Information Security Initiatives

Our company continuously improves its information security management system based on the following information security policy.

Information Security Policy

  1. As a systems engineering company, we will build and maintain information security structures and systems in accordance with the following basic policies in order to establish and maintain social trust and reputation.

    1. We comply with relevant laws and contractual requirements.
    2. We strive to properly protect and manage proprietary information.
    3. We aim to comply with international standards related to information security.
  2. We plan and implement information security programs to establish and maintain information security structures and systems.
  3. The Company will establish and operate an Information Security Committee to monitor and support the smooth promotion of the Information Security Program.

Masakazu Haneda, Representative Director, President & CEO

Information security management system (organizational security management measures)

Management promotion organization for the entire B-EN-G Group = Information Security Committee
The Information Security Committee is responsible for company-wide planning, decision-making, coordination, and management of activities that affect information security. The Information Security Committee is chaired by the director in charge and consists of members selected from each department and a secretariat appointed from the legal and information systems departments. The committee meets regularly.
Implementing body of safety management measures = each department, project, subsidiary
The head of each department has overall responsibility and authority regarding information security in that department, and is responsible for identifying property information to be managed and for planning, implementing, inspecting, and correcting information security activities.
Project managers of individual projects have overall responsibility and authority regarding information security specific to their project.
Specialized incident response unit = B-EN-G CSIRT
We have formed a cross-organizational team to respond in a timely and appropriate manner to increasingly sophisticated and complex security incidents. We also collaborate with external organizations such as specialized security vendors and the Japan CSIRT Association.
Confirmation of internal rules and operational status = internal audit
The audit department regularly conducts internal business audits and internal audits regarding personal information protection.

Information security measures

Personnel safety management measures
As a personnel safety management measure, we provide regular training on our company rules and require submission of confirmation documents. Information security education includes general education at the start of employment and at least once a year, as well as rank-specific education such as on-boarding training and project management training. We also conduct training for responding to incidents such as attack emails.
Employees are required to comply with various rules related to information security in their work regulations. Employees of partner companies are required to comply with various rules regarding information security, and provisions for disciplinary action and compensation for damages apply in the event of a violation. For full-time employees and temporary workers, we also obtain written pledges regarding confidentiality that continue to apply after their employment ends.
Physical safety control measures
As physical safety management measures, we have implemented zoning of the facilities we use, entry restrictions, and record keeping.
Entry to the office area is restricted for anyone other than our employees. In areas with particularly high security requirements, such as server rooms, only authorized personnel are allowed to enter.
As a disaster countermeasure, we are promoting the remote storage of backup data and the use of highly available cloud services as necessary.
Technical safety control measures
As a technical safety management measure, we implement safety measures for information infrastructure, confirm its security level, and record access status.
We have implemented a variety of measures, including installing firewalls, anti-malware measures, applying security patches, encrypting media and communications, restricting connections to websites, and restricting the use of external storage media.
In addition to monitoring and inspecting network usage status and various logs, we also conduct software vulnerability diagnosis and network platform diagnosis as necessary.
Initiatives to improve the security quality of products and services

In order to improve the security level of the products and system services we provide to our customers, we are implementing various activities and improvements such as those listed below.

  1. Establishment of technical standards for security measures
  2. Survey of software product security measures and feedback on our own products
  3. Implementation of vulnerability diagnosis for web application type products (SaaS type)

Cloud service information security policy

Based on our commitment to information security, our organization uses cloud services to develop our business with a focus on the ERP field. This policy has been established in order to appropriately handle information from users of the systems provided by our company through cloud services from an information security perspective.

  1. Target of this cloud service information security policy

    GLASIAOUS+

    GLASIAOUS

  2. Information security requirements applicable to the design and implementation of cloud services

    Based on the basic information security policy and this cloud service policy, our company designs and implements cloud services that take into account the information security requirements of users, including the following.

    1. Isolation of cloud computing environments

      Our cloud services utilize virtualized environments provided by cloud service providers, and provide tenant environments that are physically or logically isolated depending on the contract. Additionally, user data will be kept logically isolated for each usage contract.

    2. Access and protection of customer data by our operations personnel

      Except as stipulated in the terms of use, service specifications, etc., we will not access information assets that users store in our cloud services without the user's prior permission.

    3. Providing a secure authentication procedure

      We provide strong authentication methods, such as multi-factor authentication, for authentication to cloud services.

  3. Cloud service risks

    Our company regularly conducts information security risk assessments for cloud services and takes measures to address identified risks related to cloud services.

  4. Establishment of operational system

    The Company will establish an operational system for cloud service administrators, etc., and will regularly provide education and training to appropriately handle user data.

  5. Notifications related to cloud services

    In accordance with cloud service change management procedures, we will notify users of changes in service content that affect them, either on the service screen or by individual notification.

  6. Information sharing

    With the prior permission of the user, within the scope stipulated in the terms of use, service specifications, etc., the Company will provide violation notices and share information through investigations and forensic support as a countermeasure against incidents such as unauthorized access to cloud services and information leaks.

Business Engineering Corporation
Atsushi Nakano, Managing Director
Enactment date: August 1, 2023



[ISO/IEC 27001 certification registration information]
ISO/IEC 27001 is an international standard for information security management systems (ISMS). The standard provides requirements for organizations to establish, implement, maintain, and continually improve their information security management systems.

Certification standard: ISO/IEC 27001:2022
Certification registration number: JUSE-IR-522
Registered organization: Business Engineering Corporation
  Products Business Division
  Systems Development Division / Systems Development Dept. 4 and Development Technology Dept.
  Cloud Business Promotion Division / Cloud Technology Operation Dept.
  Products Service Division / Technical Services Dept.
First registration date: January 25, 2024
Certification registration scope: Development and operation of cloud-based ERP
Examination body: JUSE, ISO Center


[ISO/IEC 27017 certification registration information]
ISO/IEC 27017 is an international standard that helps cloud service providers and their users build a safer cloud environment and reduce security risks, on the assumption that they have obtained ISMS (ISO/IEC 27001) certification. This certification certifies that cloud service-specific controls have been implemented and security standards have been met.

Certification standard: ISO/IEC 27017:2015
Certification registration number: JUSE-IR-522-CS01
Registered organization: Business Engineering Corporation
  Products Business Division
  Systems Development Division / Systems Development Dept. 4 and Development Technology Dept.
  Cloud Business Promotion Division / Cloud Technology Operation Dept.
  Products Service Division / Technical Services Dept.
First registration date: January 25, 2024
Certification registration scope: Development and operation of cloud-based ERP (GLASIAOUS and GLASIAOUS+)
Examination body: JUSE, ISO Center
Disclosure information: Cloud Security Policy White Paper