Ensure compliance and confidentiality

Information security

Information Security Policy and System

We are aware that our businesses have a social infrastructure aspect, and so we work to preserve the confidentiality of sensitive information, including pre-disclosure insider information. To handle such information safely, we have drawn up an information security policy and continue to strengthen the related framework and systems.

Information Security Policy

We have set the goal of eliminating information security accidents while maintaining convenience for clients and operability for employees. To this end, we have drafted the Information Security Policy, consisting of 10 articles of guidelines for action, which is observed by all employees of PRONEXUS Group companies.

Action Policies
  1. Establish an Information Security Management System (ISMS) committee to set up and maintain the ISMS and enable its systematic, continuous operation.
  2. Set up and operate the risk management systems needed to ensure a high degree of trust in terms of confidentiality, integrity and availability.
  3. Establish standards and risk-assessment procedures that can be used to make rational evaluations of risk.
  4. Comply with legal and regulatory matters pertaining to information security.
  5. Comply with security requirements stated in agreements.
  6. Apply our basic principles, goals and action policies to our entire Company.
  7. Respond promptly in the event of an information security incident or accident, to prevent the spread of damage.
  8. Implement measures to ensure business continuity in the event of disasters or other emergencies.
  9. Measure and evaluate the effectiveness of information security management plans.
  10. Conduct education and training in information security, and make efforts to help employees better understand it.
  11. Strictly discipline any violations involving information security.

Information Security System

We established a system centered on an Insider Information Security Committee to ensure effective insider information management and the reliable implementation of information security within the Company, including compliance with ISO 27001.

The Insider Information Security Committee deliberates on, and shares information about, all activities related to information security, including the handling of insider information.

Business systems that handle insider information have been consolidated and a structure has been put in place to centralize management to ensure that no one, other than those designated in each department, from sales to plants, has authorization to access any insider information. The consolidation of business systems eliminates the need for data delivery between systems, such as data reentry and intermediate files. This has reduced the risk of information leaks, either within the Company or by someone outside the Company.

Also, business areas that handle insider information are isolated from general areas, and the file servers that handle that data are also separated from general servers.

Construction of a CSIRT*1 Organization

We have established a CSIRT system with the aim of smoothly implementing responses to security incidents.

We monitor logs and track reports of the ever-increasing threats so that we can plan responses to them, clarify the response process to follow when an incident occurs, and detect unauthorized access early.

We periodically conduct simulations against threats, such as targeted attacks and ransomware, to check the effectiveness of our response.

  • *1 CSIRT: Computer Security Incident Response Team, an organization that monitors our computers and networks for problems and, when any occur, analyzes their causes and effects.

Insider Information Security Committee (organization chart)

Chairperson (president); Personal information protection manager; ISMS management head; Secretariat; Members: Internal Audit Office, CSIRT, SOC*2, ISO working member

  • *2 SOC: Security Operation Center

Conceptual Diagram of PRONEXUS Security Measures

  • Security measures: multi-layered defense (entrance measures, incursion detection, exit measures); ISMS-based rules operated by the CSIRT; security training, etc.
  • Insider information management structure: isolation of work areas; network separation; control within applications; strict authorization settings and audit at the individual level; insider information education, etc.

Insider Information Security Activities

Initiatives Based on Japan's Cybersecurity Management Guidelines

We regard cybersecurity as an important management issue. In particular, the top executives have instructed the CISO*2 to promptly implement responses to all requirements in the Cybersecurity Management Checklist presented in the Cybersecurity Management Guidelines published by Japan’s Ministry of Economy, Trade and Industry in 2015.

  • *2 CISO: Chief Information Security Officer

Commitment to Cybersecurity Threat Analysis and Response Policy

In response to the periodic cybersecurity threat analyses by the CISO*2, an assessment of the effectiveness of the threat response policy and risk management is conducted at the management level.

Employee Education

The rules that employees must obey have been collated in the PRONEXUS Group 10 Articles of Information Security. These are available via groupware and are posted in print in many locations throughout the Company to promote effective action. We also hold regular training sessions on information security for employees.

We also conduct drills to prepare employees for targeted emails, and give regular e-learning courses on information security.

Initiatives to Prevent Insider Trading

Setting Up Systems

As a specialist company that supports corporate disclosure and IR, PRONEXUS has a responsibility to prevent insider trading and implements a wide range of measures to do so, including organizational structures, regulations, education, practical management, information systems, human resources systems and auditing. Within the Company, the Insider Information Security Committee plays a central role, setting the rules on the handling of insider information and the prevention of insider trading, as well as reducing the number of people who come into contact with insider information.

Insider Trading Prevention Education

Twice a year, all employees attend a training session on handling insider information and they are tested on their understanding via e-learning. New employees receive training of their own. In addition, sales staff, who often come into contact with confidential information, as well as employees responsible for handling insider information, take a further five sessions of specialized training every year. Additionally, we conduct regular training as well as onsite surveys at Group companies, associate companies and outsourcing suppliers.

Stock Transaction Regulations

Our stock transaction regulations completely prohibit managers at the division head level and higher, as well as sales staff and those who handle insider information, from dealing in the stocks of listed companies. For other employees, we have a permission system, which requires them to apply in advance to deal in stocks. Every year, all employees are required to hand in a written pledge to prevent insider trading.