Information Security Management

The Shiseido Group (hereafter “Group”) establishes “Shiseido Group Information Security Policy” for all people working in the Group to protect and maintain various essential information assets owned by business sites of the Group by setting robust information security. Under this Group-wide basic policy, we strive to manage and operate various information assets.

In the Shiseido Group, the Chief Information Technology Officer (CITO), the representative executive officer, is responsible for the establishment of the information security management system. More so, the CITO has authority over and is responsible for the establishment and operation of regulations related to confidential information management, data protection, and security measures for information systems, as well as the implementation of safety measures and education and training. In addition, the head of the Information Security Department is responsible for promoting and implementing these measures. Thus, the Chief Executive Officer (CEO) is ultimately responsible for information security.

The representative of each regional headquarter, as the chief administrator for the handling of information assets and systems in the region, is responsible for overall information security, including confidential information management, data protection, security measures on information systems, and education and training. Information security contacts have been appointed in each region, and they are working to maintain and improve the Group’s overall information security activities in cooperation with HQ.
The heads of departments of each Group company confirm the protection and management of information assets handled in their departments on a regular basis, provide education and training to employees, and respond to security incidents.

The Shiseido Group conducts information security e-learning programs and group sessions on a regular basis to help employees increase their awareness and knowledge of information security. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of information security management in our personnel from the time they start with the Group.
To keep employees updated on information security issues, the latest information is posted on our internal portal.

The Shiseido Group has developed internal systems and processes that enable the Information Security department to be involved in the development of new business or services from scratch so that necessary information security measures can be taken at the planning/designing stage.

At the Shiseido Group, when outsourcing work that involves the handling of personal information as defined by the laws and regulations of each country or region, the handling of confidential information as defined by the Policy and Rules of the Shiseido Group, or operations that are considered to be significantly related to the business continuity and quality of goods and services of the Shiseido Group, we appropriately manage and supervise the third parties to ensure the information security of the outsourced work.

At the Shiseido Group, we ensure the proper handling of information assets as well as the implementation of appropriate information security measures for information systems development, operation, and management. Assessment on information systems and related operations are performed on the risk basis, where supervision is conducted over improvements to any issue detected. We also conduct security assessments of the factory system environment as needed to ensure information security in production activities.
Also, we periodically perform vulnerability checks on information system infrastructures and application programs, and if vulnerability issues are detected, instructions and improvement advice are provided. In addition, we constantly monitor information security using external threat intelligence services.
For business partners to whom we outsource important operations, we regularly check their information security management systems even after contracts are concluded.

To verify that the Shiseido Group’s implementation of its information security initiatives and management systems are appropriate, we enlist external experts to conduct an assessment if necessary. Issues and challenges identified through the assessment are then considered to develop information security strategies and initiatives.