Information Security

Information Security at ORIX and Information Security Governance Structure

ORIX recognizes that risks related to information security are an important management issue, and strives to ensure appropriate protection of information and safe management of information assets. These ideas and policies on information security are stipulated in the Information Security Policy. We established information security management rules as internal regulations, which stipulate appropriate use of information and information systems by officers and employees, as well as information security management systems, basic policies, and management standards.

Information Security Governance Structure

Compliance with International Standards and Security Rating Services

ORIX’s information security controls conform to the following international standards and frameworks: ISO 31000, ISO/IEC 27001, COBIT, and NIST.

Information Security Management Policies

In order to manage information security risks, ORIX has established an information security standard and a set of minimum security standards.
The information security standard defines 16 management domains and, for each domain, the management practices needed to achieve a defined level of security. Each company and department in the ORIX Group selects and applies these measures according to its own risk profile, taking into account the nature of its business, the information it holds, the threats it faces, and regulatory expectations.
The minimum security standards, in turn, single out 14 management policies from within the information security standard that every ORIX Group company, in Japan and overseas and regardless of size, must implement.

Response to Information Security Incidents

The CSIRT of each ORIX Group company and department establishes a reporting system and procedures for responding to information security incidents and conducts drills in accordance with the reporting procedures. In the event of an incident, the CSIRT of each ORIX Group company and department shall respond to the incident with the support or instructions of the Information Security Control Department. In addition, a communications framework has been established, whereby (depending on the seriousness of the incident) the status of response, measures to prevent recurrence, and improvement measures are reported to the CEO and the Executive Committee.

Cyber Security Training

Cyber security training is available to all Group officers and employees throughout the year. In the fiscal year ended March 31, 2023, 30,689 people received training.