Information Security and Personal Information Protection

Seven & i Holdings positions the appropriate protection and security of information assets handled by the Group as an important priority and social responsibility of its management and operations and as mandatory for all executives and employees. We strictly manage personal information received from customers in particular and take special care to prevent information leaks and other such incidents. Seven & i Holdings and Group companies protect customer information and other information assets possessed by the Group from various threats, including illegal access and cyberattacks. The Group as a whole recognizes that ensuring information security is an important issue in terms of both management and business.
Seven & i Group has built information security management and personal information protection systems so that all executives and employees and all parties involved in our operations handle information assets appropriately and use them properly. These systems are disseminated to all executives and employees through education and training. In addition, we have established a management system that responds to environmental changes caused by social requirements, compliance, cybersecurity, and so on. We endeavor to appropriately manage and protect personal information and other information assets and are making continuous improvements.

Development of Information Security Management System

To make the security departments, which previously were located in systems departments, independent from business execution, we newly established the Security Management Office directly under the control of the representative director of Seven & i Holdings as a body to oversee the entire Group’s security. As well as revising the Basic Policy on Information Security, Basic Policy on Personal Information, and attached rules and guidelines, which are the Group’s common guiding principles, this office strengthens security as a whole by, among other things, supporting Group companies in building information security management systems (ISMSs), fostering security-related human resources through educational programs and so on, and bolstering monitoring functions.
In addition, based on the Group Information Management Committee operated by Seven & i Holdings, we promote safety and security throughout the entire Group by collaborating with the Information Management Committees of Group companies to raise awareness of security among all executives and employees and to further instill security through the special subcommittees under them.
The Information Management Committees at the Group companies appoint officers responsible for information management to supervise planning, promotion, and management relating to information security and ensure the reliability of personal information and other important information from the perspectives of both compliance and security.
At present, the building of internal control through ISMSs is making headway in the Group companies, and main sites handling customer information are making efforts to acquire ISO 27001 certification, which is an international standard, and to further strengthen security through outside screening. Under the overall setup, we have established Group-wide reporting lines, such as the Guidelines for Reporting Significant Events. If an incident or suspected incident regarding information security were to occur, we can guarantee the reliability of information transmission and would endeavor to make a swift response.


Information security management system

Employee Training to Raise Awareness of Information Security and Cyber Security

Seven & i Holdings believes that to ensure the appropriate handling of personal information and confidential information in daily work, it is necessary for every executive and employee to understand the importance of information security, to raise their awareness of information security, and, on top of that, to have the knowledge required for accurate judgement and conduct.

Seven & i Holdings implements security education through e-learning several times a year at three levels (for directors, for managers, and for general staff) according to their respective job responsibilities so that they can respond properly to information security and cybersecurity threats. We also disseminate this teaching material to the Group companies so that all executives and employees in Seven & i Group can have the same level of knowledge.

In addition, we have opened an educational portal site with materials that can be quoted in manuals, meetings, etc. on information security, personal information protection, and so on, as well as a security video that can be borrowed. We are endeavoring to raise awareness so that all executives and employees can think and act for themselves.

Targeted Email Attack Training

The threat of cyberattacks by means of targeted email attacks is increasing day by day. Regular training is essential for all executives and employees to be able to respond properly if they come under attack. At Seven & i Holdings we send multiple patterns of mock email to all executives and employees and strengthen their ability to respond through actual experience of how to discern suspicious email and how to respond should such email be received.

Strengthening of Cybersecurity Countermeasures

Seven & i Holdings has positioned cyberattacks, which are becoming more advanced and more sophisticated by the day, as a serious management risk and is endeavoring to strengthen cybersecurity countermeasures, including the building of a multitiered defense network to guard against illegal hacking into networks and to conduct proper access control, etc.; the establishment of a setup capable of responding to threats; the education and training of human resources; and collaboration with outside professional bodies.

(1) Establishment of special organization
As a special organization to handle cybersecurity, we have set up the 7&i Computer Security Incident Response Team (7&i CSIRT) to undertake security reviews of the information system and its operation and to promote cybersecurity countermeasures for the prevention of security incidents, such as vulnerability diagnosis by a third-party body, monitoring of illegal access, and vulnerability response.

(2) Education and training
One or more times a year we implement education and training that assume a cybersecurity incident or accident so that if a cyberattack or the like does occur, we can respond swiftly and appropriately and minimize the damage. By thus improving the response capability of the special organization and all executives and employees, we ensure that our response setup and response measures against incidents and accidents function effectively.

(3) Outside collaboration
In order to be able to respond speedily to cyberattacks and so on, we collaborate with such outside organizations as the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) and the Nippon CSIRT Association, sharing information with them on cyberattacks, countermeasure trends, etc.