industry PIN Transaction Security (PCI PTS) is one of these standards. PCI PTS is a highly demanding standard that is required for settlement terminals that accept PIN entry.
The PADCT-5100 PIN Pad connected to the CT-5100 card settlement terminal series is certified as conforming to the PCI PTS 4.1 standard to provide safe credit card settlement. PCI PTS specifies a wide range of requirements necessary for settlement terminals, such as security functions and product management for software and hardware. In addition, the CT-5100 uses a closed operating system instead of an open one such as Android or Linux, and incorporates authentication and encryption functions into all built-in software, to maintain robust security against outside hacking. The supplied tamper-resistant function helps to protect sensitive data from external illegal attacks.

CT-5100 Series Settlement Terminal