GovernanceInformation Security

The Sawai Group retains a wide range of sensitive information, including personal data and trade secrets, gathered from both within and outside the organization. To safeguard and manage these information assets, we have established Information Security Management Regulations, under which we implement IT security measures and store data across multiple locations, including external data centers. In addition, we have established the Group Information Security Committee to promote company-wide information security initiatives, such as conducting employee training and awareness programs.

Information Security Policy

The Sawai Group recognizes information assets as a vital management resource and is committed to ensuring information security based on the following policy.

Information Security Policy (PDF: 326KB)Opens in a new window.

PLAN (Analysis & Planning)

Advancing Sawai DX

The Sawai Group aims to improve people's lives and health through business transformation powered by digital technology. Under our "Sawai DX" strategy, we are progressively advancing three key actions: transforming into a digital leader, pursuing digital health businesses, and strengthening our IT infrastructure. We position the enhancement of information security as a critical foundation for all these initiatives.

Sawai DXOpens in a new window.

* Japanese Language Website

Generative AI Utilization and Governance

The Sawai Group promotes the use of generative AI tools approved by the IT Department, with the goals of improving operational efficiency and creating new value.

Safe AI Use through Clear Guidelines

We limit our use of generative AI tools to business purposes and ensure the confidentiality of input data by using only tools approved for their effectiveness in prohibiting the use of those data for AI training and preventing external data leaks, thereby creating a secure environment where internal information assets can be used with confidence.

Key Initiatives
  • Defining the Scope of Use:
    Only approved tools are allowed to be used for business purposes only, in compliance with established rules for handling personal information, copyrighted material, and information subject to confidentiality obligations.
  • Preventing Rights Infringement:
    Any use of AI-generated content for commercial purposes must be preceded by a mandatory review process to verify that the content includes no similarities with existing copyrighted material, trademarks, and designs protected by design rights.
  • Ensuring Accuracy:
    We strictly enforce the operational rules so as not to blindly take AI-generated content at face value and to verify its accuracy against reliable sources.

Guideline Communication and Community Management

Generative AI guidelines, which clearly define legal compliance requirements and usage procedures, are communicated to all officers and employees, including temporary and contract staff. We have established an internal generative AI community website named the "Generative AI Portal" to share examples of generative AI applications and matters of note, as well as the latest technological trends and risk information, in a timely manner. Through these efforts, we aim to enhance organizational AI literacy and foster a culture of safe AI usage, thereby driving sustainable digital transformation.

Information Security Management Structure

The Sawai Group has built an organizational structure that ensures its compliance with laws, regulations, and other standards related to information security and protection of its information assets. We assign a responsible person in each department clearly defined roles and authority. We have also established an Information Security Committee, which comprises an Executive Officer, a Management Officer, and a Secretariat, to continue to maintain and improve information security in an organized manner.

The diagram below shows our information security management structure.

Under the Board of Directors, the Sawai Group has established an Information Security Management Structure. Within this structure, led by the Chief Information Security Officer, we position the Information Security Manager in charge of Physical and Paper Media and the Information Security Manager in charge of Electronic Media and Devices directly under the Chief Information Security Officer. We have also established the Information Security Committee and the Information Security Secretariat to collaborate with them. In each department, we assign a System Administrator, Information Security Staff, and a Confidential Information Manager under the direction of the Information Security Officer to conduct information sharing with employees. Additionally, the Information Security Audit Division conducts internal audits, and the Committee reports to this division.

In the event of an incident, the Information Security Committee will take the lead in establishing a Computer Security Incident Response Team (CSIRT) framework, as shown below.

Management gives instructions to the Risk Management Committee, Personal Information Protection Committee, Compliance Committee, and Information Security Committee, and each committee reports to Management. In normal operations, the Information Security Committee comprises the IT Department, Internal Control Division, General Affairs Department, and Legal Department. In an emergency response, we add the Public Relations Department and transition to the CSIRT Framework. Each department shares the responsibilities of communicating with internal and external parties and requesting responses according to their areas of expertise, and provides instructions and conducts information sharing with employees.

Risk Analysis

The Sawai Group conducts comprehensive risk assessments to identify threats to its information assets.

Vulnerability Analysis

We conduct regular vulnerability analyses of our information security to identify risks associated with our information assets. We also define a risk tolerance level and develop information security measures supported by actionable implementation plans to ensure that identified risks remain within this threshold. By continuously reviewing these countermeasures against identified vulnerabilities and their execution, we maintain and strengthen the security of our information systems.

Business Continuity Plan (BCP)

We are strengthening our IT-BCP framework in anticipation of any security incidents so that our critical operations, including maintaining a stable supply of pharmaceuticals as the most important, will remain resilient even in the event of emergencies, such as natural disasters or cyberattacks.

DO (Implementation)

Human Security Measures

The Sawai Group fosters a security-conscious culture through rigorous education and training.

Security Training

We conduct regular information security education and training programs to raise awareness across the organization, including e-learning modules and targeted phishing attack simulations regularly offered to all employees. Furthermore, we provide departmental information security staff with cybercrime prevention seminars taught by external experts.

Incident Response

We have established a clear escalation process to be initiated in the event of a security incident or suspicious activity being discovered by an employee, where the employee must immediately disconnect their PC from the network and report the incident to their supervisor and the IT Department. We not only communicate this process to all employees but also, to ensure its effectiveness, conduct regular targeted phishing attack simulation drills in which simulated phishing emails are sent to all employees for hands-on training in identifying suspicious emails and practicing the established escalation process.

Technical Measures

We have developed the Sawai Information Security Map and systematically implement measures against insider threats and unauthorized access, grounded in three perspectives: the assumption of malicious intent, the assumption of human fallibility,* and the assumption of good faith.

Furthermore, we are continuously evolving our information security measures to adapt them to the changing business and IT landscape, including the adoption of zero trust security models to address the diversification of work styles and the increased reliance on cloud services.

* The assumption of human fallibility (a concept defined by Sawai): This approach recognizes that humans are inherently imperfect and prone to error. Rather than relying solely on individual vigilance, we proactively build systemic safeguards to prevent employees from unintentionally causing data leaks (e.g., preventing data leaks by setting an automatic delay for outgoing external emails).

Physical Measures

We physically safeguard our buildings and facilities to prevent unauthorized access or damage to our information assets or losses thereof. We designate secure and restricted zones to which only authorized access is allowed through strict entry and exit control systems. Furthermore, we maintain robust physical security through the proper installation and ongoing protection of all critical equipment and facilities.

CHECK (Monitoring)

Information Security Assessment

The Sawai Group conducts regular third-party assessments and applies the PDCA (plan-do-check-act) cycle to continuously optimize and improve our information security practices.

Audits

The Sawai Group verifies that its information security consistently remains at an appropriate level through regular internal reviews, as well as external and internal audits.

External Audits

To verify that our information security is properly managed through appropriately implemented measures, we undergo regular assessments conducted by external parties. Furthermore, our IT Department, which is responsible for information security, has been certified to comply with ISO 27001 for information security management systems (ISMS) by the Japan Management Association Quality Assurance Registration Center (JMAQA) (certificate number: JMAQA-S257; date of certification: July 1, 2022).

Internal Audits

The Internal Inspection Office serves internal information security auditing functions. As part of our monitoring activities for our information security management system (ISMS), this office conducts regular internal audits of operations that involve handling information assets. To ensure the effectiveness of these audits, Sawai Group Holdings has the authority to access all information assets of the Sawai Group, including data created by officers and employees, ingoing and outgoing emails, and internet access logs.

ACT (Improvement)

Corrective Actions

If monitoring identifies any residual risks that exceed the Sawai Group’s defined risk tolerance level, the Information Security Committee will formulate a comprehensive improvement plan. Improvements may include revising measures to be implemented by each department and updating the Information Security Policy or other related arrangements. Revised documents are promptly distributed to all relevant personnel. Any residual risks that are currently difficult to mitigate are managed as exceptions.

Back to Sustainability Top