To ensure that we can respond swiftly and comprehensively to every security risk, we have an organization called “Cybersecurity Office (CyberAgent CSIRT)” which consists of representatives from each business and department such as information system, law affairs, public relations, internal audit, and security promotion, including two executive officers, and we have a group-wide information security management system in place. We also have a special security organization called “Security Promotion Group” in place, which consists of experienced security professionals, in order to prevent information security incidents that are changing and becoming more complex every day and ensure that we can respond smoothly to them.
Cybersecurity Office (CyberAgent CSIRT) is a member of the Nippon CSIRT Association and the Forum of Incident Response and Security Teams (FIRST), and realizes appropriate incident responses working together with external organizations.
Information security system chart
Security officers from each department gather in the Cybersecurity Office (CyberAgent CSIRT)
To raise the awareness of information security among all employees, we collect and provide information and enlighten them by, for example, launching a special information website publishing with content using manga to explain the importance of security in an easy to understand manner from various perspectives.
We also provide security education for employees using an e-learning system. We encourage employees to acquire the knowledge necessary for their professions by providing content tailored to the duties of each employee, such as content for service development engineers or service planning professionals, in addition to content that helps understand the information security basics and the Personal Information Protection Act.
We centrally manage the employee accounts with a user management system connected to the HR database, and limit the use of internal systems and access to the internal network by unauthorized users.
We have malware protection measures in place, ranging from general virus protection to advanced malware protection measures depending on the professions and the risk level of the business and operation. We always monitor the system to detect and respond to cyberattacks from external sources.
Security Promotion Group, a special system security organization, has developed security guidelines on service development. We have a support system for secure service development in place, which is ready to respond to consultation from divisions in the service planning and design phases.
We also have a system to centrally manage the accounts for the development environment and manage users and rights for each project properly. We perform vulnerability diagnosis before releasing new services to solve problems that may lead to security incidents. We also perform vulnerability diagnosis for the main services in operation once a year.
Access to offices is controlled with a security card. We have enhanced information security measures in place to, for example, control access to rooms and install security cameras depending on the security level of information handled.
Our data center is equipped with full-fledged disaster resilience measures to ensure that personal information and system infrastructure are managed securely. The data center is divided into areas from levels 1 to 7 depending on the importance level and various measures are in place to prevent natural disasters and avoid human risks, including controlling access to the building and rooms with security staff and card authentication, checking devices brought in and taken out, and monitoring with multi-element authentication and security cameras.