Information Security Report 2010 - Nec

More documents

Recommendations

Info

NEC’s Initiatives to Build a Secure IT-Driven Society Information Security Measures in Cooperation with Suppliers To protect customer information, the NEC Group conducts information security measures with the suppliers on our supply chain, and continues to expand the number of participating companies. Framework NEC Group business activities are conducted in partnership with suppliers. We recognize that it is extremely important for suppliers not only to have technical ability but also to maintain information security. The information security measures that we require of our suppliers are classified into the following six major categories. ■ Information Security Measures for Suppliers NEC Group 1) Contract Management General prohibition on subcontracting, confidentiality obligation, personal information protection, etc. 2) Subcontracting Management Prior approval required when subcontracting unavoidable 3) Staff Management Implementation of Basic Rules for Customers Support 4) Confidential Information Management Implementation of Confidential Information Management Guidelines 5) IT-based Measures Required measures and recommended measures Suppliers Electronic Pledges Instructors Video Programs on Confidential Information Management Secure Work Environment 6) Assessment On–site assessment of implementation of Information Security Standards for Suppliers and web-based self assessment Pdca Cycles Overview of the Measures (1) Contract Management All contracts between the NEC Group and suppliers are comprehensive agreements that include clauses prohibiting subcontracting in principle, maintaining confidentiality and protecting personal information. In addition, memorandums of understanding (MOUs) are concluded concerning the management of workers that handle information belonging to the NEC Group or our customers. These MOUs mainly require that workers handling such information pledge to their own companies that they understand the security measures and will fully comply with them. (2) Subcontracting Management Subcontracting by suppliers to other companies is forbidden in principle. If subcontracting cannot be avoided, information on the subcontractor must be submitted to the original contractor in the NEC Group and prior approval must be granted by the original contractor. (3) Worker Management The NEC Group established “Basic Rules for Customers Support”, which are security measures requested for suppliers. We promote compliance with these rules through the use of the aforementioned MOUs. The rules reflect lessons which we learned from security incidents that have occurred in the same industry. They represent the collection of required individual practices and prohibited acts, which are described specifically and clearly. (4) Confidential Information Management Management of confidential information handled under NEC Group contracts is covered by Confidential Information Management Guidelines. We require compliance with these guidelines for each commissioned task and promote the implementation of management according to the guidelines. The guidelines contain the following six sections: 16 NEC CORPORATION Information Security Report 2010
1) Designating managers responsible for confidential information management 2) Identifying and labeling confidential items 3) Managing off-site use of confidential information 4) Returning and destroying confidential information when work is complete 5) Centrally managing highly important information by ledgers and 6) Regular checks. (5) IT-based Measures We request that suppliers implement technical measures system, and use these results to improve their own to execute security measures firmly. They include both information security. The results are also reflected in the required and recommended measures. NEC Group’s own information security measures. We Required Measures intend to continue on-site and web-based self assessment every year for approximately 2,000 companies, We ask suppliers to implement the following security measures on computers used for contract work: 1) Set and to further improve information security of our appropriate passwords 2) Keep security patches up to suppliers. date 3) Implement antivirus measures 4) Prohibit peerto-peer software and 5) Encrypt all removable media (computers, USB flash drives, etc.) containing ■ Assessment Based on NEC Group’s confidential information. Standardized System Standardization of Assessment Items Recommended Measures We recommend the following technical measures to further strengthen management of confidential information: 1) software to prevent data extraction 2) document management software 3) access management software. NEC provides tools such as a system to prevent information leak and a shared platform system called PROCENTER/ES. (6) Assessment Information Security Standards for Suppliers were established and issued in fiscal 2010. The standards define the required levels of information security for NEC Group suppliers. We developed a standardized framework (systems and procedures) to assess suppliers’ information security measures based on the standards. Under the framework, assessors visit major suppliers, execute on-site assessment, and direct improvements as appropriate. Moreover, suppliers themselves execute self assessment via a web-based 1. Addressing Security in Third Party Agreements —Subcontracting management 2. Organization of Information Security —Use of personal items for business 3. Asset Management —Information asset classification and handling Standardization of Assessment Procedures ■ Assessment form ■ Assessment items ■ Judgement criteria ■ Points to consider, etc. 4. Human Resources Security —Observance of Basic Rules for Customers Support, and related pledges 5. Communications and Operations Management —Management of P2P file sharing software 6. Information System Acquisition, Development and Maintenance —Data encryption Regular Assessment On-site Assessment and Self Assessment Training for Assessors ■ Assigning instructors by organization ■ Conducting regular training Promoting Measures for Suppliers (1) NEC Information Security Initiatives Seminars NEC Information Security Initiatives Seminars are held from Hokkaido to Kyushu once or twice a year for approximately 2,000 suppliers nationwide. The seminars are run in collaboration between the Purchasing Division and the Information Security Division to ensure that suppliers understand and implement the NEC Group’s security measures. (2) Training Sessions to Develop Instructors Suppliers are requested to appoint in-house instructors to teach the aforementioned Basic Rules for Customers Support. We hold training sessions for instructors every year and give them certification (effective for one year). In fiscal 2010, approximately 1,200 instructors obtained or renewed certification. (3) Distribution of Video on Confidential Information Management In fiscal 2010, we distributed to suppliers a video on managing confidential information to raise awareness of the necessity and importance of confidential information management, and to promote the implementation of the Confidential Information Management Guidelines. In fiscal 2011, we will distribute to suppliers an internal training support CD-ROM aimed at improvement of more practical skills on confidential information management. NEC Information Security Initiatives Seminar NEC CORPORATION Information Security Report 2010 17
Page 1 and 2: Information Security Report 2010 Ye
Page 3 and 4: NEC’s Initiatives to Build a Secu
Page 5 and 6: NEC’s Initiatives to Build a Secu
Page 7 and 8: ■ NEC Group Management Policy The
Page 9 and 10: ■ Utilizing Results from Organiza
Page 11 and 12: IT Platform for User Management and
Page 13 and 14: (Centralized Management of Security
Page 15 and 16: (4) Thin Clients To prevent informa
Page 17: Development of Security Promotion M
Page 21 and 22: When development takes place while
Page 23 and 24: We aim to speed up management, visu
Page 25 and 26: Privacy Mark Certification The foll
Page 27 and 28: The NEC Way “The NEC Way” is th
Page 29 and 30: NEC Information Security Statement

Information Security Report 2010 - Nec

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?