Information Security Management

NSK’s Approach

Recent advances in information and communications technology (ICT) have dramatically enhanced the convenience of information handling. However, this has also dramatically increased the risks associated with digital information. In addition to the risk of mishandling information, there is a greater risk of information security incidents, such as sensitive information being stolen or leaked through sophisticated cyberattacks, or due to the growing number of people working from home. To mitigate these risks and remain in compliance with increasingly tighter regulations related to information security, the NSK Group views information security as an important management task and is taking steps to strengthen it. We maintain ISO 27001 certification, an international standard for managing information security. Moreover, we are building even more robust mechanisms and strengthening our network security measures and other organizational structures to address today’s increasingly sophisticated cyberattacks.

Basic Policy and Management Standards and Rules

In June 2003, the NSK Group issued the NSK Basic Policy on Information Security as well as the Rules of NSK Information Management. We subsequently established rules concerning information security and strengthened our Group-wide efforts. In June 2019, the NSK Group Basic Policy on Information Security was updated to clarify the need for continuous improvement of security activities and to revise the relevant rules that serve as specific action guidelines.

Main Information security policies and standards of the NSK Group

System

Information Security Management System (ISMS)

The NSK Group established the Information Security Enhancement Office under the Digital Transformation Division HQ in order to implement more comprehensive information security enhancement measures globally. Risks related to information security are linked to the corporate risk management system, and the Board of Directors discusses issues related to information security measures and oversees risk mitigation for the entire Group.

The Information Security Enhancement Office regularly holds global meetings, and plans and implements information security measures for the Group, working in cooperation with information security management committees in Japan, the Americas, Europe, China, ASEAN and Oceania, India and South Korea.

Information Security Management System (ISMS)

Targets and Performance

Sixth Mid-Term Management Plan Targets (FY2019–2021) and the FY2021 Targets and Performance
PolicySixth Mid-Term Management Plan targetsFY2021 targetsFY2021 performance
Respond to risks associated with the convenience of information handling due to the rapid development of information and communication technology and strengthen compliance with relevant laws and regulations
Build even more robust network mechanisms and organizational structures to counter increasingly sophisticated cyberattacks
Enhance information security infrastructureContinue to implement PDCA cycles for the Information Security Management System (ISMS), strengthen monitoring
  • Implemented ongoing ISMS activities
  • Implemented and expanded the scope of real-time monitoring
Obtain ISO 27001 certificationRenew ISO 27001 certification
  • Maintained ISO 27001 certification
  • Expanded acquisition of equivalent certifications
Strengthen incident response capability (including the C-SIRT* system)Strengthen SIRT system and continue incident response trainingConducted incident response training under the C-SIRT system and developed a security readiness system for manufactured products
Enhance ID and access managementEstablish and implement an ID and access management systemCompleted implementation of ID and access management system

* C-SIRT: Acronym for Computer Security Incident Response Team. An organization that responds to cyberattacks and other information security threats.

Mid-Term Management Plan 2026 (MTP2026) Targets (FY2022–2026) and the FY2022 Targets
PolicyMTP2026 targetsFY2022 targets
  • Respond to risks associated with the convenience of information handling due to the rapid development of information and communication technology and strengthen compliance with relevant laws and regulations
  • Establish a highly secure IT infrastructure to address today’s increasingly sophisticated cyberattacks and take initiatives to strengthen readiness for cyberattacks
Strengthen security governance management operations
  • Make efforts to improve security standards based on official guidelines*
  • Strengthen readiness against cyberattacks
Strengthen cyber security risk countermeasuresImprove cybersecurity response capability by providing education and training
Strengthen infrastructure securityEstablish a security-focused next-generation network and strengthen vulnerability management

* Official guidelines: Guidelines and frameworks developed by professional cybersecurity organizations that have been adopted worldwide

Information Security Initiatives

The NSK Group's main information security initiatives are as follows.

  • Enhancing information security management
  • Having an external expert conduct security assessments to evaluate the security of NSK’s critical internal computer systems and public website
  • Developing an incident response system
  • Raising the information security awareness of NSK’s officers, employees, and business partners
Status of Security Certifications

NSK maintains ISO 27001 certification at previously certified sites (Japan, Korea, and India). In addition, based on demands from customers, we acquired TISAX, a security certification broadly adopted in Germany’s automobile industry, in Europe in fiscal 2021, and in China and Japan in fiscal 2022.

Training and Countermeasures against Cyberattacks

NSK provided targeted threat e-mail training to all NSK Group employees, including those at overseas sites, and training that assumes the occurrence of incidents was conducted in cooperation with system management divisions. Some of the technological measures we have promoted in order to prevent damage from recent ransomware attacks include enhancing phishing e-mail monitoring and strengthening monitoring and countermeasures for vulnerabilities using external security evaluation services. In addition, given the growing risk of attacks against the supply chain, we have enhanced security systems at factories and implemented risk assessments and management for control equipment. Furthermore, assessments of critical systems have been conducted by an external expert contractor, and we are continuing to identify and address problem areas.

We have established a system and operation manual to ensure swift and appropriate response in the event of a security incident, and we conduct training and evaluate and improve our response readiness.

Prevention of Information Leaks and Information Security Education

The NSK Group takes meticulous care in the handling of confidential information and works hard to prevent the leakage of information. We are deploying tools that enhance security across the Group and are taking steps to mitigate the risk of information leaks from not only PCs but also paper documents. We also categorize information according to its level of confidentiality and set rules for proper handling.

As part of the NSK Group’s information security education and awareness activities, the Group provides education on information security via e-learning programs for all officers, employees, and temporary employees who use PCs. We conduct regular security inspections to determine the degree of compliance with rules on information handling and document classification according to confidentiality. In addition, we provide rank and function-specific training on information security, including executive training, training for system personnel, training for mid-career hires, and training before international assignment. We also provide information security education to the contractors who perform work on NSK premises.