Information Security
The information on this page is current as of October 1, 2023.
INDEX
Third-party Certification
The Company and its subsidiaries shall undergo an annual third-party audit of all business operations and continue to obtain certification under the international ISMS standard ISO/IEC 27001:2013 as well as the Japanese domestic standard JIS Q 27001:2014.
Information Security Management System
To ensure the information security of the Group (including all consolidated subsidiaries), we have established an information security management system that conforms to the requirements of third-party certification standards.
At least once a year, the Board of Directors shall discuss how to address issues related to information security in the Group, as well as plans and progress in information security.
The Audit & Supervisory Committee, which consists of independent outside directors, recognizes various issues related to information security in the Group as risks and shall request reports from business execution divisions as appropriate.
The Risk Management Committee, which implements integrated risk management, is led by the President and Chief Executive Officer and meets at least four times a year to identify and assess risks, including information security, for the Company and all consolidated subsidiaries. Each departmental manager in charge is responsible for responding to significant risks. In addition, the Risk Management Committee reports four times a year to the Board of Directors on the status of the Company’s response to significant risks.
The Internal Audit Office conducts internal audits on information security on a regular basis and reports the results to the Audit & Supervisory Committee once a year.
Security Education and Training
In order to ensure that information security is maintained in daily operations without the need for constant awareness, we shall conduct personal information protection and information security training for all employees at least once a year. In addition, we define roles and competencies by job level and conduct training to acquire the skills required at each level.
| Trainees | All employees (including temporary and outsourced employees) who access the internal network, regardless of their employment status. |
|---|---|
| When joining the company | e-learning-based security training is conducted. |
| After joining the company | e-learning-based security training and compliance training is conducted periodically. |
Personal Information Protection
Policy
The Group appropriately manages the personal information in its possession based on its Privacy Policy, Action History Information Protection Policy and Service Terms of Use.
Handling of Requests Regarding Personal Information
When we receive a request from an individual to disclose personal information we hold pertaining to them, or to make amendments, additions or deletions to that information, or to cease use, erase said information or cease providing said information to third parties, we will respond appropriately and promptly.
Conduct of PIA(Privacy Impact Assessment)
Based on the “Basic Rules for Data Protection,” we conduct a PIA(Privacy Impact Assessment) as a preliminary evaluation to ensure that the services and systems provided by us are sufficiently protective of users’ privacy. In addition, a team DPO (Data Protection Officer) has been established to comprehensively monitor and advise on the purpose and use of data obtained from users, and this team is in charge of PIA evaluation and review.