Information Security
1. Policy and Basic Concept
Information and Data Security
- We aim to reduce and avoid information and data security risks by taking a structured approach to ensure a high level of information security. The Information Security Policy is communicated to all of our executives and employees and serves as the overarching policy that guides our information management initiatives. We have also established the Basic Information Management Rules, which include a code of conduct specific to information and data security with which our executives and employees must comply. More specifically, rules and standards are strictly set regarding information management risk management, personal information protection and management, document management and IT security to prevent information leakage and breaches.
Personal Information Protection
- We have established a policy for protecting personal information and specific personal information, to be observed by all organizations and individuals involved in our operations, based on our code of conduct. We thoroughly protect and manage information. We also make sure to comply with laws and regulations and protect all personal data, including in terms of privacy.
2. Organization and Systems
- The Risk Management Committee, an advisory body to the Board of Directors, manages risks over our entire group and sets the policies for measures against them in our company. It submits its determinations to the Board of Directors. The Board of Directors then votes on the final policy.
- We have a Security Committee to ensure unified information security across the entire group concerning information assets and to formulate policies for responding to cyber incidents. The Chairman of this committee is the Chief Risk Officer (CRO), who also chairs the Risk Management Committee, an advisory body to the Board of Directors. Additionally, the CIO, CISO, heads of the Information Crisis Management Division, BELL-CSIRT, Legal & Compliance Division, and Risk Management Division participate as committee members. This committee collaborates with the information security management officers of each division, subsidiary and affiliate to accurately assess the state of information security management and to rapidly implement various measures to strengthen information security across the entire group.
3. Initiatives
Preventive Measures
- Cybersecurity Measures
  - 24-hour monitoring with the Security Operation Center (SOC)
- Information Provision and Training for Employees
  - We provide training to all our employees twice a year so that they are able to respond to targeted e-mail attacks
  - We are strengthening communication to improve the literacy of our employees and foster awareness among them about cybersecurity (Security News, etc.)
  - We have opened the Cyber Security Portal on our intranet to showcase the latest trends and examples in cybersecurity
Incident Response
- Introduction of CSIRT (Computer Security Incident Response Team)
  - We have established the BELL-CSIRT division as a specialist organization under the Chief Information Officer (CIO) to respond promptly to incidents such as information leaks and cyberattacks. Additionally, we have established incident response procedures based on the scale and severity of the damage, enabling us to immediately implement incident response (root cause investigation, countermeasure planning, service restoration) and recurrence prevention measures.
4. Information Security Management System (ISMS) Certification
- We have obtained certification for the international standard of the Information Security Management System (ISMS) through audits conducted by BSI Group Japan K.K., as detailed below. All employees involved in the operations covered by the scope of this certification will continue their efforts to maintain and enhance information security management.
| Applicable standard | ISO/IEC27001:2022 |
|---|---|
| Certification registration body | ISMS Accreditation Center (ISMS-AC), ANSI-ASQ National Accreditation Board (ANAB) |
| Certification Body | BSI Group Japan K.K. |
| Certification registration number | IS 581337 |
| Scope of registration | |
| Date of initial registration | 2003/5/19 |
| Date of last update | 2025/2/24 |
| Expiration Date | 2027/2/12 |
| Review Frequency | Maintenance Reviews Annually and Renewal Reviews Every Three Years |