For business activities, ensuring information security is the foundation on which Tokyo Gas Group maintains our brand value of "Safety, Security, and Reliability." In particular, we make it our social responsibility as a public utility company to prevent any leaks of confidential information, including, notably, information on our more than 11 million customers, and destruction of or tampering with systems.
In light of environmental changes such as sophisticated Internet use and the increased threat of cyber-attacks (such as unauthorized access from external connections and computer viruses), Tokyo Gas will establish a PDCA cycle to further strengthen our approach to ensuring information security.
Information Security Promotion System
To promote the proactive utilization of information, enhance the Group's brand value, and realize its sustainable growth, we have established an information security promotion system in each division/department with an eye to preventing information security incidents (such as leaks of confidential information and destruction of and tampering with systems), and minimizing the damage and impact caused by any such incidents. Furthermore, in order to make a concerted effort to ensure information security within the Group, the same information security promotion system is also in place at subsidiaries and affiliates, and around 250 companies that support the Group's business.
Tokyo Gas Group Information Security Promotion
Code of Conduct to Ensure Information Security
Even when everyone is being as careful as possible to ensure information security, a slip-up by just one person can bring things crashing down. Thinking that one can ease off because everyone else is being careful is the sort of thing that can give rise to an incident.
The Code of Conduct to Ensure Information Security provides guidelines on decision making and actions for every individual in the Group to follow to ensure information security.
Seven Good Habits for Information Security
The Seven Good Habits for Information Security encapsulate those elements of the Code of Conduct to Ensure Information Security that are especially important to practice as a matter of habit.
Every February, which has been designated "Information Security Month," this poster is displayed in workplaces to encourage everyone to think about their routine actions and develop a greater awareness of information security.
Practices to Ensure Information Security
To continuously ensure information security in a manner that reflects advances in information technology and the information security situation in society, we implement both technical and personnel-related measures. On the technology side, we deploy multiple layers of security, including installation of hardware to protect against unauthorized access from external connections and use of equipment to detect and remove computer viruses. On the personnel side, we have developed arrangements to promote information security, provide education in information security, and perform self-checks. In fiscal 2015, we established a special unit called the Computer Security Incident Response Team (CSIRT) to deal with incidents rapidly.
In fiscal 2015, security education was provided to regular employees and temporary staffers at around 80 companies, including Tokyo Gas, our subsidiaries and affiliates, and Tokyo Gas LIFEVAL ("LIFEVAL"). In addition to learning about various issues, including removal of confidential information, the employees learned anew how to deal with emails from unidentified senders as well as points to note when using an ID and password, thus deepening their understanding of information leakage and virus infection risks.
For self-checks, employees verify whether they are acting in accordance with the knowledge and rules gained during their security education and feed the results back to relevant job sites so that employees can change their workplace behavior.
Our company, subsidiaries and affiliates, and LIFEVAL continue to implement education and self-check activities in order to maintain and improve the information security level of individual employees.
Protection of Personal Information
Policy on protection of personal information at Tokyo Gas
We recognize that properly protecting and handling personal information is at the foundation of our business activities and an important social responsibility. In fulfilling these responsibilities, we have established the following policies under which we make our best efforts to protect personal information:
(1) Observing laws
In addition to observing all applicable laws and regulations governing the protection of personal information and all relevant laws, regulations, and guidelines, Tokyo Gas establishes its company policy and internal rules for the protection of personal information, and strives to improve them.
(2) Managing personal information
Tokyo Gas takes necessary actions under relevant laws, regulations and guidelines and properly manages personal information in order to prevent any loss or leakage of or unauthorized changes to said information. In addition, a person responsible for the protection of personal information is assigned at each workplace to educate and monitor employees in relation to this issue.
(3) Obtaining and using personal information
Tokyo Gas obtains personal information in appropriate ways in order to properly and smoothly carry out its business activities. When obtaining such information, Tokyo Gas informs the person concerned in advance of the purpose of use of his or her information, and uses said information only within the scope necessary to achieve this purpose.
(4) Providing personal information to third parties
Tokyo Gas does not provide personal information to any third party without obtaining the agreement of the person involved, except when allowed to do so under relevant laws, regulations or guidelines, and in certain cases where, for example, parties receiving the entrusted information are not deemed by law to be third parties. When providing personal information to, for example, an entrustee, Tokyo Gas selects a party that can meet and fulfill the necessary standards and obligations for managing personal information, makes appropriate arrangements for the protection of the personal information, and exercises monitoring over said party.
(5) Disclosure, correction, etc. of personal information
When a person seeks to, for example, disclose or correct his or her personal information, Tokyo Gas endeavors to respond to the request promptly, within reasonable limits under relevant laws and guidelines, after confirming the person's identity.
Safety control of personal information
The Group collects and utilizes a large amount of personal information, including information on over 11 million customers. We put a company-wide safety control system for personal information in place from April 1, 2005, ahead of the full enforcement of the Act on the Protection of Personal Information. We also reexamined our in-house rules and manuals in response to the requirements of the law and implemented awareness-raising activities for all employees of the Group. After the law took effect, personal information protection audits were performed by the Internal Audit Department in addition to self-inspections in order to ensure the proper functioning of personal information safety control.
Information Security Audit
The Internal Audit Department audits the company and its subsidiaries and affiliates to determine whether the audited organizations are taking proper steps to ensure information security, where there exist specific information security risks, and whether controls are being properly developed and implemented to manage these risks.