Initiatives for Addressing Material Issues 1—Reinforcement of Information Security and Personal Information Protection

Last updated : December 27, 2017

NTT Group serves numerous customers, ranging from individuals to enterprises, and it has thus been entrusted with vast quantities of personal information. Recent occurrences of large-scale personal information leaks in Japan and overseas are increasing customers' expectations for the protection of personal information. The regulatory environment is also becoming a greater influence on the needs for personal information protection, as indicated by the introduction of personal information protection regulations by the European Union. Accordingly, the requirements for effective information management are growing ever more rigorous.
Were a leak of personal information to occur, NTT Group's operations would suffer from a decrease in corporate value, the loss of customers, and other negative impacts. It is therefore crucial that we reinforce our information security and personal information protection systems to ensure stringent information management.

Overview of NTT Group's Information Security and Personal Information Protection Initiatives

Initiatives for Protecting NTT Group's Networks

Establishment and Implementation of Policies Regarding Information Security and Personal Information Protection

NTT Group has established policies and rules concerning customer, shareholder, employee, and other information in accordance with NTT Group Information Security Policy.
Furthermore, each Group company has developed a personal information protection structure that matches its particular business and has formulated its own information protection policies. Group companies are also advancing various other initiatives, including establishing organizations for promoting information security management and introducing security systems. Specific measures include introducing security systems and implementing strict hardware and software security measures to prevent unauthorized access to and loss of information and infection of systems by computer viruses and to manage removal of information from Company premises. At the same time, we are conducting other ongoing information security measures, including thoroughly educating employees and appropriately supervising outsourcing contractors.

Maintenance of an Information Management Structure Centered on the Group CISO Committee

In the Group's information management structure, a senior executive vice president (Representative Member of the Board) of NTT takes charge as the Chief Information Security Officer (CISO), the highest authority for information management, guiding NTT Group in ensuring stringent information management. The Group CISO Committee was established in 2015 as a body for promoting rigorous information security by formulating initiative policies, planning and instituting various measures, and promoting human resource development. With this structure, we seek out resolutions to information security issues. Similar structures are in place at Group companies and appropriate coordination is pursued between Group companies.

Steering of CSIRT

NTT Group established NTT-CERT in 2004 to function as a computer security incident response team (CSIRT). This team collects information regarding security incidents associated with the Group. It then offers support for addressing these incidents, formulates measures to prevent reoccurrence, develops training programs, and provides security-related information. As a central element of NTT Group's security initiatives, NTT-CERT provides a reliable venue for consultations regarding information security. The team also collaborates with organizations and specialists inside and outside NTT Group to offer support for detecting and resolving security incidents, minimizing damages, and preventing occurrence. NTT-CERT is thereby contributing to better security for both NTT Group and societies that are permeated by information networks.
Moreover, NTT-CERT coordinates with the United States Computer Emergency Readiness Team (US-CERT) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) and is also a member of the Forum of Incident Response and Security Teams (FIRST) and the Nippon CSIRT Association, which enables it to coordinate with domestic and overseas CSIRT organizations. This coordination makes it possible for NTT-CERT to share information on relevant trends and response measures. In addition, NTT-CERT participates in the cross-industry seminars held by the National center of Incident readiness and Strategy for Cybersecurity (NISC) to share expertise and gather information. NTT-CERT also plays a role in promoting the establishment of CSIRTs at Group companies and helping improve their response capabilities.

Cultivation of Information Security Human Resources

Threats to information security are becoming increasingly sophisticated and diverse, making damage from cyber-attacks and information leaks a public concern. At the same time, the spread of the Internet of Things (IoT) is driving a rapid rise in the number of devices connected to the Internet, greatly increasing the importance of addressing security issues. However, of the approximately 265,000 information security engineers at Japanese companies, it is estimated that around 160,000 lack the necessary skills to perform their job, while another 80,000 engineers are required to sufficiently meet the demand in the Japanese market. In this context, NTT Group is working to enhance its staff of security personnel. Believing that such efforts are also necessary at the national level, NTT Group is contributing to the training of security personnel across Japan through cooperation with the government, other companies, and educational institutions.
For its security personnel development measures, NTT Group has set the goal of expanding its staff of security experts in Japan from the level of 2,500 in November 2014 to about 10,000 by the fiscal year ending March 31, 2021. Meanwhile, Group companies are implementing human resource development measures based on the types and levels of security personnel. The number of certified security personnel showed a substantial year-on-year increase, reaching approximately 31,000 on April 30, 2017. We will continue to enhance our range of ever more practical development programs to increase the number of intermediate and advanced personnel, who are core to our security field operations.
Furthermore, NTT Group has participated in the Cross-Industry Committee on Cybersecurity Personnel Development as a secretariat since its establishment in June 2015, with the aims of forming bridges for collaboration within the cybersecurity industry, defining the types of human resources necessary for the industry and tracking their development, and supporting effective human resource development activities within the industry. The Group has also been holding the "Cyber-attack and Cyber-defense Technologies" course at Waseda University, an academia-industry collaboration project designed to uncover and cultivate future cybersecurity industry workers, since 2015. Through participation in these and various other initiatives, the Group is contributing to the development of security personnel at the national level.

Initiatives for Supporting Customers in Reinforcing Information Security

Integrated Development of Information Security Services through NTT Security Corporation

NTT Security Corporation commenced operations in August 2016. This company consolidates the specialized security technologies of other Group companies from around world for use in the development of high-value-added security services that address new risks arising from the spread of next-generation technologies, such as IoT and AI technologies, and in the global provision of these services.
In addition, NTT Security has an integrated, global organizational structure for security services. With this structure, NTT Security fulfills its functions as the Group's center of excellence for security services by developing innovative security services and providing sophisticated security functions for the comprehensive ICT solutions other Group companies supply to customers. This company is also dealing in the Security Information & Event Management (SIEM) platform, into which it incorporates the technologies of NTT Laboratories to provide defense, quick detection, isolation, and other services for combating threats and attacks against which generally marketed security tools are ineffectual. In addition, NTT Security is developing and operating global threat intelligence platforms to aggregate the information collected from around the world through the managed security services and honeypots (decoy systems) NTT Group offers on a global scale. By analyzing this information, NTT Security identifies antagonistic agents, determines their capabilities and means of attack, and collects other valuable information, or security intelligence, for use in security measures. This security intelligence is utilized on a global scale to protect the ICT networks of customers.
Going forward, NTT Security will work to expand its provision of end-to-end business solutions with embedded security services on the global market, through promoting cross-selling and service coordination with other NTT Group companies.

Utilization of Security Technologies through Collaboration

Cybersecurity Technologies Supporting Safe and Secure Operation of Control Systems

Mitsubishi Heavy Industries, Ltd., and NTT have completed the joint development of a prototype of InteRSePT®, a cybersecurity technology for critical infrastructure (social infrastructure) control systems. InteRSePT® realizes safe and secure system operation using real-time anomaly detection and response for unknown attacks. MHI and NTT plan to apply the newly developed technology to thermal power generation facilities, chemical plants, and other facilities where continuous system operation is of high importance.

R&D Capabilities Supporting NTT Group's Information Security and Personal Information Protection Initiatives

Directives for Security-Related R&D Activities

Strategically, security is an extremely important development theme for maintaining a competitive edge in global cloud services and for building a solid platform for the creation of new businesses through the B2B2X model. Accordingly, NTT Group has put forth three directives for security-related R&D activities. These directives are designed to help the Group respond to recent changes in the circumstances surrounding security while advancing R&D activities that contribute to increased safety and reliability in the cloud and communications services provided by NTT Group.

Example of R&D Activities

Security Orchestration Technologies

Cyber-attacks continue to grow more skilled and sophisticated each year. In particular, there is a need for rapid, effective security measures for networks, which can have an influence on all types of social infrastructure. NTT Group is thus advancing the development of security orchestration technologies.
Reflection distribution denial of service (DDoS) attacks, for example, cause network congestion with huge amounts of traffic, but our security orchestration technologies can shut off these attacks at the optimal point, without hindering normal traffic. In addition, networks can be restored in an autonomous manner through automatic control. NTT Group will examine the introduction of these technologies on entire networks.

Anonymization Technologies for Utilizing Personal Information

In May 2017, a revision to the Act on the Protection of Personal Information came into full effect, laying out regulations for the handling of anonymously processed information. This revision came at a time when there was a strong need for the effective utilization of big data and personal data coupled with a disciplined approach respecting both legal requirements and the privacy of the individuals from whom such data originates.
Anonymously processed information is personal information that has been processed in a manner that makes it impossible to identify the individual with whom it is associated or to revert it to its previous, un-anonymized form. Information processed in this manner can be distributed, with certain restrictions. In principle, un-anonymized personal information requires the consent of the individual in question in order to be provided to a third-party, while anonymously processed information has the advantage of being able to freely distribute without receiving consent. The appropriate utilization of anonymously processed information has the potential of leading to the creation of new businesses.
If anonymously processed information is to be used for business applications, this information will need to be processed in a manner that meets the legal requirements for anonymity while also fulfilling safety requirements. Moreover, this processing method must also allow for this information to be utilized effectively. NTT Group has developed sophisticated anonymization technologies that employ mathematics to enable personal data to be used safely and effectively for the intended purpose and under the desired conditions. These technologies have led to victory in contests for technologies for protecting personal information. At the same time, we are advancing verification testing with companies that use data in their business to prepare services utilizing these services.

Receipt of Excellence in the Field of Mathematics Award by NTT Fellow Dr. Okamoto in 20th Annual RSA Conference Awards

Dr. Tatsuaki Okamoto, an NTT Fellow who is the head of the Okamoto Research Laboratory in NTT's Secure Platform Laboratories, was presented with the Excellence in the Field of Mathematics award in the 20th Annual RSA Conference Awards program at RSA Conference 2017, a global information security conference.

RSA Conference Awards
The RSA Conference Awards program is a program that dates back to 1998. This program has three categories—mathematics, information security, and public policy. Each year, individuals or organizations (one per category, in principle) are presented with awards to honor the significant contributions they have made in their respective field over their lifetime.
Previous recipients of the Excellence in the Field of Mathematics award include researchers who have created modern encryption methods and other researchers who have made substantial contributions to the field of encryption. As such, this award is one of the highest honors one can receive in the field of encryption.
The 2017 Excellence in the Field of Mathematics was presented to Dr. Okamoto out of recognition for the exceptional contributions he and the Okamoto Research Laboratory have made to the field of encryption.

Disaster Countermeasures

Stable and Reliable Telecommunications Services in Preparation for Large-Scale Disasters

NTT Group has defined three key themes for disaster countermeasures—improving communications network reliability, securing critical communication systems, and promptly restoring telecommunications services. We have been strengthening efforts based on these themes since the Great East Japan Earthquake.
Specifically, we are taking measures to improve the reliability of our telecommunications infrastructure. To ensure that our telecommunications services operate without interruption at all times, we employ transmission trunk line multi-routing, have enacted blackout countermeasures for communications buildings and base stations, and are making communications buildings more disaster resistant. In addition, we are expanding the assortment of power supply vehicles and other disaster response equipment that we have positioned throughout Japan and are continuously conducting training to prepare for major natural disasters. Furthermore, we are making a daily effort to guarantee that, in the event of a disaster, we are able to immediately set up a Disaster Countermeasures Office and other emergency preparations and make the necessary emergency and critical communications as a public institution as designated by the Basic Act on Disaster Control Measures.
In the fiscal year ended March 31, 2017, two serious telecommunications disruptions*1 occurred at four telecommunications business companies (NTT East, NTT West, NTT Communications, and NTT DOCOMO), while service stability was maintained at 99.99%.*2

  • *1Number of disruptions that led to a stop of or lower quality for telecommunications services and that fulfill the following conditions:
    • Voice services usable for emergency reports (110, 119, etc.): Service impacted for more than one hour with more than 30,000 people affected
    • Voice services not usable for emergency reports: Service impacted for more than two hours with more than 30,000 people affected or service impacted for more than one hour with more than 100,000 people affected
    • Internet-related services (free): Service impacted for more than 12 hours with more than 1,000,000 people affected or service impacted for more than 24 hours with more than 100,000 people affected
    • Other services: Service impacted for more than two hours with more than 30,000 people affected or service impacted for more than one hour with more than 1,000,000 people affected
  • *2[1 - total hours under the impact of serious disruptions (number of affected users x hours of serious disruptions) / total hours of major service provision (number of users x 24 hours x 365 days)] x 100%

NTT Group's Basic Policy on Disaster Countermeasures

Support for Customers' Post-Disaster Restoration of Operations and Business Continuity

NTT Group has continued to provide telecommunications services in Japan, which cannot be allowed to be interrupted in the event of a disaster, for over 100 years. We are leveraging the track record of reliability and the associated expertise accumulated over this history to develop a solution business for supporting customers in maintaining business continuity. We anticipate significant business opportunities to arise with this regard going forward.
Damage from natural disasters, such as heavy rains and more frequent typhoons, is becoming increasingly common due to recent climate change. As a result, there is a growing risk of water and lightning damage and power outages, which now threaten to cause extensive damage should they occur. Many companies need to take measures to ensure that, if emergency situations such as disasters occur in the future, the organizations are able to continue important operations and restore order quickly. These measures are necessary to provide support to disaster victims and facilitate swift recovery.
For this reason, NTT Group strives to provide support to help customers restore operations and maintain business continuity after disasters. To this end, we are developing business continuity solution operations across a wide range of fields, including data center services and cloud services, an area where service is provided by NTT Communications and NTT DATA, and building and electricity technologies, an area where service is provided by NTT FACILITIES.