Our services facilitate the management and use of data that includes private customer information, such as information on companies and individual users. We position the handling and protection of personal information and other vital information assets as our most critical management concern. Convenience and security often come into conflict when developing cloud services, yet maintaining the best possible balance between the two is vital when increasing efficiency and productivity. Balancing security and convenience is a premise of our corporate philosophy. In addition to ensuring convenience, we minimize security risks by having all officers and employees take every possible measure to protect data privacy and information security, so that we can provide highly secure services in a stable manner.
In our security system, directors themselves assume the roles of CISO*1, DPO*2, and Personal Information Protection Manager so that we can respond quickly and comprehensively to privacy and security risks. We have also set up an Information Security Department dedicated to information security and cybersecurity across our group. The Information Security Department performs the function of a CSIRT*3 and also operates an in-house SOC*4 that regularly monitors and analyzes threats. In addition, we have set up a Product Security Team to strengthen the security of our products and address vulnerabilities. Since our founding in 2007, we have maintained a Personal Information Protection Management System as a measure to protect data, establishing an environment within the company for handling such protection. We have also built a system that continually monitors key data by fully leveraging the latest security technology.
The Information Security Department and the persons responsible for developing each product report directly to the CISO and are under his supervision. The CISO participates in management meetings to regularly report on security and risk status and makes important decisions on information security and cybersecurity at the management level. The CISO has also established an Information Security and Privacy Committee as his advisory body and meets once every two weeks with the Head of the Information Security Department and the Head of General & Legal Affairs, who is in charge of privacy compliance, to analyze threats in the environment surrounding the Company, take measures against them, and consider and review various risk control measures.
Kenji Shiomi
Kenji Shiomi, who serves as CISO, co-founded the Company in 2007 and has consistently led the development of its products since then. Now, as Engineering Division Head, he draws on his abundant experience and expertise to oversee the engineering organization. He also serves as CEO of Sansan Global Development Center, Inc., our overseas subsidiary, focusing on building a diverse organization.
In 2023, he assumed the position of Chief Information Security Officer (CISO). Since then, he has been striving to enhance security across our group by strengthening product security, promoting a zero trust security model, and taking the lead in the event of an incident. He also contributes to the security of the entire industry by speaking at external conferences. Furthermore, as Data Protection Officer (DPO), he has developed and implemented data protection strategies for the entire organization to promote data privacy and compliance, and is leading our group in terms of both security and privacy.
We are strengthening our management and control systems against anticipated risks such as information leakage and cyberattacks by establishing regulations and rules on information security and providing guidelines for each service. The regulations, rules, and guidelines are reviewed annually to keep them up-to-date.
The regulations stipulate procedures for appropriate handling of personal information in order for the Company to meet JIS Q 15001.
The rules stipulate the procedures for operating and managing the information systems that handle our information assets.
The rules stipulate the procedures for information asset management so that information assets are managed properly and safely and used effectively.
They stipulate the rules on technical safety management of information systems.
They stipulate, for each service, the guidelines on the security functions to be included and how they are to be operated.
We are taking the following measures in response to the revision, enactment and enforcement of laws regarding the protection of personal information in various countries.
Along with the amendment of the Act on the Protection of Personal Information, we have revised our internal rules, including our basic regulations for the protection of personal information, and changed and tightened relevant procedures.
We take safety management measures for the protection of personal information in our overseas subsidiaries, taking into account the relevant legal systems in Singapore, the Philippines, and Thailand, where the subsidiaries are located.
As for overseas contractors, we have surveyed the legal systems of more than 30 countries, including the Philippines, Myanmar, Vietnam, Bangladesh, and Thailand, to evaluate the contractors' safety management measures from organizational, human, physical, and technical perspectives.
We promote correct understanding of the Act on the Protection of Personal Information and the safe management of the information among all officers and employees through various measures to raise company-wide security awareness.
All officers and employees must obtain the Protection of Individual Information Person qualification. Salary increases are, in principle, suspended if an employee does not pass the exam within a certain period.
Information security and personal information protection training is provided upon hiring and then annually.
The Director serving as CISO updates all our officers and employees monthly on security initiatives and topics.
We classify information assets according to their confidentiality and define management measures based on the risk of each category. To ensure that these measures are implemented, security committee members are appointed from among employees to conduct mutual security audits.
We recruit personnel globally, evaluating their security knowledge, skills, experience, conduct, and expertise in specific areas.
We select persons who have specialized knowledge, experience, and excellent skills in specific areas and who are expected to handle a wide range of security areas, and provide them with one-on-one on-the-job training (OJT) by experts to develop their expertise.
Some engineers who deliver our services also serve on the CSIRT. The aim is to strengthen security awareness through their work and to develop security personnel who, while gaining experience, become able to implement necessary and sufficient security measures.
We encourage our employees to get advanced security certifications designated by the Company as part of efforts to secure advanced security personnel and to promote knowledge acquisition through self-learning.
| As of May 31, 2024 | Count |
|---|---|
| Holders of Advanced Security Certifications | 9 people |
Through one-on-one on-the-job training (OJT) by experts, we develop personnel until they are able to carry out their security-related roles within the Company independently.
We are committed to obtaining third-party security-related certifications and have received various accreditations.
The operation of our personal information protection management system (PMS) is assessed against the criteria specified by "JIS Q 15001:2017 Personal Information Protection Management System – Requirements." In 2007, we obtained the PrivacyMark. Through the PMS, we strengthen our management system by minimizing the risk of personal information breaches, developing the structure and response procedures for incidents, responding appropriately to emergencies, and taking measures to prevent recurrence.
We have acquired ISO/IEC 27001 certification, the international standard for information security management systems, and ISO/IEC 27017 certification, the international standard for cloud security applicable to the provision and use of cloud services. Sansan also aims to acquire ISO/IEC 27701 certification and is building a privacy information management system that meets this global standard.
The Japan Image and Information Management Association administers the Legal Requirements for Electronic Transaction Software Certification System. The certification checks whether software and software services that create and electronically exchange national tax-related documents meet the requirements of Article 7 of the Electronic Book Storage Act. In April 2022, Bill One and Contract One obtained certification under the criteria of the 2021 revision and later.
We have built a robust system to support defense and monitoring activities in order to counter increasingly complex cybersecurity and information security threats and to provide safe and secure services to the users who entrust us with their important data.
We have adopted a defense-in-depth architecture that includes network communication control, and have established a system in which our SOC promptly investigates and responds to anomalies detected by the EDR*6 installed on each endpoint. In addition, the newly established Product Security Team works to build security into each service consistently, starting from development. We have also set up a CSIRT and developed a system to ensure an immediate response to any incident.
We work with external vendors to monitor for cyberattacks 24/7 and promptly investigate and respond to anomalies when they are detected. We also monitor for unauthorized access to internal information equipment.
We test and strengthen the security level of each service and of our systems by having ethical hackers from external firms conduct authorized, deliberate attacks on our company. Penetration testing is conducted in the internal environment, and training on targeted attack emails and BCP*7 is provided to our officers and employees.
| (Unit: times) | FY2020 | FY2021 | FY2022 | FY2023 |
|---|---|---|---|---|
| Vulnerability Assessment | 1 | 1 | 1 | 1 |
| Penetration Testing | 1 | 1 | 1 | 1 |
We implement a variety of security measures, including vulnerability assessments performed by third-party organizations and by specialized in-house departments.
All external transmissions to our data center are encrypted using HTTPS with user authentication.
After business cards, invoices, and other paper documents are scanned, the image data is deleted from the scanning device.
All our servers are load-balanced across redundant (multiplexed) network equipment, so services can be promptly restored in the event of a failure. In addition, our data centers are configured redundantly to minimize the risk of functional and service outages in the event of a disaster.
We have adopted zero trust security across the company so that we can work safely both inside and outside the internal network, securing every mechanism that grants access to the information assets to be protected. To promote zero trust security, we are building an environment that applies zero-trust-based management measures and allows us to work from any location. The key functions include the following:
We have established a standard for risk assessment and perform risk assessment and management according to it.
Step 1: Likelihood is assessed from "threat agent factors" and "vulnerability factors." The likelihood of a risk (the probability that it materializes) is calculated quantitatively and evaluated on three levels: high, medium, and low.
Step 2: Impact is assessed from "technical impact factors, considering confidentiality, integrity, and availability" and "business impact factors." The impact of a risk (the magnitude of the damage if it materializes) is calculated quantitatively and evaluated on three levels: high, medium, and low.
Step 3: Risk severity is determined from the values calculated in Steps 1 and 2. Risks are classified as critical, high, medium, low, or info, and risk acceptance decisions are made and managed accordingly.
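The three-step scheme above, likelihood from threat agent and vulnerability factors, impact from technical and business factors, and a severity class derived from the two, is worked through below as an added example. It is not the Company's own tool or scoring standard: the 0-9 factor scale, the level cut-offs, the severity matrix and the acceptance policy are assumptions modelled on the OWASP Risk Rating Methodology, and the sample risk is constructed.

```python
"""Three-step risk scoring: likelihood, impact, severity (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean


def level(score: float) -> str:
    """Map an average factor score (0-9 scale, assumed) to low/medium/high.
    Cut-offs are an assumption: <3 low, <6 medium, otherwise high."""
    if score < 3:
        return "low"
    if score < 6:
        return "medium"
    return "high"


@dataclass
class Risk:
    threat_agent: dict[str, int]      # Step 1: e.g. skill, motive, opportunity, size
    vulnerability: dict[str, int]     # Step 1: e.g. discovery, exploit, awareness, detection
    technical_impact: dict[str, int]  # Step 2: confidentiality, integrity, availability
    business_impact: dict[str, int]   # Step 2: e.g. financial, reputation, compliance, privacy


def likelihood(r: Risk) -> tuple[float, str]:
    """Step 1: average all threat-agent and vulnerability factors, then classify."""
    score = mean([*r.threat_agent.values(), *r.vulnerability.values()])
    return score, level(score)


def impact(r: Risk) -> tuple[float, str]:
    """Step 2: average all technical and business impact factors, then classify."""
    score = mean([*r.technical_impact.values(), *r.business_impact.values()])
    return score, level(score)


# Step 3: (likelihood level, impact level) -> severity. Matrix is assumed.
SEVERITY = {
    ("low", "low"): "info", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "critical",
}


def severity(r: Risk) -> str:
    return SEVERITY[(likelihood(r)[1], impact(r)[1])]


def requires_treatment(r: Risk) -> bool:
    """Assumed acceptance policy: info and low may be accepted; the rest must be treated."""
    return severity(r) not in ("info", "low")


# Constructed sample risk (not a finding about any real system).
SAMPLE = Risk(
    threat_agent={"skill": 6, "motive": 4, "opportunity": 7, "size": 6},
    vulnerability={"discovery": 3, "exploit": 5, "awareness": 6, "detection": 8},
    technical_impact={"confidentiality": 7, "integrity": 5, "availability": 3},
    business_impact={"financial": 5, "reputation": 7, "compliance": 7, "privacy": 9},
)
```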
Balancing security and convenience is a premise of our corporate philosophy. While ensuring convenience, the Information Security Department minimizes security risks by implementing measures that ensure our officers and employees maintain data privacy and information security, and aims to provide highly safe and stable services. Its vision is to lead the SaaS industry in security. It also pursues a higher security level for the entire industry, not only by raising the Company's security level to the highest in the industry, but also by actively sharing best practices and lessons learned, both internally and externally.
In 2023, we established the Product Security Team as a new initiative. In the development process of each service and function, the security team is involved not only in vulnerability assessments at the final testing stage but also in the design process from its early stages, under the concept of Security by Design*11, to promote the development of safe and secure services free of vulnerabilities. In addition, we completed our annual penetration testing in 2023 with virtually no successful intrusions. We are therefore proud that our detection and protection capabilities are among the best in the industry, having withheld even the most prominent white hat hackers in Japan from breaking into our systems.
Since the COVID-19 pandemic, security risks have increased across society as a whole as companies rapidly pursue digital transformation (DX). Strong security not only reassures customers and business partners but is also essential to the development of the digital society, bringing benefits to society as a whole that extend beyond individual companies. We will promote proactive security measures and continue to provide safe and reliable services. In doing so, we believe our initiatives will support DX across society and become a driving force for a sustainable future.