Basic Policy
We shall acquire and safely protect confidential business information and personal information, from either Shimadzu or other companies, in accordance with appropriate rules.
General Rule
(1) Building and Implementing Information Security Systems
Shimadzu shall establish an information security committee. The committee shall share the content and purpose of measures and promote their implementation.
(2) Acquiring Information in an Open and Fair Manner
We shall not acquire confidential or personal information using unethical means.
(3) Acquiring, Using, Managing, and Disposing of Information Appropriately
We shall acquire, use, manage, and dispose of information or data about business processes and technology received from customers, suppliers, or job applicants, and internal information or data about Shimadzu business processes or technology, appropriately in accordance with all applicable laws, regulations, contracts, and internal company rules.
(4) Defending Against Cyber-Attacks
We shall implement technical, physical, and human measures to increase our defenses against cyber-attacks.
Efforts
Improving Information Security Within the Shimadzu Group
The Shimadzu Group shall obtain personal information and confidential business information related to Shimadzu and other companies based on appropriate rules. We appropriately manage important information received from customers and business partners, and promote improvements in information security to prevent fraud and misuse.
It is essential that each and every person concerned be aware of the need for cooperation across the entire Shimadzu Group and for the appropriate management and utilization of information.
The "Information Security Committee," chaired by the director in charge of information systems, meets on a regular basis to establish a structure for deployment at the head office and Group companies. We hold regular global security meetings with overseas Group companies. The committee deliberates on the direction and content of initiatives, formulates relevant regulations that include human, organizational, and technical measures, and decides on the introduction of new management measures and tools. In order to minimize damage in the event of an accident, we have established a network of contacts with our subsidiaries in Japan and overseas, and have established procedures for responding to such incidents.
We distribute the "Information Security Guidebook," which summarizes the rules of information security; conduct information security education through e-learning; conduct email training to build understanding of the threats posed by suspicious and fraudulent emails and of how to respond to them; and engage in ongoing education and awareness raising about the importance of information security.
Our Group company Shimadzu Business Systems (responsible for establishing systems for the Shimadzu Group) has acquired ISO 27001 certification for information security.
In order to prevent information leaks and the suspension of corporate activities due to cyber-attacks, we implement measures against malware on networks and PCs, and we diagnose and respond to vulnerabilities.
Systems for Improving Information Security
The Shimadzu Group periodically conducts Information Security Committee meetings chaired by the director in charge of information security and has established systems for deploying committee decisions throughout Shimadzu Corporation and Group companies. At the meetings, the committee discusses the direction and content of measures, creates relevant regulations that incorporate human, organizational, and technical countermeasures, and makes decisions regarding introducing new information management methods and tools. To minimize the damage from any accidents, we established a communication tree system for sharing information with subsidiaries in and outside Japan and specified a protocol for responding to accidents. Global security meetings are periodically held with Group companies outside Japan.