SHARP

For Customers: Reinforcing Information Security

ISMS efforts and authorization, acquisition of privacy certification

Sharp established its own ISMS (Information Security Management System) in March 2003, thus giving the domestic Sharp Group a system for constant improvement of information security. Based on ISO/IEC 17799(*1), this ISMS is the basis for Sharp’s information security activities.

We have acquired third-party certification for BS 7799(*2) and ISMS to ensure constant security improvements in divisions that require the highest level of security. Such divisions handle top-secret company information, such as cutting-edge Sharp technologies, as well as customer information. As of March 2005, we have third-party certification covering six areas including sales and service of information equipment, system development, and the IT that supports the foundation of the company (IT Strategy Planning, Sales and Marketing Group - Electronic Components and Devices, Sharp Engineering Corporation, Sharp System Products Co., Ltd., Sharp Document Systems Corporation, and Sharp Business Computer Software Inc.).

Sharp will work aggressively to achieve third-party certification for all divisions that must strictly control information.

Sharp is also working to acquire certification for the Privacy Mark(*3) for divisions that handle large amounts of personal information. As of March 2005, a service division (Sharp Document Systems Corporation) has acquired the Privacy Mark.

Other divisions have achieved a level of management equivalent to Privacy Mark standards, and we plan to acquire Privacy Mark certification for these within fiscal 2005.

*1 ISO/IEC 17799: A code of practice for information security management published by the ISO.
*2 BS 7799: British Standard (BS) 7799 is an international standard for information security management.
*3 Privacy Mark: A seal used by companies approved for the personal information protection standard developed by the Japan Information Processing Development Corporation.



 
Information security audits

In fiscal 2004, Sharp trained technicians and intracompany audit personnel with a high level of knowledge and skills related to information security measures. At the same time, Sharp established internal audit standards within the Sharp Group and carried out ISMS internal audits for 20 departments that retain large amounts of personal information. Sharp also conducted audits related to technical safety control measures in conformance with the Guidelines Targeting Economic and Industrial Sectors with Regard to the Law Concerning the Protection of Personal Information issued by the Japanese Ministry of Economy, Trade and Industry ("METI Guidelines").

The audits uncovered fundamental problems, including not changing passwords periodically, not deleting unneeded IDs, etc. Sharp took corrective action, such as shortening the list of persons issued IDs and developing processes for deleting IDs.

In addition, with respect to departments handling personal information, Sharp implemented internal audits aimed at acquiring the Japanese Privacy Mark, and it conducted training so that proper safety control and handling could be maintained.

In fiscal 2005, Sharp will implement ISMS internal audits for all departments, and plans to continue to push ahead with company-wide continuous improvement activities.

 

Employee security training

From fiscal 2004 to the present, the Sharp Group in Japan has been conducting a variety of training courses designed to make employees aware of where information-related risks lie, and to help them gain knowledge and learn the rules in order to respond appropriately to these risks.


Implementing Training and Comprehension Tests for Regular Employees Using E-learning

Since fiscal 2004, Sharp has used e-learning to conduct training regarding information security in general with the intention of educating employees about the significance of information security. Sharp is also implementing training courses for newly hired employees with identical content. Specifically, since the beginning of 2005, Sharp has conducted e-learning training courses on compliance items related to the handling of personal information for all employees of the Sharp Group in Japan who use personal computers. In addition, Sharp also thoroughly tested their comprehension, and required that participants re-study each item which was answered incorrectly.

Training Information Security Technicians

Sharp is conducting basic training to develop a staff of security technicians with a high level of knowledge and skill related to information security measures, and who can design, manage and operate secure servers and networks. In fiscal 2005, we have plans to train 40 security technicians through application training courses.

ISMS Internal Auditor Training

Sharp set intracompany qualifications for auditing the implementation of ISMS and the protection of personal information, and trained 80 qualified individuals.

 

Information leak prevention measures using information technology

To prevent information leaks associated with the theft or loss of portable computers, in fiscal 2004, our company issued directives to restrict the removal of portable computers from company premises and worked to minimize taking portable computers off-premises. In addition, for portable computers taken outside the company, Sharp mandated that protective measures be implemented, such as incorporating personal authentication systems based on IC cards and encoding data stored on hard drives.

Further, Sharp strengthened the system of control by installing access control devices linking IC cards with fingerprint authentication equipment in key server rooms, and also introduced IC-card access control equipment in departments handling personal information.

Beyond this, in an effort to foster a corporate culture in which illegalities do not occur, we have constructed mechanisms to automatically archive records that identify persons who access information.

 

Improved cooperation with business partners

In fiscal 2004, Sharp made agreements with its business partners setting forth how personal information is to be handled, and it advanced measures for protecting personal information that include audits of business partners.

We will continue taking steps to ensure that both parties comply at the security management level according to the nature of the business relationship. Sharp will also proceed with creating mechanisms to develop management rules for the secure handling of information entrusted to us by our business partners in a manner similar to our own intracompany information.


(c) 2006 SHARP CORPORATION