Updated on August 29, 2018
Like many companies, Sony faces an increasingly advanced threat environment, which presents challenges in the areas of information security and privacy. Third parties seeking to compromise the information of global companies continue to grow in number, capability, and persistence. To address this reality and ensure that Sony continues to earn customers' trust, Sony maintains a robust information security and privacy program. Led by the Chief Information Security Officer (CISO), Sony’s approach to information security and privacy is grounded in a company-wide governance structure that enables the effective management of potential risks, incorporates security and privacy controls into systems and products to safeguard information, trains employees and business partners to understand how their actions can introduce information security and privacy risk, and deploys monitoring and response capabilities to swiftly address the situation in the event of an attack.
Sony's information security and privacy management is governed by a set of global policies and standards, which are based on internationally accepted industry best practices. These policies set forth Sony's commitment to information security and privacy and define practices and procedures to be followed by Sony executives and employees to help protect information resources and information systems from unauthorized access or leakage, falsification, loss, destruction and other security risks. Sony routinely reviews and revises these policies and standards to address changes in the risk landscape, threats, and the regulatory environment. The CISO monitors the global implementation of and compliance with those policies.
The CISO’s office coordinates with information security officers (ISO) and privacy officers (PO) responsible for information security and privacy at Sony Group companies globally to create a Group-wide information security and personal information management system. These officers at Sony Group companies ensure effective implementation of policies and standards.
Strong executive support for, and governance of, information security and privacy are essential. Accordingly, executives at each Sony Group company take responsibility for playing an active role in managing risks within their organizations and instilling a culture of awareness in all employees. Sony Group companies have governance structures set up to directly address this responsibility through information security and privacy management committees.
Protecting the data privacy of Sony’s customers, employees, and other stakeholders is very important to Sony. To fulfill this commitment to privacy, Sony Group companies have policies and controls in place for creating and maintaining rules for handling personal information based on applicable laws, regulations, and best practice. Sony continues to enhance the security and protection of personal data by evaluating and addressing privacy risks through the use of a privacy management framework, which promotes the integration of privacy principles and requirements into Sony’s data processing activities.
Every employee has a critical role to play in protecting Sony's most sensitive information. To increase the education and awareness of our workforce, Sony requires all personnel to receive annual information security and privacy training, which teaches employees how to report incidents and what type of behavior to avoid in order to reduce risk. Sony employees also regularly receive phishing awareness training, which tests employees' knowledge of how to spot and avoid cyber attacks delivered through fraudulent emails.
Sony has established a 24x7 global security operations center equipped with advanced technical capabilities for the purpose of preventing and managing cyber security incidents. Sony’s incident response team defends the company’s networks through threat intelligence and analysis, monitoring and detection of malicious activity, rapid response and containment, and sophisticated forensics capabilities.
Sony is committed to safeguarding the trust of customers, employees, and business partners. Sony continuously looks for ways to improve practices, implement stronger controls, and provide more robust security to protect personal data and the information entrusted to its care.