Security
Basic Concept toward Security System
As long as we are entrusted with our customers’ important information assets to conduct our business, the development of a thorough security environment is a prerequisite for our business. The following is an introduction to the security-related initiatives that SHIFT has continuously developed to ensure that customers can entrust operations to SHIFT with peace of mind. SHIFT considers security not only as a technical measure, but also as a measure that is incorporated into the “awareness” of each individual. We also take thorough measures to prevent accidents caused by human error.
Internal system to promote security
The Information Security Committee, which is composed of representatives of each department and is headed by the President and CEO, is established to promote various activities to improve information security.
When a security-related close call is identified, it is shared, together with the countermeasures and response status, within the security committee, which meets monthly, in order to raise security awareness within the company on a daily basis.
SHIFT has ISMS (ISO/IEC 27001:2022) certification. Based on ISMS standards, rules/regulations are established for items that are determined to be required for securing SHIFT from the perspectives of human, physical, organizational, and technical measures. In addition to the items required by the standards, we take appropriate measures for items that are determined to be individually necessary.
Initiatives Regarding Security System
The following are examples of distinctive rules and regulations based on the nature of SHIFT’s business.
Biometric Authentication
At each site, SHIFT prohibits entry by outsiders and restricts entrance using biometric authentication. By switching from physical security card authentication to biometric authentication, SHIFT is reducing the possibility of information leaks due to the loss of security cards and other factors, and is also making use of this information to foster employee awareness of security.
Restrictions on Bringing Personal Property into the Office and on Portable Media
In order to prevent the possibility of information leaks by those who are allowed to enter the office, SHIFT prohibits employees not only from using memory devices such as flash drives, but also from bringing their personal mobile phones/smartphones into the office area. In addition, all PCs that employees use for their operations belong to SHIFT, and we control and manage them so that the use of memory devices is prohibited through the settings on each laptop. If employees find it necessary to use memory devices for their business operations, we allow them to do so only for limited purposes after the internal application process is approved.
Efforts to Prevent Incorrect Email Sending
Because many information leaks in general are caused by human error, such as misdirected e-mail, we have introduced a check tool that requires all employees to review and reconfirm the email address, the subject and the body each time they try to send an email to outsiders, in order to prevent erroneous sending.
In addition to introducing the check tool, we have established a security environment in which only specified employees can send e-mails, and only to registered persons, depending on the contract type and assigned tasks.
Education on Security
SHIFT considers “fostering and continuing security awareness” to be one of the most important things in maintaining security. From this perspective, we provide security training (e-learning) at the time of joining the company and on a monthly basis to all employees regardless of the type of contract. Training content is reviewed continuously and improved to reflect changes in the business environment and other factors. After the training is completed, we conduct a test to confirm employees’ understanding and thoroughly manage it until the correct response rate for all eligible persons is 100%.
We also thoroughly manage the e-learning provided to all employees on a monthly basis to ensure that they take the courses. Since 2018, when we started to conduct monthly e-learning, we have maintained a 100% attendance rate.
Anti-Incident Month
SHIFT believes that raising and maintaining awareness of security and compliance among employees is vital in providing safety and security to customers. From this perspective, SHIFT has established an Anti-Incident Month once every 6 months to foster and strengthen awareness toward security and compliance. If a security or compliance-related incident (including a near-miss) occurs during the month, the security team at SHIFT will announce the details of the incident to all the employees on the company intranet.
Even if it is a near-miss, the real cause behind the near-miss could have led to a major accident. Even if the cause is “inadvertent,” SHIFT believes that it will lead to a major incident in the future. Even one incident will have an enormous impact. In order to encourage employees to be strongly aware that an incident can happen to themselves, rather than seeing it as a fire on the other side of the river, the security team at SHIFT shares the incident/near-miss cases with employees. SHIFT continually implements these activities to protect all of our stakeholders, including our employees and their families, customers, and shareholders.
Checking and audit
Internal audits based on ISMS certification standards are conducted to confirm the status of compliance with security measures in individual divisions as appropriate.
Review by the management
The president and CEO regularly reviews the status of information-security measures at SHIFT. Based on changes in the environment related to information security and the results of internal audits, we conduct continuous improvement activities.
ISMS
SHIFT has been evaluated by an external auditing organization for these initiatives, and has held ISMS certification since October 2012.
>>>Information Security Policy
Governance Structure
SHIFT discusses various risks, including security risks, in various meetings such as the compliance committee.
>>>Governance Activity
Contribution to Solving Social Issues on Security
One of the major challenges in the Japanese IT industry is cyber security.
Recently, the schemes and techniques of cyber-attacks aiming at damage from information leaks, acquisition of confidential information and fraudulent acquisition of money have become increasingly sophisticated, and the number of those attacks is growing at the same time. Furthermore, along with the dramatic change in the work environment due to COVID-19, many companies are shifting their environment from web systems to the cloud, which is often described as highly convenient. Meanwhile, demand in the security area is increasing at an ever-accelerating pace, creating a situation in which service suppliers are not keeping up with the rising demand.
SHIFT SECURITY, a SHIFT group company, has made it possible to recruit and train security personnel, who are difficult to acquire in the Japanese IT industry, by thoroughly standardizing the skills of one of the leading white hat hackers in Japan. This has enabled SHIFT SECURITY to fundamentally overcome the “shortage of personnel,” the greatest challenge facing the IT industry in Japan. By providing diagnostic services of “high quality,” “low price,” and “quick delivery,” SHIFT SECURITY has built a solid supply system and achieved substantial growth every year.
>>>For further information (Japanese only)