Information Security and Personal Information Protection Policy

Please refer to "Information Security and Personal Information Protection".

system

The planning and implementation status of information security and personal information protection within the business companies are managed by the Compliance and Security Division, headed by the Senior Executive Officer, CLRO and Head of Compliance and Security, through each business unit head. Each business unit appoints an information security officer to implement and promote information security, establishes an information security promotion system, and defines emergency response plans and incident response procedures. In addition, an Information Security Monitoring Committee has been established as an external body. We undergo regular audits by external experts and are working to build world-class information security.

Emergency response

We have established reporting routes and a system to ensure that countermeasures can be taken quickly in the event of an emergency, such as an incident.

Any employee who discovers or receives a report from a contractor regarding any anomaly related to information security or the handling of personal information is required to promptly report it to their department head. The department head will then promptly report it to the "Information Security Reporting Desk" and the "Emergency Incident Reporting Desk (Benesse Group Hotline)." To facilitate more rapid reporting of emergencies, a reporting route is also in place allowing discoverers to directly report to the "Emergency Incident Reporting Desk" depending on the situation. The Compliance and Security Headquarters collects the information and reports the overall incident situation to the CEO, and has established a system to take countermeasures for the identified issues.

Information Security Monitoring Committee

The Information Security Monitoring Committee is tasked with regularly reviewing the status of the establishment of appropriate security standards and usage/management regulations regarding the operation and maintenance of data and systems, as well as the compliance status of group companies with such standards and regulations. Its mission is to make fair judgments from the customer's perspective, including necessary improvement measures. Established on October 15, 2014, the committee meets regularly, approximately once a quarter, and continues to conduct reviews by external experts.
Furthermore, we have appointed external academic experts who are leading figures in information security and personal information protection as committee members, and we have received their recommendations for further strengthening information security.詳細は「社外有識者の定期的な監視強化」をご参照ください。

Efforts to strengthen information security

System enhancement and environmental improvement

To ensure that our customers can entrust their personal information to us with peace of mind and confidence, we continue our efforts to strengthen system security through enhanced system operation and monitoring, and technical measures based on the latest information. Furthermore, we strive to achieve world-class information security through audits and advice from external experts.

■ Strengthening system security measures

In today's IT society, new technologies are constantly being born and released. Therefore, there is no end to the need for corresponding security measures. We will implement various measures from the following perspectives to ensure continuous strengthening of our security.

• Security measures in system operation (e.g., strengthening alert functions to detect anomalies)
• Measures to prevent infection by malicious programs (such as implementing strict access restrictions from inside the company to outside)
• Measures to protect communication networks (such as appropriate network configuration changes and blocking external access)
• Access control to systems and information (stricter authorization, enhanced ID/password management, etc.)

■ Strengthening the security environment

We are continuously implementing numerous enhancement measures to achieve the world's highest level of security. Here are some of the specific details:

1) Enhanced checks using metal detector gates

We strictly check entry and exit points to prevent the bringing in or removal of electronic devices and storage media from the location where we manage our customer information database.

2) Implement optimal security measures to limit, manage, and address risks.

At Benesse Corporation, we have strengthened security zoning (separation) at several levels in the locations where customer information data is managed, according to the information handled, the nature of the work, and the people who can access it. We implement appropriate security measures for each area to handle customer information in a safe environment. Here are a few specific examples.

[Risk countermeasures in general office areas]

Only employees and related personnel are permitted entry. Customer service will be provided using a secure terminal accessible only to designated individuals, allowing them to view personal information.

[Risk countermeasures in the customer information database viewing area]

In addition to strict control over who has access, security measures are implemented on a special network, and operation logs and actions are fully monitored.

[Risk countermeasures in the customer information database operation area]

Access to the area is strictly controlled, and while database operations are permitted, operation logs and actions are fully monitored, and data output is impossible.

Handling of customer information

We clearly define the purpose of use for personal information entrusted to us by our stakeholders and thoroughly implement transparent and proper management of personal information at each stage (acquisition, use, utilization, and deletion). Furthermore, we have established a contact point to promptly respond to requests for disclosure and other inquiries.

詳細は以下よりご覧ください。

• お客様情報の取り扱い方針・対応

To ensure you can use our products and services with greater peace of mind, we are continuously reviewing our personal information handling policies and procedures based on the feedback we receive.

Employee education and awareness

■ Holding of Security Day

Following the personal information leak incident that came to light in 2014, we designated July 7th as "Security Day." Every year around this time, Benesse Corporation holds a morning meeting on information security, presents internal initiatives, and invites external experts to give lectures. These activities serve as a reminder to all employees that we will not forget the lessons learned from the incident and will continue to work to strengthen information security.

■ Information Security Training

At Benesse Corporation, all employees working at Benesse (from executives to part-time staff) are required to take information security training. Every year, the company reviews the rules, practices, and basic knowledge regarding information security, particularly focusing on personal information. The training had a 100% participation rate in fiscal year 2024. In addition, the company has prepared a system to maintain security standards and operations even when employees are working from home, and conducts training to review security rules again when employees start working from home. Furthermore, departments responsible for managing the group's systems also conduct training using dedicated programs.

Obtaining external certification

Please refer to "External Evaluations and Awards."