Information Security Report 2010 - Nec

More documents

Recommendations

Info

Reinforcement of Information Leak Prevention Measures Since fiscal 2009, the NEC Group has worked to implement measures aimed specifically at eradicating information leak incidents. That year we achieved our goal of reducing by half the number of leaks compared with those in the previous fiscal year. In fiscal 2010, we focused on following measures to reduce further the number of incidents. Specifically, management measures included: 1) management of confidential information for suppliers 2) measures to prevent the loss or theft of USB flash drives and other removable storage media 3) use of thin client terminals, etc. as an enhanced security measure for work outside the company and 4) inventory and management of personal information. Other technology measures included: 1) System to Prevent Information Leak 2) Secure Email Distribution System and 3) Secure Information Exchange Site. Information Security Assessment The NEC Group conducts information security assessment for ensuring that information security measures partner companies. management involved in an outsourcing business with have been strictly implemented within each organization. (2) Method for Conducting Information Security We have conducted assessments twice a year since Assessment fiscal 2006, and established a PDCA cycle for security The information security assessment was conducted from improvement activities. the management (organizational assessment) and implementation (individual assessment) point of view. Then by Aiming to eliminate the occurrence of any security incidents that could be prevented if the information security assessment was implemented strictly, the fiscal 2010 problems on both management and implementation reviewing the results of the gap analysis, we clarified the assessment was conducted targeting 98 domestic companies and 87 overseas companies, 185 Group Compa- PDCA cycle between the Information Security Promoters sides. To cope with these problems, we established a nies in total (an increase in the companies subject to and the individual staff members in each organization, and assessment compared with those in the previous year). between supervisors and their subordinates in pursuit of (1) Description of Information Security Assessment improved management activity at the working level. Five priority measures were defined specifically aimed at (3) Improvements Made Through Utilization of eradicating information security incidents related to information leaks. As a result of incident analysis, these mea- As a result of the assessment, each organization Assessment Results sures were determined as those reducing or eliminating worked to understand the causes of an inadequately the primary cause of the incidents. The measures implemented security measure, make an action plan to include: 1) security measures for use of USB flash drives improve the security level and carry out the plan. The and other removable storage media 2) security measures organization made the Information Security Promotion for the work outside the Company 3) assessment of Plan for fiscal 2011. And the plan included the insufficient security measures for fiscal 2010 and new secu- personal information relating to priority measures 4) security measures for entry passes 5) confidential information rity measures for fiscal 2011. As a result, the organization can keep following the PDCA cycle. ■ PDCA Cycle via Information Security Assessment In fiscal 2011 the NEC Group Improvements plans to conduct the assessment Assessment System Enhancements Act by each employee role. Check PDCA Cycle Plan Assessment Do 06 NEC CORPORATION Information Security Report 2010
■ Utilizing Results from Organizational and Individual Assessment The Pdca Cycle Depends on the Day-to-Day Workplace Management Level Management cycle at individual workplace level maintained between supervisors and subordinates via a gap analysis of organizational and individual assessment Report to ■ Division Head, ■ Upper Management, etc. Organizational Assessment Assessment by Organization’s Manager, Promotion Manager, etc. Individual Assessment Assessment by Supervisor, Results Confirmed Confirmation Guidance Self-Assessment by Subordinates Comparison Comparison of Results by Organizational Manager (Gap analysis) Feedback for corrective action Information Security Audits Information security audits center on NEC’s Corporate Auditing Bureau, which conducts ISMS and Privacy Mark-related audits. The Corporate Auditing Bureau conducts internal audits of each business division regularly, based on ISO/IEC 27001 and JIS Q 15001 audit standards. Efforts to Obtain Information Security Management System (ISMS) Certification For those organizations which need to obtain ISMS certification, the NEC Group provides a system to support the obtainment and management of the certification. Specifically, services are centered on standard ISMS content, and include consultation, audit structure development, training, and effective assessment methods (differential assessments, etc.). Standard ISMS content is designed to completely meet portions required under ISO specifications. NEC Group Promotional Office added Group Policy to the content. It is also possible to add independent components of each organization to the content. Through support for the obtainment and management of ISMS certification, NEC has unified Group policies and is making use of best practices from organizations that have already obtained certification. To date, this system has been used by 72 organizations throughout the NEC Group. The know-how that has been gained as a result is being provided as solutions (the NetSociety for ISMS service) to our customers and suppliers. ■ Support for obtainment of ISMS Certification Using “NetSociety for ISMS” NEC Group NetSociety for ISMS Individual Assessment Organization a Organization B Organization N NEC Group Promotional Office Preliminary Survey and Group Assessment Assessment by Certification Organization Business Architect ■ Business Planning Support ■ Operational Support, etc. Information Security Management Consultant ■ Consulting ■ Training Support IT Infrastructure ■ Asp Service ■ Operational Service NEC CORPORATION Information Security Report 2010 07
Page 1 and 2: Information Security Report 2010 Ye
Page 3 and 4: NEC’s Initiatives to Build a Secu
Page 5 and 6: NEC’s Initiatives to Build a Secu
Page 7: ■ NEC Group Management Policy The
Page 11 and 12: IT Platform for User Management and
Page 13 and 14: (Centralized Management of Security
Page 15 and 16: (4) Thin Clients To prevent informa
Page 17 and 18: Development of Security Promotion M
Page 19 and 20: 1) Designating managers responsible
Page 21 and 22: When development takes place while
Page 23 and 24: We aim to speed up management, visu
Page 25 and 26: Privacy Mark Certification The foll
Page 27 and 28: The NEC Way “The NEC Way” is th
Page 29 and 30: NEC Information Security Statement

Information Security Report 2010 - Nec

Create successful ePaper yourself

Delete template?

Save as template?