Principal Themes: Information Security

Information Security

Basic Approach

DNP's strength lies in the information security technology and know-how it has cultivated through the utilization of information assets entrusted to it by companies and consumers, as well as its own information assets.

To fulfill our social responsibility as a company that handles a large amount of information assets, we will ensure the utmost security in the management and protection of information assets, while providing new value through safe and highly reliable products and services.

Policy

Promotion Structure

DNP has established the Information Security Committee and the Information Security Headquarters at its headquarters to inspect and provide guidance to business divisions and group companies. The committee is chaired by the Managing Director in charge of the headquarters.

In addition, the Information Security Committee has been established in each business division and group company, with the head of each organization acting as chairman and personal information management officer. Under this committee, managers and inspection officers are appointed for each issue, such as education, security area measures, and information system measures. We have also been establishing Information Security Committees at overseas group companies since 2015.

Furthermore, in October 2021, we established the DNP CSIRT (Computer Security Incident Response Team) at our headquarters as a cybersecurity response organization to maintain business continuity in the event of an unforeseen incident.

Under this management promotion system, DNP is promoting information security measures based on three pillars: organizational measures, personnel measures, and physical and technical measures.

This diagram shows the information security management structure. The Representative Director heads the organization, and the Corporate Ethics Committee (chairman: Senior Managing Director) and the Information Security Committee (chairman: a Managing Director) work together. The Information Security Committee has an Information Security Headquarters, which houses DNP CSIRT. The Information Security Headquarters is comprised of the Information Security Committee of each business division and group company. Each of these consists of an inspection manager, an information security promotion office manager, an information security manager, an education manager, a security area countermeasure manager, an external response manager, and an information system countermeasure manager. DNP CSIRT is comprised of the internal Security Operation Center (SOC) and Cyber Knowledge Academy (CKA), and collaborates with each business division and group company. The Information Security Committee also collaborates with external organizations, including the National Cyber Defense Office (NCO), Nippon CSIRT Association (NCA), JPCERT/CC, Information-technology Promotion Agency (IPA), and Japan Network Security Association (JNSA).

Indicators/Goals

Based on our basic concept of information security, DNP has set priority indicators and targets, which we use to drive ongoing activities.

Indicators, targets and FY2024 results

① Implementation rate of information security compliance assessment
  • Target: 100% implementation rate for business divisions and group companies
  • FY2024 result: 100% (87 divisions/companies)

② Implementation rate of inspections and guidance for divisions implementing measures to prioritize personal information, etc.
  • Target: 100% implementation rate for target divisions
  • FY2024 result: 100% (66 times)

③ Attendance rate of information security education and training
  • Target: 100% participation rate in target divisions
  • FY2024 result: 100% (approximately 45,000 participants) *Participants include support staff, etc.

④ Security vulnerability testing rate for publicly available internet sites
  • Target: 100% implementation rate for target sites
  • FY2024 result: 100% (implemented for 412 systems)

Strategy and Risk Management

In order to ensure information security, including cybersecurity, DNP has adopted the concept of "security by design" from the planning and design stages, identifying risks and formulating response plans. This allows us to build a system for effective response, and we utilize the PDCA cycle to continuously improve it.

Organizational Measures

Maintaining internal procedures and rules

Personal information protection includes the development of the Personal Information Protection Policy and the Regulations within the Group. We also developed the Basic Personal Information Policy and Basic Personal Information Regulation, under which 10 standards have been established concerning information security, including those for document control, computer usage, restricted areas, education, website and social media. We rapidly send out notices and establish or revise our rules in response to new threats and risks, and we make sure that employees are thoroughly informed about them.

Establishment of a management system

DNP ensures thorough legal compliance, attaining the Privacy Mark in July 2008, and is promoting the establishment of a management system in compliance with the Japanese Industrial Standards, “Personal Information Protection Management System Requirements” (JIS Q 15001). We are also actively making progress toward acquiring the Privacy Mark and ISO/IEC 27001 at all business units and Group companies handling personal information in the course of business activities.

Human Measures

Strengthening information security through human resources development

DNP provides ongoing education and training to all employees, particularly personnel responsible for strengthening information security. We prepare teaching materials in 10 languages, including Japanese, to make sure our education covers all employees. 

In addition, with a view toward developing a "Plus-Security" workforce able to implement the necessary and sufficient security measures while also engaging in their regular assignments, DNP provides cybersecurity educational programs to approximately 30,000 employees of the DNP Group in Japan and overseas who have email addresses.

Promoting Information Security Measures in the Industry

To enhance personal information protection throughout the printing industry, DNP dispatches employees with sophisticated technical knowledge to personal information protection working groups run by the information security committee of the Japan Federation of Printing Industries. These employees participate in creating guidelines and Q&A for personal information protection and in formulating and preparing educational materials. (Two DNP employees have been stationed there since 2004.)

Practical training for essential personnel involved with cyber attack countermeasures

Cyber Knowledge Academy, a Group company, has introduced the TAME Range training system from Israel Aerospace Industries (IAI) of Israel, a country advanced in cybersecurity, and holds lectures and exercises that incorporate a variety of actual cases ranging from typical attack methods to the most recent incidents.

An image of practical training for cyber-attack countermeasure personnel. The exercise management system recreates cyber-attacks through the automated attack system, and practical exercises are conducted and evaluated in the trainee exercise system. The "automated attack system" performs automated attacks using a continuous attack scenario that recreates a real cyber-attack. The "exercise management system" issues instructions to launch the attack, and the "guidance and evaluation system" is displayed on the status monitor. In the "trainee exercise system" (a reproduction of an in-house information system), the trainee practices and responds to the attack, and then reports on the response.

To date, we have trained cybersecurity specialists by holding lectures, drills and various types of training for more than 8,500 security personnel from government agencies and approximately 390 organizations, including those in the information and communications, aviation and electric power sectors, not to mention eligible employees of the DNP Group (as of May 2025).

In 2023, we developed "Organizational Collaboration Course - Metaverse Exercise" for corporate executives and managers. This course uses the metaverse, a virtual space on the Internet, to teach emergency response and inter-organizational collaboration across multiple divisions in the event of a security threat (incident).

This exercise is conducted in the metaverse by four members of the management team who will be responsible for issuing instructions when an incident occurs. They are divided into roles and are able to learn about the actions that should be taken when an incident occurs and how to cooperate with other organizations, regardless of location.

Organizational Collaboration Course Metaverse Exercise
Organizational Collaboration Course Metaverse Exercise Participation Image

Physical and Technical Measures

Measures in divisions handling personal information

Various measures are in place at the Data Processing Offices handling personal information and other important data, including controls for entering/leaving a building (room) using biometrics to ensure that unauthorized persons cannot access the facilities, surveillance cameras that keep improper behavior in check and pocket-free uniforms for on-site workers so that data cannot be taken off-site. We also separate the locations where information is written to media, employ checks using metal detectors, implement and verify access logs, and reduce the number of employees engaged in the work of writing to recording media. These and other measures serve to further strengthen control.

The training management system launches the attack on the automatic attack system. The automatic attack system automatically attacks the student training environment (typical organization IT network) through a series of attack activities that reproduce real cyber attacks. Students will practice attack mitigation and reporting their incident response. The instructor monitors the students' attack mitigation status through the training management system, provides guidance, and evaluates the students’ performance.

Measures at operational bases using smart card employee IDs

DNP is promoting a variety of information security measures using smart card employee IDs. We are increasing the number of operational bases with a security gate system in which employees need the smart card to enter and leave the building or factory. We are also adding a function that requires smart card authentication when printing, enabling the manager to manage multi-purpose machine usage logs in an integrated manner on a server.

Initiatives for the safe delivery of information

DNP has introduced a tool to prevent the wrong transmission of email, with such functions as destination identity verification and the temporary holding of outgoing mail. The aim is to prevent information leaks through wrong transmission when employees send email outside the Group. In addition, we are operating a system that securely transfers the personal data of clients via a network.

Vulnerability analysis

DNP conducts vulnerability tests twice a year for all internet servers handling personal information that are run by the Group to ensure more secure and robust website creation and management.

DNP has also introduced a rating service that utilizes various types of data to objectively evaluate, analyze and visualize risks related to cyber security and continuously monitors these risks.

Related Measures

Response to Cyber Attacks

Response through DNP CSIRT (Computer Security Incident Response Team)

As a supervising organization responsible for overall cybersecurity, DNP Group CSIRT will implement the following activities for the entire Group in Japan and overseas in addition to performing its basic functions of strengthening security.

  • Visualize ICT infrastructure and implement countermeasure instructions based on security vulnerability information and confirm the status of application.
  • Design of and proficiency in countermeasures in the event of any unforeseen circumstances (incidents)
  • Instructions and support for various organizations in the event of any unforeseen circumstances (incidents)
  • Education, practical exercises and awareness of cybersecurity
  • Collaboration with external organizations such as the National center of Incident readiness and Strategy for Cybersecurity (NISC) and Nippon CSIRT Association
  • Enrollment in and application of cyber risk insurance

Introduction of Zero Trust Network

Recent years have witnessed rapid changes in corporate activities and people’s lives spurred by such factors as the promotion of DX, the use of external clouds, and the adoption of remote work that has accelerated due to the COVID-19 pandemic. In response to these changes and with a view toward increasing security for the use of digital networks, DNP has adopted a Zero Trust Network, the concept of not trusting anything, strengthened internet access security and bolstered endpoint security for each type of terminal, such as personal computers and servers.

We will get a full picture of the zero-trust concept and continue to strengthen access control and vulnerability management, while also increasing the sophistication of our zero-trust procedures by, for example, establishing a 24-hour/365-day monitoring system. Through these efforts, we will work to enhance security measures on a global basis.

Training in measures against targeted attack emails

Advanced Persistent Threat (APT) emails are a criminal technique that has been in use for more than 10 years. Recently, however, the content of these emails has become more elaborate, and this type of email has emerged as a major threat both in Japan and abroad. DNP has been responding to the threat by implementing four drills every year in which employees who have corporate email accounts, including the employees of overseas group companies, participate. The drills not only enable employees to understand the characteristics of targeted attack emails and take appropriate steps when attack emails are received, but they also prevent targeted attacks and minimize any damage such as information leaks.

Global deployment of information security management

DNP is striving to strengthen governance by transitioning from systems that were previously utilized individually by each overseas base to a shared system that maximizes use of the cloud. This transition will ensure conformance with security standards across the entire DNP Group at domestic and overseas bases, which have different environments and cultures.

Additionally, to promote information security management at overseas group companies, we are independently creating our own educational tools in 10 languages, including Japanese, as we promote initiatives globally to improve the information security literacy of our employees.

Metaverse "Metropolitan Police Department Cyber Security Center"

In 2023, DNP was commissioned by the Tokyo Metropolitan Police Department Cybersecurity Headquarters to conduct training using the metaverse, and opened the Tokyo Metropolitan Police Department Cybersecurity Center.

The center was developed with the aim of increasing consumers' knowledge of cybersecurity and improving their ability to respond to threats, and has been established within the metaverse "Virtual Akihabara," which is operated by DNP in collaboration with the AKIBA Tourism Council.

Since 2021, DNP has been developing its XR Communication® business, which uses Extended Reality (XR) technology to fuse real and virtual spaces to enhance people's experiences. Users of this center can learn about cybersecurity at any time, anywhere, according to their level of understanding and goals. Through this center, DNP works with the Tokyo Metropolitan Police Department to raise awareness of cybersecurity, reduce the risk of consumers becoming involved in crime, and contribute to the development of a safer and more secure society.