Seven & i Holdings positions the appropriate protection and security of information assets handled by the Group as an important priority and social responsibility of its management and operations and as mandatory for all executives and employees. We strictly manage personal information received from customers in particular and take special care to prevent information leaks and other such incidents.
Seven & i Holdings anticipates that points of contact with customers will further increase through our Omni-Channel Strategy. In light of this, just as with food safety, initiatives to ensure the safety and security of information assets themselves constitute the foundation that will support the strategy.
Seven & i Holdings has established the Basic Policy on Information Security and the Basic Policy on Protection of Personal Information to promote the appropriate protection and use of customer information (personal information) acquired through Omni-Channel initiatives and to further promote safe and secure business operations, and we have obtained ISMS certification (ISO 27001) for our information security management system. Through the implementation of a PDCA cycle for our ISMS, we continue to develop a high-level information security system. We have also acquired PCI DSS certification, a global security standard for payment card data, for our Omni-Channel system. The goal is to ensure the safe handling of credit card information in particular, as well as business partners’ information.
Information security is also regarded as an important risk, and we have established the Information Management Committee to analyze, assess, and address this risk. We develop our management systems based on these activities. Specifically, we are working to strengthen information management and security by establishing information security standards to be met across the Group and by having Group companies develop their systems in accordance with the PDCA cycle method prescribed by ISMS certification.
Information security management system
Seven & i Holdings conducted information security training through e-learning and group training programs for all executives and employees of the Group companies in order to raise awareness of information security and cyber security. Training in the fiscal year ended February 29, 2016 focused on internal fraud, and training in the fiscal year ended February 28, 2017 focused on targeted cyberattacks. We also provide educational tools for use in morning meetings and departmental meetings to encourage education within departments. All employees sign a confidentiality pledge at hiring and at retirement, which also raises awareness of information security.
In employee training through daily operations and regular meetings, all employees are told to promptly report, communicate, and consult about any problem that occurs with the person responsible for information management in their division, and in e-learning and group training as well, employees are trained to report suspicious occurrences immediately. Reporting lines to upper management have been established according to the severity of the occurrence. We have also created Reporting Guidelines for Significant Events. When a significant event occurs that could potentially impact the entire Group, there are two reporting lines: an internal line, graded by severity level, for reporting to upper management at the Group company where the event occurred, and a line for reporting the incident to the Information Management & Security Department and upper management of Seven & i Holdings. By establishing these two reporting lines, we strive to ensure both the accuracy of the information conveyed and the promptness of our response.
Seven & i Holdings has established the 7&i Computer Security Incident Response Team (7&i CSIRT) to respond to external cyberattacks and minimize their impact and potential damage, particularly from a technical standpoint. The team carries out prompt and appropriate containment and other measures in response to information security incidents in an organized manner.
In addition, when the 7&i CSIRT judges an information security incident to be a major incident (based on the extent of damage, etc.), a response system is in place for mobilizing the 7&i Security Incident Response Team (7&i SIRT), which decides on and carries out emergency response measures, standard response measures for system recovery, and externally directed actions, in particular how the incident is to be disclosed. A test of the response system is conducted annually.