The DeNA Group provides a variety of services using the internet and AI to delight people beyond their wildest dreams. However, by their nature these services face the threat of cyberattack and privacy violation. For this reason, at DeNA our basic approach for information security is to protect customer information appropriately and ensure the security of the services we provide and our internal systems, and in that way provide safe and secure services.
Information Security Management Committee
The DeNA Group has established an Information Security Management Committee, chaired by the President & CEO and composed mainly of officers and group executives, and has put in place a group-wide system. Discussions by the committee are regularly reported to the management meeting, and important matters are also discussed at the management meeting. Further, important matters are also reported to the Board of Directors.
Information Security Management Supervisor
The Information Security Management Supervisor is appointed by the Information Security Management Committee as the person responsible for supervising information security management duties in compliance with the approach indicated by the Information Security Management Committee. The Information Security Management Supervisor leads DeNA CERT and works on security issues and enhancing response for both ordinary times and emergency situations.
DeNA CERT
This cross-departmental team, with members from the Security Dept., Information System Dept., Legal Dept., Corporate Unit, and other departments, works to solve security issues.
DeNA CERT always coordinates throughout the company and handles issues in ordinary circumstances and in emergencies.
In ordinary circumstances, DeNA CERT consults with various departments and subsidiaries about security and works to solve issues. The result of handled issues is accumulated as knowledge in the team, and is disseminated to the entire company by being reflected in security policies and being shared on the portal site and in other ways. However, to solve major issues that go beyond the scope of authority entrusted to DeNA CERT by the Information Security Management Committee, DeNA CERT proposes a method for addressing the issue to the Information Security Management Committee and works to address the issue after the company approach has been set.
In the case of a suspected incident, DeNA CERT forms the core of the response. There are team members with highly specialized knowledge, enabling a rapid response.
DeNA CERT also disseminates security-related information to the external community, and works to enhance the security measures both internally and externally.
*CERT is the abbreviation for Computer Emergency Response Team, which is an organization or mechanism to address computer security issues in a company or organization. It is also referred to as CSIRT (Computer Security Incident Response Team).
Personal Information Management Committee
The DeNA Group has established the Personal Information Management Committee, chaired by the President & CEO and composed mainly of officers and group executives, and has established a group-wide system. Discussions by the committee are regularly reported to the management meeting, and important matters are also discussed at the management meeting. Highly important matters are also reported to the Board of Directors.
Personal Information Management Supervisor
The Personal Information Management Supervisor is appointed by the Personal Information Management Committee to oversee the personal information management operations of the DeNA Group. The Personal Information Management Supervisor leads the Personal Information Management Supervision Group to ensure the appropriate handling of personal information in the DeNA Group.
Personal Information Management Supervision Group
Under the supervision of the Personal Information Management Supervisor, this group strives to ensure the appropriate handling of personal information within the DeNA Group.
For example, when conducting campaigns that handle personal information, this group checks whether the usage purpose is clearly stated, whether there are any problems with the process from acquisition to deletion of personal information, and other checks to support the safe handling of personal information. In addition, the group regularly checks the status of personal information management in the DeNA Group and strives to ensure the appropriate handling of personal information by encouraging business units to provide visibility into the handling of personal information from acquisition to deletion, to acquire only the minimum necessary personal information, and to take inventory of access privileges.
In order to realize the basic policy of appropriately protecting information entrusted by customers and keeping services and internal systems secure, the DeNA Group complies with applicable laws and regulations, and also has established a unified Group-wide security policy based on the Cybersecurity Management Guidelines and the NIST (National Institute of Standards and Technology) Cybersecurity Framework, etc. This security policy applies to DeNA and DeNA’s subsidiaries.
In addition to the DeNA Group Information Security Policy, which outlines the principles of our response policy, we have also established the Group Information Management Standard, which specifically outlines the appropriate handling of information assets, and the Group Information System Standard, which specifically outlines security measures to be incorporated into the development and operation of information systems. We strive to provide security and peace of mind by establishing and complying with these standards.
However, cyber attacks and other threats are becoming more sophisticated every day, so we continue to update our security policies in a timely manner in response to changes in the internal and external environment.
In addition, we endeavor to improve employee understanding by publishing a security handbook and case studies that are designed to be easy to understand.
The DeNA Group respects customers' rights to privacy. The DeNA Group acquires customers' personal information through various services, and handles customers' personal information only after clearly indicating the usage purpose in advance.
The DeNA Group established the Group Personal Information Management Guidelines regarding handling personal information, and strives to handle personal information appropriately by acquiring only the minimum necessary information, optimizing access privileges, and deleting information that has fulfilled its usage purpose. In addition, a company-wide personal information management ledger is maintained to make visible the handling of personal information from acquisition to deletion.
In addition, to the extent permitted by law, customers have the right to request the DeNA Group to disclose, correct, or discontinue the use of their own personal information (hereinafter referred to as "disclosure, etc."), and a contact point has been set up for this purpose.
To ensure unified handling in the DeNA Group, the Group Personal Information Management Guidelines were formulated and applied to DeNA and DeNA’s subsidiaries in Japan.
International Privacy Handling
When providing services to overseas customers, it is necessary to comply with the GDPR (EU General Data Protection Regulation), CCPA (California Consumer Privacy Act), and other privacy-related laws and regulations in the countries where services are provided.
The DeNA Group's Overseas Privacy Office, consisting of the legal and security departments, provides one-stop support to business departments from legal research to the implementation of security measures.
The DeNA Group defines services and information systems that are essential from the perspective of business continuity as "critical systems," and has established a security management system that covers all stages from normal times to
In the event of an emergency, DeNA CERT plays a central role in incident response. In the unlikely event of an incident, such as the leakage of customers' personal information, the DeNA Group will follow predetermined incident response and recovery procedures, cooperate with business departments, and work to minimize the impact on customers until restoration is complete.
In the immediate aftermath of an incident, an accurate initial response is critical. To confirm and improve our incident response capabilities, the DeNA Group conducts regular incident response training to enhance our response capabilities.
The DeNA Group classifies and manages information assets according to their level of confidentiality. In particular, information that can identify individual customers is classified as "strictly confidential" information, which is the most sensitive, and its handling procedures are centrally managed in a personal information management ledger. This ledger is regularly inventoried to check the information handled, delete information that has fulfilled its usage purpose, and optimize access privileges, thereby managing procedures from the acquisition of personal information to its destruction.
In order to provide better services to customers, the DeNA Group may entrust the handling of personal information, etc. to subcontractors to the extent necessary to achieve the usage purpose, such as to support the operation of DeNA Group services. The DeNA Group has established standards and procedures for supervising contractors when the handling of personal information is outsourced.
In the event that a subcontractor accesses any DeNA Group information system to perform its work, the DeNA Group implements technical measures such as limiting access to the minimum necessary information, and provides necessary training to the subcontractor.
Inspection & Audits
The DeNA Group's security department inspects the status of compliance with personal information and security policies. Issues discovered by the security department are escalated to the Information Security Management Committee or the management meeting, depending on the magnitude of the risk, and executives are involved in making decisions on how to respond to the issues.
The effectiveness of the DeNA Group's personal information and information security management system, including the activities of the security department, is also verified through audits by an independent internal audit division.
The DeNA Group conducts training related to personal information and information security for all employees of the DeNA Group (including temporary employees and employees of partner companies) so that each and every employee can work with full consideration of and strict adherence to security rules.
With the exception of some employees who handle sensitive information, DeNA promotes a style of work incorporating remote work. While technical and other measures are taken to secure information during remote work, it is also essential to raise employees' awareness of the importance of information security. For this purpose, DeNA created a guide to security measures for each type of working location, and disseminates it to ensure appropriate management of information assets.
|Timing|Training|Target|
|---|---|---|
|When entering company / starting work|Information security training; Personal information training|All employees (including temporary employees and employees of partner companies)|
||Security training for engineers|All engineers (including temporary employees and employees of partner companies)|
||Information security training; Personal information training|All employees (including temporary employees and employees of partner companies)|
||Information security training for officers|All officers and employees|
|Quarterly|Security information sharing meeting at the management meeting|Officers / group executives|
|When appointed to officer position|Information security training for officers; Incident response workshop for officers|Those newly appointed to an officer position|
Security Personnel Training
In order to provide high quality services using technology, the creation of safe and secure systems is an important issue. Currently, threats related to cyber security are becoming more diverse and sophisticated, and there is a need to train security personnel to respond to these threats.
To enable security department staff to respond promptly to any case, we have created an environment in which they can acquire necessary security knowledge through their work, for example, by hypothesizing attack scenarios that match the characteristics of cyber attacks and conducting periodic training on how to respond to incidents. The development and open-sourcing of security tools is also considered as a measure to improve security knowledge.
The DeNA Group is entrusted with the important information of our customers. Since it is important for each employee to recognize and understand the importance of the information handled and their responsibilities, we have executed non-disclosure agreements with all direct employees of the DeNA Group.
Non-disclosure agreements are also in place for subcontractors.
Office Access Management
The DeNA Group has multiple offices, and access to these offices is controlled by security cards and surveillance cameras. The DeNA Group has defined security levels in accordance with the degree of confidentiality, etc. of information handled in an office space, with security measures appropriate for that security level put into place.
In particular, offices that handle important information are equipped with dedicated offices for such work, surveillance cameras that record all views of the office, and more stringent access control measures, such as granting access only to those who are involved in the work.
The DeNA Group may acquire and manage important information in the form of documents, USBs, or other media. These media are also managed according to confidentiality classifications, and the DeNA Group strives to handle them securely by storing them in lockable cabinets, strictly controlling keys, and disposing of media that have served their intended purpose in a manner that makes it difficult to recover the information.
The DeNA Group sets confidentiality levels for data and manages data according to its level of confidentiality. In particular, access to data that can identify individual customers is restricted, and such data is stored only after appropriate strong encryption is applied. To restrict access, we have introduced a system that manages accounts centrally. In addition, we keep access records to ensure traceability (knowing when, from where, and by whom data was accessed).
Measures to Prevent Unauthorized External Access
The DeNA Group has introduced measures to prevent unauthorized access based on attack scenarios. Risks are reduced by implementing a multi-layered defense that includes controlling communications that are unnecessary for business, monitoring and analyzing communications, responding to vulnerabilities, secure coding, and encrypting data items on a per-item basis. In particular, vulnerability handling and encryption are performed in-house to achieve a higher level of security in accordance with the characteristics of our business services.
The DeNA Group believes that it is also important to properly address vulnerabilities* in the services we provide, and since the DeNA Group has in-house security engineers who are knowledgeable and capable of conducting vulnerability assessments, in-depth assessments tailored to the company's needs can be conducted promptly when necessary.
The DeNA Group has also developed its own assessment tools and is constantly improving the quality of its assessments. We are also consulted by companies outside of the DeNA Group for vulnerability assessments. Vulnerability assessment and defense against hacking, especially for smartphone applications, is a developing field, but DeNA's team of security engineers is not bound by conventional wisdom and is improving the level of security for our business by developing our own diagnostic techniques and defense functions.
In addition, the diagnostic tools developed in the process of research and development are released as open source so that anyone can use them, thereby contributing to raising the level of security in the industry as a whole.
*A vulnerability is a software security flaw caused by a program defect or design flaw.
Automated Management of Cloud Settings
The DeNA Group develops and operates services using cloud technology.
In cloud services, a misconfiguration may cause information leaks, etc. The DeNA Group has created guidelines that define specific configuration procedures for each of our major cloud services and has made these guidelines known to engineers and others, but there is always the possibility of a mistake due to human error. Therefore, we have developed a system that automatically checks configuration values against the guidelines on a daily basis and notifies us of any deviations, thereby enhancing the quality of our services.
Contribution to Security Industry
Disseminating Information and Raising Awareness in Industry
An important activity of DeNA CERT is to contribute to the security industry and exchange information with external parties. Security measures are not an issue for the DeNA Group alone, but must be addressed by all of society as we increasingly rely on technology, and the knowledge accumulated by the DeNA Group is provided to communities outside the company. We also contribute to improving the security level of the industry as a whole by releasing diagnostic tools and other tools developed through security research and development as open source so that they can be used by anyone.
Nippon CSIRT Association
As an executive member, the DeNA Group provides a forum for connecting security personnel from other organizations to solve problems. Through these activities, we ourselves exchange security-related information and cooperate with various CSIRTs in our industry and other industries beyond our own interests, helping to improve internal and external security.
Security Camp Committee
As a member company, the DeNA Group contributes to the restoration and operation of "security camps" with the goal of discovering and training young, talented security personnel.
In addition to the above, the DeNA Group actively disseminates the know-how we have cultivated through technical activities, human resource development, and educational activities to external security professionals, magazines, and seminars, etc.
Making Tools Open Source
DeNA produces the tools necessary to respond to vulnerabilities in-house, and has open-sourced some of these tools as a contribution to the security industry.
Various Initiatives at DeNA Group Companies
DeSC Healthcare, Inc.
DeSC Healthcare, Inc. has obtained PrivacyMark (JIS Q15001:2017) certification. PrivacyMark is a system to evaluate businesses that have established a personal information protection management system that conforms to JIS Q 15001, and to grant the mark.
DATA HORIZON Co., Ltd.
DATA HORIZON Co., Ltd. has obtained the ISO/IEC 27001:2013 (JIS Q27001:2014, known as ISMS) certification as well as PrivacyMark (JIS Q15001:2017) certification.
Allm Inc.
Allm Inc. has obtained the ISO/IEC 27001:2013 (JIS Q27001:2014, known as ISMS) certification as well as PrivacyMark (JIS Q15001:2017) certification.
Technology Report (Security Version)
This report compiling security information is available for download below (Japanese only).