Ensure information security
Ensure Information Security and Protect Data Privacy
NTT DATA recognizes the importance of achieving an appropriate balance between ensuring the safety of
information
and the active utilization and sharing of information. We implement a wide range of measures that cover both the
human and
technological aspects of information security. Administrative measures include formulating rules and providing
education and
training in information security, while technological measures involve solutions that prevent information leaks and
the adoption
of thin client computing.
To share knowledge and expertise across the entire Group, we work with domestic Group companies to host information
security forums, and with overseas regional head offices to host the Global CISO Conference and other events.
Through this
distribution of knowledge within the Group, we are working to establish unified information security governance.
Basic Policy
NTT DATA has established rules and regulations including the NTT DATA Security Policy (GSP). The GSP
includes a code of conduct to protect information assets from serious security breaches, such as information leakage
and
unauthorized access, and a code of conduct for the active utilization and sharing of information. To protect
personal information,
the GSP includes policies and guidelines for each Group company and requires personal information to be handled
appropriately
according to such policies and guidelines, so that personal information is protected effectively throughout the
Group. These
codes of conduct, which also apply to business partners to whom we outsource operations, help us ensure that our
information
assets are handled appropriately.
For domestic Group companies, we established the NTT DATA Group Japan Regional Personal Information Protection
Regulations (JPP) and the NTT DATA Group Japan Regional Personal Information Management Guidelines (JPG) to comply
with the revised Act on the Protection of Personal Information. In these ways, we have established items to be
observed and the
procedures to be implemented to handle personal information appropriately.
Promotion System
Global Governance
Since fiscal 2006, NTT DATA has been working diligently to secure information security based on the NTT DATA Security Policy (GSP), which also applies to the Group's overseas operations. Since fiscal 2012, we have been building a global framework for promoting information security, centered on the five regional head offices in North America (NDAP), the EMEAL region (EMEAL), the APAC region (APCA), China, and Business Solutions. We manage information security according to unified baselines, as well as in a flexible manner that meets the specific needs of each region.
Global Security through Collaboration
To ensure meticulous information security governance on a global scale, we manage information security through information security steering organizations at three levels: Head Office, regional head offices, and individual Group companies.
The information security steering organizations at each level cooperate closely to maintain and develop information security policies, monitor the progress of measures under way, and take preventive measures against incidents. They also serve as task forces in times of emergency.
Security Incident Prevention, Detection, and Responses
NTT DATA operates NTTDATA-CERT as an organizational CSIRT to prevent the occurrence of information security incidents1 through its day-to-day activities. NTTDATA-CERT works to detect incidents early and provide quick and appropriate emergency responses.
- 1Actualization of security threats related to information management and system operation, such as computer malware infection, unauthorized access,and information leakage
Activities to Prepare for New Security Risks
We gather, analyze, and communicate a wide range of security-related information including the newest attack methods and incident occurrences, while engaging in communication monitoring, emergency responses, research and development, and collaboration with external organizations.
Wide-Ranging Internal and External Collaborations
In addition to internal activities, NTT DATA is a member of FIRST2, a global CSIRT community. We also collaborate broadly with external security organizations, including the JPCERT Coordination Center (JPCERT/CC) and CSIRT teams from all member companies of the Nippon CSIRT Association (NCA). With these efforts, we quickly share security-related information and enable early detection and responses to security concerns.
- 2Abbreviation of Forum of Incident Response and Security Teams: A global community of 635 CSIRT teams (as of July 29, 2022) from government agencies, educational institutions, corporations, and the like.
CSIRT Management Utilizing OSINT
We adopt an open-source intelligence (OSINT) approach when operating NTTDATA-CERT, which involves actively utilizing information obtained lawfully through such sources as official government announcements, mass media reports, academic articles, and technical materials. Information collected daily is analyzed by NTTDATA-CERT's experts, who then predict future security trends and report their findings to NTT DATA companies through news briefings and quarterly reports. The information is also used for strengthening the monitoring of cyberattacks. In these ways, NTT DATA makes full use of the information for our security strategies and measures.
Conducting Incident Response Workshops
We hold workshops for domestic Group companies so that, in the event of an information security incident, we can respond systematically and promptly to minimize the impact and ensure that the incident is terminated. Referring to NTT DATA Information Security Incident Response Standard for Japan, workshop participants learn how to respond appropriately to cyberattacks by learning the actions they should take from an incident's occurrence to its termination. They also learn from exercises using past incidents that occurred within NTT DATA.
Stepping Up Security Governance Efforts
We are stepping up our security governance efforts to better understand and methodically respond to the security risks that NTT DATA faces globally.
In fiscal 2021, we engaged in improving global governance maturity, worked to strengthen and ensure the stable operation of our global security infrastructure, and reliably escalated our responses to serious incidents.
Improving Global Governance Maturity
NTT DATA has established a protocol process for aggregating the security risks faced by each regional head office and determining security measures that should be prioritized by all global Group companies. In addition, we regularly hold a Global CISO Conference attended by all key persons, including the CISOs of each regional head office, to strengthen information sharing and collaboration between Group companies and the Head Office.
Global Security Infrastructure
To respond to diversifying working styles and to prepare for cyberattacks, which are increasingly sophisticated, we have built and now operate a security platform common to NTT DATA companies. Using this security platform to strengthen security when using e-mail and cloud services and to centrally manage Internet connection points helps us maintain a high level of security across the entire NTT DATA Group. Moreover, we can block connection points between NTT DATA's domestic and overseas bases, allowing us to prevent any damage from spreading to other areas in the event of an intrusion in the network. We also have an advanced log analysis solution that enables us to detect even advanced persistent threats (targeted attacks). In fiscal 2020, we also strengthened our e-mail security and cloud security (using zero trust security) as the second phase of our global security infrastructure development.
Early Escalation to Address Serious Incidents
To ensure early detection and report responses in the event of a serious incident, we systematically established incident response organizations at NTT DATA's domestic and overseas bases. This guarantees our ability to respond immediately to problems on site and deal with high-level incidents. In addition, we have rules within the Group that clearly define the various roles, responsibilities, and reporting standards. In the event of a serious incident, this system ensures prompt reporting from NTT DATA domestic and overseas companies to the Head Office via regional head offices. Moreover, in fiscal 2021, NTT DATA CUSTOMER SERVICE Corporation received no specific complaints regarding breaches of client privacy or loss of client data.
Specific Initiatives
Ensuring the Security of Commercial Systems
Recently, there have been multiple incidents of illegal access to information through breaches (vulnerabilities) of
information systems, resulting in personal and confidential information leaks, blackmail by ransomware, and other
harmful outcomes. In addition to known attacks against which countermeasures are available, more and more attacks
exploit vulnerabilities that even software developers and system development vendors are not aware of. To address
such unknown attacks, we must adopt security measures across our systems without leaving any vulnerabilities.
We share the latest trends in security technology and vulnerability information across the Group in a timely manner.
When building and operating our systems, we incorporate processes to maintain the necessary level of security and
establish mechanisms to enable the system to maintain that security level. We strive to continuously provide safe
and secure systems and services, including by subjecting our system to regular diagnostic testing by security
experts and appropriately responding to newly discovered vulnerabilities.
Comprehensive Security Management to Ensure Safe and Secure System Environments
NTT DATA harnesses the expertise it has gathered from its experience and track record to propose optimal solutions that reflect changes in its clients' business structure.
For example, we offer global security governance frameworks that also cover client sites across the world and superior security technologies required for systems that handle important information. We also provide zero trust security that realizes secure remote working environments to promote new work styles.
Moreover, information security incidents in recent years have highlighted the importance of preparing against contingencies on the assumption that protective security measures might be bypassed altogether by sophisticated targeted attacks or information leaks caused by internal misconduct. To contain and localize any damage, we must provide reliable detection of an attack and swift response and recovery. We help reinforce the security measures of our clients by offering security consulting to identify risks and providing solutions and services for neutralizing and protecting against risks. Furthermore, we provide enhanced support services for detection; response and recovery by constructing systems, including UEBA1, EDR2, sandboxes3, SIEM4, SOC5, and CSIRT6; and monitoring system management.
- 1Abbreviation of User and Entity Behavior Analytics: Solution for learning behaviors of people and objects at normal times by machine learning and issuing alerts when abnormal behaviors are detected.
- 2Abbreviation of Endpoint Detection and Response: Solution for monitoring endpoints, such as PCs and servers, and enabling integrated management of incident detection and subsequent response processes.
- 3Solution for detecting malware by running programs within a protected virtual environment.
- 4Abbreviation of Security Information and Event Management: Solution for detecting, analyzing, and visualizing traces or signs of unauthorized access that are difficult to find by security equipment alone.
- 5Abbreviation of Security Operation Center IDS/IPS: A center or an organization that comprehensively monitors and manages firewalls, DB firewalls, WAFs, and the like.
- 6Abbreviation of Computer Security Incident Response Team: An incident response team of computer security specialists. The team collects and analyzes information on security incidents, security-related technologies, and vulnerabilities, and conducts activities that include implementing effective countermeasures and training.
Information Security Training and Education
NTT DATA provides information security education for employees, business partners, and temporary workers. We have delivered this education and training via e-learning and classroom instruction to promote understanding of the Group's policy on the protection of personal information, the rules contained in NTT DATA Security Policy, and the need to be constantly aware of the importance of information security. In fiscal 2021, we continued implementing various measures to ensure that every employee rigorously takes basic actions to maintain information security.
Information Security Training at NTT Data in Fiscal 2021
| Target | Content and Format | Participation | |
|---|---|---|---|
| All employees | Information security and personal information protection training (e-learning) | Target | 12,384 eligible employees (completion 100%) |
| Achieved | 12,384 eligible employees (completion 100%) |
||
| Position based | Information security lectures (onsite learning) | Incorporated in position-based training conducted by the Human Resource Department | |
| Internal security training for qualified personnel (e-learning) | Learning materials were provided online to applicable personnel. | ||
| Business partners and temporary staff | Personal information protection introduction training and information security education (e-learning) | Target | Parties registered on our company system 30,126 people (completion 100%) |
| Achieved | Parties registered on our company system 30,126 people (completion 100%) | ||
| Information Security Training Handbook | Booklets available to new business partners and temporary staff via download | ||
Information Security Training at Key Group Companies in Fiscal 2021
| Target | Implementation Format | Participation |
|---|---|---|
| Group company employees, business partners, and temporary staff | ・GSP security training and personal information protection training (e-learning; in three languages) | 34,058 people (66 Domestic Group companies) |
- Note:In addition to the above, information security education was provided for overseas Group companies under the control of each regional head office.
Certifications Acquired (as of March 31, 2022)
| Certifications |
|
|---|
