Tokyo Gas Group CSR Report

Promotion of Compliance

Information Security Management

Basic Policies

For business activities, ensuring information security is the foundation on which Tokyo Gas Group maintains our brand value of "Safety, Security, and Reliability." In particular, we make it our social responsibility as a public utility company to prevent any leaks of confidential information, including, notably, information on our more than 11 million customers, and destruction of or tampering with systems.

In light of environmental changes such as sophisticated Internet use and the increased threat of cyber-attacks (such as unauthorized access from external connections and computer viruses), Tokyo Gas will establish a PDCA cycle to further strengthen our approach to ensuring information security.

PDCA Cycle in Ensuring Information Security


DFF Inc., Corporate Social Responsibility Sect, General Administration Dept., Corporate Planning Dept., Resources & Global Business Division, Energy Solution Div, Power Business Dept., Pipeline Network Division, IT Division, Residential Sales Div., Fundamental Technology Dept., Energy Solution Div, Environmental Affairs Dept., Purchasing Dept., Health Insurance & Employees' Welfare Sect., Personnel Dept., Internal Audit Dept., Audit & Supervisory Board Member's Office, Compliance Dept., Regional Development Div., Finance Dept, TGES, TOKYO GAS COMMUNICATIONS, INC.

Information Security Promotion System

To promote the proactive utilization of information, enhance the Group's brand value, and realize its sustainable growth, we have established an information security promotion system in each division/department with an eye to preventing information security incidents (such as leaks of confidential information and destruction of and tampering with systems), and minimizing the damage and impact caused by any such incidents. Furthermore, in order to make a concerted effort to ensure information security within the Group, the same information security promotion system is also in place at subsidiaries and affiliates, and around 250 companies that support the Group's business.

Tokyo Gas Group Information Security Promotion System Chart


Tokyo Gas Group Information Security Promotion
Code of Conduct to Ensure Information Security

Even when everyone is being as careful as possible to ensure information security, a slip-up by just one person can bring things crashing down. Thinking that one can ease off because everyone else is being careful is the sort of thing that can give rise to an incident.

The Code of Conduct to Ensure Information Security provides guidelines on decision making and actions for every individual in the Group to follow to ensure information security.


Practices to Ensure Information Security

To continuously ensure information security in a manner that reflects advances in information technology and the information security situation in society, we implement both technical and personnel-related measures. On the technology side, we deploy multiple layers of security, including installation of hardware to protect against unauthorized access from external connections and use of equipment to detect and remove computer viruses. On the personnel side, we have developed arrangements to promote information security, provide education in information security, and perform self-checks. A special unit called the Computer Security Incident Response Team (CSIRT) has also been set up to deal with incidents more rapidly.

In fiscal 2016, security education was provided to regular employees and temporary staffers at around 80 companies, including Tokyo Gas, our subsidiaries, and Tokyo Gas LIFEVAL ("LIFEVAL") companies. Participants learned about the proper handling of confidential information when removed from the premises, dealing with emails from unknown senders, and managing IDs and passwords in order to strengthen their understanding of the risks associated with the theft and loss of data and information leaks caused by computer viruses.

For self-checks, employees verify whether they are acting in accordance with the knowledge and rules gained during their security education and feed the results back to relevant job sites so that employees can change their workplace behavior.

Our company, subsidiaries, and LIFEVAL will continue to implement personnel-related and technical measures in order to maintain and improve the information security level of individual employees.

Protection of Personal Information

Policy on protection of personal information at Tokyo Gas
We recognize that properly protecting and handling personal information is at the foundation of our business activities and an important social responsibility. In fulfilling these responsibilities, we have established the following policies under which we make our best efforts to protect personal information:
 

(1) Observing laws

In addition to observing all applicable laws and regulations governing the protection of personal information and all relevant laws, regulations, and guidelines, Tokyo Gas establishes its company policy and internal rules for the protection of personal information, and strives to improve them.

(2) Managing personal information

Tokyo Gas takes necessary actions under relevant laws, regulations and guidelines and properly manages personal information in order to prevent any loss or leakage of or unauthorized changes to said information. In addition, a person responsible for the protection of personal information is assigned at each workplace to educate and monitor employees in relation to this issue.

(3) Obtaining and using personal information

Tokyo Gas obtains personal information in appropriate ways in order to properly and smoothly carry out its business activities. When obtaining such information, Tokyo Gas informs the person concerned in advance of the purpose of use of his or her information, and uses said information only within the scope necessary to achieve this purpose.

(4) Providing personal information to third parties

Tokyo Gas does not provide personal information to any third party without obtaining the agreement of the person involved, except when allowed to do so under relevant laws, regulations or guidelines, and in certain cases where, for example, parties receiving the entrusted information are not deemed by law to be third parties. When providing personal information to, for example, an entrustee, Tokyo Gas selects a party that can meet and fulfill the necessary standards and obligations for managing personal information, makes appropriate arrangements for the protection of the personal information, and exercises monitoring over said party.

(5) Disclosure, correction, etc. of personal information

When a person seeks to, for example, disclose or correct his or her personal information, Tokyo Gas endeavors to respond to the request promptly, within reasonable limits under relevant laws and guidelines, after confirming the person's identity.

 

Secure control of personal information
The Group collects and utilizes a large amount of personal information, including information on over 11 million customers. We already had a company-wide personal information security control system in place before the Act on the Protection of Personal Information took full effect on April 1, 2005, and after it entered effect we developed in-house rules and manuals in compliance with the act and informed all group employees of the new requirements.

Alongside the voluntary checks conducted to confirm that information is being properly managed following the act’s entry into effect, personal information protection audits are performed by the Internal Audit Department to monitor compliance with the Act on the Protection of Personal Information, other applicable laws, ordinances, and guidelines, and our own policy on protection of personal information and internal regulations. In order to constantly foster awareness of information security, employees learn about protecting personal information as part of the level-specific training provided when they join the company, during their third year and qualification promotions, and on other appropriate occasions. Education on the subject is also provided through annual e-learning courses.

Ahead of the entry into effect of the revised Act on the Protection of Personal Information on May 30, 2017, members of Tokyo Gas Group were informed of details of the revised act from the second half of fiscal 2016, and preparations were made for new initiatives required to comply with the new requirements (regarding, for example, the clarification of personal information and handling of anonymized information). In April 2017, a booklet providing a practice-oriented explanation of the act was distributed to all employees of Tokyo Gas and its subsidiaries, Tokyo Gas LIFEVAL companies, and other partner companies to strengthen understanding and assist rigorous compliance.

Let’s Follow the Rules: A Guide for Protecting Personal Information


Information Security Audit

The Internal Audit Department audits the company and its subsidiaries and affiliates to determine whether the audited organizations are taking proper steps to ensure information security, where there exist specific information security risks, and whether controls are being properly developed and implemented to manage these risks.