Information Security Management
Policy Related to Information Security
Shiseido has established the “Shiseido Group Information Security Policy”, which applies to all persons working in the Shiseido Group, to protect and maintain the essential information assets held by the Group’s business sites through robust information security. Under this Group-wide basic policy, we manage and operate our information assets. Employees receive continuous education on information security, including annual e-learning training.
Policy Related to Protection of Personal Information
Shiseido deeply recognizes the importance of personal information acquired through business and other relevant activities and considers it a social responsibility to thoroughly protect such information. Therefore, we have established the “Shiseido Group Privacy Rule” to which all employees of the Shiseido Group should adhere. All companies in the Shiseido Group endeavor to ensure the protection of personal information.
Information Security Management Systems
(1) Management structure
The Shiseido Group has established information security management systems, and a Chief Information Security Officer (CISO) has been appointed to head them. The CISO assumes overall responsibility for the handling of information assets and information systems, and plans and implements information security strategies and initiatives in communication with the management team.
The CISO also supervises the information security management activities carried out by each Group company. These activities cover the development and enforcement of rules and guidelines on confidential information control, personal information protection, information system management and information security measures; the implementation of safeguards; and training, education and awareness programs. The heads of offices, departments and affiliates in Japan are appointed as information security managers responsible for implementing information security initiatives in their respective organizations. At each regional headquarters outside Japan, an information security contact has been designated to communicate regularly with the CISO, so that efforts to maintain and improve the Group’s overall information security activities continue without interruption.
Shiseido Information Security Management
(2) Development of policies and rules
To promote information security management, we have formulated the Shiseido Security Framework with reference to several major guidelines: the ISO 27001 international standard for information security management systems, the NIST Cybersecurity Framework and NIST Special Publications, and the Center for Internet Security Critical Security Controls (CIS Controls).
To put the Framework into practice, a range of more specific guidelines and rules have been created. These include the above-mentioned “Shiseido Group Information Security Policy” and “Shiseido Group Privacy Rule”, in addition to rules and regulations regarding information asset handling/management and information system development, operation and management. We are working to promote compliance with these guidelines and rules on a global scale by encouraging the engagement of overseas offices.
To ensure information security in activities involving external business partners, we ask them to observe the Shiseido Group Supplier Code of Conduct (PDF), which includes requirements for the proper handling of confidential information and the protection of personal information. When outsourcing operations that involve personal information, we verify the information management capability of prospective service providers in advance.
Establishment of information security-related rules
Information Security Enhancement Initiatives
(1) Employee training/education/awareness
The Shiseido Group conducts information security e-learning programs on a regular basis to maintain and improve employee awareness. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of information security management in our personnel from the time they start with the Group.
To keep employees updated about information security issues, the latest information is posted on our internal portal site and sent to the entire workforce via e-mail.
Training for all employees
(2) Information security audit/vulnerability check
At the Shiseido Group, we ensure the proper handling of information assets and the implementation of appropriate information security measures in information system development, operation and management. Information system and operational audits are performed at all offices, departments and affiliates, and the remediation of any issue detected is supervised.
We also periodically perform vulnerability checks on information system infrastructure and application programs; where vulnerabilities are detected, instructions and remediation advice are provided to the responsible organization.
(3) Information security incident response
At the Shiseido Group, the information security department responds to information security incidents and emergencies. It takes the necessary actions in cooperation with the risk management and information system departments, depending on the impact of the specific situation. The information security department works to improve its emergency response capabilities by organizing periodic drills (more than twice a year, provided by the Nippon CSIRT Association, a forensic service provider and others) and by revising the relevant sections of the response manual based on issues revealed through such drills.
Shiseido has registered its incident response team (Shiseido CSIRT) with the Nippon CSIRT Association in order to share information with relevant agencies and with counterpart teams at other companies.
(4) Third-party assessment
To verify that the Shiseido Group’s information security initiatives and management systems are being practiced appropriately, the information security department is subject to periodic third-party assessment performed by the Group’s audit department and by external assessment services engaged by that department. Issues and challenges identified in each assessment are used to develop information security strategies and initiatives.