
Information Security

Basic Policy

To realize the "creation of a safe, pleasant, networked society" as proposed in the FUJITSU Way group vision and values, the Fujitsu Group is working to ensure and improve information security based on the "Fujitsu Group Information Security Policy," our global security policy.

Fujitsu Group Information Security Policy

As a company that places ICT as our core business, the Fujitsu Group's corporate vision is to contribute to the "creation of a safe, pleasant, networked society," under which we work to ensure information security throughout the group, while ensuring and improving the level of customer information security by providing ICT products and services.

With the publication of the "Cybersecurity Management Guidelines" by the Ministry of Economy, Trade and Industry and the Information-technology Promotion Agency, Japan (IPA) in December 2015, our Risk Management and Compliance Committee, which reports directly to the Board of Directors, reviewed our group-wide global security policy, and in April 2016 formulated the "Fujitsu Group Information Security Policy."

Fujitsu Group Information Security Policy (excerpt*)
(Global Security Policy)

  1. Purpose
    In accordance with the "Cybersecurity Management Guidelines" formulated by the Ministry of Economy, Trade and Industry, the purpose of the Information Security Policy (hereafter, the "Basic Policy") is to set forth the measures, frameworks, and other basic matters required to ensure information security within the Fujitsu Group, as well as execute our corporate vision set forth in the FUJITSU Way, by which we have declared, both internally and externally, that the Fujitsu Group aims to ensure information security throughout the group and actively work to ensure and improve the information security of our customers through our products and services as a company that has placed ICT as the core of its business.
  2. Basic Principles
    (1) The Fujitsu Group, in all its business dealings, shall appropriately handle information provided by customers and partners as individuals and organizations, thereby protecting the rights and interests of said individuals and organizations.
    (2) The Fujitsu Group, in all its business dealings, shall appropriately handle trade secrets, technical information, and any other information of value, thereby protecting the rights and interests of the Fujitsu Group.
    (3) The Fujitsu Group shall endeavor to conduct research and development and train personnel, as well as provide products and services that contribute to ensuring and improving our customers' information security in a timely and reliable fashion in order to contribute to the continued growth of our customers and society as a whole.

Management Frameworks

Given the recent increase in cyberattacks, the Fujitsu Group appointed a Chief Information Security Officer (CISO) under the authority of the Risk Management and Compliance Committee in August 2015. Moreover, in aiming to strengthen our global information security management framework, we have appointed Regional Chief Information Security Officers (Regional CISO) around the world under the authority of the CISO. Specifically, we are working to strengthen the global information security governance that supports our global ICT business in the five regions of the US, EMEIA, Oceania, Asia, and Japan.

Information Security Management Frameworks

Security Management Function

Company Security Policy Formulation

Based on the "Fujitsu Group Information Security Policy," each Fujitsu Group company around the world prepares internal policies for information management and ICT security, by which they implement information security measures. Under the shared global Fujitsu Group Information Security Policy, we have prepared policies related to information management and information security for the group companies. Each overseas group company creates and prepares unique rules and policies in accordance with the restrictions of the respective country.

Framework of Information Security Rules

Security Inspection and Auditing

The Fujitsu Group conducts information security audits for each business department globally. These audits are conducted by an audit department that is independent of the business departments. The audits are conducted in a manner that considers the characteristics, business strategies, and ongoing information security measures, etc., of the different business departments. For example, in addition to conducting on-site investigations to determine whether setup is in accordance with the rules at the time the intranet was installed, we also perform audits at the time public servers on the internet go on-line, as well as regular vulnerability audits in Japan.

In accordance with ISO27001 compliant security requirements, overseas group companies utilize assessment tools to evaluate the management condition. Business departments that have been audited then work to improve their information security measures based on the audit results.

Information Security Training

To prevent information leaks, we feel it is important to raise the security awareness and skill level of each individual employee, not simply inform our employees of the various policies. Therefore, all 100,000 employees of Fujitsu and group companies in Japan are provided with information security training during new employee training and promotion/advancement training, and all employees, including officers, are provided with security e-Learning in both Japanese and English every year.

Similarly, we provide employees of our overseas group companies with security training once per year in approximately 10 languages. Moreover, we provide international information security managers with the required security training for managers.

Information Security Awareness Development

Fujitsu Group companies in Japan formulated and raised a new domestic shared group slogan, "Declaration for complete information management! Information management is the lifeline of the Fujitsu Group" in 2007. Along with posting educational posters in the business offices of Fujitsu and our domestic group companies, we place seals on every employee's work computer, for example, to raise the awareness of each individual employee regarding information security.

In addition to these measures, we encourage the alertness of our employees by using our intranet to inform them of the frequent and global occurrences of information leaks, and hold security check days once per month as a way of ensuring that our managerial employees verify the security status of their own departments.

Declaration for complete information management! / Complete Information Management Seal

Collaboration with Partners

As a result of dramatic changes in the ICT environment in recent years, the risk of information leaks has never been higher. In response, the Fujitsu Group has held information security presentations not only for Group employees but also for domestic business partners to which we outsource software development and services, and has worked to share information on challenges and to thoroughly implement prevention measures. For details, please refer to the following pages:

Security Measure Implementation Function

In accordance with the security policies for all companies, the Fujitsu Group implements the following security measures for all companies across the entire group. For details, please refer to page 11 of the Information Security Report 2017.

  • Network Security
  • E-mail Security
  • Internet Access Security
  • Remote Access
  • Endpoint Security
  • Authentication Security

Monitoring, Analysis, and Evaluation Function

Security Monitoring

We record 1 billion logs per day using security monitors located around the world. When implementing information security management, it is essential to efficiently and effectively manage these logs.

The Fujitsu Group has established a Security Operations Center (SOC) that functions 24 hours a day, 365 days a year, and has created a mechanism that allows for fast, accurate incident and security alert response. The logs generated from the "Security Monitors" installed in multiple locations within the company's network are compiled and centralized in the "Log Integration Management System." These logs are then transmitted to "Systemwalker Security Control," a log automation and control tool, which then sends an alert notification e-mail to the SOC if it confirms a threat.

The SOC is comprised of "Local Operators," "Incident Managers," and "Security Assistants," who analyze the details of the received alert notification e-mail, determine the quality, scope, and weight of the threat, rank the response priority, and handle the threat in a fast, accurate manner.

White Hat Hacker Internet Behavior Surveys

To respond to the evolving threat of cyberattacks, we use white hat hackers to investigate global incidents and vulnerabilities, and use cyber intelligence to investigate logs based on the risk information generated from unauthorized access and malware analysis, thereby minimizing the risk of new threats and preventing the occurrence of incidents.

Personal Information Protection

Fujitsu acquired the PrivacyMark* in August 2007, and has continuously worked to strengthen our personal information protection framework, which includes annual personal information handling training and audits. Our domestic group companies have also acquired the PrivacyMark when necessary, and work to ensure personal information management. On the public websites of our international group companies, we post privacy policies designed to meet the laws and social requirements of each country. For a list of domestic group companies that have acquired the PrivacyMark, please see Third-party Evaluation and Certification (P 37) discussed later.

*PrivacyMark:
A certification system relating to the handling of private information. The system is operated by the Japan Institute for Promotion of Digital Economy and Community.

Information Security Report

Since 2009, Fujitsu has globally publicized its information security efforts through its annual "Information Security Report" in order to maintain trust from its shareholders, customers, and other stakeholders.

  • Information Security Report 2017
    *English version of Information Security Report will be published by the end of August, 2017.