To realize the "creation of a safe, pleasant, networked society" as proposed in the FUJITSU Way group vision and values, the Fujitsu Group is working to ensure and improve information security based on the "Fujitsu Group Information Security Policy," our global security policy.
As a company that places ICT as our core business, the Fujitsu Group's corporate vision is to contribute to the "creation of a safe, pleasant, networked society," under which we work to ensure information security throughout the group, while ensuring and improving the level of customer information security by providing ICT products and services.
With the publication of the "Cybersecurity Management Guidelines" by the Ministry of Economy, Trade and Information and the Information-technology Promotion Agency, Japan (IPA) in December 2015, our Risk Management and Compliance Committee, which reports directly to the Board of Directors, reviewed our group-wide global security policy, and in April 2016 formulated the "Fujitsu Group Information Security Policy."
Given the recent increase in cyberattacks, the Fujitsu Group appointed a Chief Information Security Officer (CISO) under the authority of the Risk Management and Compliance Committee in August 2015. Moreover, in aiming to strengthen our global information security management framework, we have appointed Regional Chief Information Security Officers (Regional CISO) around the world under the authority of the CISO. Specifically, we are working to strengthen the global information security governance that supports our global ICT business in the five regions of the US, EMEIA, Oceania, Asia, and Japan.
Based on the "Fujitsu Group Information Security Policy," each Fujitsu Group company around the world prepares internal policies for information management and ICT security, by which they implement information security measures. Under the shared global Fujitsu Group Information Security Policy, we have prepared policies related to information management and information security for the group companies. Each overseas group company creates and prepares unique rules and policies in accordance with the restrictions of the respective country.
The Fujitsu Group conducts information security audits for each business department globally. These audits are conducted by an audit department that is independent of the business departments. The audits are conducted in a manner that considers the characteristics, business strategies, and ongoing information security measures, etc., of the different business departments. For example, in addition to conducting on-site investigations to determine whether setup is in accordance with the rules at the time the intranet was installed, we also perform audits at the time public servers on the internet go on-line, as well as regular vulnerability audits in Japan.
In accordance with ISO27001 compliant security requirements, overseas group companies utilize assessment tools to evaluate the management condition. Business departments that have been audited then work to improve their information security measures based on the audit results.
To prevent information leaks, we feel it is important to raise the security awareness and skill level of each individual employee, not simply inform our employees of the various policies. Therefore, all 100,000 employees of Fujitsu and group companies in Japan are provided with information security training during new employee training and promotion/advancement training, and all employees, including officers, are provided with security e-Learning in both Japanese and English every year.
Similarly, we provide employees of our overseas group companies with security training once per year in approximately 10 languages. Moreover, we provide international information security managers with the required security training for managers.
Fujitsu Group companies in Japan formulated and raised a new domestic shared group slogan, "Declaration for complete information management! Information management is the lifeline of the Fujitsu Group" in 2007. Along with posting educational posters in the business offices of Fujitsu and our domestic group companies, we place seals on every employee's work computer, for example, to raise the awareness of each individual employee regarding information security.
In addition to these measures, we encourage the alertness of our employees by using our intranet to inform them of the frequent and global occurrences of information leaks, and hold security check days once per month as a way of ensuring that our managerial employees verify the security status of their own departments.
As a result of dramatic changes in the ICT environment in recent years, the risk of information leaks has never been higher. In response, the Fujitsu Group has held information security presentations not only for Group employees but also for domestic business partners to which we outsource software development and services, and has worked to share information on challenges and to thoroughly implement prevention measures. For details, please refer to the following pages.
In accordance with the security policies for all companies, the Fujitsu Group implements the following security measures for all companies across the entire group. For details, please refer to page 11 of the Information Security Report 2017.
We record 1 billion logs per day using security monitors located around the world. When implementing information security management, it is essential to efficiently and effectively manage these logs.
The Fujitsu Group has established a Security Operations Center (SOC) that functions 24 hours a day, 365 days a year, and has created a mechanism that allows for fast, accurate incident and security alert response. The logs generated from the "Security Monitors" installed in multiple locations within the company's network are compiled and centralized in the "Log Integration Management System." These logs are then transmitted to "Systemwalker Security Control," a log automation and control tool, which then sends an alert notification e-mail to the SOC if it confirms a threat.
The SOC is comprised of "Local Operators," "Incident Managers," and "Security Assistants," who analyze the details of the received alert notification e-mail, determine the quality, scope, and weight of the threat, rank the response priority, and handle the threat in a fast, accurate manner.
To respond to the evolving threat of cyberattacks, we use white hat hackers to investigate global incidents and vulnerabilities, and use cyber intelligence to investigate logs based on the risk information generated from unauthorized access and malware analysis, thereby minimizing the risk of new threats and preventing the occurrence of incidents.
Fujitsu acquired the PrivacyMark* in August 2007, and has continuously worked to strengthen our personal information protection framework, which includes annual personal information handling training and audits. Our domestic group companies have also acquired the PrivacyMark when necessary, and work to ensure personal information management. On the public websites of our international group companies, we post privacy policies designed to meet the laws and social requirements of each country. For a list of domestic group companies that have acquired the PrivacyMark, please see Third-party Evaluation and Certification (P 37) discussed later.
* PrivacyMark: A certification system relating to the handling of private information. The system is operated by the Japan Institute for Promotion of Digital Economy and Community.
Since 2009, Fujitsu has globally publicized its information security efforts through its annual "Information Security Report" in order to maintain trust from its shareholders, customers, and other stakeholders.