Information Security

DNP has a core strength in information security technology and know-how built up in the application of information assets entrusted to us by companies and consumers as well as our own information assets. We leverage this strength to provide new value through highly secure and reliable products and services.

Medium- to long-term vision

We ensure the exceptional security of personal information and all other information assets through management and protection as part of the social responsibility of a company handling such information assets.

SDGs Covered by the Vision

  • Goal 9: Industry, Innovation and Infrastructure
  • Goal 11: Sustainable Cities and Communities

Performance Indicators to Monitor the Progress in Achieving the Vision and Activity Results

Performance indicators and targets
  • (1) Rate of information security compliance assessments conducted. Target: Achieve 100% (covering all business units and Group companies)
  • (2) Rate of inspections and instructions by executive officer in charge of divisions implementing priority measures for personal information protection, etc. Target: Achieve 100% (covering all organizations concerned)
  • (3) Participation rate of information security education and training. Target: Achieve 100% (covering all organizations concerned)
  • (4) Rate of security vulnerability tests for publicly open websites. Target: Achieve 100% (covering all websites concerned)
Results: see the most-recent fiscal year results

Structure to Promote Management

Since establishing the Office for the Protection of Personal Information in 1999, DNP has continued to strengthen its information security measures in response to changes in the security environment in Japan and overseas. We established the Information Security Committee and Information Security Headquarters, which are supervising organizations for Company-wide management, to provide inspection and guidance for business units and Group companies. The senior corporate officer in charge of the head office serves as the committee chief. Information Security Committees have also been established in each of the business units and Group companies. Under the direction of the committee chief and the person responsible for managing personal information (together with the heads of each operating unit), they handle issues such as education, security area measures and information security measures, and take responsibility for inspections. Information Security Committees have been set up at overseas Group companies since 2015.

Moreover, in October 2021, we established the DNP-CSIRT (DNP Computer Security Incident Response Team) at the headquarters as a cybersecurity response organization, thereby ensuring business continuity is not interrupted in the event of any unforeseen circumstances (incidents).

This is a schematic image of the DNP Group information management structure. Persons in charge are assigned to the Head Office, business units and all Group companies.

Organizational Measures

Maintaining internal procedures and rules

Personal information protection includes the development of the Personal Information Protection Policy and the Regulations within the Group. We also developed the Basic Personal Information Policy and Basic Personal Information Regulation, under which 10 standards have been established concerning information security, including those for document control, computer usage, restricted areas, education, website and social media. We rapidly send out notices and establish or revise our rules in response to new threats and risks, and we make sure that employees are thoroughly informed about them.

Establishment of a management system

DNP ensures thorough legal compliance, attaining the Privacy Mark in July 2008, and is promoting the establishment of a management system in compliance with the Japanese Industrial Standards, “Personal Information Protection Management System Requirements” (JIS Q 15001). We are also actively making progress toward acquiring the Privacy Mark and ISO/IEC 27001 at all business units and Group companies handling personal information in the course of business activities.

Acquisition status of Privacy Mark and ISO/IEC 27001 (Japanese site opens)

Human Measures

Strengthening information security through human resources development

DNP provides ongoing education and training to all employees, particularly personnel responsible for strengthening information security. We prepare teaching materials in 10 languages, including Japanese, to make sure our education covers all employees. Training courses are provided via groups to personnel in charge of strengthening information security, and the Group company CP Design Consulting, Ltd., which provides consulting related to personal information protection, offers practical courses based on DNP’s products and services.
In addition, with a view toward the development of a "Plus-Security" workforce whose members are able to implement the necessary and sufficient security measures while also engaging in their regular assignments, DNP provides cybersecurity educational programs to approximately 30,000 employees of the DNP Group in Japan and overseas who have email addresses.

Physical and Technical Measures

Measures in divisions handling personal information

Various measures are in place at the Data Processing Offices handling personal information and other important data, including controls for entering/leaving a building (room) using biometrics to ensure that unauthorized persons cannot access the facilities, surveillance cameras that keep improper behavior in check and pocket-free uniforms for on-site workers so that data cannot be taken off-site. We also separate the locations where information is written to media, employ checks using metal detectors, implement and verify access logs, and reduce the number of employees engaged in the work of writing to recording media. These and other measures serve to further strengthen control.

This is a schematic image of security-related physical measures ranging from outdoor measures to the high security zones within buildings. The DNP Group is implementing multiple

Measures at operational bases using smart card employee IDs

DNP is promoting a variety of information security measures using smart card employee IDs. We are increasing the number of operational bases with a security gate system in which employees need the smart card to enter and leave the building or factory. We are also adding a function that requires authentication via smart card when printing, enabling managers to manage multi-purpose machine usage logs in an integrated manner on a server.

Initiatives for the safe delivery of information

DNP has introduced a tool to prevent the erroneous transmission of email, with such functions as destination identity verification and the temporary holding of outgoing mail. The aim is to prevent information leaks through erroneous transmission when employees send email outside the Group.
In addition, we are operating a system that securely transfers the personal data of clients via a network.

Security controls for website vulnerability

DNP conducts vulnerability tests twice a year for all internet servers handling personal information that are run by the Group to ensure more secure and robust website creation and management.
DNP has also introduced a rating service that utilizes various types of data to objectively evaluate, analyze and visualize risks related to cyber security and continuously monitors these risks.

Promoting Information Security Measures in the Industry

To enhance personal information protection throughout the printing industry, DNP dispatches employees with sophisticated technical knowledge to personal information protection working groups run by the information security committee of the Japan Federation of Printing Industries. The employees participate in making guidelines and Q&A for personal information protection and in formulating and preparing educational materials. (Two DNP employees have been stationed there since 2004.)

DNP’s Main Initiatives

Response to Cyber Attacks

Response through DNP CSIRT (Computer Security Incident Response Team)

As a supervising organization responsible for overall cybersecurity, DNP Group CSIRT will implement the following activities for the entire Group in Japan and overseas in addition to performing its basic functions of strengthening security.

  • Visualize ICT infrastructure and implement countermeasure instructions based on security vulnerability information and confirm the status of application.
  • Design of and proficiency in countermeasures in the event of any unforeseen circumstances (incidents)
  • Instructions and support for various organizations in the event of any unforeseen circumstances (incidents)
  • Education, practical exercises and awareness of cybersecurity
  • Collaboration with external organizations such as the National center of Incident readiness and Strategy for Cybersecurity (NISC) and Nippon CSIRT Association
  • Enrollment in and application of cyber risk insurance

Introduction of Zero Trust Network

Recent years have witnessed rapid changes in corporate activities and people’s lives spurred by such factors as the promotion of DX, the use of external clouds, and the adoption of remote work that has accelerated due to the COVID-19 pandemic. In response to these changes and with a view toward increasing security for the use of digital networks, DNP has adopted a Zero Trust Network, the concept of not trusting anything, strengthened internet access security and bolstered endpoint security for each type of terminal, such as personal computers and servers.
We will get a full picture of the zero-trust concept and continue to strengthen access control and vulnerability management, while also increasing the sophistication of our zero-trust procedures by, for example, establishing a 24-hour/365-day monitoring system. Through these efforts, we will work to enhance security measures on a global basis.

Training in measures against targeted attack emails

Advanced Persistent Threat (APT) emails are a criminal technique that has been in use for more than 10 years. Recently, however, the content of these emails has become more elaborate and this type of email has emerged as a major threat both in Japan and abroad. DNP has been responding to the threat by implementing four drills every year in which employees who have corporate email accounts, including the employees of overseas group companies, participate. The drills not only enable employees to understand the characteristics of targeted attack emails and take appropriate steps when attack emails are received, but they also prevent targeted attacks and minimize any damage such as information leaks.

Practical training for essential personnel involved with cyber attack countermeasures

Cyber Knowledge Academy, a Group company, has introduced the training system TAME Range from Israel Aerospace Industries (IAI) of Israel, a country advanced in cybersecurity, and holds lectures and exercises that incorporate a variety of actual cases ranging from typical attack methods to the most-recent incidents.

The training management system launches the attack on the automatic attack system. The automatic attack system automatically attacks the student training environment (typical organization IT network) through a series of attack activities that reproduce real cyber attacks. Students will practice attack mitigation and reporting their incident response. The instructor monitors the students' attack mitigation status through the training management system and provides guidance and evaluates the students’ performance.

To date, we have trained cybersecurity specialists by holding lectures, drills and various types of training for more than 7,200 security personnel from government agencies and approximately 280 organizations, including those in the information and communications, aviation and electric power sectors, not to mention eligible employees of the DNP Group (as of May 2023).

Global deployment of information security management

DNP is striving to strengthen governance by transitioning from systems that were previously utilized individually by each overseas base to a shared system that maximizes use of the cloud. This transition will ensure conformance with security standards across the entire DNP Group at domestic and overseas bases, which have different environments and cultures.
Additionally, to promote information security management at overseas group companies, we are independently creating our own educational tools in 10 languages, including Japanese, as we promote initiatives globally to improve the information security literacy of our employees.