Check Sheet for Business Partners on ISM Criteria （Ver 1.9）
d Answer Remarks Score
1 Establishment of Information Security Management Structure
1-1 An organizational structure for information security management is established. 3 Not filled
1-2 Rules for information security are established and clearly documented. 3 Not filled
1-3 Regarding implementing items on information security in an organization, manager is identified and his/her roles and responsibilities are clarified. 2 Not filled
2 Confidential Control for Information Assets
(1) Confidential information specified by Our Company and any confidential information created with this information are clarified by making an
Clarification of 2-1-1 3 Not filled
information assets list (inventory list).
Confidential 2-1-2 Appropriate security controls to the confidential information listed in management ledger are implemented. 1 Not filled
2-1-3 The information assets list (inventory list) and actual state of information management are regularly checked (reviewed) by a person in charge. 2 Not filled
(2) 2-2-1 A management ledger for any vendor that you share confidential information with, is prepared. 2 Not filled NA
2-2-2 Nondisclosure agreement (or any signed document for confidentiality obligation), including the articles defined as follows, is made with the 3
a) Confidentiality obligation
b) The scope of information to be subject to non-disclosure
c) The period of compliance (including unlimited)
d) The purpose of the usage of the information
e) That parties accessing is limited to those who need to know about the task
f) Controls on specified important confidential information to be applied Not filled NA
g) Restriction on copies of specified important confidential information.
h) Return or disposal of information upon termination of the compliance agreement
i) Rights to check the situation under which the information is stored or handled, such as a hearing or audit by Panasonic
j) Rights in case of breaches of confidential obligation by the third party (to include articles for damage compensation and the right for
k) Prohibition of re-commissioning by vendors without consent
Control for l) Prohibition of using a personally owned PC for business
Exchanging 2-2-3 Rules for exchanging confidential information between you and your vendors are established as being the same as between Our Company 2
Confidential and you.
a) All information passing to you from Our Company is handled as internal use only (nondisclosure to third parties) in principle.
Not filled NA
Information b) When exchanging/disclosing confidential information is necessary, our approval is sought in advance.
c) When sending confidential information formatted in an electronic file, it is encrypted.
2-2-4 Actual status of information security for your vendors is regularly surveyed. 1 Not filled NA
2-2-5 Passing confidential information between you and vendors are recorded. 2
a) Rules are determined and made a statement of mutual agreement with any party when passing information assets between you and Not filled NA
them. record of actual communication (passing) is kept and managed.
2-2-6 Rules for returning/collecting information is determined between you and Our Company. 2
a) A method of returning/collecting, detailing the time limit and person in charge, is clarified when an operation ends.
2-2-7 Confidential information is exchanged/ returned/ collected based on the rules determined between you and Our Company. 2 Not filled
When exchanging information constantly via an e-commerce system or electronic system for passing drawings, an agreement is concluded
between you and Our Company regarding measures of confidentiality such as procedures and operating methods and they are implemented.
a) Procedures for sending/ receiving, shipping/ receiving, and their notification Not filled NA
b) Methods of recording/ reading information, and transmitting
c) Responsibility and guaranty in case of data loss
(3) 2-3-1 Areas are sectionalized so that entrance by persons who are not concerned with a site /building/room can be limited. 1 Not filled
2-3-2 There is a physical system to limit entrance. 1 Not filled
2-3-3 Entrance is granted only to persons who need to know certain information. 2
a) Permission to enter the room is given only to persons/in occasions judged necessary for business reasons by the manager . Not filled
b) Logs are kept of all who are both or either of entering/exiting a room.
2-3-4 Wall, ID card authentication systems, surveillance cameras, sensors, etc are installed when strengthening security. 1
Not filled NA
Physical Controls Business Zone: Logs are kept for all entries/ exits with ID card authentication.
Important Zone: Entry/ exit are monitored by a surveillance camera. Logs are kept for all entries/ exits with ID card authentication.
2-3-5 Entry/ exit logs (including their images) are regularly inspected. 1 Not filled
2-3-6 There is a system to distinguish between employees and visitors. 1
a) Your employees wear name tag/ ID card in order to be able to distinguish them from visitors.
2-3-7 There is a system that only persons who need to know confidential information can access it. 1
a) Confidential information is kept in a locker, locked with a key. Not filled
b) The quantity of prototypes is managed and the number of accesses to them is kept at a minimum.
(4) Control for Taking- Bringing PCs, mobile phones with built-in camera, PDAs, music player, recording media (SD card, USB memory), etc into areas where 2
out/Bringing-into of confidential information is handled is prohibited, except for business reasons. Not filled
Confidential a) Permission from a person in charge is required when bringing such items into those areas.
Information/Recordin 2-4-2 A personally-owned PC is not used for business. Also, such PCs are prohibited to be brought into the workplace. 1 Not filled NA
g Media/ PCs, and 2-4-3 A management ledger for recording media/ PCs that are necessary for business is made. 1 Not filled NA
their Disposal. 2-4-4 Rules for taking-out electronic media/ PCs that are necessary for business are established and implemented. 3
Not filled NA
a) In principle, it's prohibited to take out a PC. Hard disk of taken-out PCs are encrypted, multiplex passwords for log in are set.
Confidential information is encrypted, etc.
2-4-5 A procedure for the disposal of paper (documents) on which confidential information is included has been established. 2
a) Confidential documents are shredded, dissolved or burned in an incinerator.
A procedure for the disposal of confidential information and items in which confidential information is embodied such as prototypes has been
a) Items in which design information is embodied are destroyed so that the information can no longer be understood.
b) An NDA (nondisclosure agreement) contract is made with industrial waste disposal contractors.
(5) 2-5-1 When accessing digitized information, individual ID/password are used and a record of the person who accesses confidential information 2 Not filled NA
shared with Our Company is obtained.
2-5-2 There is rules for issuing an ID. 1
a) Users does not share their ID with others. Not filled NA
b) An ID issuing procedure and a person who is in charge of giving permission are determined.
Management of User
IDs and Passwords of 2-5-3 There are management rules for passwords. 1
IT Systems a) Passwords which are not easily predicted are set. They consist of at least 6 digits or longer and include alphanumeric characters.
Not filled NA
b) Passwords are changed periodically. These are made at least once every 30 days.
c) Passwords are kept private.
2-5-4 Management status of IDs is checked regularly. 1
Not filled NA
a) Unused ID, unauthorized ID such as ID issued to resigned staff, temporary ID, etc. are checked.
(6) 2-6-1 Internal networks are separated from external network such as internet by installing router/ firewall. 1 Not filled NA
2-6-2 A procedure has been established for the installation of an IT system. 1 Not filled NA
2-6-3 Controls for IT systems have been established. 2
a) Information is stored on servers instead of individual PCs for business use and security control for servers are conducted.
When storing information from Our Company, please confirm the following b) to g);
b) Laptop PCs are locked away in a drawer or cabinet when the owner is not present.
Control of Installing c) Desktop PCs are wired to firm objects such as desk. Not filled NA
and Discarding d) When taking PC out, data on PC are encrypted in order to prevent leakage of information when stolen.
Information Systems e) While taken out, PCs is carried by the user at all times.
such as PCs and f) Passwords are set for BIOS (starting up PC), OS (logging in Windows) and screen saver.
Servers g) When leaving your desk, your screen is locked or logged off, or setting is made so that the screen is locked if there is no activity for a
certain period (around 5 minutes are recommended).
1 / 2 ページ
Control of Installing
Information Systems 949f28a4-6a96-43e4-bf9e-5aaff9b3613e.xls
such as PCs and Allocate
Servers d Answer Remarks Score
2-6-4 Establishment of Information Security established.
Rules for the disposal/ reuse of IT systems (including exchange due to their failure) have beenManagement Structure 2
Not filled NA
a) These include that all information on the hard disk is completely deleted or physically destroyed.
2-6-5 Servers have been installed in appropriate places where security can be ensured. 1 Not filled NA
2-6-6 Entrance to server management places is restricted.
1 Not filled NA
a) Servers containing confidential information are located in security-managed zones and stored in racks with locked doors or an
equivalent control are applied.
(7) 2-7-1 Countermeasures and rules against computer viruses and malicious programs have been established. 3
Not filled NA
a) A system administrator (or a provider) has properly specified the types and versions of anti-virus software and installed it already.
2-7-2 Countermeasures and rules against computer viruses and malicious programs have been conducted. 2
a) Anti-virus software is permanently installed on each specific PC and fully enabled in an active protection environment.
Not filled NA
b) Pattern files are regularly updated. (more than once a day is recommended).
c) All stored files are regularly scanned. (more than once a week is recommended)
2-7-3 There is a self inspection check sheet and an arrangement to check the implemented situation of anti-virus countermeasures. 1 Not filled NA
2-7-4 Rules are established in order to minimize damage by viruses. 1
Not filled NA
a) Physical approach and how to report/ notice at the time of virus infection are included.
2-7-5 Installing/ using file-sharing software such as Winny / Share are prohibited. 2 Not filled NA
2-7-6 Management regularly confirms that prohibited software is not installed. 2
Not filled NA
a) Checks are made by ISM Manager, or by using an automatic detection tool.
(8) 2-8-1 Rules for backup are established. 2
a) The necessity/frequency of backup for important systems are discussed. Not filled NA
b) Business continuity is secured.
Backup 2-8-2 Backup is regularly implemented according to the rules. 1 Not filled NA
2-8-3 Storage rules are established for backup data and implemented according to the rules. 1
a) Proper management for all backup media for information systems that handle confidential information are confirmed in accordance with
Not filled NA
3 Personnel Controls
(1) 3-1-1 An educational program for information security is established. 1
a) Regarding information security, there is a system for educating all staff (by use of videos, guide books, training, etc.) and there is an actual plan to educate
Information security education for managers, including the organizational managers and project leaders, is provided regularly and an attendance record is
3-1-2 1 Not filled
Information security education for all staff including temporary employees is provided. Your vendors should implement the same information security education for
Information Security their staff. An attendance record is maintained.
Awareness, a) Information security education and regular education are implemented at every opportunity -- when entering a company, being transferred, being promoted, Not filled
and so on.
b) Such education is implemented at the time of acceptance and at other times on later occasions.
3-1-4 A self check sheet for self inspection is prepared and it is implemented by all staff. 2 Not filled
3-1-5 A system to improve nonconformity, based on the results of self check, is established. 1
a) The Manager checks the results of self check, and where any nonconforming items are found, provides instructions for improvement and thereafter records
Rules for clear desks (prohibit leaving confidential documents on desks) and clear screens (introducing a non-display screen and a screen saver with a password
3-1-6 1 Not filled
when leaving his or her desk) are included in the self check sheet.
(2) 3-2-1 An item of confidentiality is included in employment regulations or other rules —a signed document for nondisclosure should be obtained from staff. 1 Not filled
Signed document for 3-2-2 An NDA is obtained from temporary staff when arriving. 1
Not filled NA
confidentiality a) An equivalent confidentiality management to regular employees is implemented and their NDAs are filed in their agency.
obligation from staff 3-2-3 In case of business outsourcing, outsourcing company obtains a signed document for nondisclosure from their staff. 2
Not filled NA
a) An equivalent confidentiality management to regular employees in outsourcing company is implemented and their NDAs should be filed.
4 Information Security Incidents and Accidents Handling
4-1 There is a person in charge of communication/ handling when an accident occurs and an accident reporting structure is established.
a) When a problem related to information security is discovered or danger of its occurrence is felt or when an incident/accident or its trace is discovered, 1 Not filled
immediate reporting structure to Our Company has been established.
Regarding confidential information shared with Our Company, when the problem mentioned above and/ or the incident/ accident are discovered or danger of their
occurrence is felt, there are rules to immediately inform Our Company of it. Not filled
a) A route for reporting and a time limit until reporting have been established, and they are shared with all staff.
4-3 A manual is maintained to clarify procedure when information security incidents occur, highlighting the following points; 1
a) The damage is grasped and emergency measures are taken to minimize effects.
b) The cause is investigated and tentative measures are taken. Not filled
c) Measures are taken to enable related persons to take self defense measure in case of information leakage.
d) If necessary, public relations response/ report to governments is made.
4-4 There are rules for recording details and actions on the incidents when an incident occurs. 1 Not filled
4-5 There is a system to promptly conduct preventive measures against the incident and sharing it with all staff when an incident occurs. 1 Not filled
5 Implementation of Information Security Management
5-1 Contents of self check regarding organizational information security activity have been determined . 3
a) The contents enable you to check whether the rules for information security have been observed. Not filled
b) It also includes items written on a check sheet of the supplementary clause.
5-2 Self check is implemented regularly on an organizational basis. 2
a) The self check is implemented once or more times every six months.
5-3 An improvement plan for nonconforming items based on result of self check is developed. 2
a) An ISM leader set out an improvement plan which includes descriptions, person in charge and timing, and implement it after obtaining approval from Not filled
Total 0 0
2 / 2 ページ