
Information Security and Cyber Security

Information Security and Cyber Security Policy

We recognize that it is our duty to protect the information assets entrusted to us by our customers and business partners as well as our own information assets in order to provide better products and services and contribute to the development of society. Based on this concept, NEC has positioned security—accurately referring to both information security and cyber security—as one of the critical subjects of “materiality,” its priority management theme from an ESG perspective and has established its Information Security Statement as the basis for driving efforts.

NEC has evaluated risks from various perspectives including the need for countermeasures as well as the possible damage both to corporate business and society, and has selected Priority Risks that will have huge impacts and that need to be addressed. With these risks in mind, we are deploying measures to counter cyber attacks that are becoming increasingly sophisticated, while complying with the Cybersecurity Management Guidelines Version 3.0 by Japan’s Ministry of Economy, Trade and Industry (METI) and the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1.

Based on our information security implementation framework as well as on our Purpose that shows why as a company we conduct business, NEC is working to realize a secure information society and provide value to our customers.

Information Security Implementation Framework

Figure: Information Security Implementation Framework

To protect information assets, NEC is taking the following approach:

  • Implementing cyber attack measures
  • Providing secure products, systems, and services
  • Promoting information security in collaboration with business partners

At the same time, we have positioned information security management, information security infrastructure, and information security personnel as the three pillars of the information security governance framework within the NEC Group, thereby maintaining and improving our comprehensive and multilayered information security.

Providing Secure Products, Systems and Services

NEC has structured processes and organizational frameworks for implementing secure development and operation of the products, systems and services it provides to customers. Our processes are based on the concept of Security by Design (SBD), and we implement processes and lifecycle management with due consideration of security from the planning stage through to the operation stage. Our security organizational frameworks involve the Cyber Security Strategy Department and information security managers assigned to each business department. We have established the Cybersecurity Management Rules to implement processes under these frameworks.

In addition, NEC ensures that it can continue to supply products, systems and services to its customers by addressing the risk of cyber attacks on the supply chain. This involves reviewing and strengthening security measures, including those of our business partners, based on our Information Security Standards for Business Partners.

Medium- to Long-term Goals, Priority Activities and Progress, Achievements, and Issues

Medium- to Long-term Goals and Priority Activities

(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026

M: Major non-financial indicators related to materiality

  1. M: Strengthen measures against cyber attacks
  2. M: Establish rules and governance for security proposal implementation
    • Human resource development: triple the number of Certified Information System Security Professionals (CISSP)
    • Strengthen supply chain security management
    • Establish a safe system integration process
  3. M: Eliminate security-related incidents caused by partner companies by inspecting their standards and enhancing cyber security measures

FY2023 Goals, Progress, Achievements and Issues, and FY2024 Goals

FY2023 Goals

1. Response to national-level threats

  • Improve the NIST CSF*1 maturity level and BitSight score*2
  • Realize zero trust security to support digital transformation (DX)
  • Evolve awareness and control
  • Enhance security implementation for in-house systems

*1 NIST Cyber Security Framework
*2 A cyber security risk score rating service provided by BitSight Technologies

2. Reform of the process for incorporating security implementation as part of business proposals, and release of the vulnerability management dashboard

3-1. Enhancing standards inspections

  • Increase number of companies subject to standards management from 1,500 to 2,000 and improve document inspection
  • Consider increasing number of company bases subject to on-site inspections from 100 to 200 and increase efficiency by utilizing online tools

3-2. Strengthening cyber security measures

  • Revise information security standards to conform with NIST SP 800 from FY2023
  • Hold information security briefing sessions to request security measure implementation from partner companies, and provide security improvement support
  • Conduct self-assessment of system security plans (SSP) for 1,800 companies

Progress, Achievements and Issues

1. Response to national-level threats

  • Achieved the target maturity level of NIST CSF and improved BitSight score
  • Completed the endpoint (terminal) management platform and SaaS Security Posture Management (SSPM) deployment and deployed multi-factor authentication (MFA) using biometric authentication
  • Completed software-defined wide area network (SD-WAN) deployment at major business locations
  • Visualized security implementation status for in-house systems

2. Reform of the process for incorporating security implementation as part of business proposals, and release of the vulnerability management dashboard

  • 100% utilization of vulnerability management system in priority projects
  • The number of CISSP certified employees: about 300 (approximately double the number in FY2021)
  • Monitoring of security management systems and countermeasure status of suppliers based on our information security standards for business partners
  • Formulated and publicized Cybersecurity Management Rules and established organizational frameworks and processes

3-1. Enhancing standards inspections

  • Expanded the scope of management to 2,000 companies, improved document inspections
  • Expanded on-site inspections utilizing online tools to 202 companies

3-2. Strengthening cyber security measures

  • Revised information security standards based on NIST SP 800-171, and held briefing sessions for subsidiaries and key partners in Japan and overseas
  • Conducted the “SSP Study Group for Business Partners” to analyze the status of compliance with the new standards and promote improvements

FY2024 Goals

1. Driving information security transformation

  • Response to national-level threats
    - Improve NIST CSF maturity level and scores of third-party evaluations of the NEC Group
  • Realize zero trust security to support digital transformation (DX)
    - Roll out passwordless authentication
    - Promote the endpoint (terminal) management platform for data use
  • Evolve awareness and control
    - Strengthen communication: implement regular exchanges of opinions among Group companies and encourage frequent discussions in the workplace using original video content
    - Enhance on-site self-governance for critical information

2. Establishing, practicing and enhancing governance for security proposal implementation

  • Formulate vulnerability management processes that enable rapid risk identification
  • Develop and operate human resources development programs for personnel responsible for organizational management in compliance with the Cybersecurity Management Rules
  • Encourage employees to obtain advanced security professional certifications (e.g., CISSP)
  • Deploy security implementation measures for overseas subsidiaries
  • Promote the formulation of the Cybersecurity Management Rules at NEC Group companies

3-1. Strengthening cyber security measures

  • Enhance activities to comply with information security standards
  • Revise information security standards for business partners and promote improvements using system security plans (SSP)
  • Reduce security risks in the supply chain by introducing BitSight at NSP networking events

3-2. Strengthening information security for overseas partners

  • Roll out new standards for key partners in China, India and Vietnam

3-3. Enhancing standards inspections

  • On-site inspections: Scheduled to be conducted at 300 companies, an increase of 100 companies compared with the previous fiscal year
  • Document inspections: Review inspection items and increase the number of companies subject to inspection

Information Security and Cyber Security Framework

The NEC Group’s information security implementation framework comprises the Information Security Strategy Committee, its subordinate organizations, and related organizations. Chaired by the Chief Information Security Officer (CISO), the Information Security Strategy Committee discusses, evaluates, and improves information security measures, investigates the causes of incidents, sets the direction of recurrence prevention measures, and discusses how to apply the results of its activities in the information security business. The committee also regularly briefs the president on the status of measures adopted by the committee to obtain approval. In addition, the committee is responsible for conducting annual penetration tests via a third-party organization in order to assess vulnerability risks, and regular audits of all Internet servers four times a year. These actions ensure that vulnerabilities are dealt with in a timely manner.

The corporate executive who assists the CISO oversees the Corporate CISO office, which promotes information security measures, and the Computer Security Incident Response Team (CSIRT), which monitors for cyber attacks and resolves incidents quickly whenever they occur. The Information Security Promotion Committee and working groups plan and promote security implementation, discuss and coordinate implementation measures, ensure that all instructions are followed, and manage the implementation progress of measures, among other things.

The Information Security Managers in each organization have responsibility for ensuring information security for the relevant organizations including the Group companies under their supervision. They make efforts to ensure that rules are understood within their organizations, introduce and deploy measures, while continuously checking and reviewing the implementation progress to improve the situation.

Figure: The NEC Group’s Information Security Implementation Framework

*1 Computer Security Incident Response Team
*2 Product Security Incident Response Team

Sensitivity Analysis and Stress Testing in Cyber Security

In 2022, the CSIRT’s Cyber Threat Intelligence team (CTI team) collected and analyzed more than forty thousand pieces of information related to cyber threats in the NEC Group (e.g., IP addresses, file hashes, URLs, and domains) and generated cyber threat intelligence from them. The CTI team is also proactively reducing risk through threat hunting that utilizes this CTI.

Figure: Sensitivity Analysis by CTI Team of NEC-CSIRT

NEC has established the Red Team’s Cyber Risk Assessment (CRA) scheme to expand the organization’s resilience against cyber attacks and its accountability for security management. The Red Team creates attack scenarios based on the threats facing the NEC Group, its ICT usage status, its incident status, and the level of information it processes, and then performs reconnaissance and attacks against the organization (system operation, information management, CSIRT operation, and policy) to assess its tolerance and risk.

Figure: Stress Testing by NEC-Red Team

Information Security Management

Information Security Management

To facilitate the establishment of a variety of Groupwide measures, we have introduced an information security management system and security policy, both of which we make every effort to maintain and improve.

Information Security Risk Assessment

The NEC Group conducts risk assessments and implements countermeasures by analyzing deviations from baseline criteria and, depending on the situation, carrying out more detailed risk analysis, with both methods conducted in a proper manner. First, we ensure that security is implemented in line with criteria that serve as a baseline, and when more advanced management is necessary, we conduct a detailed risk analysis.

Risk Management for Information Security Incidents

Information security incidents are subject to mandatory reporting. The contents of these reports are analyzed, and the results are put through a PDCA cycle for risk management assessment. Incident information is centrally managed for the entire NEC Group, and changes in the number of incidents, trends by organization and type of incident, and other data are analyzed. From there, NEC reflects this analysis in Groupwide measures while also measuring the impact of these incidents.

Critical Information Management

The NEC Group manages critical information based on the concept of the Three Lines Model, using its scheme for clarifying the roles of the three lines in managing critical information.

The NEC Group has a framework to classify and manage the corporate secrets it handles based on the secrecy level. Each organization checks details of all the information it handles, and clearly identifies its secrecy level to ensure that all necessary information is properly managed. We also have rules for handling, storing and managing critical information according to importance, as well as thorough measures to prevent information leaks.

Information Security Rules

NEC has laid out the NEC Group Management Policy as a set of comprehensive policies for the entire Group. We have released the NEC Group Information Security Statement and established and streamlined a variety of rules, including overall information security rules, trade secret control rules, and IT security rules.

Information Security Education and Awareness Training

NEC provides a web-based training course on information security and personal information protection (including protection of people’s personal identification numbers, namely, “My Numbers” in Japan) for all NEC Group employees to increase knowledge and skills in the information security field. The content of the training is updated every year to reflect the trends of information security including emerging threats and how to respond to them, security measures required in remote work, and appropriate ways of handling information.

Enhancing Information Security Management at Partner Companies

The NEC Group conducts its business activities in collaboration with business partners. In these collaborations, we believe it is important to ensure that the technology capabilities and information security level of the business partners meet our required standards. To this end, NEC categorizes its business partners by information security level based on the implementation status of their information security measures. When selecting business partners for a project, we check their information security level before outsourcing tasks, thereby reducing the risk of information security incidents occurring at business partners.

The NEC Group requires business partners to implement information security measures classified into seven categories: 1) contract management, 2) subcontracting management, 3) staff management, 4) information management, 5) technology deployment, 6) security implementation, and 7) assessments. In subcontracting management, the basic agreement stipulates that business partners may not subcontract work to other companies unless they obtain written permission in advance from the organization that outsourced the work to them. In addition, we have clarified the framework for each project by obligating business partners to submit subcontractor confirmation documents. If subcontracting is necessary, we insist on the same level of security for subcontractors that we require for business partners.

Using these measures, we reduce risks of information security incidents occurring at business partners. In addition, we conduct document security survey checks and on-site inspections for business partners. We also check whether the information security standards we require are met, and provide guidance for improvement.

Every year we review inspection items in light of any incident trends or in consideration of the business partner, issue a report of the inspection results and provide the business partner with feedback, and follow up on any issues that require improvement.

Information Security Certification

NEC has aligned its overall information security rules with the international standard ISO/IEC 27001 (main sections [Requirements] and Annex A [Information security controls]) and manages information security in accordance with these rules. We have also acquired ISMS certification (ISO 27001) for almost 100% of our business divisions, including medical, financial, cloud and government and public businesses, for which information security is critical.

Measures against Cyber Attacks

As cyber attacks grow increasingly complex and sophisticated, the NEC Group focuses on the protection of information assets entrusted by customers and business partners as well as its own. To this end, we have implemented total cyber security management by conducting uniform and advanced measures worldwide based on cyber security analysis, and established an incident response framework with CSIRT.

In particular, given that NEC creates and provides social solutions for countries worldwide, a single information security incident caused by a cyber attack or any other factor could diminish the social trust of the entire NEC Group and materially affect its business management. For this reason, we view a comprehensive and global approach to cyber security risks as essential for our business continuity.

We are strengthening our global measures against increasingly sophisticated cyber attacks based on a multilayered defense approach, with particular emphasis on the following.

Cyber Risk Assessments by “Red Team”

  • The NEC Group utilizes “Red Team” to conduct regular cyber risk assessments with the aim of improving cyber resilience and accountability.
  • Red Team conducts a global assessment consisting of three investigations: 1) the management status of critical information, 2) risks including public server vulnerabilities and data leakage, and 3) internal and external security breaches from an attacker’s point of view. From this global assessment we identify security risks we overlooked in our security measures and operations, and take actions for implementing improvements.
  • We employ audit organizations and security specialists to conduct third-party attack diagnoses.

Generating and Utilizing Threat Intelligence

  • Our team of cyber threat intelligence (CTI) specialists possesses an understanding of the threats facing NEC, detects their early signs as well as their precursors, and implements advanced proactive defense measures.
  • The CTI team leverages the endpoint detection and response (EDR) tools deployed at all NEC Group companies, the network detection and response (NDR) that CSIRT independently developed, and a log analysis platform to hunt for unknown threats. The team has also created a research environment to enhance its ability to generate unique CTI proactively and analyze threats in detail.

Enhancing Organizational Security Resilience

  • We conduct training that addresses targeted email attacks to ensure that employees are prepared for ransomware and other global threats.
  • We have developed a manual that provides the basis for comprehensive training exercises to ensure a rapid response if a ransomware attack occurs. Relevant departments and specialists hold training exercises at least every six months in preparation for a security incident.

Cyber Security Dashboard Drives Culture Change

  • Released and made available to all employees, our cybersecurity dashboard visualizes the status of cyber attacks on the NEC Group, threat intelligence information, and the security risk status of each company and division.
  • The dashboard is designed to improve security awareness by having all employees understand the risks.
  • Members of senior management use the dashboard at meetings to help accelerate management decisions and manage security personnel more effectively.