Information Security

To protect information assets from various threats and to fulfill its social mission, SCSK has established and is operating the Information Security Management System. We are continuously evaluating risks to information assets and ensuring the effectiveness of countermeasures for these risks. To ensure that each of our employees, as well as everyone who does business with SCSK, understands our Information Security Management System, including the Basic Policy, we engage in extensive educational activities, such as holding training courses on information security and the protection of personal information. We also require our subcontractors to adhere strictly to the Information Security Guidelines that we have established, and we are working to prevent occurrences of issues related to information security.

Furthermore, SCSK's data centers are certified under ISO 27001, an international standard for information security management systems.

Management Frameworks for Information Security

SCSK considers information security to be one of management’s top priorities. We have established the Chief Information Security Officer as the person in charge of building the information security structure and information security management system as well as the process for continual improvement.

In addition to the above, the Information Security Management Department was established in October 2021 as an organization to aid the Chief Information Security Officer and manage and promote information security at SCSK.

The Information Security Management Department, which is under the Chief Information Security Officer, takes the lead in increasing mutual collaboration among information security related departments and implementing information security measures across the entire company in unison with Business Groups.

Initiatives to Strengthen Information Security

At SCSK, we have incorporated information security standards into SmartEpisode Plus (SE+), our standards for executing operations such as developing and operating systems.

To protect the information assets that are important assets of our clients, we are also making the information we handle and the associated risks visible, building a system to evaluate and improve security measures (S-SIMS*1), and continuing to carry out surveys and improvement activities covering 220 items and targeting all projects being undertaken, regardless of monetary amount or size.

As an IT business operator entrusted with the important information assets of clients, we will continue to improve engagement awareness and professional ethics through training for all employees.

*1 S-SIMS: SCSK Security Information Management System

Summary of the SCSK Security Information Management System (S-SIMS)

This is a system for gaining an integrated understanding of, and making visible, the information security risks and the state of security measures for each project, and for running through the PDCA cycle for appropriate information management in collaboration with worksites and organizational line levels.

Response to Cyber Security Incidents

SCSK-CSIRT*1 System

We have organized SCSK-CSIRT to ensure a prompt response and to minimize damage should a computer security incident occur.

To respond to incidents appropriately, departments in charge of information security management and departments responsible for cybersecurity work together to analyze incidents and discuss response policy and methods. They also work alongside external organizations, such as JPCERT/CC*2 and NISC*3.

Collaboration with related departments such as the Legal Department and Corporate Planning Department enables SCSK-CSIRT to correctly ascertain compliance, legal matters and impacts on business operations.

In this manner, SCSK-CSIRT consolidates information obtained through collaboration with related departments and promptly determines a response based on the degree of impact.

*1 SCSK-CSIRT (Computer Security Incident Response Team): A permanent organization that carries out activities in response to computer security incidents
*2 JPCERT/CC (Japan Computer Emergency Response Team Coordination Center)
*3 NISC (National center of Incident readiness and Strategy for Cybersecurity)

Responding to Emergencies

●To minimize damages should an incident occur, SCSK-CSIRT has a system in place for determining the prompt shutdown of systems and restoration. It has also compiled response procedures as a set of rules that it shares internally in order to increase the effectiveness of responses.

Training and Drills

●We are conducting information security education using e-learning to prevent damages from cyberattacks, etc.
●We conduct email drills for targeted attacks.
●In addition, we are carrying out tabletop drills based on incident scenarios so that the SCSK-CSIRT and related departments can collaborate smoothly and implement a swift response, etc.

Response to Vulnerabilities

●We have established security countermeasure standards for servers and cloud services accessible from the Internet. In addition, we regularly implement vulnerability checks of these servers and services and conduct corrective actions.

SCSK-CSIRT System Diagram

*1 The head of the group in the department responsible for cybersecurity, or the center director, serves as the leader. At the current time, the SE+ Center Director is the leader (as of April 2022).
*2 SCSK has built a CSIRT system to handle cybersecurity incidents, and constantly cooperates with the Security Operation Center (SOC), which is responsible for monitoring networks and devices, including SCSK's in-house network.