SUSTAINABILITY

Information Security

  • 09-logo
  • 16-logo

Basic Approach to Information Security

MIXI Group’s mission is to create spaces and opportunities for hearts and minds to connect through our business activities. To this end, we recognize that it is our social responsibility to handle information appropriately and securely. While ensuring that information is not leaked (confidentiality), not tampered with (Integrity), and is always available (availability), we are striving to maintain and improve information security for the normal maintenance of information assets.
Based on this approach, we have established a “Basic Policy on Information Security” to ensure that our executives and employees, as well as those of our partner companies, are aware of the importance of information security, as well as to implement safe and appropriate information security measures. In addition, we have established various rules and guidelines, such as the “Information Security Management Regulations”, which stipulate rules for the proper and effective use of information assets, including how to appropriately acquire, manage, and dispose of information.

Information Security Management System

MIXI Group has established an information security management system to respond to the constant change in security risks in a holistic and speedy manner. The Risk Management Committee, the Personal Information Protection Management System (PMS¹) Section, and the Information Security Section all work in coordination and are headed by directors.
Major incidents are reported to the Board of Directors In accordance with internally established criteria.

• The Risk Management Committee identifies, evaluates, and proposes responses to cross-organizational risks and summarizes risk information for the Group.
• The PMS Section operates the Personal Information Protection Management System.
• The Information Security Section works to prevent information security incidents from occurring during times of normal activity and operates the “mixirt” incident response team. As an internal CSIRT², “mixirt” has established a system for the early detection of incidents and rapid and accurate emergency responses. As a member of the Nippon CSIRT Association, we share various incident response and vulnerability information with other member companies to help them strengthen information security measures.

The Internal Audit Section conducts internal audits of information security policies and systems at least once every two years and reports audit results and improvements to the Board of Directors.

Companies affiliated with MIXI and MIXI Group are working to enhance information security management for the entire Group through cooperation with MIXI.

Note 1: PMS – Personal information protection Management Systems
Note 2: CSIRT – Computer Security Incident Response Team

Initiatives to Provide Safe and Reliable Services

Incident Response

To provide safe and secure services, MIXI Group implements both preventative measures to reduce the likelihood of information security incidents and reactive measures to minimize their impact should they occur.

As preventative measures, we continuously implement technological initiatives such as application vulnerability assessments, infrastructure configuration monitoring, and security measures based on the Zero Trust concept. We also provide information security training and phishing awareness training for all directors, full-time employees, contract employees, temporary employees, and part-time employees of MIXI and its Group companies. In addition, we provide information security training for newly hired engineers and promote security awareness through education tailored to employees’ roles and responsibilities.

As reactive measures, we have established an escalation process that enables employees to promptly report or consult with designated internal contacts whenever they become aware of, or suspect, an information security incident. Upon receiving a report, mixirt, the incident response team operated by the Information Security section, takes the lead in coordinating with the relevant sections to conduct the initial response, verify the facts, assess the scope of impact, contain further damage, and carry out recovery activities.

Following each incident, we review its cause and the effectiveness of the response, and, where necessary, implement measures to prevent recurrence, revise internal rules and operational processes, and provide additional employee awareness and training. We also conduct incident handling training for CSIRT members and new employees to strengthen our ability to respond promptly and appropriately to information security incidents.

Technological Initiatives

In order to deliver safe and secure services to our users, MIXI Group strives to prevent information security incidents by conducting vulnerability assessments for our applications and monitoring infrastructure settings.

Education and Training

To improve each employee’s awareness of information security, we conduct training on information security through e-learning for all directors, permanent employees, contract employees, temporary employees, and part-time employees of our company and our group companies at the time they join the company and once a year. We also conduct training for newly-graduated engineers. Through various exercises, they learn about information security incident cases related to development, the latest trends in vulnerabilities and hacking, the significance of these incidents, and the proper countermeasures. In addition, we provide incident handling training for CSIRT members and new graduates to strengthen their judgment and response skills in preparation for cyber attacks.

Human resource development – Training systems
https://mixi.co.jp/en/sustainability/materiality/diversity/human/

Supply Chain Security Initiatives

To provide our customers with safe and reliable services, MIXI implements security measures across the entire supply chain, including software, cloud services, and outsourced service providers.

Third-party certification

PCI DSS certification

We acquired certification for the Payment Card Industry Data Security Standard (PCI DSS) in 2019. The PCI DSS is a set of security standards defined to protect users’ credit card data.

These security standards were established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by five international credit card brands. The PCI DSS uses around 400 evaluation criteria in 12 categories to protect cardholder data and transaction information. Maintenance of certification requires an annual on-site audit by a certified Qualified Security Assessor (QSA) and regular network scans by a certified vendor. MIXI has acquired certification every year since 2019.

Personal Information Protection Initiatives

MIXI Group considers the management of personal information to be an important part of its business operations as a means to prevent not only external leakage of personal information, but also the inappropriate use and falsification of such information. To this end, we strictly manage our businesses’ workflows and follow regulations related to the handling of personal information, and are proactively working to protect personal information and abide by related laws and company guidelines with initiatives including thorough in-house training for all Group employees.
In addition, the servers that store personal information are strictly managed in a data center with 24-hour security equipment, and access to this personal information is strictly managed, being limited to certain employees.

Initiatives that contribute to society

MIXI sponsors the Security Camp Committee3 and will continue to consider similar activities with the aim of contributing socially and scouting new personnel.

Note 3: A committee for training camps that deal with security technology.