Policy
NEC recognizes that it must protect the information assets it keeps for its customers and business partners as well as its own information assets, in order to contribute to society through the provision of better products and services. NEC has codified this duty in the NEC Information Security Statement.
Moreover, we will establish an information security promotion framework and information security management systems (the formulation, operation, review, and improvement of policies and measures to maintain and improve information security) and put in place information security infrastructure. Through these measures, NEC will strive to fulfill the duty set forth in the NEC Information Security Statement.
Framework
NEC's information security implementation framework consists of the Information Security Strategy Committee and its subcommittees, as well as the promotion systems of each organization. The Information Security Strategy Committee and its subcommittees determine the direction of the NEC Group's information security policies encompassing Japan and overseas, along with business partners.
In addition, the efforts of the overall NEC Group are directed and managed by the Security Technical Center (STC) of the Management Information Systems Division and the Customer Information Security Office of the Internal Control Division. The STC and the Customer Information Security Office implement and manage activities at each organization through the Information Security Strategy Committee and its subcommittees, while working closely with the Information Security Management Supervisors and Promotion Managers appointed in each business division, corporate staff division and Group company.
Information Security Strategy Committee
Aiming to decrease the number of information security incidents throughout the NEC Group, this committee deliberates important issues such as deciding on, assessing and improving information security reinforcement measures, clarifying the causes of major incidents and deciding on measures to prevent recurrence, and formulating strategies for transferring the results achieved into NEC's own information security business. (Chairperson: Senior Executive Vice President)
Promotion Committees and Working Groups
There are four sub-committees of the Information Security Strategy Committee, namely two promotion committees and two working groups. These sub-committees perform various tasks in order to maintain and improve the information security of the NEC Group as a whole. Tasks include discussion and coordination of implementation plans and measures to be executed, as well as enforcing directives and monitoring progress on various measures. By sharing information about incidents and monitoring the situation and issues faced by each organization, the sub-committees strive to enhance the effectiveness, efficiency, and feasibility of various security measures.
Main Activities and Results (Fiscal 2012)
NEC attained an even higher level of information security management by drastically reducing the number of information security incidents through continuous, stringent enforcement of security measures centered on preventing information leaks. Another measure was putting in place global security infrastructure and a secure environment utilizing cutting-edge IT. For customers, NEC contributed to their businesses by improving the security quality of products, services and systems through the promotion of secure development and operation.
Principal Activities for Internal Security
- Maintained and improved recognition and awareness of information security: NEC held web-based information security training for NEC Group officers and employees in Japan and for domestic partners of NEC Group companies who have access to NEC's intranet. NEC also rigorously enforced compliance with the "Basic Rules for Customer Related Work and Trade Secret" through an electronic pledge system. Another measure was to stream the video content of an awareness-raising DVD (access count of 44,000). Through these measures, NEC sought to improve recognition and awareness of information security.
- Instituted a global service authentication platform: NEC put into operation a platform for managing the ID data of all overseas subsidiaries linked to the NEC intranet (70 companies and approx. 16,000 employees as of March 31, 2012). This measure has enabled timely maintenance of the ID data of overseas subsidiaries, and access control based on ID data at the global level.
- Establish a platform for global computer security measures: NEC built a management platform that enables visualization of the status of PCs (including application of security patches, malware countermeasures, etc.) at overseas subsidiaries. NEC completed implementation of the platform in North America and China in fiscal 2012, and will steadily phase in the platform in the Asia-Pacific region, Latin America and EMEA (Europe, Middle East and Africa) from fiscal 2013. NEC has begun examining device control functions (USB memory, etc.) and network quarantine functions, which are planned to be rolled out going forward.
- Establish a global platform for information leakage countermeasures: NEC has put in place and implemented infrastructure for encrypting PC hard disks and files at overseas subsidiaries. This has enabled reliable encryption measures to be implemented at business sites where strict enforcement of encryption measures was previously difficult. As a result, NEC has improved its level of security.
- Develop external secure environments utilizing the latest IT: NEC has expanded its external secure environment by enhancing the variety of thin client terminals, which are used as a security measure for work performed outside the company. Specifically, NEC developed thin client terminals compatible with new operating systems as a standard in-house PC model and promoted the transition to these terminals. NEC also began providing "soft" thin client terminals that utilize existing PCs. Furthermore, NEC developed a "trusted PC" with enhanced security features, including functions to remotely disable the use of PCs, delete specific data, and counter unknown vulnerabilities, as well as encryption. The goal is both to reduce the risk and increase the convenience of work performed outside the company. Looking ahead, NEC will promote the switch of PCs that may be removed from business premises to "trusted PCs."
Principal Activities for Suppliers
- Reinforce information security at suppliers: NEC worked to provide continuous training on confidential information management (for approx. 2,400 companies), share examples of information security from operations, and issue guidelines for meeting information security requirements and standards. NEC also worked to tighten enforcement of the "Basic Rules for Customer Related Work" at suppliers (including training of in-house instructors, and enforcement of compliance through submission of pledges).
- Strengthen information security measures for offshore outsourcing: NEC extended the same information security measures required of suppliers in Japan ("Basic Rules for Customer Related Work," confidential information management, pledges, subcontracting management, etc.) to suppliers in China. Going forward, NEC plans to expand the scope of these measures to English-speaking regions.
Initiatives Concerning Solutions for Customers
- Strengthen the implementation system for secure development and operation: NEC has put in place the Working Group for Promotion of Secure Development and Operation (which determines company-wide policy) and the Coordinating Committee for Promotion of Secure Development and Operation (which enforces knowledge of measures) as a company-wide framework. NEC has assigned Secure Development and Operation Promotion Managers (approx. 300 employees in product, systems and service development and operation divisions). Through these measures, NEC has strengthened the Group-wide implementation system for secure development and operation.
- Establish secure development and operation environments: NEC has established Secure Development and Operation Implementation Standards as the basis for secure development and operation. These standards set forth the minimum measures that members of the NEC Group must take into consideration, such as collection of the latest vulnerability information and application of patches, implementation of vulnerability assessments, and development based on checklists. In addition, NEC has promoted rigorous enforcement of these standards, while incorporating secure development processes based on ISO/IEC 15408 into divisional development standards. (NEC has finished incorporating these secure development processes into the development standards of major business units.)
- Train personnel specializing in secure development and operation: NEC has provided training on secure development to Secure Development and Operation Promotion Managers and to developers in divisions that develop and operate products, systems and services. NEC strove to promote and institute the expertise needed to implement secure development across the company as a whole. (Total number of training participants: 1,570.)
Monitoring and Improvement
- Information security assessment activities: The NEC Group verifies the implementation of information security measures at each Group company using a common Group-wide assessment system. Every year, the Group formulates and executes improvement plans wherever measures are found to be improperly implemented. In fiscal 2012, we conducted information security assessments of 101 Group companies in Japan. In addition, we conducted assessments of individual roles (individual assessment), in which general employees and the manager responsible for each information security measure verify the implementation status of that measure. Through this format, we endeavored to achieve more effective improvements by accurately gauging actual worksite conditions. In fiscal 2012, we conducted these individual assessments at 50 companies (around 82,000 people). Moreover, we performed assessments centered on organizational assessments of 90 overseas subsidiaries, in which the information security management promotion managers of each organization verify the entire organization's status. By providing specific feedback to each overseas subsidiary, we worked to make detailed improvements.
- Assessment of suppliers and offshore contractors: Based on the NEC Group Information Security Standards for Suppliers, the Basic Rules for Customer Related Work and other guidelines, we assessed and evaluated the implementation status of information security measures by suppliers (on-site assessments: approx. 100 companies; written assessments: approx. 2,400 companies), with a view to raising the level of information security. In addition, we rigorously enforced information security measures by performing security assessments of suppliers in China that are the same as those required of suppliers in Japan (written assessments: approx. 150 companies; on-site assessments: approx. 50 companies).
Objectives and Achievements
Objectives for the Medium Term (From Fiscal 2011 to Fiscal 2013) and Fiscal 2012, Achievements and Progress, and Degree of Completion
(Degree of completion: achieved / mostly achieved / some progress / no progress)

Medium-Term Objective
Implement comprehensive security measures from the standpoint of management, systems and human resources development. Protect information assets entrusted to NEC by customers and suppliers as well as NEC's own information assets. As a provider of IT products, services and solutions, deliver even more secure and reliable products, services and solutions to customers.

Fiscal 2012 Objective 1: Develop global security infrastructure
- Establish a global service authentication platform
- Establish a platform for global computer security measures
- Establish a global platform for information leakage countermeasures
Achievements and Progress
- Instituted the operation of a personal ID management platform for all overseas subsidiaries linked to the NEC intranet.
- Built a management platform that enables visualization of the status of PCs (application of security patches and malware countermeasures, etc.) at overseas subsidiaries.
- Put in place and implemented infrastructure for encrypting PC hard disks and files as a global platform for information leakage countermeasures.
Degree of Completion: Achieved

Fiscal 2012 Objective 2: Develop external secure environments utilizing the latest IT
- Convert portable PCs into thin clients
Achievements and Progress
- Strengthened information security and improved convenience by enhancing the variety of thin client terminals (Windows 7-based SS7, "soft" thin client terminals).
- Developed a "trusted PC" with enhanced security features, including functions to remotely lock PCs and delete specific data, as well as encryption functions and countermeasures for unknown vulnerabilities.
Degree of Completion: Achieved

Fiscal 2012 Objective 3: Promote secure development and operation in solutions for customers
- Strengthen the implementation systems for secure development and operation
- Establish secure development and operation environments
- Train personnel specializing in secure development and operation
Achievements and Progress
- Strengthened the NEC Group's secure development and operation framework by developing implementation systems for the Company as a whole and for business divisions.
- Formulated secure development and operation standards and promoted the incorporation of secure development processes based on ISO/IEC 15408 into divisional development standards.
- Enhanced personnel training focused on secure development and operation promotion managers and developers.
Degree of Completion: Achieved

Fiscal 2013 Objectives

Fiscal 2013 Objective 1: Develop global information security infrastructure
- Enhance security service functions
- Expand security infrastructure to more regions

Fiscal 2013 Objective 2: Develop external secure environments utilizing the latest IT
- Expand the internal use of "trusted PCs"
- Expand usage of thin client terminals (Windows 7 version)

Fiscal 2013 Objective 3: Implement secure development and operation
- Expand secure development and operation implementation standards and enable visualization of implementation status
- Promote the inclusion of secure development and operation standards in standards within the organization
- Conduct regular assessments of secure development and operation status
NEC has issued an Information Security Report, which presents the NEC Group's information security measures. Please follow the link below for further details on information security activities.
Information Security Report 2012
Privacy Protection Measures
Since establishing the NEC Privacy Policy in July 2000, NEC has been enhancing measures to protect personal information. In October 2005, NEC obtained Privacy Mark certification*. Ever since, we have worked to protect personal information using management systems that are fully compliant with the Japan Industrial Standards Management System for the Protection of Personal Information (JIS Q 15001) and with Japan's Personal Information Protection Law.
Construction and Operation of a Privacy System
Because NEC's major business operations include the integration, operation, and maintenance of information systems, the company handles and manages personal information provided by customers, including corporations and organizations. To address this responsibility, approximately 250 heads of divisions and departments throughout NEC's businesses implement a variety of measures and appoint an employee to be in charge of, or responsible for, each way in which personal information is handled. In addition, a Privacy Promoter is appointed for each business division (approximately 1,000 promoters throughout the company). Every effort is being made to protect privacy through the establishment and operation of this management system.
To this end, NEC has established and operates the ledger-based "Personal Identifiable Information Control System" for registering, keeping track of and visualizing personal information.
NEC has documented clear company-wide policies for the management of personal information, and has also instituted and rigorously enforces operational rules for specific business divisions and types of personal information, as necessary.
Regarding privacy protection training, NEC conducts mainly web-based programs to train all employees about privacy-related issues. All employees receive training on these issues every year. NEC also requests its contractors to provide their employees with similar training.
Furthermore, all NEC business divisions are subject to regular audits by the Corporate Auditing Bureau, an internal division that conducts rigorous internal audits.
(*) In October 2005, NEC Corporation obtained certification of its privacy procedures under the Privacy Mark validation scheme for private sector firms operated by the Japan Information Processing Development Corporation (JIPDEC). As of March 31, 2012, a total of 43 NEC Group companies in Japan had also obtained Privacy Mark validation. NEC is continually working to ensure that a common security standard is applied to all members of the NEC Group.