Information Security

Basic Philosophy

To properly manage personal and confidential information, based on the Suzuki Basic Policy for Information Security, an information security officers’ committee was established under the Corporate Governance Committee to deal with information security in general including cybersecurity, and the Company is promoting the Suzuki Group’s information security measures.

Suzuki Basic Policy for Information Security

1. Legal Compliance

We shall comply with laws, regulations, national guidelines, contractual obligations, and other social norms related to information security.

2. Initiatives for information security and product security

To ensure that our customers can use our products and services with peace of mind, we shall address product security as part of our information security efforts.

3. Building of an information security management system

In addition to establishing an information security officers’ committee, we shall assign a person in charge of handling confidential information and an information security promoter to each internal department and organization.

4. Establishment of internal regulations

We shall establish internal regulations concerning information security and make them known to all employees.

5. Establishment of an audit system

We shall conduct information security audits regularly and as needed to verify that information security-related laws and regulations are complied with and that regulations and rules are functioning effectively.

6. Implementation of information security measures

We shall implement organizational, technical, physical, and personnel security measures to prevent damage such as information leaks or alterations.

7. Implementation of education

We shall provide information security-related education and training for all employees in order to raise their awareness of and ability to deal with information security.

8. Management of outsourced contractors

We shall examine the security level of outsourced contractors. For important outsourced contractors, the security level shall be audited on a regular basis.

9. Implementation of continuous improvements

We shall continuously improve the overall system to ensure information security by regularly evaluating and reviewing the above efforts.

Management System

We have established countermeasures subcommittees under the information security officers’ committee to build a system for implementing more appropriate information security management.

■ Information security management system promotion organization

Information security management system promotion organization

Measures Against Information Leakage and External Attacks

We obtained ISO 27001 (information security management system) certification in 2020, and we continue to maintain this certification by conducting Company-wide assessment activities and internal audits every year.

We have organized a dedicated Computer Security Incident Response Team (CSIRT) to prevent information security incidents, detect and resolve them at an early stage when they occur, and prevent recurrence after they occur. In preparation for the occurrence of such incidents, the CSIRT (1) collects and analyzes information on information security incidents and (2) conducts internal awareness-raising activities.

In addition, we conduct response training twice a year for CSIRT members on the assumption that an information security incident has occurred.

Implementation of Education

For information security, we provide the following training to all employees, including officers, as well as to all personnel in charge.

Implementation of information security education

We conduct the following education for all employees, including officers:

  • E-learning training (once a year)
  • Distribution of ISMS (information security) education cards (once a year)
  • Education for new employees and training for each job level

Implementation of targeted attack e-mail response training

For all employees, including officers, we conduct targeted attack e-mail response training (once or twice a year) and distribute ISMS education cards to alert them to security issues and inform them of the contact information in case of a security incident.

Education for departmental information security officers

Twice a year, information security management education is conducted for personnel in charge of handling confidential information and information security promoters in each department.

Product Security

Product security countermeasures subcommittee

Under the information security officers’ committee, we have established a product security countermeasures subcommittee, an organizational body that manages security operations from product development to disposal, and conducts regular management of product security. By continuing these activities, we ensure the daily safety and security of our customers.

PSIRT

This countermeasures subcommittee has established a Product Security Incident Response Team (PSIRT), which collects industry information from organizations such as Auto-ISAC*, a Japanese automotive cybersecurity organization that collects and analyzes product-related security information, in order to prepare against attacks on product security.

* Japan Automotive Information Sharing and Analysis Center

Product security reporting and audits

We conduct audits every year to verify compliance with, and to improve, the organizational systems, regulations, and procedures related to product security. The product security countermeasures subcommittee regularly reports on PSIRT progress and status, together with objective status reports obtained through audits, so that attacks related to product security can be dealt with rapidly.