Specific initiatives to reinforce security

The Information Security Committee was established in the second half of fiscal 2022. It reports directly to the president and CEO to make decisions regarding the security of the Ricoh Group. The committee consists of Executive Officers who meet certain eligibility requirements and has, in principle, met quarterly beginning in fiscal 2023.

The committee mainly deliberates on the Ricoh Group’s security strategy, security governance, and security operations.

The risks to information security have been increasing rapidly in recent years. The scope of response by companies is also expanding due to the frequency of cyberattacks, the diversification and sophistication of malware technologies, such as ransomware, the tightening and diversification of laws and regulations in various countries, and the emergence of geopolitical risks.

In addition, as we transform ourselves into a digital services company, we must not only mitigate security risks in our digital services but also view them as investments for business growth in order to further solidify profitability in our existing businesses.

Recently, while companies are striving to improve their competitiveness through DX, there are also security issues that need to be resolved. To this end, the Security Promotion Department was established in fiscal 2022 under the direct control of the CEO, who is in charge of security management, to plan and implement security and privacy protection strategies for the Ricoh Group as a whole. The department supports the operation of the committee by making prompt management decisions on security and clarifying strategies to comply with the laws and regulations of various countries.

• Product security
• Corporate security
• Factory security
• Data privacy policy

Product security

Security by Design (SBD): We are committed to implementing SBD, which ensures information security from the planning and design stages. In-house regulations based on ISO/IEC 27034-1, the international standard for secure development, have been established and are being gradually applied.

Security risk initiatives: We take immediate action on vulnerability countermeasures in accordance with international standards ISO/IEC 29147 and 30111. Specifically, we notify the public on our response status and alerts to high cyberattack risks, set up a contact point to handle security researchers’ vulnerability reports, and provide information on countermeasures.

Corporate security

As cyberattacks targeting companies such as ransomware become more sophisticated and complex, the Ricoh Group is promoting cyber security measures globally.

Setting up and running Computer Security Incident Response Team: We created the RICOH-Computer Security Incident Response Team in fiscal 2013 to analyze threats based on incident reports from the Security Operation Center and external response team organizations, and information from security information websites. The team takes the lead in promptly and optimally responding to threats, such as by preserving evidence, analyzing attacks, investigating causes, and preventing and containing spreads.

Establishing and running Security Operation Center: It constantly monitors Group IT systems. The center quickly detects external unauthorized intrusions and internal unauthorized use, collaborating with the RICOH-Computer Security Incident Response Team to quickly detect incidents.

Factory security

We are bolstering the security of operational technologies in plant networks. Attackers generally attempt to gain entry through weak points. That makes it vital to strengthen security in factories, which are less secure than office IT setups.

We are constantly deploying initiatives to enhance organizational governance, with all plants proactively evaluating their situations situation through internal and third-party assessments while taking steps to address issues that come to light.

Data privacy policy

Progress with digitization and the growing use of big data have heightened concerns about data privacy and personal data protection. That said, rules for using personal data remain unclear, including as to the appropriate usage levels. Customers are concerned about personal data handling and privacy protection.

We manage information based on a data privacy policy for all customer personal data that complies with the Personal Information Protection Act and other laws and regulations. We will launch a full-fledged data business to create new value by drawing on AI to help customers grow and resolve their issues.

Cyberattacks are increasing and becoming more sophisticated, targeting all sorts of industries. We undertake security activities that primarily aim to safeguard customer information assets in line NIST SP 800-171 guidelines for protecting sensitive information. These activities are part of comprehensive efforts to reinforce corporate, product, factory and data privacy security.

For Group products and services, we focus on customers that seek secure business environments and require those environments to be NIST SP 800-171-compliant. We will accordingly supply offerings that enable such compliance.

Ricoh will continue deploying measures to comply with NIST SP 800-171 in its business environment to rigorously safeguard the information assets of customers.

Our initiatives to boost security meet the security requirements of customers, who consider implementing our product security services, and protect their information assets, thus lowering their business risks.