Displaying present location in the site.

Information Security and Cyber Security

Governance

Information Security and Cybersecurity Framework

The NEC Group’s information security implementation framework comprises the Information Security Strategy Committee, its subordinate organizations, and related organizations.

Chaired by the Chief Information Security Officer (CISO) of NEC Corporation, the Information Security Strategy Committee discusses, evaluates, and improves information security measures, investigates the causes of incidents, sets the direction of recurrence prevention measures, and discusses how to apply the results of its activities in the information security business. The committee also regularly briefs the President of NEC Corporation on the status of measures adopted by the committee to obtain approval. In addition, we conduct annual penetration tests via a third-party organization to assess vulnerability risks. We also conduct audits of all external servers four times a year.
These actions ensure that vulnerabilities are dealt with in a timely manner.

The CISO oversees the Corporate CISO Office, which promotes information security measures, and the Computer Security Incident Response Team (CSIRT), which monitors for cyberattacks and resolves incidents quickly whenever they occur. The Information Security Promotion Committee and Working Groups plan and promote security implementation, discuss and coordinate implementation measures, ensure that all instructions are followed, and manage the progress of measures, among other things.

General managers at NEC Corporation have responsibility as information security managers for ensuring information security for the relevant organizations, including the Group companies under their supervision. They work to ensure that rules are understood within their organizations, introduce and deploy measures, while continuously checking and reviewing the implementation progress to improve the situation.

In FY2024, CSIRT’s Cyber Threat Intelligence (CTI) team gathered and analyzed over 4,000 items of data (IP addresses, file hashes, web addresses and domain names) related to cyber threats within NEC Group to generate threat intelligence. Furthermore, by using CTI to hunt threats, the CTI team is proactively reducing risks.

We have introduced cyber risk assessments (CRA) carried out by the “Red Team,”1 and are enhancing our capabilities as an organization by building greater organizational resilience to cyberattacks and expanding reporting requirements for security management practices. We have designed attack scenarios based on threats to the NEC Group, ICT usage conditions, incident status and levels of information handled, for which the Red Team conducts surveillance and controlled attacks to assess resilience and risks.

  • 1.
    A team that conducts simulated cyberattacks mimicking real-world threats against companies and organizations, assesses the organization’s resilience to attacks and risk levels, and recommends improvements and additional countermeasures.

The NEC Group’s Information Security Implementation Framework

  • *1
    Computer Security Incident Response Team
  • *2
    Product Security Incident Response Team

Strategy

Information Security and Cybersecurity Policy

NEC recognizes that it has a duty to protect the information assets entrusted to it by its customers and business partners as well as its own information assets in order to provide better products and services and contribute to the development of a better society. Based on this concept, NEC has positioned security (information security and cybersecurity) as one of its priority management themes from an ESG perspective—its materiality—and has established the NEC Group Information Security Statement as the basis for driving efforts.

NEC evaluates risks from various perspectives including the need for countermeasures as well as possible impacts both on corporate management and on society, and selects Priority Risks that it has evaluated as having major impacts and that need to be addressed. With these risks in mind, we are deploying measures to counter cyberattacks that are becoming increasingly sophisticated, while complying with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and Cybersecurity Management Guidelines Ver. 3.0 by Japan’s Ministry of Economy, Trade and Industry.

Based on its information security implementation framework as well as its Purpose, which shows why as a company it conducts business, the NEC Group is working to realize a secure information society and provide value to its customers.

Information Security Implementation Framework

The picture of Information Security Implementation Framework

To protect information assets, NEC is taking the following approaches:

  • Implementing cyberattack measures
  • Providing secure products, systems, and services
  • Promoting information security in collaboration with business partners

At the same time, we have positioned information security management, information security infrastructure, and information security personnel as the three pillars of the NEC Group’s information security governance framework, thereby maintaining and improving our information security with a comprehensive and multilayered approach.

Providing Secure Products, Systems, and Services

NEC has structured a security implementation promotion framework for secure development and operation of the products, systems and services it provides to customers. This framework involves the Cybersecurity Strategy Department and information security managers in each business department at NEC. The framework and security implementation processes are stipulated in the Cybersecurity Management Rules. NEC Group companies are also promoting the establishment of a security implementation framework and the formulation of cybersecurity management rules similar to those of NEC.

In addition, NEC implements security from the planning and proposal phase to the operation and maintenance phase based on the concept of “security by design” (SBD) to ensure security. To efficiently inspect and monitor the status of security measures, we use checklists in each phase of development to confirm the implementation of security tasks in conjunction with the “security implementation assessment system,” which centrally manages and visualizes the implementation status of security tasks. In the operation and maintenance phase, we ensure security by collecting and distributing information on vulnerability in a centralized manner and by providing it to business divisions and customers.

Furthermore, we have established the Product Security Incident Response Team (PSIRT) to collect and handle information on vulnerability related to NEC Group products. We appropriately handle such undisclosed information by having a point of contact for external inquiries and publishing a vulnerability disclosure policy.

We have also established a cloud-based software development platform as our standard internal environment for system development. This platform utilizes security vulnerability testing tools and other tools that streamline and automate security implementation to improve the productivity, quality, and security of system development. It also consolidates the development environments of our supply chain, including subcontractors, enabling centralized management of security for those development environments.

Risk Management (Including Opportunity Generation)

Information Security Management

To facilitate the establishment of a variety of groupwide measures, we have introduced an information security management system and security policy, both of which we continuously work to maintain and improve.

Information Security Risk Assessments

The NEC Group conducts risk assessments and implements countermeasures by analyzing deviations from baseline criteria and carrying out detailed risk analysis, with both methods conducted separately. First, we ensure that security is implemented in line with criteria that serve as a baseline, and when more advanced management is necessary, we conduct a detailed risk analysis and implement finely tuned countermeasures.

Risk Management for Information Security Incidents

Information security incidents are subject to mandatory reporting. The contents of these reports are analyzed, and the results are put through a PDCA cycle for risk management assessment. Incident information is centrally managed for the entire NEC Group, and changes in the number of incidents, trends by organization and type of incident, and other data are analyzed. NEC then reflects this analysis in groupwide measures while also measuring the effectiveness of these measures.

Critical Information Management

Based on the Three Lines of Defense Model, the NEC Group establishes a scheme to manage critical information by clarifying the roles of the three lines.

The NEC Group has a framework to classify and manage the corporate secrets it handles based on the security level. Each organization checks details of all the information it handles, and clearly identifies its security level to ensure that all necessary information is properly managed. We also have rules for handling, storing and managing critical information according to importance, as well as thorough measures to prevent information leaks.

Establishment of Information Security Rules

NEC has released the NEC Group Information Security Statement and established and streamlined a variety of rules, including overall information security rules, rules for managing corporate secrets, and IT security rules.

Information Security Education and Awareness Training

NEC provides a web-based training course on information security for all NEC Group employees (including contractors) to increase knowledge and skills in the information security field. The content of the training is updated every year to reflect information security trends, including information management, external security measures, and subcontractor management.

Enhancing Information Security Management at Partner Companies

The NEC Group conducts its business activities in collaboration with business partners. In these collaborations, the Group believe it is important to ensure that the technology capabilities and information security level of its business partners meet its required standards. To this end, the Group categorizes its business partners by information security level based on the implementation status of their information security measures. In selecting business partners for a project appropriately, the Group checks the information security level and chooses partners with the appropriate security level according to the level required for the task.

The NEC Group requires business partners to implement information security measures classified into seven categories: 1) contract management, 2) subcontracting management, 3) staff management, 4) information management, 5) technical deployment, 6) security implementation, and 7) the execution of assessments.
Specifically, in subcontracting management, the basic agreement stipulates that business partners may not subcontract work to other companies unless they obtain written permission in advance from the organization that outsourced the work to them. In addition, the Group has clarified the framework for each project by obligating business partners to submit subcontractor confirmation documents. If subcontracting is unavoidable, the Group requires the same level of security for subcontractors that it requires for business partners.

Using these measures, the NEC Group reduce risks of information security incidents occurring at business partners.
In addition, by conducting document security survey checks and on-site inspections for business partners, the Group verifies whether the information security standards it requires have been met, and provide guidance for improvement.

Furthermore, every year the Group reviews inspection items in light of any incident trends, providing feedback to the business partner in the form of an inspection report, and following up on any issues that require improvement.

In order to strengthen cybersecurity measures, in April 2022 we revised our previous information security standards to be based on NIST SP800-171, which requires the establishment of incident response capabilities including preparation, detection, analysis, containment, recovery, and user response in the event of an incident. Every year, we implement a system security plan (SSP) to check progress toward our information security standards, and hold workshops on cybersecurity measures for issues that present difficulties for our business partners.

In addition, we disclose the results of third-party evaluations to priority business partners and implement risk reduction activities with the goals of reducing the risk of cyberattacks and improving security levels. These initiatives help business partners to mitigate risk.

Information Security Certification

The NEC Group has aligned its overall information security rules with the international standard ISO/IEC 27001 (main standard and control measures ) and manages information security in accordance with these rules. It has also acquired ISMS certification (ISO 27001) for almost all of its medical, financial, cloud and government and public business units, for which information security is critical.

Measures against Cyberattacks

As cyberattacks grow increasingly complex and sophisticated, the NEC Group focuses on the protection of information assets entrusted by customers and business partners as well as its own. To this end, the Group has implemented comprehensive cybersecurity management by conducting uniform and advanced measures worldwide based on cybersecurity analysis, and established an incident response framework with CSIRT.

In particular, given that the NEC Group creates and provides social solutions for countries worldwide, an information security incident caused by a cyberattack or any other factor could diminish the social credibility of the entire NEC Group and significantly impact its business management. For this reason, the Group considers a comprehensive and global approach to cybersecurity risks to be essential for business continuity.

The NEC Group is strengthening its global measures against increasingly sophisticated cyberattacks based on a multilayered defense approach while using generative AI and other technologies, with particular emphasis on the following.

Cyber risk assessments by the “Red Team”

  • Regular cyber risk assessments are conducted with the aim of improving the NEC Group’s cyber resilience and accountability.
  • A global assessment consisting of three investigations on 1) the management status of critical information, 2) risks that include public server vulnerabilities and data leakage, and 3) internal and external security breaches from an attacker’s point of view, are conducted to identify security risks that have been overlooked in security measures and operations, and actions are taken to implement improvements.
  • Audit organizations and security specialists are employed to conduct third-party attack diagnoses.

Generating and Utilizing Threat Intelligence

  • The NEC Group’s cyber threat intelligence (CTI) team consists of specialists who possess an understanding of the threats facing NEC, detects their early signs as well as their precursors, and implements advanced proactive defense measures.
  • The CTI team leverages the endpoint detection and response (EDR) tools deployed at all NEC Group companies, the network detection and response (NDR) that CSIRT independently developed, and a log analysis platform to hunt for unknown threats.
  • The team has also created a research environment to enhance its ability to generate unique CTI proactively, analyze threats in detail and enhance organizational security resilience.

Enhancing Organizational Security Resilience

  • We have developed a manual to ensure a rapid response if a ransomware attack occurs.
  • Management, relevant departments and specialists hold training exercises at least every six months in preparation for a security incident.

Advanced Cybersecurity Measures Using AI

  • Aiming to achieve automation, efficiency, and sophistication, we promote the use of AI, including generative AI, in a wide range of fields, including cyber risk assessment diagnostics, threat intelligence generation and utilization, NDR detection, incident investigation, and targeted attack email training.
  • Management, relevant departments and specialists hold training exercises at least every six months in preparation for a security incident.

Cybersecurity Dashboard Drives Culture Change

  • Released and made available to all employees, our cybersecurity dashboard visualizes the status of cyberattacks on the NEC Group, threat intelligence information, and the security risk status of each company and division.
  • The cybersecurity dashboard is designed to improve security awareness by having all employees understand the risks.
  • The cybersecurity dashboard is used at meetings attended by members of senior management and by all subsidiaries outside Japan to help accelerate management decisions and help security personnel manage more effectively.

Indicators and Goals

Medium- to Long-term Goals, Priority Activities and Progress, Achievements, and Issues

Medium- to Long-term Goals and Priority Activities

(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026

M: Major non-financial indicators related to materiality

  1. Strengthen measures against cyberattacks
  2. Establish rules and governance for security proposal implementation
    • M: Human resource development: Triple the number of Certified Information Systems Security Professionals (CISSP)
    • Strengthen supply chain security management
    • Establish a safe system integration process
  3. Eliminate security-related incidents caused by partner companies by inspecting their standards and enhancing cybersecurity measures

FY2024 Goals, Progress, Achievements and Issues, and FY2025 Goals

FY2024 Goals

  1. Driving information security transformation
    Countering nation-state-level threats
    • Improve NIST CSF-based evaluation and third-party evaluation results
    • Realize zero trust security to support digital transformation (DX)
      - Roll out passwordless authentication
      - Promote utilization of data generated by the endpoint (terminal) management platform
    • Evolve awareness and control
      - Strengthen communication
      Implement regular exchanges of opinions among Group companies
      Encourage frequent discussions in the workplace using original video content
      - Enhance self-governance for critical information within on-site groups
  2. Establishing, practicing and enhancing governance for security proposal implementation
    • Formulate vulnerability management processes that enable rapid risk identification
    • Encourage employees to obtain advanced security professional certifications (e.g., CISSP)
    • Deploy security implementation measures for subsidiaries outside Japan
    • Promote the formulation of cybersecurity management rules at NEC Group companies
  3. 1. Strengthening cybersecurity measures
    • Strengthen compliance with information security standards
    • Revise information security standards for business partners and promote improvement activities using system security plans (SSP)
    • Reduce security risks in the supply chain by introducing BitSight at NEC Software Partners (NSP) events
    2. Strengthening information security for partners outside Japan
    • Roll out new standards for key partners in China, India and Vietnam

Progress, Achievements and Issues

  1. Driving information security transformation
    • Countering nation-state-level threats
      - Achieved targets in all areas in evaluation based on NIST CSF 1.1. and higher scores than in previous fiscal year in third-party evaluation results (BitSight)
    • Realized zero trust security to support digital transformation (DX)
      - Implemented risk-based authentication for all employees, requiring verification when usage patterns differ from usual and began full-scale operation of passwordless authentication for normal use
      - Successfully visualized vulnerability management status in conjunction with an endpoint (terminal) management platform and business intelligence (BI) tools
    • Evolve awareness and control
      - In fiscal 2024, information security managers (management) from 10 NEC Group companies exchanged opinions focused on information security and economic security
      - Decided to hold micro-theme talks on a quarterly basis as an opportunity for discussion within the workplace (130% increase compared with the previous fiscal year)
    • Installed a feature that provides an information labeling recommendation based on the results of an automatic search of file content for text that may violate trade secret control regulations
      - Monitored the status of critical information management and provided a summary report to the site manager to visualize that status. Provided opportunities to improve the site management process.
  2. Establishing, practicing and enhancing governance for security proposal implementation
    • Reducing the lead time from vulnerability information disclosure to acquisition and dissemination to as little as two hours by revamping the vulnerability management system
    • Number of CISSPs to exceed 450, about triple the number in FY2021
    • Deploying security rules at major Group companies outside Japan
    • Assigning security personnel to major group companies in Japan and beginning to formulate cybersecurity management rules for each company.
  3. 1. Strengthening cybersecurity measures
    • Revised information security standards for business partners in April 2022, held study sessions using SSPs, and promoted improvement activities
    • Introduced BitSight at NSP events, helping business partners to reduce risk by disclosing the results of third-party assessments
    2. Strengthening information security for partners outside Japan
    • Hold briefings to promote awareness of the new standards among key partners in China, India and Vietnam

FY2025 Goals

  1. Driving information security transformation
    • Countering nation-state-level threats
      - Comply with NIST CSF 2.0 and improve third-party evaluation results
      - Have AI Red Team automate attack diagnostics
      - Enhance threat intelligence performance
    • Realize zero trust security to support digital transformation (DX)
      - Reinforce global authentication platforms
      - Enhance internal fraud prevention measures
      - Automate vulnerability management and other information security operations
    • Evolve awareness and control
      - Implement information security surveys
      - Strengthen the risk assessments of Group companies
      - Visualize critical information management status
  2. Establishing, practicing and enhancing governance for security proposal implementation
    • Establish security implementation framework and processes at Group companies in and outside Japan
    • Ensure thorough vulnerability management and correction processes for NEC Group products and services
    • Develop and deploy human resources who can make security proposals and implement them based on appropriate knowledge and skills
  3. 1. Strengthening cybersecurity measures
    • Strengthen activities for compliance with information security standards based on NIST SP 800-171 (FY2025 is the final year for transitioning to the new standards)
    • Expand the use of BitSight. Inculcate improvement activities at NSP events. Add newly participating companies. Consider introducing alarm functions in areas other than development subcontracting.
    2. Strengthening information security for partners outside Japan
    • Base operational preparations in China, India, and Vietnam on new standards
    • Confirm progress by inspecting documents and sites