Information Security / Personal Information ProtectionInformation Security / Personal Information Protection

Information Security

Management strategies call on the Company to focus on environmental, social and governance factors in strengthening management foundations. Governance is a focus of these efforts and a task with respect to which we have declared a commitment to rigorous compliance and information security.
In response to the recent proliferation of cybersecurity incidents, including unauthorized access to information, internal information leaks, and other threats, the entire Group is committed to working as one to ensure data security and to safeguard confidential information concerning or belonging to customers and business partners.

Information Security Management Structure

Responses to organization-wide risks, including those related to information security, are examined at Board of Directors meetings and at a monthly Group Management Conference. In addition, we have established a security team in the Information Systems Division to respond to day-to-day security incidents, revise regulations and guidelines, and promote organization-wide and technological countermeasures to risks.

Establishment of Regulations on Information Security

Fundamental policies and management structures for business execution risks affecting the Group are stipulated by risk management regulations. These regulations guide our efforts to establish, promote awareness of, and thoroughly implement clear policies and rules on the handling of information assets.

Auditing Structure

The Internal Audit Office conducts audits of compliance with regulations and rules, and appropriate improvements are implemented.

Improvement of Information Security Literacy Throughout the Organization

The Company provides employees with training and education on information security to ensure that they take information security into consideration when conducting operations. Ongoing efforts in this area include information security training that is provided when employees join the Company and periodically thereafter, training on responses to targeted email attacks, and Companywide awareness-raising and individual guidance in response to incidents.

Technological Measures for Information Security

The Company undertakes comprehensive measures to ensure the confidentiality, integrity, and availability of information assets. Each business site deploys identification cards, fingerprint recognition, and facial recognition to implement physical management of confidentiality. Intruders are promptly identified by an alert system. Backbone systems are monitored to prevent internet-based intrusion. In addition, systems are in place to detect unauthorized alteration of server data. An integrated management system for information devices allows the Company to automatically apply administrator-controlled policies, apply security patches in a timely manner, and utilize deep learning technology-enabled anti-malware software that prevents information leaks.

Acquisition of Third-Party Certification

The Company and some of its subsidiaries are authorized to use the PrivacyMark because they have been certified as companies that appropriately handle personal information. Further, S-Pool Glocal, Inc., a subsidiary whose businesses include business process outsourcing in relation to the operation of call centers for municipal authorities, has earned certification for its information security management systems under the ISO 27001 international standard.

Protection of Personal Information

The Group uses appropriate methods to collect customers’personal information, complies fully with the Act on the Protection of Personal Information and other applicable laws and regulations, and appropriately protects, stores, and manages such information. Through its website, the Company discloses its Personal Information Protection Policy and Handling of Personal Information. In addition, when collecting information directly through its website or by other means, the Company clearly indicates the purposes of use and obtains the consent of users beforehand. The Company strictly manages such information in accordance with basic policies.