Information Security Report 2020 - Hitachi


Information Security Report 2020, Hitachi Group

INDEX

CISO on Security ........ 4
Information Security Governance ........ 5
Editorial: Enhancing Cyber Resilience to Support the New Normal ........ 10
CSIRT Activity in the Hitachi Group ........ 11
Cybersecurity ........ 14
Global Information Security ........ 16
Initiatives for Security Human Resource Development ........ 18
Cybersecurity Management ........ 20
Initiatives Related to Personal Information ........ 26
Editorial: PrivacyMark-Related Initiatives of the Hitachi Group ........ 33
Privacy Protection ........ 34
Research and Development of Security ........ 36
Cooperation Across Organizational Boundaries / External Activity Related to Information Security ........ 39
Third-Party Evaluation and ........ 41
Overview of the Hitachi Group ........ 44

Summary of this report
Scope and time period covered by this report: Hitachi Group information security initiatives up to and including FY 2019.
Publication date: December 2020.

CISO Interview
Enhancing Information Security Amid Accelerating Business Reforms and Under Global Management

— From the perspective of a chief information security officer (CISO), what impact have recent changes in the IT arena had on business?

The move towards the cloud and growing digitalization of information mean that our legacy information security processes need to evolve to keep up with the times. The jump in COVID-19 infections has led to rapid adoption of remote working and the associated technology. These changes have created new vectors for information security threats, and the latest security is needed to protect people working under varied conditions.

— Besides the security risks to individuals, what does the risk environment look like for increasingly diversified businesses?

The system integration that takes place to enhance competitiveness when advancing management strategies such as M&A and carve-outs can give rise to unexpected security risks. When taking a new business entity under your wing, the new entity will have its own set of security standards which might differ from those of the Hitachi Group. Measures like providing a transition period and monitoring integration from an early stage are now essential. In the case of a carve-out, we must bear full responsibility until it is firmly under the security management of the new owner. When talking about business management strategy at a global level, the potential for risk does not respect borders, but our approach remains the same.

— Many Japanese businesses have been the victim of cyberattacks. How do we deal with this trend?

No enterprise is immune to cyberattacks. Originally a threat to business, cyberattacks are now seen as a threat to global order. It's no longer enough to think in terms of building a wall so high that the attacker can't get over it. We're at the stage where our approach to defending against the ever-present threat of cyberattacks needs to consider a certain amount of risk inevitable.

— A yogurt container lid? How does this analogy relate to security?

Imagine that the yogurt is ransomware and the lid is a security system. Recently, the undersides of the lids of commercially packaged yogurt are textured in a way that stops the yogurt from clinging to them. This idea can be applied to how we think of cybersecurity. Rather than a one-size-fits-all approach to countermeasures, introducing variety gives us the best chance of avoiding risk. We don't run from risk; we face it head on.

— What future course of action do you see the Hitachi Group taking?

There's only so much a single company can do to protect itself against constantly evolving threats. We need to work together closely not only with Group companies inside and outside Japan but also with our outside partners, and share information about cyberattacks so we can put up a broad line of defense. By acting in this way, we can give the Hitachi Group the best chance to prevent information security incidents, and with daily effort and ingenuity, minimize the impact on business of any attacks that get past our defenses. With momentum growing in relation to global business activity, we hope to enhance the presence of the Hitachi Group in the information security arena through strategic activity.

— What defense strategies do you envisage being used going forward?

We will need to build environments that use the latest technology. With attackers constantly chipping away at vulnerabilities, the idea is not just to hinder this activity but to have frameworks in place that, if an attack were to be successful, let it be resolved quickly. The issues are how quickly we can discover the breach and the extent to which we can mitigate its impact. The key to our response is the diversity of our security. If we rely too much on a single set of standards or standardized behaviors, a breach of security can create widespread damage. It is important that we take a wide variety of measures, perhaps thinking of security like the lid of a yogurt container.

— It seems like the nature of security itself is undergoing a change. What holds the key?

I would say it's people. We need to foster human resources within the Hitachi Group who keep themselves informed on the latest trends, conduct trend analysis, and share information in a timely manner. Security might have a negative image, but we intend to grow a workforce who can proactively support business operations while taking great pride and joy in their mission of repelling cyberattacks whatever form they might take.

Masashi Murayama
Vice President and Executive Officer, CTrO/CISO, Hitachi, Ltd.

Mr. Murayama joined Hitachi in 1985. Drawing on his experience as the leader of the Project Management Promotion Office, Smart Transformation Project Initiatives Division, between 2016 and 2019 Murayama drove strategic and structural reform as CPO and general manager of Value Chain Integration. He was appointed to the role of Managing Executive Officer in 2019 and CISO in 2020.

Information Security Governance
Information Security Management

The following gives an overview of Hitachi's policy, promotion frameworks, rules, management cycle, and other matters in relation to information security.

Basic philosophy of information security governance

The advancement of IoT has created new value through the interconnection of all manner of "things". However, cyberattacks are growing more sophisticated every day, and their range of targets has expanded from traditional IT to the Internet of Things (IoT) and to OT, which encompasses control and operational technology. To minimize risks such as information leakage and business shutdowns that impact the continuation of business itself, risk management as it pertains to information security is one of the most important issues a business faces.

Hitachi endeavors to be a global leader in the social innovation business. In this role, Hitachi deems cybersecurity one of its key business challenges from the dual perspectives of value creation and risk management, and is honing its expertise in information security governance.

Information security initiatives

Hitachi is duty-bound to protect its diverse information assets, including information kept on customers' behalf, the systems that hold this information, and the information systems that underpin social infrastructure services. To this end, Hitachi engages in information security from four perspectives, grounded on the assumption that incidents will inevitably occur. By maintaining the PDCA cycle for the information security management systems of the Hitachi Group under the guidance of Hitachi, Ltd., we are improving the security level of Hitachi Group companies around the world.

Figure (labels only): Information security from four perspectives. Information assets to be protected. Establishing policy: information security policy; imposing a system of rules (security policy); clarifying the assets that need to be protected. Enforcing administrative measures: establishing a management framework; identifying information assets and performing risk analysis; establishing auditing and follow-up protocols. Implementing technical measures: enforcing feedback for preventive processes and incident response processes by expanding the PDCA cycle. Establishing an information security framework: training administrators and workers; providing security training materials; improving user literacy.

Information security policy

As an organization that contributes to Japan's reputation on the global stage, Hitachi acknowledges that security risks are business risks, and makes every effort to ensure information security by defining a security policy that meshes with the wider management policy of the enterprise.

(1) Formulating administrative rules for information security and ensuring their continual improvement
Hitachi acknowledges that information security initiatives are a key issue for management and business operations, and will formulate administrative rules for information security that comply with the law and other regulations. Hitachi will also establish a company-wide information security management framework with Hitachi, Ltd. executives at its core, and ensure its enforcement. Hitachi will maintain information security from organizational, personal, physical, and technical perspectives, and ensure its continuous improvement.

(2) Protection and ongoing management of information assets
Hitachi implements safe management measures that appropriately protect information assets from threats to their confidentiality, integrity, and availability. Hitachi also implements appropriate control measures to ensure business continuation.

(3) Legal and regulatory compliance
Hitachi complies with laws and other regulations related to information security, and ensures its administrative rules for information security conform to these laws and regulations. In the event of a legal or regulatory violation, Hitachi takes the appropriate punitive action as defined in the employee work rules and other relevant policies.

(4) Education and training
Hitachi aims to improve information security awareness among its executives and workers, and conducts education and training in relation to information security.

(5) Preventing incidents and taking action when they occur
Hitachi endeavors to prevent information security incidents, and if such an incident were to occur, to take appropriate action without delay, including preventing its recurrence.

(6) Ensuring business processes are optimized within the corporate group
In accordance with (1) to (5), Hitachi will endeavor to build frameworks that ensure proper business processes within the corporate group consisting of Hitachi and Hitachi Group companies.

Information Security ManagementInformation Security ManagementInformation security promotion frameworkSystem of rules for information securityWithin the Hitachi Group, Hitachi, Ltd. HQ (corporate) isresponsible for governance of the group as a whole.Governance is instituted by way of instructions passed downthrough lines of control to each Hitachi, Ltd. business unit(hereinafter BU and office and to each Group company. Groupmanagement is achieved through similar controls implemented byBUs and Group companies with respect to its subsidiaries. Thisframework applies not only within Japan but also overseas.The company president nominates a chief information securityofficer who has authority and responsibility in relation toinformation security, and an information security audit officer whohas authority and responsibility in relation to information securityaudits.The chief information security officer establishes an informationsecurity committee which guides policy regarding informationsecurity, personal information protection policies, training plans,and various measures.The matters decided by the information security committee aredisseminated to each organization through information securitypromotion meetings attended by representatives of all BUs andoffices.In principle, the head of the BU and the office manager serveas the information security officer of the BU and office.An information security promotion division is also establishedto handle its personal information protection, information security,c o n fi d e n t i a l i n f o r m a t i o n m a n a g e m e n t , e n t r y a n d e x i tmanagement, and order management processes, and to educateworkers. 
An information asset manager is placed in all divisions,and allocates responsibilities in relation to the handling ofinformation assets including personal information.Similar organizations are established in Group companieswhich act to promote information security through cooperation.Group companyHitachi, Ltd.Individual regulationsRules for managing entry and exit and restricted access areasCriteria for consignment of personal information handlingGroup companyGroup company Basic regulationsThe General rules for information security management definethe basic matters that must be complied with in relation to theformulation, implementation, maintenance, and ongoingimprovement of information security management systems. TheGeneral rules for handling of information and informationequipment define basic guidelines regarding the handling andmanagement of information and information equipment. Theserules are intended to prevent incidents of general informationleakage and unauthorized use of information.The Rules for managing confidential information define thehandling procedures used to protect confidential information. 
Individual regulationsThe Rules on website creation and information disclosuredefine the matters that must be complied with in order todisclose and use information correctly on websites.The Rules for managing information security systems definethe procedures for maintaining the security of informationsystems.The Rules for managing entry and exit and restricted accessareas define measures to maintain physical security, such as rulesgoverning building access.Group companyInformation security audit officerCompany presidentInformation security officerAudit officerChairperson (and CISO)Information security education directorCommittee members: Representatives of businessoffices and heads of HQ management divisionsInformation security promotion meetingInformation security officerGeneral rules for handling of information and information equipmentRules for managing confidential information日立グ ルー プにおけ る情報セキュリティへの取り組みGroup companyInformation security committeeBUOfficeBasic regulationsRules for managing information security systemsGroup companyCEOChief information security officer (CISO*)General rules for information security managementRules on website creation and information disclosureHQ (corporate)BUName of regulationCategoryRules for managing personal informationHitachi, Ltd.BUHitachi has established the rules in the following table based on its information security policies.Group companies have established similar regulations to promote information security.Chief information security audit officerPerson responsible for implementinginformation securityInformation security promotion divisionInformation security management cycleHitachi has established a framework that subjects informationsecurity management including personal informationmanagement to the PDCA (Plan-Do-Check-Action) cycle. In thePlan stage of the PDCA cycle, Hitachi formulates informationsecurity management rules and measures. In the Do stage,Hitachi implements those rules and measures. 
The Check stageentails raising awareness of and monitoring of the activity in theDo stage, which leads to the Action stage in which ongoingimprovements are made. This cycle takes six months from startto finish.External liaison divisionCybersecurity officerInformation systems managerInformation asset manager*CISO: Chief Information Security Officer67

Information Security ManagementInformation Security ManagementEducating workers on information security Information security educationAn organization's ability to maintain information security andprotect personal and confidential information depends on itsworkers understanding the importance of information securityand making it part of their personal ethos as they go about theirdaily tasks.Hitachi conducts annual training by e-learning of all executives,workers, and temporary employees on the subjects ofinformation security and personal information protection.Approximately 40,000 employees and other workers of Hitachi,Ltd., receive this education each year, and attendance hasreached 100%. Hitachi also formulates an annual informationsecurity training plan, and implements it using a diverse range ofCategoryTarget audience・All employeesAll staff educationOn-site security risk assessmenteducation programs tailored to specific subjects and purposes.For example, one program might target specific group of peoplelike newly hired employees and another those in new managerialpositions, while another might offer specialized education topeople in roles such as personal information protection manager.Hitachi, Ltd., makes its educational content available to Groupcompanies inside and outside Japan, and works towardsdeepening the understanding of information security andpersonal information protection of the Hitachi Group as a whole.With an ever-expanding global presence, the Hitachi Groupmakes its home in many countries and regions, countingheadquarters, sales offices, service centers, and manufacturingsites among its business entities. 
This environment inevitablygives rise to diverse in-Group network environments and facilitiesand varied installation and usage environments for IT equipment.There is also communication with outside parties via internetconnections, removable media (USB storage) and other means.Preparing for security risks such as spear phishing and malwareinfection is very important.(1) Carry out assessments of all products and internal facilitiesthat connect to the network of the Hitachi Group based onthe latest developments.(2) Identify issues that might present a security risk and proposeeffective countermeasures on site.To address the risk that comes with changes to the businessenvironment, Hitachi has strengthened its assessment frameworkthat uses expert security teams. Specifically, a security team willDescription・Temporary employeesThe importance of personal information protectionand confidentialinformation �グルー プにおけmanagement, and the latest trends in information securityExecutives and managersTrends in personal information protection and the latest Hitachi initiatives・Employees on secondmentvisit the workplace of a BU or Group company and implementenhancements from the following perspectives:Operational status(Surveys, standards, records)Status reportWrittenreportOn-siteTiered educationSection manager or equivalentNew employeesSpecialized educationKnowledge someone in a management position must possess in relation topersonal information protection, confidential information management, andinformation security, and Hitachi's initiatives in relation to personal information protection.The fundamentals of personal information protection, confidential informationmanagement, and information security.People responsible forprotecting personal informationPractical exercises and the specialized knowledge a person responsible forprotecting personal information must possess, such as internal and managementrules and real-world operating procedures.Information asset managerKnowledge 
required for an information asset manager to carry out their role asa manager of information assets including personal information in their division.The specialized education related to information systems and information security is described in Initiatives for Security HumanResource Development.Incident trendsChecklistLatest securitytechnologyAssessorSummarization ofperspectivesCountermeasures,recommendationsSite checkOfficeIn FY 2019, Hitachi carried out on-site assessments ofdomestic and overseas offices of 19 companies, identifyingnumerous security risks and advising companies on thenecessary countermeasures. Issues with broader implications arefed back and incorporated into company countermeasures.ImprovementWith COVID-19 putting a stop to site checks in FY 2020,Hitachi is planning various alternative means of assessment suchas remote checks. Drill-based education for spear phishing email attacksCyberattacks based on spear phishing emails are a dailyoccurrence. Every employee must be trained in how to respondappropriately when targeted by such an attack.Since 2012, Hitachi has conducted drill-based education toeducate all its employees including those of Group companies inhow to deal with spear phishing attacks. These drills involvesending emails that approximate those sent by actual spear8phishing attackers, giving employees insight into the nature ofsuch emails and how to respond if they receive one. Thispractical approach to education enhances the ability of Hitachiemployees to respond appropriately in the event of a real attack.9

Editorial
Enhancing Cyber Resilience to Support the New Normal

The cybersecurity environment of a modern organization must confront all manner of issues. With the number of potential vectors for cyberattacks growing and the attacks themselves becoming more numerous and more sophisticated, cybersecurity has never had to fight so many battles on so many fronts. Security policies that allow business to be conducted efficiently and safely are emerging from the need to keep up with the new trend of digital transformation and rapidly accommodate the shift to new work styles amid the COVID-19 crisis. To maintain and grow its business operations, Hitachi is building a security ecosystem that brings together entities across organizational boundaries with a singular focus on security. Hitachi will also begin a new initiative that focuses on raising security awareness to turn each employee into a proactive advocate for security.

1 Building a security ecosystem

Security through collaboration

To build a line of defense strong enough to protect the organization, Hitachi aims to foster a correct understanding of security among all workers and build an awareness that encourages ideal ways of working. Hitachi also promotes the creation of a security ecosystem among wider society through collaboration among industry, government, and academia and through awareness-raising activity that transcends corporate boundaries, ultimately enhancing cyber resilience.

2 Making security more reliable through three types of "connections"

(1) Connections among "things"
Digital transformation aims to create value and solve societal issues by making connections. The environment that underpins digital transformation requires connections among devices and systems, as typified by IoT. Hitachi is engaged in the implementation of comprehensive cybersecurity measures in all manner of environments.

(2) Connections among people and organizations
Maintaining security in a world where connections are made between hitherto unconnected things requires that different organizations work together to promote security measures. As well as enforcing measures through internal controls, Hitachi engages in community-building across positions and organizations, reaffirms individual responsibility, and deepens connections with others. This activity forms connections among people and organizations.

(3) Connections within society
Connections need not only form within Hitachi. It is now essential to share threat information and issues encountered when implementing countermeasures with governments, schools, enterprises, and other entities engaged in cybersecurity initiatives to create a community not bound by traditional constraints. Hitachi encourages each enterprise and organization to feed back the knowledge it gains from the community into its own security management cycle, creating further connections in society.

3 Raising security awareness

The security awareness of each and every person fortifies their organizations against threats

The COVID-19 pandemic has given rise to new work styles out of necessity. Hitachi has rapidly increased teleworking opportunities and is considering initiatives to normalize working from home. However, with growth in cybersecurity threats showing no signs of abating, adequate security measures are essential to unlock the potential of teleworking. Until now, the primary target of an attacker has been IT infrastructure, but with work styles increasingly based on teleworking, attackers are beginning to target lapses in security awareness. Working outside the office in an unfamiliar environment can lower your defenses, and with nobody around to act as a voice of reason, risk is ever present. For this reason, Hitachi considers the individual's security awareness the last bastion against security threats. Hitachi has begun activity to raise security awareness from a new employee-focused perspective that recognizes that people are as important as IT when it comes to security. Specifically, by providing the opportunity for workers to proactively learn and practice security, this information will then be shared with other workers in a virtuous cycle leading to greater and greater awareness.

To allow people to live a pleasant life safely and securely under the new normal and to avoid its latent risks, Hitachi will continue to seek and promote new security initiatives.

CSIRT Activity in the Hitachi Group

The Hitachi Incident Response Team (HIRT) is a CSIRT (Cyber Security Incident Readiness/Response Team) that supports Hitachi's activity in relation to cybersecurity countermeasures. By preventing the occurrence of security incidents and promptly responding to them if they do occur, the HIRT contributes to the realization of a safe and secure network environment for our customers and society.

What is an incident response team?

A security incident (hereinafter incident) is a human-caused cybersecurity-related occurrence, examples of which include unauthorized access, denial of service, and destruction of data. An incident response team is a group of people who lead incident operations to resolve issues through inter-organizational and international cooperation. The skill set of an incident response team includes understanding and communicating threats from a technical perspective, coordinating technical activity, and liaising with external parties on technical matters. A team with these skills can prevent (through readiness) and resolve (through responsiveness) various issues that might arise.

Model of HIRT activity

The role of the HIRT is to provide ongoing support for Hitachi's cybersecurity countermeasures through vulnerability handling, which eliminates vulnerabilities that threats might exploit, and incident response, which involves evading and resolving cyberattacks. The team approaches these tasks from the perspective of intra-organizational activity and collaborative activity. Intra-organizational activity covers information security initiatives targeting Hitachi's corporate information systems, and collaborative activity covers initiatives intended to ensure the cybersecurity of products and services targeting our customers' information systems and control systems. HIRT's mission also includes helping to realize a safe and secure internet society by catching the early signs of nascent threats and taking preventive measures at the earliest possible stage.

The HIRT has adopted a model that consists of four IRTs (Incident Response Teams) to advance vulnerability handling and incident response. The four IRTs are:

(1) Product vendor IRT, responsible for developing products related to information systems and control systems
(2) SI (System Integration) vendor IRT, responsible for building systems and providing services using these products
(3) In-house user IRT, responsible for managing the operation of Hitachi's information systems as an internet user
(4) HIRT/CC (HIRT center), which coordinates among these IRTs

Together these form a model that makes the role of each IRT clear and promotes efficient and effective security countermeasures through inter-IRT cooperation.

Figure (HIRT activity model, labels only): Information security initiatives / initiatives to bolster the cybersecurity of products and services. Ensuring the security of customer systems: SI vendor IRT (divisions that provide SI services to third parties). Addressing vulnerabilities in Hitachi products: product vendor IRT (product development division). Ensuring the security of in-house infrastructure: internal user IRT (divisions managing in-house infrastructure). HIRT center (HIRT/CC): liaison and coordination among IRTs; building a global network with external IRT communities such as FIRST; Information Security Early Warning Partnership.

Roles of the IRTs:

- HIRT/CC (applicable division: HIRT center): promotes vulnerability countermeasures and incident response activity through coordination with external IRT groups such as FIRST, JPCERT/CC, and CERT/CC, and cooperation with SI vendor IRTs, product vendor IRTs, and in-house user IRTs.
- SI vendor IRT (applicable division: SI/service division): supports vulnerability handling and incident response for customer systems by ensuring their security in the same way as in-house systems in relation to known vulnerabilities.
- Product vendor IRT (applicable division: product development division): supports vulnerability countermeasures for Hitachi products by investigating from an early stage whether any products are affected by known vulnerabilities, and taking action to resolve any issues found by pa
