Information Security Measures

To ensure that we can respond swiftly and comprehensively to every security risk, we have an organization called “Cybersecurity Office (CyberAgent CSIRT)” which consists of representatives from each business and department such as information system, law affairs, public relations, internal audit, and security promotion, including two executive officers, and we have a group-wide information security management system in place. We also have a special security organization called “Security Promotion Group” in place, which consists of experienced security professionals, in order to prevent information security incidents that are changing and becoming more complex every day and ensure that we can respond smoothly to them.
Cybersecurity Office (CyberAgent CSIRT) is a member of the Nippon CSIRT Association and the Forum of Incident Response and Security Teams (FIRST) and realizes appropriate incident responses by working together with external organizations.

In addition, we established a Product Security Team (P-Sec Team) to strengthen the security management of our products. We appointed a security officer for each jurisdiction, created a workflow to prepare for incidents, and built a system to quickly coordinate with each product engineer in the event of a major incident.

In light of recent circumstances, we have launched a cross-functional project to strengthen security measures. Engineers from various departments are implementing initiatives to visualize and continuously monitor the security risks of key products. To raise awareness of information security among all executives and employees, we have established a dedicated website which publishes content that explains the importance of security from various perspectives in an easy-to-understand manner, thereby promoting the accumulation, dissemination, and enlightenment of information.
In addition, we provide security-related content of various levels and types, such as security tests for all employees through our e-learning system, training for new employees, and training content tailored to the characteristics of each business for engineers and creators who develop products. For the advertising business, we specifically have produced an original drama in-house to enhance awareness of compliance, such as customer information management, and employees are required to take a test after viewing the drama.

Internal Systems

We centrally manage the employee accounts with a user management system connected to the HR database and limit the use of internal systems and access to the internal network by unauthorized users.

We have malware protection measures in place, ranging from general virus protection to advanced malware protection measures depending on the professions and the risk level of the business and operation. We always monitor the system to detect and respond to cyberattacks from external sources.

Service Development

Security Promotion Group, a special system security organization, has developed security guidelines on service development. We have a support system for secure service development in place, which is ready to respond to consultation from divisions in the service planning and design phases.
We also have a system to centrally manage the accounts for the development environment and manage users and rights for each project properly. We perform vulnerability diagnosis before releasing new services to solve problems that may lead to security incidents. We also perform vulnerability diagnosis for the main services in operation once a year.

Office

Access to offices is controlled with a security card. We have enhanced information security measures in place to, for example, control access to rooms and install security cameras depending on the security level of information handled.

Data Center

The data centers we rent are equipped with full-fledged disaster resilience measures to ensure that personal information and system infrastructure are managed securely. The data center is divided into areas from levels 1 to 7 depending on the importance level and various measures are in place to prevent natural disasters and avoid human risks, including controlling access to the building and rooms with security staff and card authentication, checking devices brought in and taken out, and monitoring with multi-element authentication and security cameras.

Based on our information security policy, we conduct surveys on the status of information security efforts of each supplier company. We strive to reduce security risks through appropriate information management in the supply chain.