Information Security Policy
ORIX Group recognizes that risks related to information security are important management issues and strives to manage information assets securely by establishing this information security policy and by protecting "information" appropriately.
Information security is the protection of information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccuracy, inaccessibility and damage, or the absence of due care in its protection.
These risks come from threats such as external attacks (cyberattacks), intentional or accidental insider human acts, and natural disasters.
"Information Assets" contain "information" and all “business processes” and "information systems" that handle information. And “Information" includes that recorded on paper or media too.
“Information” is of vital importance to ORIX Group and therefore securing our technology to protect our customer, employee and ORIX Group information is a top priority.
The business processes rely on information that has an appropriate level of
- Availability, ensuring that information is available when required.
- Integrity, safeguarding the accuracy and completeness of information.
- Confidentiality, ensuring that information is accessible only to those authorized to do so.
Continuity, authenticity and nonrepudiation are important characteristics for certain information. If information is affected, either by accident or intentionally, ORIX Group may suffer financial, operational or reputation loss. For this reason, ORIX Group is committed to identifying and controlling information security risks.
Information security is a responsibility of all employees, contractors and employees of external parties that provide services to ORIX Group. Information security is achieved by implementing a suitable set of controls and behaviors focused on people, processes and technique. The implemented set of controls reflects the way ORIX works internally and also contributes to the quality of (information) services to customers. Controls are established, implemented and improved where necessary.
Information Security Principles
Information security is an integral part of the control environment of ORIX Group and integrated into strategy, concept, design, implementation, operation and monitoring. Effective information security requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with the information security policy & standards. The following principles provide guidance and direction to
- －Define the security strategy.
- －Design the information security policy.
- －Select the appropriate information security standards.
- －Connect with ORIX Group employees who constitute the resilient organization.
- －Answer security related questions with an unambiguous answer.
- Security and stability are embedded in the design and throughout the complete life cycle of IT systems and services.
- Each employee is responsible for secure way of working and the protection of sensitive information.
- Security measures reduces security risk to an acceptable level and are proportionate to the related risk.
- Security controls are applied using a risk-based approach, and Security measures are applied the unique nature of the specific business, the regulatory controls imposed and nature of specific threats and the management's risk appetite towards them are all considered.
- Security policy is clear & practicable, enables a secure way of working and complies with law & regulations.
- Security policy includes new developments and actual insights and is appropriately modified.
- By timely anticipating on new security threats, actual insights and security developments and the use of good market and industry practices an optimal level of security is maintained.
- The impact and occurrence of security incidents are kept within ORIX's risk appetite levels.
- ORIX communicates open, transparent and in confidence with relevant stakeholders about security and expects the same transparency and confidentiality from their stakeholders.
- ORIX follows security developments pragmatically, teams up with peers and makes use of internationally recognized good security practices.
This information security policy has been approved by the Executive Committee of ORIX Corporation in May 2021.
Latest Modified：May 7, 2021