Seven & i Holdings positions the appropriate protection and security of information assets handled by the Group as an important priority and social responsibility of its management and operations and as mandatory for all executives and employees. We strictly manage personal information received from customers in particular and take special care to prevent information leaks and other such incidents.
Seven & i Holdings anticipates that points of contact with customers will further increase through our Omni-Channel Strategy. In light of this, just as with food safety, initiatives to ensure the safety and security of information assets themselves constitute the foundation that will support the strategy.
Seven & i Holdings has established the Basic Policy on Information Security and Basic Policy on Protection of Personal Information to promote the appropriate protection and use of customer information (personal information) acquired through Omni-Channel initiatives and further promote safe and secure business operations, and we have obtained ISMS certification (ISO 27001) for information security management systems. Through the implementation of a PDCA cycle for our ISMS, we continue to develop a high-level information security system.
Information security is also regarded as a type of risk, and we have established the Information Management Committee to analyze, assess and address this risk. Development of a management system based on this is conducted by the Information Management & Security Office.
Seven & i Holdings has established the 7&i Computer Security Incident Response Team (7&i CSIRT) to respond to external cyber attacks and minimize their impact and potential damage, particularly from a technical standpoint. The team conducts quick and appropriate containment and other measures in response to information security incidents in an organized manner.
In addition, when an information security incident is judged to be a major incident by the 7&i CSIRT (based on the extent of damage, etc.), a response system has been built whereby the 7&i Security Incident Response Team (7&i SIRT) is mobilized to decide on and carry out emergency response measures, standard response measures for system recovery, and externally directed actions in particular, such as how the incident is to be disclosed.
Seven & i Holdings conducts security training through e-learning and group training programs for the Group's approximately 100,000 executives and employees twice a year in order to raise employee awareness of information security and cyber security. Training in the fiscal year ended February 29, 2016 was on the theme of internal fraud, and in fiscal 2016 it is scheduled to focus on targeted cyber attacks. All employees sign a confidentiality pledge at hiring and at retirement, which also raises awareness of information security. In the fiscal year ended February 29, 2016, there were no information security violations or other cyber security incidents.
In employee training through daily operations and regular meetings, employees are told to promptly report, communicate, and consult on any problems that may occur, and in e-learning and group training as well, employees are trained to immediately report suspicious occurrences. Reporting lines to upper management have been established depending on the severity of the occurrence. We have also created Reporting Guidelines for Significant Events, and when a significant event occurs that could potentially impact the entire Group, there is a reporting line depending on the severity level for reporting to upper management at the Group company where it occurred. There is also a reporting line for reporting the incident to the Information Management & Security Office and upper management of Seven & i Holdings. Creating these two reporting lines helps to ensure the accuracy of information conveyed and the promptness of our response.