MIXI, Inc.

SUSTAINABILITY

Information Security

Basic Approach to Information Security

MIXI Group’s mission is to create spaces and opportunities for hearts and minds to connect through our business activities. To this end, we recognize that it is our social responsibility to handle information appropriately and securely. While ensuring that information is not leaked (confidentiality), not tampered with (integrity), and is always available (availability), we are striving to maintain and improve information security for the normal maintenance of information assets.
Based on this approach, we have established a “Basic Policy on Information Security” to ensure that our executives and employees, as well as those of our partner companies, are aware of the importance of information security, as well as to implement safe and appropriate information security measures. In addition, we have established various rules and guidelines, such as the “Information Security Management Regulations”, which stipulate rules for the proper and effective use of information assets, including how to appropriately acquire, manage, and dispose of information.

Information Security Management System

MIXI Group has established an information security management system to respond to the constant change in security risks in a holistic and speedy manner. The Risk Management Committee, the Personal Information Protection Management System (PMS¹) Section, and the Information Security Section all work in coordination, are headed by directors, and share major risks and incidents with the Board of Directors.

• The Risk Management Committee identifies, evaluates, and proposes responses to cross-organizational risks and summarizes risk information for the Group.
• The PMS Section operates the Personal Information Protection Management System.
• The Information Security Section works to prevent information security incidents from occurring during times of normal activity and operates the “mixirt” incident response team. As an internal CSIRT², “mixirt” has established a system for the early detection of incidents and rapid and accurate emergency responses. As a member of the Nippon CSIRT Association, we share various incident response and vulnerability information with other member companies to help them strengthen information security measures.

The Internal Audit Section conducts internal audits of information security policies and systems at least once every two years and reports audit results and improvements to the Board of Directors.

Companies affiliated with MIXI and MIXI Group are working to enhance information security management for the entire Group through cooperation with MIXI.

Note 1: PMS – Personal Information Protection Management System
Note 2: CSIRT – Computer Security Incident Response Team

Information security chart

Initiatives to Provide Safe and Reliable Services

Preventative Measures
• Technological Initiatives: Application vulnerability assessments, infrastructure configuration monitoring, etc.
• Education and Training:
Available to all officers, full-time employees, contract employees, temporary employees, and part-time employees of MIXI and MIXI Group companies:
– Information security training
– Security education on phishing emails
For recently graduated engineers:
– Information security training

Reactive Measures
• Technological Initiatives: Creation of an incident response structure
• Education and Training:
For CSIRT members and new graduates:
– Incident response training

Technological Initiatives

In order to deliver safe and secure services to our users, MIXI Group strives to prevent information security incidents by conducting vulnerability assessments for our applications and monitoring infrastructure settings.

Education and Training

To improve each employee’s awareness of information security, we conduct training on information security through e-learning for all directors, permanent employees, contract employees, temporary employees, and part-time employees of our company and our group companies at the time they join the company and once a year. We also conduct training for newly-graduated engineers. Through various exercises, they learn about information security incident cases related to development, the latest trends in vulnerabilities and hacking, the significance of these incidents, and the proper countermeasures. In addition, we provide incident handling training for CSIRT members and new graduates to strengthen their judgment and response skills in preparation for cyber attacks.

Human resource development – Training systems
https://mixi.co.jp/en/sustainability/materiality/diversity/human/

Security Initiatives Incorporating a Zero Trust Concept

As a new way of working in the midst of a pandemic, we have introduced what we call a “Marble Work Style”, which is a fusion of remote and office work. The mainstream of conventional security measures has been “perimeter protection”, which allows access only with proper authentication from internal networks with physical restrictions. However, the increase in remote work and changes in information security trends require a shift to a new information security model. MIXI Group is working to develop an information security infrastructure based on the “Zero Trust” concept, which prevents threats through stricter authentication and verification when accessing information assets and systems that need to be protected, regardless of network or location.

Basic diagram of our Zero Trust structure
* The purpose of the diagram is to illustrate the basic structure of the system and does not cover all elements.

Third-party certification

PCI DSS / PCI 3DS certification

We acquired PCI DSS (Payment Card Industry Data Security Standard) certification for MIXI M, our mobile wallet app, in 2019. The PCI DSS is a set of security standards defined to protect users’ credit card data. In 2023, we acquired certification for PCI 3DS, the standard for operation of systems related to 3-D Secure (three-domain secure protocol for cardholder authentication services).

These certifications are based on security standards established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by five international credit card brands. With a total of over 400 evaluation criteria, they are designed to protect cardholder data and transaction information. Maintenance of certification requires an annual on-site audit by a certified Qualified Security Assessor (QSA) and regular network scans by a certified vendor. MIXI has received certification every year since 2019.

Personal Information Protection Initiatives

MIXI Group considers the management of personal information to be an important part of its business operations as a means to prevent not only external leakage of personal information, but also the inappropriate use and falsification of such information. To this end, we strictly manage our businesses’ workflows and follow regulations related to the handling of personal information, and are proactively working to protect personal information and abide by related laws and company guidelines with initiatives including thorough in-house training for all Group employees.
In addition, the servers that store personal information are strictly managed in a data center with 24-hour security equipment, and access to this personal information is strictly managed, being limited to certain employees.

Initiatives that contribute to society

Several members of our information security section are management staff for the information security event SECCON¹. We are an official member of the Security Camp Committee² and will continue to consider similar activities with the aim of contributing socially and scouting new personnel.

  1. Short for Security Contest, SECCON is one of Japan’s largest contest events and hosts a variety of competitions with the theme of information security.
  2. A committee for training camps that deal with security technology.