Sustainability
Information Security
1. Policy and Basic Concept
Information and Data Security
- We aim to reduce and avoid information and data security risks by taking a structured approach to ensure a high level of information security. The Information Security Policy is communicated to all of our executives and employees and serves as the overarching policy that guides our information management initiatives. We have also established the Basic Information Management Rules, which include a code of conduct specific to information and data security with which our executives and employees must comply. More specifically, rules and standards are strictly set regarding information management risk management, personal information protection and management, document management and IT security to prevent information leakage and breaches.
Personal Information Protection
- Based on our code of conduct, we have established a policy to protect personal information and specific personal information, which should be observed by all organizations and individuals involved in our operations, including business partners. We thoroughly protect and manage information. We also make sure to comply with laws and regulations and protect all personal data, including in terms of privacy.
2. Organization and Systems
- The Risk Management Committee, an advisory body to the Board of Directors, manages risks across our entire group and sets the policies for measures against them in our company. It submits its determinations to the Board of Directors. The Board of Directors then votes on the final policy.
- We have an Information Security Committee as a dedicated board-level committee to ensure unified information security across the entire group and to formulate policies for responding to cyber incidents. The Chairman of this committee is the Chief Risk Officer (CRO), who also chairs the Risk Management Committee. The Director responsible for Corporate Planning, CIO, CISO, CCO, head of the Information Crisis Management Division, CSIRT, Legal & Compliance Division, and Risk Management Division participate as committee members. This committee collaborates with the information security management officers of each division, subsidiary and affiliate to accurately assess the state of information security management and to rapidly implement various measures to strengthen information security across the entire group.
3. Initiatives
Establishment of an Information Security Management System (ISMS)
- The Company has established an ISMS in accordance with the international standard ISO 27001 and implements the following initiatives.
- Establishment of a reporting structure
Procedures for reporting and escalating incidents and other matters are documented and centrally managed by the Security Committee.
- Vulnerability assessment
The Company collects vulnerability information, investigates the scope of impact, and prepares countermeasures.
- Internal audit
The Company audits the operational status of the ISMS and works toward continuous improvement.
- External Audit
In addition to the above initiatives, independent third-party audits are conducted in accordance with ISO 27001 to verify whether information security management is being appropriately implemented and operated, including compliance with various policies such as the Information Security Policy, Personal Data Guidelines, and Privacy Policy.
Preventive Measures
- Cybersecurity Measures
- 24-hour monitoring with the Security Operation Center (SOC)
- Information Provision and Training for Employees
- We provide training to all our employees twice a year so that they can respond to targeted e-mail attacks
- We are strengthening communication to improve the literacy of our employees and foster awareness among them about cybersecurity (Security News, etc.)
- We have opened the Cyber Security Portal on our intranet to showcase the latest trends and examples in cybersecurity
Incident Response
- Introduction of CSIRT (Computer Security Incident Response Team)
- We have established the BELL-CSIRT division as a specialist organization under the Chief Information Officer (CIO) to respond promptly to incidents such as information leaks and cyberattacks. Additionally, we have established incident response procedures based on the scale and severity of the damage, enabling us to immediately implement incident response (root cause investigation, countermeasure planning, service restoration) and recurrence prevention measures.
4. Information Security Management System (ISMS) Certification
- We have obtained certification for the international standard of the Information Security Management System (ISMS) through audits conducted by BSI Group Japan K.K., as detailed below. All employees involved in the operations covered by the scope of this certification will continue their efforts to maintain and enhance information security management.
- The scope of ISMS certification covers the overall business operations of BELLSYSTEM24, Inc., including the provision of CRM/BPO solution services and CRO services, as well as the design, development, operation, and maintenance of systems related to the provision of CRM/BPO solution services and CRO services. In addition, the certification scope also includes the recruitment and labor management of communicators at the company.
| Applicable standard | ISO/IEC27001:2022 |
|---|---|
| Certification registration body | ISMS Accreditation Center (ISMS-AC), ANSI-ASQ National Accreditation Board (ANAB) |
| Certification Body | BSI Group Japan K.K. |
| Certification registration number | IS 581337 |
| Scope of registration | |
| Date of initial registration | 2003/5/19 |
| Date of last update | 2025/2/24 |
| Expiration Date | 2027/2/12 |
| Review Frequency | Maintenance Reviews Annually and Renewal Reviews Every Three Years |