Information Security Management
NSK’s Approach
Recent advances in information and communications technology (ICT) have dramatically enhanced the convenience of information handling. However, this has also dramatically increased the risks associated with digital information. In addition to the risk of mishandling information, there is a greater risk of information security incidents, such as sensitive information being stolen or leaked through sophisticated cyberattacks, or due to the growing number of people working from home. To mitigate these risks and remain in compliance with increasingly tighter regulations related to information security, the NSK Group views information security as an important management task and is taking steps to strengthen it. We maintain ISO 27001 certification, an international standard for managing information security. Moreover, we are building even more robust mechanisms and strengthening our network security measures and other organizational structures to address today’s increasingly sophisticated cyberattacks.
Basic Policy and Management Standards and Rules
In June 2003, the NSK Group issued the NSK Basic Policy on Information Security as well as the Rules of NSK Information Management. We subsequently established rules concerning information security and strengthened our Group-wide efforts. In June 2019, the NSK Group Basic Policy on Information Security was updated to clarify the need for continuous improvement of security activities and to revise the relevant rules that serve as specific action guidelines.
System
Information Security Management System (ISMS)
The NSK Group established the Information Security Enhancement Office under the Digital Transformation Division HQ in order to implement more comprehensive information security enhancement measures globally. Risks related to information security are linked to the corporate risk management system, and the Board of Directors discusses issues related to information security measures and oversees risk mitigation for the entire Group.
The Information Security Enhancement Office regularly holds global meetings, and plans and implements information security measures for the Group, working in cooperation with information security management committees in Japan, the Americas, Europe, China, ASEAN and Oceania, India and South Korea.
Targets and Performance
Sixth Mid-Term Management Plan Targets (FY2019–2021) and the FY2021 Targets and Performance
| Policy | Sixth Mid-Term Management Plan targets | FY2021 targets | FY2021 performance |
|---|---|---|---|
| Respond to risks associated with the convenience of information handling due to the rapid development of information and communication technology and strengthen compliance with relevant laws and regulations Build even more robust network mechanisms and organizational structures to counter increasingly sophisticated cyberattacks |
Enhance information security infrastructure | Continue to implement PDCA cycles for the Information Security Management System (ISMS), strengthen monitoring |
|
| Obtain ISO 27001 certification | Renew ISO 27001 certification |
|
|
| Strengthen incident response capability (including the C-SIRT* system) | Strengthen SIRT system and continue incident response training | Conducted incident response training under the C-SIRT system and developed a security readiness system for manufactured products | |
| Enhance ID and access management | Establish and implement an ID and access management system | Completed implementation of ID and access management system |
* C-SIRT: Acronym for Computer Security Incident Response Team. An organization that responds to cyberattacks and other information security threats.
Mid-Term Management Plan 2026 (MTP2026) Targets (FY2022–2026) and the FY2022 Targets
| Policy | MTP2026 targets | FY2022 targets |
|---|---|---|
|
Strengthen security governance management operations |
|
| Strengthen cyber security risk countermeasures | Improve cybersecurity response capability by providing education and training | |
| Strengthen infrastructure security | Establish a security-focused next-generation network and strengthen vulnerability management |
* Official guidelines: Guidelines and frameworks developed by professional cybersecurity organizations that have been adopted worldwide
Information Security Initiatives
The NSK Group's main information security initiatives are as follows.
- Enhancing information security management
- Having an external expert conduct security assessments to evaluate the security of NSK’s critical internal computer systems and public website
- Developing an incident response system
- Raising the information security awareness of NSK’s officers, employees, and business partners
Status of Security Certifications
NSK maintains ISO 27001 certification at previously certified sites (Japan, Korea, and India). In addition, based on demands from customers, we acquired TISAX, a security certification broadly adopted in Germany’s automobile industry, in Europe in fiscal 2021, and in China and Japan in fiscal 2022.
Training and Countermeasures against Cyberattacks
NSK provided targeted threat e-mail training to all NSK Group employees, including those at overseas sites, and training that assumes the occurrence of incidents was conducted in cooperation with system management divisions. Some of the technological measures we have promoted in order to prevent damage from recent ransomware attacks include enhancing phishing e-mail monitoring and strengthening monitoring and countermeasures for vulnerabilities using external security evaluation services. In addition, given the growing risk of attacks against the supply chain, we have enhanced security systems at factories and implemented risk assessments and management for control equipment. Furthermore, assessments of critical systems have been conducted by an external expert contractor, and we are continuing to identify and address problem areas.
We have established a system and operation manual to ensure swift and appropriate response in the event of a security incident, and we conduct training and evaluate and improve our response readiness.
Prevention of Information Leaks and Information Security Education
The NSK Group takes meticulous care in the handling of confidential information and works hard to prevent the leakage of information. We are deploying tools that enhance security across the Group and are taking steps to mitigate the risk of information leaks from not only PCs but also paper documents. We also categorize information according to its level of confidentiality and set rules for proper handling.
As part of the NSK Group’s information security education and awareness activities, the Group provides education on information security via e-learning programs for all officers, employees, and temporary employees who use PCs. We conduct regular security inspections to determine the degree of compliance with rules on information handling and document classification according to confidentiality. In addition, we provide rank and function-specific training on information security, including executive training, training for system personnel, training for mid-career hires, and training before international assignment. We also provide information security education to the contractors who perform work on NSK premises.