MARUI GROUP Information Security Policy
MARUI GROUP (the Company and its subsidiaries and affiliates) practices co-creation management, which entails co-creating the happiness of its customers and other stakeholders through business activities merging retailing and finance. This undertaking entails collecting information on customers as well as other information assets. For this reason, strengthening Groupwide information security to protect these assets from unauthorized access, cyberattacks, and other threats is among the most important tasks for management.
1. Purpose
The purpose of this policy is to provide guidelines for establishing and implementing information security management systems to protect the information assets of customers and of MARUI GROUP from all threats, whether internal or external, accidental or intentional, and thereby help ensure the continuity of MARUI GROUP’s business activities.
2. Basic Principles
- (1) MARUI GROUP shall practice appropriate management of the information entrusted to it by individuals or organizations during the course of its business activities while respecting the rights and interests of these individuals or organizations.
- (2) MARUI GROUP shall practice appropriate management of trade secrets, technological information, and other valuable information acquired during the course of its business activities and protect the rights and interests of MARUI GROUP.
- (3) MARUI GROUP will engage in research and human resource development in order to improve information security as it pertains to customer information and thereby gain greater levels of trust from customers and, in turn, from society as a whole.
3. Scope of Application
This policy is applicable to all MARUI GROUP officers and employees.
4. Definition of Information Security
- (1) MARUI GROUP defines information security as precautions for protecting the information assets of MARUI GROUP from threats with the potential to impact the confidentiality, integrity, and availability of these assets. Cybersecurity is one facet of information security.
- (2) MARUI GROUP defines cybersecurity as safety precautions necessary for preventing information from being leaked, destroyed, or damaged; provisions for ensuring the safety and reliability of MARUI GROUP’s information systems and telecommunications networks; and measures for ensuring proper maintenance and management of these provisions.
5. Information Security Provisions
Recognizing the various risks that may threaten information security during the course of its business, MARUI GROUP shall implement the following information security provisions.
- (1) Risk management pertaining to IT systems for the entire Group shall be overseen by the Compliance Promotion Board, which is to be chaired by the president and representative director of MARUI GROUP CO., LTD.
- (2) MARUI GROUP shall establish an Information Security Committee tasked with maintaining an accurate understanding of circumstances pertaining to information security and discussing information security measures. The Information Security Committee shall submit reports on its activities to the Compliance Promotion Board in order to facilitate the swift implementation of Groupwide information security measures.
- (3) MARUI GROUP shall appoint a chief security officer (CSO) to serve as the highest-level authority on security responsible for promoting appropriate management and protecting Groupwide information assets. Responsibility and authority for the implementation of information security measures at MARUI GROUP shall be entrusted to the CSO.
- (4) The CSO shall issue reports on the execution of their duties to the Board of Directors of MARUI GROUP CO., LTD., and to the Compliance Promotion Board when deemed necessary.
- (5) The president and representative director of M & C SYSTEMS CO., LTD., a Group company that is responsible for the management and operation of the Group’s information security systems, shall serve as the chief information officer (CIO).
- (6) The MARUI GROUP Hot Line (internal reporting system) is to be maintained as a means for preventing the occurrence of legal violations or misconduct by organizations or individuals and for correcting any issues that may be discovered. The MARUI GROUP Hot Line is to be operated in accordance with internal regulations and is to provide a venue for reporting to the Audit Department of MARUI GROUP CO., LTD., or to an outside lawyer. MARUI GROUP is to prevent reporters from suffering any detrimental treatment as a result of filing reports.
6. Information Security Measures
- (1) Information security frameworks
MARUI GROUP shall formulate action plans for addressing information security risks and conduct evaluations to assess whether or not these plans are being effectively implemented. In addition, a framework will be put in place to facilitate ongoing improvements through a plan-do-check-act (PDCA) cycle.
- (2) Compliance with internal regulations and laws
MARUI GROUP shall establish internal regulations for ensuring effective information security measures and disseminate these regulations among officers and employees. Harsh penalties shall be levied against individuals who are found to be in violation of internal regulations or laws related to information security.
- (3) Resource management
- i. MARUI GROUP shall secure and allocate the management resources necessary for implementing appropriate information security measures.
- ii. MARUI GROUP shall recruit and develop the human resources necessary for implementing appropriate information security measures in a systematic and ongoing manner.
- iii. MARUI GROUP shall provide education on information security to officers and employees to promote awareness of the importance of information security and encourage action in this regard.
- iv. MARUI GROUP shall actively participate in external forums for exchanges of information and reflect the information gained in its information security measures.
- (4) Sharing of information security policies with business partners
MARUI GROUP shall share its information security policies with tenants, affiliates, subcontractors, and other business partners and request that they practice appropriate information security in accordance with these policies.
- (5) Information disclosure
MARUI GROUP shall practice appropriate disclosure of its information security initiatives in order to gain greater levels of trust from its stakeholders.
- (6) Implementation and enhancement of auditing systems
MARUI GROUP shall conduct audits of its information security systems periodically and as necessary to verify that it is in compliance with all laws, government and industry organization standards, and internal rules and regulations related to information security in its operations and that these information security systems are functioning appropriately. Harsh penalties shall be levied in response to any violations found to ensure effective management of information.
- (7) Systems reflecting information security measures
MARUI GROUP shall develop systems that reflect its information security measures for preventing unauthorized access, destruction, leakage, alteration, or other incidents affecting information assets.
- (8) Improvement of information security literacy
MARUI GROUP shall continually conduct education and training programs to improve the information security literacy of officers and employees and support effective management of information assets across the Group.
7. Protection of Personal Information of Customers
8. Response to Information Security Incidents
In the event that an information security risk materializes (an information incident occurs), MARUI GROUP shall respond through the following frameworks and response policies.
- (1) MARUI GROUP shall identify the lines of reporting and create initial response manuals regarding information security incidents. Awareness regarding these provisions shall be entrenched among relevant personnel and regular, practical drills shall be conducted.
- (2) In the event that a major information security incident occurs, the head of the division that detected the incident shall promptly report to the chairperson of the Information Security Committee and to the CSO. The chairperson of the Information Security Committee shall then report to the CIO, and the CSO will report to the president and representative director of MARUI GROUP CO., LTD., as necessary.
- (3) When the CSO receives a report of a serious information security incident, a task force will be assembled under the guidance of the CSO to respond to the incident.
- (4) When the president and representative director of MARUI GROUP CO., LTD., receives a report of an emergency incident, they will promptly set up a response headquarters when necessary. This response headquarters will work to quickly resolve the issue, identify its cause, and formulate and implement measures to prevent recurrence.
- (5) Notification will be submitted to the relevant government authorities and to other related parties as necessary in the event of an information security incident.
9. Revision or Abolishment of This Policy
This policy is to be reviewed as necessary by the Board of Directors of MARUI GROUP CO., LTD., and revised or abolished when deemed prudent through sufficient discussion.
Minor revisions, such as changes to organization names, may be made at the discretion of the CSO.
10. Ongoing Improvement
MARUI GROUP shall regularly evaluate the aforementioned provisions and make revisions as necessary to implement ongoing improvements to its information security measures in response to changes in external and internal information security trends and IT technologies.
11. Third-Party Evaluation and Certification
- (1) Information Security Management Certification (ISO 27001)
The Data Center Division of M & C SYSTEMS CO., LTD., received information security management system certification in 2006. In March 2007, after the development of international standards as well as standards set by the Japanese Industrial Standards Committee (JISC) related to information security management systems, ISO 27001 certification was acquired.
- (2) IT Service Management Certification (ISO 20000)
In April 2008, ISO 20000 certification was acquired with regard to the product sales and distribution systems of MARUI CO., LTD., and the core operating systems of Epos Card Co., Ltd. The ability to acquire this certification was a reflection of MARUI GROUP’s swift response to system malfunctions, its provisions for preventing recurrence of incidents, and other factors that contribute to the high quality of its services.
- (3) PrivacyMark Certification (JIS Q 15001)
Group companies M & C SYSTEMS CO., LTD.; Epos Card Co., Ltd.; AIM CREATE CO., LTD.; MOVING CO., LTD.; MRI Co., Ltd.; and MARUI HOME SERVICE Co., Ltd., handle personal information in the course of their businesses. The personal information management systems of these companies are compliant with JISC standards and have been certified by JIPDEC, granting these companies permission to use the PrivacyMark.
Established on June 25, 2018