ISMSs in Action Case 4:
Ricoh Imaging Technology (Shanghai) Co., Ltd. [RITS]



Ricoh Imaging Technology (Shanghai) Co., Ltd. [RITS] is an offshore* development and evaluation center that accepts projects commissioned by Ricoh and Ricoh Group companies. As a product business base for the China region, it also develops products for China (and other BRICs) and contributes to cost reduction.
With a firm commitment to security at the core of all its information security activities, the company overcame the challenge of integrating three organizations, each with a distinct ISMS (Information Security Management System) base, and obtained ISMS certification in a short period of time.
* Offshore: development and operation/management of systems contracted out to business operators and subsidiaries overseas

Photo: Building containing RITS
As an offshore development and evaluation base, RITS is commissioned with projects involving the development, design and evaluation of mechanisms, electronics, software and solutions. As a key business base, it works with manufacturing, sales and service-related affiliates on product development and technological support for products geared to the Chinese market. In concerted efforts with the manufacturing companies, it also carries out cost-cutting initiatives.
Figure: Location of RITS

Events leading to ISMS Certification
Originally established in Shanghai in May 2002 as a software development company, RITS created a Product Quality Evaluation Department in May 2004. In a parallel move, the Office of ISMS Promotion and the Information Security Committee were formed in April 2005, and they initiated a series of actions leading to certification. RITS embarked on activities aimed at the development of an ISMS (BS7799) and its certification, which ran parallel to the effort to develop a quality management system (QMS). It obtained BS7799 certification in 2006 and ISO 27001 certification in March of the following year, after it underwent an assessment for transition to ISO 27001.
With the expansion of its business, RITS merged with the Design Office of Ricoh Asia Industry (RAI) and the former Shanghai Ricoh Facsimile Development Center, and a new RITS was established in December 2006. This coincided with the ISMS renewal audit period, which required RITS to complete the post-merger ISMS within six months of the certification for transition to ISO 27001 and to be ready for the surveillance audit. RITS met the difficult challenge of integrating the three organizations with different ISMS bases and completed a unified ISMS base in a limited period of time, thanks to all employees, who understood the significance of this endeavor, and to Ricoh Headquarters and the IT/S Division, which provided the needed support. It went through an assessment for renewal covering the sites of all three former organizations and was certified in November 2007.
Figure: Details of ISMS activities and events leading to certification

Initiatives for ISMS Operations

Photo: Temperature control of server rooms administered
At RITS, a broad range of initiatives is in place to support the “integrity in corporate activities” and “harmony with society” declared in the Ricoh Group CSR Charter. Examples include environmental conservation activities (Environmental Management System, EMS), actions ensuring stricter information security (ISMS), actions to boost product quality (Quality Management System, QMS), Capability Maturity Model Integration (CMMI) for software development aimed at higher product quality based on the QMS, and Integrated Product Development (IPD) for product development. ISMS-oriented initiatives include training IT specialists to enable voluntary management of servers, in addition to efforts for daily management and continual improvement.

Initiatives for Daily ISMS Management

(1) Use of ISMS Handbook

Photo: Verification of ISMS internal rules
At RITS, an ISMS Handbook was prepared by the Information Security Committee and the ISMS Promotion Office and distributed to all employees. The ISMS Handbook explains in an easy-to-understand format the 20 points of RITS’s code of business conduct, including the employees’ code of conduct required for ISMS operation. It serves not only as a textbook for ISMS education but is also used in conjunction with Notes-based self-checks (with new checks available each period), an electronic declaration to the immediate supervisor of strict compliance with the code of conduct, and periodic workplace patrolling, during which the handbook functions as a checklist. In addition, RITS uses an incident-forecast database and requires all employees to report any potential security-related incident in order to trigger spiraling-up effects in security awareness and practice.
Photo: Workplace patrolling by chief ISMS advocates

(2) Information Security Committee

Photo: Information Security Committee and ISMS Promotion Office
The Information Security Committee holds meetings following the weekly RITS Operation Conference to exchange reports of IT incidents, the status of IT operation and the state of progress in building ISMS, and to conduct in-depth discussions of matters requiring further scrutiny for the prevention of incidents.
(3) Measuring effectiveness in 16 key areas
The effectiveness of the measures proposed through ISMS development is measured once every six months. Administered by the ISMS Promotion Office and others based on a 16-point checklist, the check is designed to bring continual improvement for the benefit of the entire organization by reflecting the results in future actions.

RITS is preparing for the introduction of the RFG ISMeasures launched previously in Japan in fiscal 2007. It is also redoubling its efforts to strengthen its culture of information security by refining the ISMS base. A review will be made to realign it with the RFG ISMeasures stated in the RGS (Ricoh Group Standard) to build an ISMS base that works in sync with Ricoh’s ISMS.