Information Security Policy
Amidst the rapid development of the internet-based information technology society (hereafter "IT Society"), economic conveniences have spread far more quickly than expected. On the other hand, new problems, including the leakage of personal Information, have surfaced and there has been widespread demand for appropriate responses to create a robust IT society.
In this environment, the Rakuten Group, which provides a wide range of services from e-commerce to financial services over the internet, recognizes that Information Assets, including personal Information and the hardware and software that make up the Information Systems, are indispensable for implementing its business activities. Ensuring the security of these assets through appropriate protection and management is one the highest management priorities. The Rakuten Group is continually bolstering its efforts in its Information Security policies.
Therefore, the Group will establish an Information Security Management System in which all related persons shall participate, through the following items (below), and continue its tireless efforts to ensure Information Security.
1. Establishment of the Information Security Management System
To build an Information Security Management System under a management-team initiative and strive to enhance and maintain Information Security.
2. Appropriate management of Information Assets
To recognize the importance of Information Assets held and to evaluate risks and properly manage these assets.
3. Establishing Regulations for ensuring Information Security
To establish regulations, etc., for ensuring Information Security, and thoroughly extend these to all related persons.
4. Compliance with laws and norms
To comply with all laws and norms related to Information Security.
5. Continuous improvement
To implement audits on a regular basis and continuously improve the Information Security Management System.
Initiatives for Information Security Enhancement
1. Maintaining Information Security Management System
Rakuten Group sets standards and regulations based on ISO/IEC 27001, aiming to maintain the confidentiality, integrity and availability of information assets by constructing, operating, and continuously improving its Information Security Management System (ISMS) to manage various risks, such as the loss or falsification of information assets and service outages.
Rakuten Ichiba became ISO/IEC27001 certified the first time in November 2006, and today we are further committed to ensuring information security with 18 Rakuten Group companies (see below) which have received this certification as a result of annual external independent audits.
- Rakuten Group, Inc.
- LINKSHARE JAPAN K.K.
- Target, Inc.
- Rakuten Socio business, Inc.
- Rakuten Baseball, Inc.
- Rakuten Travel Service, Inc.
- Rakuten ANA Travel Online Co., Ltd.
- Rakuten Communications, Inc.
- Rakuten Insight, Inc.
- Rakuten Card Co., Ltd.
- Keiba Mall, Inc.
- TicketStar Inc.
- Rakuten Edy, Inc.
- Rakuten Super Logistics, Inc.
- Rakuten Mobile, Inc.
- Rakuten Payment, Inc.
- Rakuten Wallet, Inc.
- Rakuten Vissel Kobe, Inc.
2. Raising Awareness among Employees
In order to ensure information security, raising employee security awareness is important. Rakuten Group therefore provides annual information security training to all employees including not only executives and full-time employees, but also non-regular employees.
3. Strengthening Cyber Security
Cyber security is about ensuring the safety of a virtual environment (cyberspace) composed of the internet, computer networks and information systems, devices such as personal computers and smart phones, and their users, and taking measures against threats, including but not limited to falsification of information, computer viruses, destructive behavior, and phishing attacks (fraudulent acts via emails).
Rakuten Group has established a specialized organization dedicated to cyber security and a proactive system to develop safe services while eliminating vulnerabilities (information security flaws) by ensuring thorough security education for developers, implementing security reviews during the software development process, and conducting inspections for vulnerabilities.
Our efforts to prevent security incidents also include monitoring illegal access, as well as surveying and responding to information security flaws. In addition, we have established Rakuten-CERT (Computer Emergency Response Team) to cooperate with external stakeholders such as relevant ministries, organizations specialized in cybercrime, and other companies. In addition, through measures related to cyber security, we are committed to not only maintaining our own security but also to strengthening information security of the internet society as a whole.
4. Protecting Personal Information
Rakuten Group prioritizes the provision of services that customers feel safe using and thorough compliance with laws concerning the protection of personal information in the areas where we operate.
To comply with Europe’s General Data Protection Regulation (GDPR) -- a newly adopted EU law on data protection and privacy that is considered to be best practice for personal information protection, we introduced a set of global privacy protection standards, referred to as Binding Corporate Rules, which have been approved by the European Union data protection authorities.
We also ensure thorough compliance with PCI DSS (Payment Card Industry Data Security Standard), an international information security standard for businesses that handle payment cards, including credit cards, for our payment-card related businesses.
In addition, for business activities in Japan, we regularly check and monitor compliance with the Personal Information Protection Law and other laws and guidelines established by relevant authorities. Moreover, three companies in the Rakuten Group have received Privacy Mark Certification (see below), given to accredited businesses that have established systems for appropriately protecting personal information in accordance with the Japanese Industrial Standard, "Personal information protection management systems - Requirements (JIS Q 15001)."
- Rakuten Securities, Inc.
- Rakuten Communications Corp.
- Rakuten Insight, Inc.