The Shiseido Group (hereafter “Group”) has established the “Shiseido Group Information Security Policy,” which applies to all people working in the Group, in order to protect and maintain the essential information assets held by the Group’s business sites through robust information security. Under this Group-wide basic policy, we manage and operate our various information assets.
The Shiseido Group has established information security management systems, and the Chief Information Security Officer (CISO) has been appointed to head them. The CISO assumes overall responsibility for the handling of information assets and information systems and engages in the planning and implementation of information security strategies and initiatives while communicating with the management team. In the Shiseido Group, the Chief Financial Officer (CFO) has ultimate responsibility for information security.
The CISO also supervises the activities carried out by each Group company to promote information security management. Those activities are related to the development and enforcement of rules and guidelines regarding confidential information management, information systems management and information security measures, installing safety measures, and providing training/education/awareness programs.
The heads of offices, departments, and affiliates are appointed as Information Managers responsible for implementing information security-related initiatives at their respective organizations. At the regional headquarters outside Japan, information security contacts have been appointed to communicate regularly with the CISO and HQ’s Information Security department, ensuring continued efforts to maintain and improve the Group’s overall information security activities.
To promote information security management systems, we refer to several major related guidelines and best practices, such as the ISO 31000 international standard for risk management, the ISO 27001 international standard for information security management systems, the NIST Cybersecurity Framework of the National Institute of Standards and Technology, the CIS Controls of the Center for Internet Security, and the Cybersecurity Management Guidelines of the Ministry of Economy, Trade and Industry.
Furthermore, specific guidelines and rules have been formulated. These include the above-mentioned “Shiseido Group Information Security Policy,” in addition to rules and regulations regarding information asset handling/management and information systems development, operation, and management. We are working to promote compliance with these guidelines and rules on a global scale by encouraging the engagement of overseas offices.
To ensure information security in activities involving external business partners, we ask them to observe the “Shiseido Group Supplier Code of Conduct,” which includes requirements for the proper handling of confidential information and the protection of personal information. When outsourcing important operations, we check the information security management systems of the companies concerned before executing a service agreement that requires them to take appropriate safety management measures.
The Shiseido Group conducts information security e-learning programs and group sessions on a regular basis to help employees increase their awareness and knowledge of information security. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of information security management in our personnel from the time they start with the Group.
To keep employees updated on information security issues, the latest information is posted on our internal portal.
The Shiseido Group has developed internal systems and processes that enable the Information Security department to be involved in the development of new business or services from scratch so that necessary information security measures can be taken at the planning/designing stage.
At the Shiseido Group, we ensure the proper handling of information assets as well as the implementation of appropriate information security measures for information systems development, operation, and management. Audits of information systems and related operations are performed on a risk basis, and remediation of any issues detected is supervised.
We also periodically perform vulnerability checks on information system infrastructure and application programs; if vulnerabilities are detected, instructions and improvement advice are provided. In addition, we constantly monitor information security using external threat intelligence services.
For business partners to whom we outsource important operations, we regularly check their information security management systems even after contracts are concluded.
At the Shiseido Group, the Information Security department responds to accidents and emergency situations involving information security. It takes the necessary actions in cooperation with the Risk Management and Information Systems departments, depending on the impact of the specific situation. The Information Security department works to improve its emergency response capabilities by organizing periodic drills (held more than twice a year by several organizations, including the Nippon CSIRT Association and a forensic service provider) and revising the associated sections of the manual based on issues revealed through such training.
Shiseido has registered with the Nippon CSIRT Association (Shiseido CSIRT) to share information with relevant agencies and with similar departments at other companies.
To verify that the Shiseido Group’s implementation of its information security initiatives and management systems is appropriate, we enlist external experts to conduct an assessment when necessary. Issues and challenges identified through the assessment are then taken into account in developing information security strategies and initiatives.