Basic Policy on Information Security
Seven & i Holdings Co., Ltd. and its domestic subsidiaries (hereinafter referred to as "the Group") provide new value and services to customers through a variety of business types such as convenience stores, superstores, department stores, specialty stores, financial services, and e-commerce.
In providing these services, we recognized that the most important management issue is protecting customer information and other information assets held by our Group from various threats, such as unauthorized access and cyberattacks, and ensuring the information security of the entire Group.
The Group has established the Basic Policy on Information Security to ensure that all officers, employees and those who are involved in our business operations deal with the information assets appropriately and use properly, which should enable us to make the best of the information assets and establish our value to society through digital strategies.
Based on the Basic Policy, we will establish an information security management system and make efforts to instill it into all officers and employees through education and training, and also build and continuously improve a management system which meets social demands and environmental changes.
Revised October 1, 2020
Seven & i Holdings Co., Ltd.
President and Representative Director
1. Structure for Information Security
The Group established the Security Management Office under the direct control of the President and Representative Director, which provides each Group company supports to establish the control environment and evaluates them, and strive to enhance and ensure information security among the entire Group under the Information Management Committee.
Moreover, each Group company appoints the General Manager of Information Management who supervise planning, promotion and management of information security, which should ensure the safety of material information including confidential or personal information under its Information Management Committee.
2. Information Security Initiatives
- (1) Compliance
- The Group shall be compliant with the domestic and foreign laws, regulations and contractual obligations which apply to it regarding Information Security, and also strive for compliance with other standards and guidelines related to information security.
The Group shall also establish information security and its related standards to properly implement information security measures.
- (2) Structure for Information Security Management
- The Group shall secure the resources necessary for information security measures and strive to maintain and improve its information security management system.
- (3) Management and Protection of Information Assets
- The Group shall appropriately manage information security based on the risk assessment of information assets. Moreover, the officers and employees of the Group shall not use its information assets for any reason other than the business purpose.
- (4) Human management
- The Group shall periodically educate and train its officers and employees to ensure and raise their awareness of their responsibilities, obligations and penalties for information security.
- (5) Physical access management
- The Group shall implement physical access controls such as locking, monitoring, and access restrictions, depending on the importance of the information assets, in order to protect information assets from threats such as intentional or negligent leakage, theft, falsification and destruction.
- (6) Technical Management
- The Group shall conduct technical measures such as prevention, detection and analysis of information leakage, falsification, loss and destruction caused by vulnerability of access control, development and operation management or the like of information system.
- (7) Ensuring information security of the entire supply chain, including business partners and contractors
- The Group shall strive to understand the information security environment of the entire supply chain including business partners and contractors, and require appropriate information security management.
- (8) Response to information security incidents and accidents
- The Group shall establish structures and procedures, in preparation for information security incidents and accidents, so that it could promptly conduct effective countermeasures in cooperation with relevant parties of inside and outside the Group. The Group shall also respond promptly and appropriately to minimize damage and prevent its recurrence when an information security incident, accident or an event that may lead to such an incident or accident.
- (9) Ensuring Information Security in Business Continuity
- The Group shall establish a business continuity plan for disaster or accident, and strive to ensure information security.
- (10) Obtaining, providing and effective utilization of intelligence related to information security
- The Group shall participate in intelligence and knowledge sharing activities related to information security, and actively obtain and provide intelligence and knowledge. The Group shall also establish an environment to use the intelligence and knowledge gathered effectively.
- (11) Inspection and audit
- The Group shall conduct inspections and audits on a regular basis or on demand to verify that the information security and its related standards are being complied with and that information security measures are appropriate and effective. The Group shall also take corrective action when any problems are detected.
- (12) Continuous improvement
- The Group shall continuously improve its structure for information security management and security measures.
3. Enhancement of Cyber Security Measures
The Group considers that cyberattacks, which are getting more sophisticated and complicated every day, should be a material management risk, and shall strive to build its cyber security measures by building a defense in depth including protection against unauthorized network intrusions and appropriate access control, as well as a structure capable to respond to threats.
- (1) Establishment of a professional organization
- The Group has established a professional organization responsible for cyber security to review security of its information systems and their operations. The Group shall also strive to improve its cyber security measures to prevent security incidents with having vulnerability assessments by a third-party and response to vulnerabilities.
- (2) Education and training
- The Group shall conduct education and training with an assumption of cyber security incidents at ordinary times, in order to respond quickly to cyberattacks and minimize their damage, and shall strive to improve the response capabilities of the professional organization, officers and employees so that its structure for response for incidents and accidents can work effectively.
- (3) Cooperation with external organization
- The Group shall cooperate with external organizations including JPCERT/CC and NCA (Nippon CSIRT Association) to share intelligence and knowledge related to cyberattacks and measures so that it can respond to cyberattacks.