Figure 1: Information Security Governance Structure
Information Security Report
Published on March 31, 2022
In recent years, new business models utilizing digital technology have emerged in all fields, and society is becoming increasingly digital. As a result, while our lives and business become more convenient, threats such as cyber-attacks and internal fraud are becoming more advanced and complex, creating new risks. Under these circumstances, SoftBank Group Corp. (hereinafter referred to as “SBG”) is promoting information security at SBG and its group companies to realize and lead a safe and secure digital society as a strategic investment holding company. To do so, we need to identify and manage risks and respond appropriately to them.
This page explains information security at SBG and the Group companies. We hope that this page will help you understand our information security initiatives and strengthen your relationship of trust.
2. Information Security Governance Structure
SBG has improved its Information Security Governance Structure, which controls and promotes information security at SBG and across all Group companies.
In the event of a serious information security incident involving SBG or the Group companies, responses are implemented promptly and appropriately to minimize damage and enable recovery, under the control of the CISO, who is also a director of SBG. Furthermore, we analyze the causes of incidents and identify future issues to prevent recurrence, and we use this information to refine our information security strategies and improve the content of security education for officers and employees.
3. Risk Management
SBG has established and implemented a risk management process to identify and manage risks related to information security. For risks identified as material, we analyze their causes and impacts, examine response policies, and encourage the Group companies to implement countermeasures. In addition, in order to identify potential risks at an early stage and prevent them from materializing, we collect information on threats and vulnerabilities that could compromise information assets, detect incidents early to minimize damage, and escalate this information within the Group companies. By monitoring the implementation of risk countermeasures by the Group companies and evaluating their effectiveness and improvements, we prevent unexpected incidents and minimize their impact on the entire Group.
Figure 2: Risk Management Process
4. Principles for Information Security Policy
As stated at the beginning, the digitalization of society has created new risks. To address such risks as much as possible, SBG protects its important information assets by implementing measures from four perspectives: organizational, physical, technical, and personnel. In addition, we work appropriately with the Group companies to share useful information related to information security and prepare a reporting process in the event of an information security incident.
Figure 3: Information Security Policy Conceptual Diagram
5. Information Security Measures
SBG and the Group companies work on information security measures and protect their important information assets from the following perspectives: Organizational Measures to ensure appropriate control throughout the organization; Physical Measures to prevent the physical destruction or unauthorized removal of information assets; Technical Measures to prevent threats such as cyberattacks and internal fraud; and Personnel Measures to improve the information security awareness and capabilities of directors, officers, employees, and outsourced workers. We also continually evaluate and review these measures to ensure that they remain effective and reliable as the internal and external environment changes.
To promote information security, SBG has developed various regulations based on our Information Security Policy, which is the top-level document among our rules related to information security. In addition, we have prepared our Group Information Security Governance Policy based on the Information Security Policy, which stipulates various rules to be observed by the Group companies and their directors and employees. The Group companies have developed their own regulations in accordance with this policy. SBG and the Group companies operate under a common understanding by managing these matters through the information security promotion system described in the Information Security Governance Structure.
SBG and the Group companies have set up security areas and implemented access control to prevent unauthorized intrusion into our offices and the physical destruction or unauthorized removal of information assets. In addition, we work to maintain business continuity by protecting information assets and improving the disaster prevention environment in preparation for a disaster.
SBG and the Group companies have implemented technical measures to prepare for threats such as cyberattacks and internal misconduct. To respond to current trends such as the use of cloud computing and work-style reforms, we have adopted a network architecture that combines operational convenience with robust security. The network architecture is based on a “Zero Trust” approach, in which access is allowed only when it is trusted. In addition to threat analysis by a third-party organization and 24/7 security monitoring by the Security Operation Center, regular penetration tests are conducted to identify system vulnerabilities and strengthen our systems against them. Furthermore, as a measure to prevent internal misconduct, we conduct behavioral analysis using the operation records of information systems for officers, employees, and outsourced workers to detect high-risk behavior and take countermeasures.
SBG and the Group companies continuously educate our officers, employees, and outsourced workers to improve their awareness and capabilities regarding information security. For the security education of our officers and employees, we have prepared an e-learning environment that allows them to take courses without being restricted by location or time. This security training is also shared with the Group companies to improve awareness and capabilities across the entire Group, and we require our officers and employees, as well as outsourcing companies, to comply fully with relevant laws and regulations and with their confidentiality obligations.
6. NIST CSF Compliance and External Organization Assessment
SBG implements measures that comply with NIST CSF*, a cybersecurity framework adopted by organizations and enterprises around the world. Our security has been assessed by external organizations with NIST CSF expertise in the U.S. and other countries.
7. Future Initiatives
SBG will appropriately protect information assets and develop a mechanism that enables the Group companies to manage information security risks autonomously and efficiently. We will also contribute to ensuring the safe development of the digital society through the information revolution in the field of information security.
*NIST CSF: Established by the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce. The NIST Cybersecurity Framework (CSF) is a framework that integrates cybersecurity risk management standards, guidelines, and best practices.