The SoftBank Group has formulated the following Information Security Policy according to which it shall address information security throughout the Group, and thereby earn the trust of society.
Information security initiatives
SoftBank recognizes its major responsibility as a communications service provider (for mobile communication services, broadband comprehensive services, fixed-line services and others) to strictly protect personal information received from customers, and abides by the communications privacy* provisions guaranteed by the Japanese Constitution.
With the goal of strengthening information security, SoftBank shares information and technology relating to information security initiatives across the company, works to create a structure for promoting information security activities, and conducts staff education and training through organizational, personnel, physical and technological measures.
A large number of certified security experts work on-site to advance security measures, including Certified Information Systems Security Professionals (CISSPs), Certified Information Security Managers (CISMs), Certified Information Systems Auditors (CISAs), Japan Government Information Security Professionals (JGISPs) and those with Global Information Assurance Certification.
As part of its efforts to ensure information security, SoftBank runs its Information Systems divisions and directly-owned SoftBank shops in a manner compliant with ISO27001, an international standard for information security management systems, and conducts external independent audits based on ISO27001 twice a year*. As retaining personal information at SoftBank shops is prohibited, high-security computers for customer registration have been introduced to prevent information leakage and ensure the information's security. Regular security inspections are also carried out at sales agents and shops, providing necessary instruction and education so that companies who provide outsourced operations can maintain the same security standards.
- *Please refer to the following link for the registration range.
Initiatives to protect personal information
SoftBank Corp. strives to pay due regard to human rights when handling personal information based on the laws concerning the protection of personal information. We are a member of an accredited personal information protection organization (Telecommunications Personal Information Protection Promotion Center) and comply with the personal information protection guidelines for telecommunications businesses to take the initiative in privacy protection.
The Chief Information Security Officer (CISO) selected by the Board of Directors is responsible for implementing the “Personal Information Protection Management Systems - Requirements” (JISQ15001) as the administrator for personal information protection. In the event that the administrator for personal information protection receives a request for personal information from an administrative body, the administrator shall verify the validity of that request. When providing personal information to third parties, the consent of the individual shall be obtained by law.
To prevent a human rights violation relating to personal information from occurring, restrictions are applied to the retrieval, use, and provision of information involving human rights within the processes to comply with the Personal Information Protection Management Systems, and regular risk assessments are conducted to ensure their appropriate operation. In the event a risk is verified, the appropriate risk response is carried out, and the risk is minimized through monitoring and continuous improvement. In the event that a human rights violation relating to personal information occurs, it shall be promptly investigated, and the necessary corrective measures shall be implemented. In the event that a human rights violation relating to personal information occurs as a result of providing personal information to a third party, points of contact shall be established, and other necessary responses will be implemented to provide relief measures to the affected individuals.
During fiscal 2019, there were no leaks of personal information or complaints, etc. about information handling in violation of the law. In the event that a personal information leak or other legal violation should occur, the incident will be announced on the company's website.
Our four types of information security measures
In line with SoftBank Group Guidelines for Information Security Measures, we have appointed a Chief Information Security Officer and instituted an Information Security Policy applicable to all staff throughout the organization.
The Chief Information Security Officer chairs the Information security committee, which enables us to share useful knowledge on information security and review measures that are adapted to technological innovation and changes in the environment.
As a provider of various communications services, we are undertaking information security initiatives with the protection of customers' personal information as a top priority. We have also established and made public our guidelines and legal disclosure process related to personal information in Privacy.
Furthermore, to ensure the appropriate handling of information and provide for its security in our daily work, particularly with regard to the secrecy of communications and protection of personal information, officers and staff are continuously working to improve knowledge and foster an ethical mindset concerning information security through regular training sessions, e-learning and ongoing educational activities. Data related to information security is available on our Intranet, which staff can access at any time.
In the actual operating environment, security has been divided into five levels, and access to respective locations is managed accordingly for each level. Anything Level 3 or above is categorized as a “high security area”, and personal information is handled only in these areas.
We have established rules specific to the high security areas to ensure thorough security management. For example, a customer support center designated as a high security area has rigorous security, with security guards, access card identification, and the use of transparent bags for personal belongings in order to prevent the carrying of prohibited items.
We monitor internal network use, individual server access, and the status of office computers in the Security Operation Center (SOC), designated as a high security area, with the aim of maintaining and managing security levels. Physical location of and network access for individuals and groups have been completely separated according to each security level.
With regard to office computers, we are tightening security by controlling access to unrelated websites and promoting thin-clients. This is done with the aim of keeping classified documents within the company at all times, and to limit access to websites unrelated to office work.
Information security committee
SoftBank appoints a Chief Information Security Officer (CISO) who chairs and periodically convenes the Information security committee (ISC). The ISC is composed of each division's persons in charge of information security, and seeks to promote and manage information security activities company-wide. In addition, in order to implement effective security measures, we have formed an Information security committee Office (ISC Office) for the rapid implementation and alignment of company-wide information security measures and plans.
SoftBank has appointed Chief Privacy Officers to determine policy related to the handling of personal information and to work to protect the personal information of customers and staff.
As an interdisciplinary organization, the Information security committee is working toward company-wide promotion and management of information security activities:
- Sharing of information beneficial to information-security activities
- Company-wide sharing of measures and plans related to information-security activities
- Understanding and improvement of information-security status company-wide
- Promotion and development of information-security education
- Coordination of information-security measures between divisions