The NEC Group’s information security implementation framework comprises the Information Security Strategy Committee, its subordinate organizations, and related organizations.
Chaired by the Chief Information Security Officer (CISO) of NEC Corporation, the Information Security Strategy Committee discusses, evaluates, and improves information security measures, investigates the causes of incidents, sets the direction of recurrence prevention measures, and discusses how to apply the results of its activities in the information security business. The committee also regularly briefs the President of NEC Corporation on the status of measures adopted by the committee to obtain approval. In addition, we conduct annual penetration tests via a third-party organization to assess vulnerability risks. We also conduct audits of all external servers four times a year.
These actions ensure that vulnerabilities are dealt with in a timely manner.
The CISO oversees the Corporate CISO Office, which promotes information security measures, and the Computer Security Incident Response Team (CSIRT), which monitors for cyberattacks and resolves incidents quickly whenever they occur. The Information Security Promotion Committee and Working Groups plan and promote security implementation, discuss and coordinate implementation measures, ensure that all instructions are followed, and manage the progress of measures, among other things.
General managers at NEC Corporation have responsibility as information security managers for ensuring information security for the relevant organizations, including the Group companies under their supervision. They work to ensure that rules are understood within their organizations, introduce and deploy measures, while continuously checking and reviewing the implementation progress to improve the situation.
In FY2024, CSIRT’s Cyber Threat Intelligence (CTI) team gathered and analyzed over 4,000 items of data (IP addresses, file hashes, web addresses and domain names) related to cyber threats within the NEC Group to generate threat intelligence. Furthermore, by using CTI to hunt threats, the CTI team is proactively reducing risks.
We have introduced cyber risk assessments (CRA) carried out by the “Red Team,”1 and are enhancing our capabilities as an organization by building greater organizational resilience to cyberattacks and expanding reporting requirements for security management practices. We have designed attack scenarios based on threats to the NEC Group, ICT usage conditions, incident status and levels of information handled, for which the Red Team conducts surveillance and controlled attacks to assess resilience and risks.
The NEC Group’s Information Security Implementation Framework
NEC recognizes that it has a duty to protect the information assets entrusted to it by its customers and business partners as well as its own information assets in order to provide better products and services and contribute to the development of a better society. Based on this concept, NEC has positioned security (information security and cybersecurity) as one of its priority management themes from an ESG perspective—its materiality—and has established the NEC Group Information Security Statement as the basis for driving efforts.
NEC evaluates risks from various perspectives including the need for countermeasures as well as possible impacts both on corporate management and on society, and selects Priority Risks that it has evaluated as having major impacts and that need to be addressed. With these risks in mind, we are deploying measures to counter cyberattacks that are becoming increasingly sophisticated, while complying with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and Cybersecurity Management Guidelines Ver. 3.0 by Japan’s Ministry of Economy, Trade and Industry.
Based on its information security implementation framework as well as its Purpose, which shows why as a company it conducts business, the NEC Group is working to realize a secure information society and provide value to its customers.
Information Security Implementation Framework
To protect information assets, NEC is taking the following approaches:
At the same time, we have positioned information security management, information security infrastructure, and information security personnel as the three pillars of the NEC Group’s information security governance framework, thereby maintaining and improving our information security with a comprehensive and multilayered approach.
NEC has structured a security implementation promotion framework for secure development and operation of the products, systems and services it provides to customers. This framework involves the Cybersecurity Strategy Department and information security managers in each business department at NEC. The framework and security implementation processes are stipulated in the Cybersecurity Management Rules. NEC Group companies are also promoting the establishment of a security implementation framework and the formulation of cybersecurity management rules similar to those of NEC.
In addition, NEC implements security from the planning and proposal phase to the operation and maintenance phase based on the concept of “security by design” (SBD). To efficiently inspect and monitor the status of security measures, we use checklists in each phase of development to confirm the implementation of security tasks in conjunction with the “security implementation assessment system,” which centrally manages and visualizes the implementation status of security tasks. In the operation and maintenance phase, we ensure security by collecting and distributing vulnerability information in a centralized manner and by providing it to business divisions and customers.
Furthermore, we have established the Product Security Incident Response Team (PSIRT) to collect and handle vulnerability information related to NEC Group products. We handle such undisclosed information appropriately by maintaining a point of contact for external inquiries and publishing a vulnerability disclosure policy.
We have also established a cloud-based software development platform as our standard internal environment for system development. This platform utilizes security vulnerability testing tools and other tools that streamline and automate security implementation to improve the productivity, quality, and security of system development. It also consolidates the development environments of our supply chain, including subcontractors, enabling centralized management of security for those development environments.
To facilitate the establishment of a variety of groupwide measures, we have introduced an information security management system and security policy, both of which we continuously work to maintain and improve.
The NEC Group conducts risk assessments and implements countermeasures using two separate methods: analysis of deviations from baseline criteria, and detailed risk analysis. First, we ensure that security is implemented in line with criteria that serve as a baseline; when more advanced management is necessary, we conduct a detailed risk analysis and implement finely tuned countermeasures.
Information security incidents are subject to mandatory reporting. The contents of these reports are analyzed, and the results are put through a PDCA cycle for risk management assessment. Incident information is centrally managed for the entire NEC Group, and changes in the number of incidents, trends by organization and type of incident, and other data are analyzed. NEC then reflects this analysis in groupwide measures while also measuring the effectiveness of these measures.
Based on the Three Lines of Defense Model, the NEC Group establishes a scheme to manage critical information by clarifying the roles of the three lines.
The NEC Group has a framework to classify and manage the corporate secrets it handles based on the security level. Each organization checks details of all the information it handles, and clearly identifies its security level to ensure that all necessary information is properly managed. We also have rules for handling, storing and managing critical information according to importance, as well as thorough measures to prevent information leaks.
NEC has released the NEC Group Information Security Statement and established and streamlined a variety of rules, including overall information security rules, rules for managing corporate secrets, and IT security rules.
NEC provides a web-based training course on information security for all NEC Group employees (including contractors) to increase knowledge and skills in the information security field. The content of the training is updated every year to reflect information security trends, including information management, external security measures, and subcontractor management.
The NEC Group conducts its business activities in collaboration with business partners. In these collaborations, the Group believes it is important to ensure that the technology capabilities and information security level of its business partners meet its required standards. To this end, the Group categorizes its business partners by information security level based on the implementation status of their information security measures. To select business partners for a project appropriately, the Group checks their information security level and chooses partners whose security level matches the level required for the task.
The NEC Group requires business partners to implement information security measures classified into seven categories: 1) contract management, 2) subcontracting management, 3) staff management, 4) information management, 5) technical deployment, 6) security implementation, and 7) the execution of assessments.
Specifically, in subcontracting management, the basic agreement stipulates that business partners may not subcontract work to other companies unless they obtain written permission in advance from the organization that outsourced the work to them. In addition, the Group has clarified the framework for each project by obligating business partners to submit subcontractor confirmation documents. If subcontracting is unavoidable, the Group requires the same level of security for subcontractors that it requires for business partners.
Using these measures, the NEC Group reduces the risk of information security incidents occurring at business partners.
In addition, by conducting document-based security surveys and on-site inspections of business partners, the Group verifies whether the information security standards it requires have been met, and provides guidance for improvement.
Furthermore, every year the Group reviews inspection items in light of any incident trends, providing feedback to the business partner in the form of an inspection report, and following up on any issues that require improvement.
In order to strengthen cybersecurity measures, in April 2022 we revised our previous information security standards to be based on NIST SP800-171, which requires the establishment of incident response capabilities including preparation, detection, analysis, containment, recovery, and user response in the event of an incident. Every year, we implement a system security plan (SSP) to check progress toward our information security standards, and hold workshops on cybersecurity measures for issues that present difficulties for our business partners.
In addition, we disclose the results of third-party evaluations to priority business partners and implement risk reduction activities with the goals of reducing the risk of cyberattacks and improving security levels. These initiatives help business partners to mitigate risk.
The NEC Group has aligned its overall information security rules with the international standard ISO/IEC 27001 (main standard and control measures) and manages information security in accordance with these rules. It has also acquired ISMS certification (ISO 27001) for almost all of its medical, financial, cloud, and government and public business units, for which information security is critical.
As cyberattacks grow increasingly complex and sophisticated, the NEC Group focuses on the protection of information assets entrusted by customers and business partners as well as its own. To this end, the Group has implemented comprehensive cybersecurity management by conducting uniform and advanced measures worldwide based on cybersecurity analysis, and established an incident response framework with CSIRT.
In particular, given that the NEC Group creates and provides social solutions for countries worldwide, an information security incident caused by a cyberattack or any other factor could diminish the social credibility of the entire NEC Group and significantly impact its business management. For this reason, the Group considers a comprehensive and global approach to cybersecurity risks to be essential for business continuity.
The NEC Group is strengthening its global measures against increasingly sophisticated cyberattacks based on a multilayered defense approach while using generative AI and other technologies, with particular emphasis on the following.
(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026