Ricoh's Approach to Information Security

The Ricoh Group CSR Charter sets forth the principles by which the Group fulfills its corporate social responsibilities in every aspect of its operations, so that Ricoh can grow as an enterprise respected by society. The first chapter of the Charter explains Ricoh's fundamental approach to the information society. Ricoh's information security activities are the means of translating the Charter's "integrity in corporate activities" and "harmony with the environment" into practical action.

Information Security Management as Defined by Ricoh

Ricoh defines information security management as "a management system which, by leveraging technical, human and physical elements, is designed to protect, against a variety of threats, the confidentiality (1), integrity (2) and availability (3) of sales, technical, personal and other information in electronic or hard-copy formats used in the course of corporate activities." Its goal is information security management that supports the Group's transformation into a secure enterprise with firmly established risk management practices. This is backed by parallel initiatives that encourage the use of information while strengthening information security. The know-how gained in these efforts is reflected in the security products and solutions offered to customers, which embody the Ricoh Group's commitment to creating a secure society.

(1) Confidentiality: information is not disclosed to unauthorized persons or organizations.
(2) Integrity: the accuracy and completeness of information assets are protected.
(3) Availability: information can be accessed by authorized parties when required.

Specific Initiatives for Information Security Management

Ricoh's information security management is based on an Information Security Management System (ISMS). The information security activities carried out by individual organizations form part of this established system and are guided primarily by information security controllers. Management activities include formulating the annual plan, which specifies the priority activities for information security, and internally auditing the actions taken. Any non-conformance or matter requiring remedial steps is reported to Headquarters, where a database is maintained for this purpose, so that the issue is placed on the agenda for Group-wide discussion in the following fiscal year.

Three Factors for Information Security Activities

Ricoh's information security management rests on the following three factors.

(1) Participation by all employees
In the course of creating value for customers, all employees handle sales, technical, personal and other information. At Ricoh, information security is not left to a select group of departments or task domains; it is treated as an all-out endeavor in which everyone, from senior management to clerical staff, and cooperating corporate partners as well, must take part.

(2) Daily management and ongoing improvement
Information security management is properly in place only when it is part of daily business operations. Ricoh specifies standards and rules and administers education and training programs so that employees become fully familiar with them. Through office patrols and employees reminding one another, Ricoh confirms that employees clear their desks and PC screens when stepping away from or leaving the office, and that the rules for handling information devices are followed. Improvements are made whenever an opportunity is found. During internal audits, specialists check the information security of each organization and raise issues with management so that adherence to the rules improves further.

(3) In-house application
Ricoh uses the security products and solutions it develops in-house throughout the Ricoh Group to solve the broad range of issues that stand in the way of creating a secure enterprise. Ricoh's belief is that information security products and solutions should be offered to customers only after Ricoh has used them in-house, confirmed that they are useful and made any needed improvements. A number of new applications and product improvements have in fact resulted from the know-how gained through such in-house use.

Integration with Other Management Systems

Social and other changes bring new legislation and standards, and these are introduced into the area of information security. When a code of conduct requiring compliance is introduced, it is incorporated as standards and rules into Ricoh's unified information security management rules. For example, the compliance requirements of Japan's Personal Information Protection Law, which came into force in April 2005, have become part of the rules and standards of the entire company and of the relevant departments, strengthening Ricoh's legal compliance as part of its ISMS activity. The same approach is taken to the Japanese SOX Act (J-SOX) and to the new IT-related requirements stemming from the newly introduced Financial Instruments and Exchange Law in Japan. When integrating a new code into the system, Ricoh reviews the information security management system and makes appropriate improvements, refining it into a unique, distinctively Ricoh code of conduct.

Figure: Ricoh's information security (conceptual model)