Updated on August 29, 2019

Information Security

Like many companies, Sony faces an increasingly advanced threat environment, which presents information security challenges. Third parties seeking to compromise the information of global companies continue to grow in number, capability, and persistence. To address this reality and ensure that Sony continues to earn customers' trust, Sony maintains a robust information security program. Led by the Chief Information Security Officer (CISO), Sony’s approach to information security is grounded in a company-wide governance structure that enables the effective management of potential risks, incorporates security controls into systems and products to safeguard information, trains employees and business partners to understand how their actions can introduce information security risk, and deploys monitoring and response capabilities to swiftly address the situation in the event of an attack.

Information Security Governance

Sony's information security program is governed by a set of global policies and standards, which are based on internationally accepted industry best practices. These policies set forth Sony's commitment to information security and define practices and procedures to be followed by Sony executives and employees to help protect information resources and information systems from unauthorized access or leakage, falsification, loss, destruction and other security risks. Sony routinely reviews and revises these policies and standards to address changes in the risk landscape, threats, and the regulatory environment. The CISO monitors the global implementation of and compliance with those policies.

The CISO’s office coordinates with the information security officers (ISOs) responsible for information security at Sony Group companies globally to create a Group-wide information security management system. These officers ensure effective implementation of policies and standards.

Strong executive support for, and governance of, information security is essential. Accordingly, executives at each Sony Group company take responsibility for playing an active role in managing risks within their organizations and instilling a culture of awareness in all employees. Sony Group companies have set up information security management committees to fulfill this responsibility.

Employee Training as a Key Component of Information Security

Every employee has a critical role to play in protecting Sony's most sensitive information. To increase Sony employees’ awareness of information security threats, Sony requires all personnel to receive annual information security training, where they learn how to report incidents and what types of behaviors they must avoid to reduce risk. Sony employees also regularly receive phishing awareness training, which tests employees' knowledge of how to spot and avoid cyber-attacks delivered through fraudulent emails.

Monitoring and Response Measures

Sony has a 24x7 global security operations center equipped with advanced technical capabilities to prevent and manage information security incidents. Sony’s incident response team defends the company’s networks using threat intelligence and analysis, monitoring and detection of malicious activity, rapid response and containment, and sophisticated forensics capabilities.

Sony is committed to safeguarding the trust of customers, employees, and business partners. Sony continuously looks for ways to improve practices, implement stronger controls, and provide more robust security to protect personal data and the information entrusted to its care.
