
Information Security Management

1. Policy Related to Information Security

The Shiseido Group (hereafter “Group”) has established the “Shiseido Group Information Security Policy”, which applies to everyone working in the Group, in order to protect and maintain the essential information assets held by the Group’s business sites through robust information security. Under this Group-wide basic policy, we manage and operate our various information assets.

2. Information Security Management Systems

(1) Management structure

The Shiseido Group has established information security management systems headed by the Chief Information Security Officer (CISO). The CISO assumes overall responsibility for the handling of information assets and information systems, and plans and implements information security strategies and initiatives while communicating with the management team. In the Shiseido Group, the Chief Financial Officer (CFO) has ultimate responsibility for information security.
The CISO also supervises the activities carried out by each Group company to promote information security management. These activities include developing and enforcing rules and guidelines on confidential information management, information systems management and information security measures; installing safety measures; and providing training, education and awareness programs.
The heads of offices, departments and affiliates are appointed as Information Managers, responsible for implementing information security initiatives in their respective organizations. At the regional headquarters outside Japan, information security contacts have been designated to communicate regularly with the CISO and the HQ Information Security department, ensuring continued efforts to maintain and improve the Group’s overall information security activities.

Shiseido Information Security Management


(2) Development of policies and rules

Structure of Information Security Rules

3. Information Security Enhancement Initiatives

(1) Employee training/education/awareness

The Shiseido Group regularly conducts information security e-learning programs and group sessions to raise employees’ awareness and knowledge of information security. New graduate and mid-career hires receive guidance during orientation sessions so that the importance of information security management is instilled in our personnel from the time they join the Group.
To keep employees updated on information security issues, the latest information is posted on our internal portal.

(2) Promotion of security by design

(3) Monitoring activities

At the Shiseido Group, we ensure that information assets are handled properly and that appropriate information security measures are applied to the development, operation and management of information systems. Audits of information systems and related operations are performed on a risk basis, and remediation of any issue detected is supervised through to completion.
We also periodically perform vulnerability checks on information system infrastructure and application programs; where vulnerabilities are detected, instructions and improvement advice are provided. In addition, we continuously monitor information security using external threat intelligence services.
For business partners to whom we outsource important operations, we regularly check their information security management systems even after contracts are concluded.

(4) Information security incident response

At the Shiseido Group, the Information Security department responds to accidents and emergencies involving information security. It takes the necessary actions in cooperation with the Risk Management and Information Systems departments, depending on the impact of the specific situation. The Information Security department works to improve its emergency response capabilities by organizing periodic drills (held more than twice a year by several organizations, including the Nippon CSIRT Association and a forensic service provider) and by revising the relevant sections of the response manual based on issues revealed through such training.
Shiseido is registered with the Nippon CSIRT Association (as Shiseido CSIRT) in order to share information with relevant agencies and with counterpart departments at other companies.

Establishment of information security-related rules


(5) Third-party assessment

To verify that the Shiseido Group’s implementation of its information security initiatives and management systems is appropriate, we enlist external experts to conduct an assessment as necessary. Issues and challenges identified through the assessment are then taken into account when developing information security strategies and initiatives.