Information SecurityGovernance

Information Security Policy

At Sagawa Express, we believe it is our social responsibility to protect our information assets. We are thus working to reinforce our information security based on the SG Holdings Information Security Basic Policy and Personal Information Protection Policy.

Information Security Basic Policy

At Sagawa Express, as we aim to support economic and social development and become a company that contributes to society, we believe it is our social responsibility to protect our information assets, including the information assets provided to us by our customers. As such, we will strive to maintain and manage information security based on the Information Security Basic Policy (hereinafter "Basic Policy") formulated by SG Holdings Co., Ltd.

Development and Implementation of Internal Rules

Based on this Basic Policy, we will develop our information security regulations and other rules and implement information security measures.

Development of an Information Security Management System

In addition to developing a management system for information security, we will build and operate other relevant systems to work with external institutions and other organizations as necessary.

Information Security Measures

We will take appropriate information security measures to prevent the falsification, loss, leakage, fraudulent intrusion, or other interference with the use of information assets.

Continuous Implementation of Education

We will strive to promote understanding of the Basic Policy among company officers and employees through the continuous implementation of necessary information security education.

Response to Accidents

In the event that an accident occurs, we will promptly investigate the causes, and in addition to preventing the damage from expanding, we will implement recurrence prevention measures.

Compliance with Laws and Regulations, etc.

We will strictly comply with laws and regulations, internal rules, etc., related to information security.

Evaluation and Review of Information Security Activities

We will regularly review whether our information security measures are appropriately being implemented, maintained, and managed, and implement improvement measures as necessary.

Information Security Response

In our information security activities, not only do we ensure rapid response in the event of an incident, we carry out improvement activities to prevent incidents in advance and prevent their recurrence. Through these activities, we are able to continuously enhance the level of security at the SG Holdings Group.

Overview

Building a Support System to Respond to Security Incidents and Collect Information

Purpose	From the occurrence to the conclusion of a security incident, aim to minimize damage alongside SGH-CSIRT (SG Holdings Computer Security Incident Response Team).
Implementation Details	Prevention activities in times of normality SGH-CSIRT (SG Holdings Computer Security Incident Response Team) activities Collection of threat information and impact surveys Development of operational processes, procedures, rules, and regulations for CSIRT Accumulation and organization of knowledge Coordination with external organizations Nippon CSIRT Association, JPCERT/CC Security Alerts, National Center of Incident Readiness and Strategy for Cybersecurity, Initiative for Cyber Security Information Sharing Partnership of Japan, and Transportation ISAC Japan Maintenance and management of server environment used to analyze logs when responding to incidents Incident response/proposals for incident recurrence prevention measures Minimization of damage from cyber attacks Development of operational processes, procedures, rules, and regulations for CSIRT Malware analysis Response availability 24 hours a day 365 days a year (for attacks that require emergency response)

Purpose

From the occurrence to the conclusion of a security incident, aim to minimize damage alongside SGH-CSIRT (SG Holdings Computer Security Incident Response Team).

Implementation Details

Prevention activities in times of normality
SGH-CSIRT (SG Holdings Computer Security Incident Response Team) activities

Collection of threat information and impact surveys
Development of operational processes, procedures, rules, and regulations for CSIRT
Accumulation and organization of knowledge
Coordination with external organizations
Nippon CSIRT Association, JPCERT/CC Security Alerts, National Center of Incident Readiness and Strategy for Cybersecurity, Initiative for Cyber Security Information Sharing Partnership of Japan, and Transportation ISAC Japan
Maintenance and management of server environment used to analyze logs when responding to incidents

Incident response/proposals for incident recurrence prevention measures

Minimization of damage from cyber attacks
Development of operational processes, procedures, rules, and regulations for CSIRT
Malware analysis
Response availability
24 hours a day 365 days a year (for attacks that require emergency response)

Examination of Measures Based on the Security Roadmap

Purpose	Reflect the latest threats and circumstances into measures under the Security Roadmap and optimize them based on degree of priority.
Implementation Details	Consider measures for each fiscal year based on the three-year security measures roadmap

Drills Simulating Targeted Email Attacks

Purpose	By regularly hosting response drills to Group employees for identification of and response to threats via email, reduce malware infection risks and improve Group network security.
Implementation Details	Twice yearly implementation Upgrading of content as necessary based on social conditions, etc. Review and implementation of training, including reporting to supervisors by the mail opener Analysis based on roles and departments, etc. Review and implementation of surveys and individual training for departments and individuals with high rates of opening emails E-learning and read-throughs of the Security Handbook