Information Security

Basic Policy on Information Security

TechMatrix Group (“the Group”) supplies cutting-edge IT, network devices, and cyber security-related products and services. By helping customers to transform their business models and strengthen their competitiveness, the Group solves social issues and contributes to the creation of a sustainable society.
Increasingly sophisticated and malicious cyber attacks pose a threat to society, and the Group recognizes that the protection and proper safety management of all information assets in its possession, including information entrusted to it by customers, are of extreme importance. Based on that belief, and in addition to complying with laws and regulations, TECHMATRIX CORPORATION (“the Company”) has introduced an Information Security Management System (ISMS) and established structures for continuously implementing and improving its activities in line with the Information Security Policy.

> Information Security Basic Policy, ISMS Certification

Basic Policy on Personal Information Protection

The Group collects personal information in the course of conducting its Information Infrastructure business, Application Service business, and Medical Systems business, and recognizes that it has an important social responsibility to protect that information appropriately. In accordance with this belief, in addition to complying with the Act on the Protection of Personal Information, guidelines such as the Guidelines for Protection of Personal Information, and other relevant laws and regulations governing the protection of personal information, the Company has established a Personal Information Protection Policy to develop and maintain systems for protecting personal information, which it strives to continuously improve.
> Personal Information Protection Policy (TechMatrix)
Pursuant to the Personal Information Protection Policy, each Group company in Japan and overseas has established rules for handling personal information in line with the Group standards, complies with the laws and regulations that apply both in the country where each of its business bases is located and to its business activities there, and handles personal information received from customers and stakeholders lawfully and appropriately.

The following matters can be confirmed in the Personal Information Protection Policy:
・ procedures for disclosure and related requests (disclosure; amendment, i.e. correction, addition or deletion; cessation of use, i.e. cessation of use or deletion) concerning personal information;
・ supplying personal information to third parties; and
・ outsourcing of handling and joint use of personal information.

Information Security Governance

In line with its basic approach to corporate governance regarding the improvement of transparency and efficiency in management, the Company has established an information security governance structure in which the executive functions headed by the President and CEO and the supervisory functions of the Board of Directors are clearly separated.
In terms of executive functions, the Information Security Committee (Chair: President and CEO) meets quarterly (*) to confirm the status of implementation of the PDCA cycle for information security management, issues and responses for the strengthening of security measures, and the activities of the Information Systems Division, which implements internal security measures in coordination with the Committee. These matters are reported to the Board of Directors at least once a year.
In terms of supervisory functions, as part of corporate governance related to overall management, the Board of Directors, which has high transparency through the participation of Outside Directors, works to ensure sufficient supervision and auditing of business execution.
* Secretariat meetings led by employees of the Corporate Division are held monthly.

Prevention and Detection of and Responses to Security Incidents

The Company has newly established a Computer Security Incident Response Team (CSIRT) within its IT Promotion Department to prevent incidents through regular activities, detect incidents early, and carry out emergency responses. By improving prediction and monitoring based on logs, developing response procedures for each incident level, and conducting training, the CSIRT has become an organization capable of responding swiftly and accurately, from detection through recovery. Going forward, it will strengthen cooperation with related internal and external organizations.

<Cycle of strengthening security for incident responses>
Building on the CSIRT's responses, the Company runs a PDCA cycle in which it assesses the current status through periodic risk assessment and then takes action, in order to improve ISMS operation and strengthen its incident response capability. Specifically, it conducts a detailed risk assessment once a year, identifies and analyzes risks from both infrastructure and operational perspectives, implements security enhancements for each matter identified, and on that basis reviews its next security strategy.

<Medium-to long-term security enhancement plan>
Through the promotion of CSIRT activities and the establishment of rules aligned with international standards such as ISO and NIST, the Company plans to strengthen internal security by 2024, strengthen security for customers by 2026, and establish a security monitoring system covering all Group companies by 2028.

Initiatives for the Strengthening of Information Security

In an IT society where new technologies are created and adopted every day, security measures must likewise respond to change rapidly and across an extremely wide range. As a business operator that receives important personal information from stakeholders, the Group implements ongoing initiatives to strengthen system security, including technical measures based on the latest information and the strengthening of system operation and monitoring.
<Physical measures: Physical support for putting the rules into practice>
・Management of the transfer of information equipment
・Restrictions on access to facilities and management of entry to and exit from rooms and buildings
・Locked storage of highly important information, etc.
<Technical measures: Technical support for putting the rules into practice>
・Antivirus measures for information devices, hard disk encryption, and installation of EDR tools
・Verification of vulnerabilities in public-facing servers and strengthening of protective measures
・Monitoring and control of unauthorized access from outside and of information leakage, etc.

Education and Awareness-raising of Information Security

The Group believes that, to respond to information security risks and protect its information assets, it must heighten awareness of information security among all officers and employees and ensure thorough compliance with its policies. With this belief, the Company and its Group companies conduct information security education and awareness-raising activities at each company, and the Company supports the activities of individual Group companies through measures such as providing educational content. The Company also continuously provides all officers and employees with training on targeted email attacks, both to keep them alert and to clearly define the channels for reporting such attacks, in its efforts to raise the security literacy of individual employees.

Initiatives for Suppliers

With the growing incidence of cyber attacks targeting supply chains in Japan and overseas in recent years, companies are being called on to strengthen their security measures in consideration of the impact not only on their own companies but on their affiliated companies. Against this background, the Company has launched initiatives regarding security measures that consider the entire supply chain, including subcontractors and suppliers.
<Monitoring and review of services provided by suppliers>
The Company identifies the security status of supplier companies at least once a year.
When deemed necessary, the Company also conducts security surveys and audits through questionnaire surveys (*) of individual companies.
The survey for the fiscal year ended March 31, 2023 received responses from all surveyed companies. As a result of the questionnaire survey, companies found not to have taken the necessary measures, or that reported a measure as not applicable to them, were asked to submit reports explaining their current circumstances, the reasons, and their action plans.

* Survey of companies on external certifications obtained related to their protection of personal information and information security and on the status of their management of the protection of personal information (Questionnaire on Protection of Personal Information)

Acquisition of External Certifications

Overview of certifications

Acquisition of External Certifications for Services Provided
The General Incorporated Association ASP-SaaS-AI-IoT Cloud Industry Association (abbreviation: ASPIC) has certified the cloud services we provide. This certification attests that information on the safety and reliability of these services is properly disclosed.

On March 16, 2018, our Group’s medical data storage service NOBORI received certification under the Medical Data ASP-SaaS Information Disclosure Certification System (certification number: Medical 0002-1803).
