Information Security Initiatives

Our company continuously improves its information security management system based on the following information security policy.

Information Security Policy

  1. As a systems engineering company, we will build and maintain information security structures and systems in accordance with the following basic policies in order to establish and maintain social trust and reputation.

    1. We comply with relevant laws and contractual requirements.
    2. We strive to properly protect and manage proprietary information.
    3. We aim to comply with international standards related to information security.
  2. We plan and implement information security programs to establish and maintain information security structures and systems.
  3. We establish and operate an Information Security Committee to monitor and support the smooth promotion of the Information Security Program.

Masakazu Haneda, Representative Director, President & CEO

Information Security Management System (Organizational security management measures)

The Information Security Committee, the management and promotion organization for the entire B-EN-G Group, is responsible for the company-wide planning, decision-making, coordination, and management of activities that affect information security. The Information Security Committee is chaired by the Director in charge, and is composed of committee members selected from each department and a secretariat appointed by the legal affairs and information systems departments. The committee meets regularly.

Implementing Body of Safety Management Measures = Each Department, Project, Subsidiary

Each department head has overall responsibility and authority regarding information security in their respective departments. They are responsible for identifying proprietary information to be managed, as well as planning, implementing, inspecting, and correcting information security activities.
Project managers of individual projects have overall responsibility and authority regarding information security specific to their project.

Specialized Incident Response Team = B-EN-G CSIRT (CSIRT)

We have organized a cross-organizational team that responds promptly and appropriately to increasingly sophisticated and complex security incidents. We also cooperate with external organizations such as security specialist vendors and the Nippon CSIRT Association.

Checking company rules and implementation status = internal audits

The audit department periodically conducts internal audits of internal operations and personal information protection.

Information Security Measures

Personnel Safety Management Measures

As a personnel safety management measure, we provide regular training regarding our company rules and submit confirmation documents. Information security education includes general education at the start of employment and at least once a year, as well as rank-specific education such as on-boarding training and project management training. We also conduct training for responding to incidents such as attack emails.
Employees are required to comply with various rules related to information security in their work regulations, and employees of partner companies are required to comply with various rules regarding information security, as well as disciplinary action and compensation for damages in the event of a violation. For full-time employees and temporary workers, we also obtain written pledges regarding confidentiality, even after their employment ends.

Physical Safety Control Measures

As physical safety management measures, we have implemented zoning of the facilities we use, entry restrictions, and record keeping.
Entry to the office area is restricted for anyone other than our employees. In areas with particularly high security requirements, such as server rooms, only authorized personnel are allowed to enter.
As a disaster countermeasure, we promote the remote storage of backup data and the use of highly available cloud services as necessary.

Technical Safety Control Measures

As a technical safety management measure, we implement safety measures for information infrastructure, confirm its security level, and record access status.
We have implemented a variety of measures, including installing firewalls, anti-malware measures, applying security patches, encrypting media and communications, restricting connections to websites, and restricting the use of external storage media.
In addition to monitoring and inspecting network usage status and various logs, we also conduct software vulnerability diagnosis and network platform diagnosis as necessary.

Initiatives to Improve the Security Quality of Products and Services

In order to improve the security level of the products and system services we provide to our customers, we are implementing various activities and improvements such as those listed below.

  1. Establishment of technical standards for security measures
  2. Survey of software product security measures and feedback on our own products
  3. Implementation of vulnerability diagnosis for web application type products (SaaS type)

Cloud Service Information Security Policy

Based on our commitment to information security, our organization uses cloud services to develop our business with a focus on the ERP field. This policy has been established in order to appropriately handle information from users of the systems provided by our company through cloud services from an information security perspective.

  1. Target of this cloud service information security policy:

    GLASIAOUS+

    GLASIAOUS

  2. Information security requirements applicable to the design and implementation of cloud services

    Based on the basic information security policy and this cloud services policy, our company designs and implements cloud services that take into account the information security requirements of users, including the following.

    1. Isolation of cloud computing environments

      Our cloud services utilize virtualized environments provided by cloud service providers, and provide tenant environments that are physically or logically isolated depending on the contract. Additionally, user data will be provided in logical isolation for each usage contract.

    2. Access and protection of customer data by our operations personnel

      Except as stipulated in the terms of use, service specifications, etc., we will not access information assets that users have stored in cloud services without the user's prior permission.

    3. Providing a secure authentication procedure

      For cloud services, we provide strong authentication methods such as multi-factor authentication.

  3. Cloud service risks

    Our company regularly conducts information security risk assessments for cloud services and takes measures to address identified risks related to cloud services.

  4. Establishment of operational system

    We have established an operational system for cloud service administrators, etc., and will regularly provide education and training to appropriately handle user data.

  5. Notifications related to cloud services

    In accordance with cloud service change management procedures, we will notify users on the service screen or by notification to individual users regarding changes in service content that affect users.

  6. Information sharing

    With the prior permission of the user, within the scope stipulated in the terms of use, service specifications, etc., we will provide violation notices and share information through investigations and forensic support as a countermeasure against incidents such as unauthorized access to cloud services and information leaks.

Business Engineering Corporation
Satou Yuusuke, Managing Director
Revised: October 1, 2024



[ISO/IEC 27001 certification registration information]
ISO/IEC 27001 is an international standard for information security management systems (ISMS). This certification aims to provide requirements for organizations to establish, implement, maintain, and continually improve their information security management systems.

Certification Standards: ISO/IEC 27001:2022
Certification Registration Number: JUSE-IR-522
Certified Organization: Business Engineering Corporation
  Products Business Division
  Systems Development Division / Systems Development Dept. 4 and Development Technology Dept.
  Cloud Business Promotion Division / Cloud Technology Operation Dept.
  Products Service Division / Technical Services Dept.
First Certification Date: January 25, 2024
Certification Registration Scope: Development and operation of cloud-based ERP
Certifying Agent: JUSE, ISO Center


[ISO/IEC 27017 certification registration information]
ISO/IEC 27017 is an international standard for cloud service providers and their users to build a safer cloud environment and reduce security risks, assuming they have obtained ISMS (ISO/IEC 27001) certification. This certifies that cloud service-specific controls have been implemented and security standards have been met.

Certification Standards: ISO/IEC 27017:2015
Certification Registration Number: JUSE-IR-522-CS01
Certified Organization: Business Engineering Corporation
  Products Business Division
  Systems Development Division / Systems Development Dept. 4 and Development Technology Dept.
  Cloud Business Promotion Division / Cloud Technology Operation Dept.
  Products Service Division / Technical Services Dept.
First Certification Date: January 25, 2024
Certification Registration Scope: Development and operation of cloud-based ERP (GLASIAOUS and GLASIAOUS+)
Certifying Agent: JUSE, ISO Center
Disclosure Information: Cloud Security Policy White Paper


[JUSE-IS27018:2023 (ISO/IEC 27018) Certification Registration Information]
JUSE-IS27018:2023 (ISO/IEC 27018) is a standard certified by the ISO Certification Center of the Union of Japanese Scientists and Engineers (JUSE) that focuses on the protection of personal information managed by cloud service providers on public clouds, with the prerequisite of ISMS (ISO/IEC 27001) certification. It is specialized in the handling of personal information stored on the cloud, and is applicable only to organizations that provide cloud services.

Certification Standards: JUSE-IS27018:2023 (ISO/IEC 27018:2019)
Certification Registration Number: JUSE-IR-522-CP01
Certified Organization: Business Engineering Corporation
  Products Business Division
  Systems Development Division / Systems Development Dept. 4 and Development Technology Dept.
  Cloud Business Promotion Division / Cloud Technology Operation Dept.
  Products Service Division / Technical Services Dept.
First Certification Date: January 27, 2025
Certification Registration Scope: Development and operation of cloud-based ERP
Certifying Agent: JUSE, ISO Center