Strengthening Information Security and Protection of Personal Information

CISO Message

The NTT Group has five unique strengths in terms of security.

Our first strength is the Group's scale.

As an information and telecommunications infrastructure operator, the NTT Group is the target of many cyberattacks.

This enables us to understand the world's most advanced cyberattacks techniques.

Second is our superior technology, which is instrumental in the early detection of cyberattacks and subsequent rapid response and recovery.We have an AI engine that automatically detects, visualizes, and notifies of threats. We also maintain global partnerships for the collection and sharing of threat information, and employ high-level security analysts at our Security Operation Center (SOC).

Third is our human resources.All NTT Group employees in Japan take mandatory security courses. Approximately 3% of our domestic employees, around 4,700 people, are ranked as intermediate-level security professionals.Moreover, we have a group of approximately 100 elite specialists recognized by external experts as having some of the best track records in the industry.

Fourth is our know-how.The NTT Group was a partner at the international sports events held in Tokyo in 2021, and was partly responsible for defense against cyber attacks.We also have experience with other major international events such as past G7 and G20 summits.

Our fifth strength is our ability to disseminate information.We have the only team dedicated to external communication specializing in cybersecurity of any Japanese company, and deliberately disclose and share our strategies within feasible limits to promote global collaboration.
We believe that through ensuring information security and protecting personal data, we safeguard "trust."Society is entering a connected age, where everything is interconnected.
Based on the five strengths described above, we will protect not only our own company but also our customers, companies upon which our Group depends, and the entire supply chain in its broader sense, securing society as a whole to contribute to the realization of a safe, secure, and trustworthy society.

Shinichi Yokohama, NTT Group CISO

Strengthening Information Security and Protection of Personal Information

As we enter the zero trust, cloud-native era, the NTT Group will aim to resolve social issues together with our partners through our business activities. As a trusted global provider of safe and secure ICT services, the NTT Group will strive to ensure the security of the information entrusted to us by our customers, shareholders, business partners and other parties, and contribute to the sound development of the digital economy and the Remote World.

In ensuring information security, we recognize the importance of information security in the digital economy and remote society, and approach this with a unified information security management system, as a critical infrastructure provider of ICT services, under the supervision of the Chief Information Security Officer (CISO).Based on the belief that "cyber incidents are inevitable and minimizing damage is crucial," we work under the top leadership of the holding company and the various group companies to establish and closely comply with regulations, intensify service security, develop high-level talent, and strengthen global collaboration.

The NTT Group's executives and employees rigorously manage personal information as a top priority, understanding that in the protection of personal information, leakage can have many business repercussions, including damage to its corporate value and loss of customers.As a company entrusted with extensive personal information from individual and corporate customers, we handle personal information appropriately in accordance with domestic and international legal regulations. We implement organizational, human, physical, and technical security measures, and have established contact points for inquiries related to personal information.In the event of a serious data leak, we immediately engage with external experts to conduct a root cause analysis and to develop and implement measures to prevent a recurrence.

At the NTT Group, we have established the NTT Group Information Security Policy, which mandates appropriate information security not only for executives and employees but also for contractors handling confidential matters, and we are committed to enhancing both information security and the protection of personal information.It is stipulated that in the event that personal information is leaked in violation of the NTT Group Information Security Policy and Group internal policies, including the Information Security Management Policy and related rules, disciplinary action will be taken in accordance with the rules of employment, etc.

Information Security

Policies and Concepts

With the progressing digitalization of society and the economy and changes in international circumstances, security threats are becoming more serious and sophisticated, particularly cyber-attacks.It is the duty of the NTT Group to safeguard ICT service infrastructure and the basic rights, freedoms and information assets of its customers and provide a sound foundation aimed at the growth of the digital economy amid these circumstances.For security as well, we have defined our mission as the building and development of a free, open, and safe ICT platform for supporting the infrastructure of the digital economy. Additionally, we have made it our vision to realize the digital transformation of both customers and NTT itself, and for that reason, we will be chosen by customers.

With a view to the realization of this mission and vision, we continue to tackle our pillars of tackling R&D and service development that leverages our scale, realizing superior early detection and rapid response capability, endeavoring to develop human resources who share the values of sincerity and advanced skills, and transcending profit-focused principles to transmit pioneering knowledge to society.Based on the medium-term management strategies that we formulated in 2023, the role that security will play is envisioned to grow even larger.We will continue to tackle the realization of our vision.

Our medium-term management strategy, "New value creation & Sustainability 2027 powered by IOWN," has three main pillars, one of which is "NTT as a Creator of New Value and Accelerator of a Global Sustainable Society," in which security is a critical element.
To address the constantly evolving threats, we work to share information globally and defend against attackers from their own perspective, aiming to create networks and systems that are resilient to cyberattacks and further strengthen our business foundation.

Global Collaboration
We participate in cybersecurity improvement initiatives by various governments and industries, mainly in the United States and Europe, to share cyber threat data and best practices and form communities of trusted companies and organizations.

Further Strengthening of Business Foundations
The NTT Group has a cross-Group Red Team that verifies and evaluates the effectiveness of security measures by setting off simulated cyberattacks from the angle of the attacker on key services and systems within the Group.

Organization for Implementation

NTT Group enforces information security management under the charge of the Chief Information Security Officer (CISO), and is thorough in its information security management.We have also established a Group CISO Committee, and are working to formulate Group information security management strategies, plan and implement related measures, undertake human resources training, and otherwise engage in activities in collaboration with companies across the Group.We are also advancing efforts to maintain and improve security defenses within the Group based on the idea of a "three-line organization."

NTT Group's Security Governance Goals

Targets and Performance

(12-1) Number of major incidents due to cyberattacks
Results for fiscal 2021: 0 incidents
Results for fiscal 2022: 0 incidents
Results for fiscal 2023: 0 incidents
Target for fiscal 2024: 0 incidents

^*Number of service outages due to cyberattacks during fiscal 2021-2023.

(12-2) Number of data leaks
Target for fiscal 2024: 0 incidents

Main Initiatives

In responding to information security risks, the NTT Group operates under the belief that cyber incidents are inevitable and that minimizing damage is crucial. Under the top leadership of the holding company and each group company, we are committed to establishing and adhering to regulations that the entire Group must follow (systematization of information security), and conduct a wide range of security training and incident response exercises.We also work to increase service security, train high-level security personnel, and foster global collaboration.

Systematization of Information Security

In 2022, we completely revised our information security rules to accommodate zero-trust security measures that support flexible working styles without location restrictions.To raise awareness among not only information security departments but all employees, the revisions eliminate ambiguities and improve readability, ensuring that the rules can be followed with certainty.

Information Security Training

Each Group company seeks to raise information security literacy by organizing training for all employees as well as the employees of partner companies.Training is offered through e-learning, and all employees are obliged to participate in the course once a year.Going forward, we aim to standardize the information security knowledge required for business across the entire Group and unify our training content accordingly.In addition, we will conduct training for the presidents of NTT Group companies on implementing security measures as a company and demonstrating leadership in response to incidents that might occur.Through these efforts, we aim to enhance the NTT Group's capabilities and strengthen our workforce to offer safe and secure services to our customers and society.

People generally tend to avoid security training due to the difficulty of the content and the restrictions it places on convenience.At NTT, security training begins with a witty, theatrical opening message by the CISO, followed by engaging content mainly consisting of animated videos. The primary aim is to capture employees' interest. Training emphasizes the need for all employees to be security-conscious and always maintain a basic stance of immediately reporting anything that seems suspicious in their daily work. By cultivating this attitude, we aim to encourage each employee's individual participation in and contribution to the organization's early detection and rapid response capabilities.

Incident response drills

Once a year, we prepare a disaster scenario that reflects the latest threats, and conduct an exercise to verify the incident response involving all CSIRTs within the Group.As external communication becomes crucial during an actual incident, in the past few years, departments involved in public relations have also participated.

NTT formed a Red Team in 2019.A Red Team conducts simulated cyberattacks from the perspective of external attackers.In the realm of cybersecurity, it is a never-ending game of cat and mouse, with new types of attacks emerging no matter how much one defends.Moreover, while attackers only need to succeed once with any variety of assaults, defenders must block every single one, creating an imbalance that favors the attackers.To address this challenge, NTT's Red Team was established to formulate countermeasures from the attacker's viewpoint.The ultimate goal is to improve defensive capabilities; the activities are not limited to just conducting simulated attacks.The Red Team's activities also include analyzing and reporting vulnerabilities and organizational challenges in the targeted systems after the simulated attack and even providing actionable advice for improvement. In some cases, the team may assist with implementing these improvements.

Strengthening Service Security

To provide safe and security information and communication services that, as critical infrastructure, forms the foundation for the digitalization of society and the economy, we strive to strengthen security in all of our services, which include telecommunications facilities, IT service environments, smart cities, and smart buildings.

Bug Bounty Program

NTT began a Bug Bounty Program on a trial basis in 2022 and fully launched it in 2023.A bug bounty is a reward given to individuals who discover security loopholes in an information system. NTT has implemented this program with two specific aims.

1) To identify and rectify vulnerabilities before they can be exploited by malicious third parties, there by enhancing the overall security posture of the NTT Group.

2) To offer employees who participate an avenue to refine their security skills from an attacker's viewpoint, thereby nurturing the development of security talent.

The trial phase demonstrated that the program not only contributed to enhancing corporate security, but also helped in discovering undiscovered security talent and further honing their skills.Although fully operational only since 2023, the program will be continually refined, and we aim to broaden the understanding that improving security is a collaborative effort involving all employees.

Research and Development

In addition to advancing the technological development of service security, we are focusing on developing elemental security technologies.Building on a foundation of cryptographic theory research, we conduct studies in application areas such as cybersecurity and data security. Additionally, we incorporate perspectives on utilizing artificial intelligence (AI) and protecting AI itself, engaging in research through an interdisciplinary approach that includes technical aspects as well as considerations of privacy, ethics, and legal frameworks.

Developing High-Level Security Professionals

Whether it is strengthening corporate information security or enhancing service security, specialized personnel with advanced knowledge and skills are indispensable.Changes in security technology (such as zero trust, cloud native, digital transformation (DX), and telework) especially in the past few years require the NTT Group to work constantly to stay abreast of the times. This has heightened the need to consistently and rapidly develop skilled security personnel on an ongoing basis.
At NTT, we launched a security expert certification system in 2015 with the aim of increasing the quality and number of our security personnel.As of April 2024, we have 99 expert-level personnel who are leading figures in the industry both domestically and internationally, with strong track records that have earned significant trust and recognition both internally and externally, of whom 13 were newly certified this fiscal year. We also have 4,715 intermediate-level certified personnel who have the necessary and sufficient practical experience and expertise to lead teams.

Internal, External and Global Collaboration

We are advancing global partnerships in the security field in order to enhance competitiveness in global business under One NTT. This NTT Group cooperation includes many businesses and regions and incorporates an approach to risk-based management, the introduction of a framework that acts as a shared language, and the setting of standards that should be met by all Group members in regard to identification, defenses, detection, response, and recovery.

NTT has joined the Joint Cyber Defense Collaborative (JCDC), a U.S. government cybersecurity and resilience initiative, as its first Asian member.
Established by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in 2021, the JCDC is spearheading the collaborative development of cyber defense plans, information sharing on cybersecurity, and the dissemination of cyber defense guidance to reduce risks to critical infrastructure and essential national functions.Private sector members include major telecommunication companies, technology giants, and major security companies, such as AT&T, Verizon, Lumen, Microsoft, Google, Cisco, Mandiant, and Palo Alto Networks. Moreover, U.S. government intelligence agencies and cybersecurity-related departments from countries allied with the U.S. are also participating.By leveraging the global intelligence gained from the JCDC, NTT can offer more effective protection of vital information networks and improved responses to cyber incidents.Additionally, sharing information with other JCDC members enables NTT to further advance its own cybersecurity initiatives.

Building on our existing foundation of trust and collaboration with CISA and the U.S. government, we will contribute a unique Asian perspective to the JCDC while sharing NTT's leadership along with its expansive global experience and specialized expertise in security.In an era of continued global uncertainty surrounding cybersecurity, we firmly believe that a collaborative approach between the public and private sectors in cybersecurity is essential, not just in the United States but also globally, to defend against cyberattacks that threaten the critical social infrastructure upon which our daily lives depend.

Protection of Personal Information

Policies and Concepts

Every year, the importance of ensuring the protection of personal information and the comprehensive management of information around the world continues to grow. The NTT Group has been entrusted with a considerable quantity of personal information, ranging from data on individual customers to that of corporate customers, and as such ensure that personal information is handled appropriately in accordance with the laws and regulations of each country, such as Japan's Act on the Protection of Personal Information and the EU's General Data Protection Regulation (GDPR).

Under these circumstances, personal information leakage could have various repercussions for the NTT Group in the operations of its businesses, including damage to its corporate value and loss of customers, which makes it essential to rigorously manage personal information as the NTT Group's top priority.

Organization for Implementation

Under the NTT Group Information Security Policy, we disclose on our website specific policies for protecting the personal information of customers and shareholders and policies for protecting personally identifiable information re- quired by Japan's Social Security and Tax Number System.In this policy, we also define how we respond to requests for disclosure, correction, and suspension of use related to the personal information retained by the NTT Group.
As part of our security management system, we have appointed a Chief Information Security Officer (CISO) at NTT, who is responsible for enforcing information security throughout the NTT Group.
Furthermore, in internal audits, we verify the response status of the holding company and each Group company, and, when necessary, make improvement proposals to strengthen information security governance across the entire group.

Main Initiatives

NTT has systematic security control measures, human security control measures, physical security control measures, and technical security control measures in place for handling our customers' personal information.

Handling of Customers' Personal Information

As NTT is a holding company and does not provide services directly, personal information is only collected from customers in limited circumstances.The guidelines below have been established for the specific case of collecting personal information from website visitors.
Privacy policies have been established in accordance with each business unit's operations, ensuring the appropriate handling of personal information across the entire NTT Group.

Contact Points for Personal Information Inquiries

NTT has a contact point for customers' personal information inquiries, and has similar contact points at Group companies for inquiries about personal information handled by their respective services.As NTT is a holding company that does not offer services directly, inquiries regarding personal information related to service provision, etc., are directed to the contact points of the respective companies that provide those services.
Responses to inquiries about personal information based on laws and regulations are conducted under the responsibility of the information security officers of each company.

Main Initiatives of Domestic Group Companies

Each domestic company in the Group has established a personal information protection system in line with its business and based on the Act on the Protection of Personal Information. We are consistently pursuing initiatives to protect information, including stringent measures on the physical and systems aspects of security and appropriate supervision of outsourcing contractors.To further strengthen information management at Group companies in Japan, personal information collected from individual and household-oriented domestic services, such as mobile phones and internet access, has been primarily retained and accessed domestically since May 2021.

Responding to Information Leaks

In October 2023, we disclosed that a former temporary employee dispatched to NTT Business Solutions had wrongfully taken customer information and leaked it to a third party. As a group, we take this matter very seriously.We have conducted various investigations and root causes analyses with external experts at NTT West, and have devised measures to prevent a reoccurrence. We are currently working to implement these measures.In fiscal 2023, we conducted emergency inspections and remedial actions against similar incidents throughout the entire Group, and are proceeding with comprehensive countermeasures against major information leaks at each Group company in fiscal 2024.Furthermore, in a Group-wide effort, we are working to share strategies and experiences, develop and deploy human resources, accelerate IT standardization, increase awareness regarding Group security policies, promote the implementation of technical solutions, and strengthen internal audit functions.Under the leadership of the presidents of each Group company, we will constantly strengthen and enhance our overall security level to meet and uphold our customers' trust.