The Fujitsu Group places ICT at the core of its business. Our corporate vision is to contribute to creating a safe, pleasant, networked society, and to that end we work to ensure and improve the level of information security throughout the Group.
In April 2016, we established the Fujitsu Group Information Security Policy (*1) in order to share this vision and encourage action by each employee. Based on this policy, we are implementing information security measures, along with establishing internal rules related to information management and ICT security at Group companies in Japan and overseas.
- (*1) Complete text of the Fujitsu Group Information Security Policy (Global Security Policy)
KEIDANREN, otherwise known as the Japan Business Federation, announced its Declaration of Cyber Security Management in March 2018. The Fujitsu Group supports KEIDANREN’s declaration as being consistent with principles set forth in the Fujitsu Cyber Security Declaration (November 2016).
Given the recent increase in cyberattacks, the Fujitsu Group appointed a Chief Information Security Officer (CISO) under the authority of the Risk Management and Compliance Committee (*2) in order to further strengthen security measures in the Group. Moreover, in aiming to strengthen our global information security governance, we have appointed Regional CISOs around the world.
- (*2) Message from the Fujitsu Group Chief Information Security Officer (CISO) (page 2)
Regional CISOs report to the CISO on information security measures implemented by security teams at each group company. The CISO periodically reports to the Risk Management and Compliance Committee on the status of information security measures, and also makes additional reports whenever necessary.
In order to strengthen information security measures, the Fujitsu Group has established a Security Management Organization under the direct control of the CISO. The Security Management Organization implements controls by fulfilling the following functions: Security Management; Security Measure Implementation; Monitoring, Analysis, and Evaluation; and Incident Response.
Information Management Training
To prevent information leaks, it is not enough to simply inform our employees of the various rules and regulations; it is important to raise the security awareness and skill level of each individual employee. The Fujitsu Group therefore holds information management training for employees. Specifically, we provide e-learning for all employees (including executives) every year. We also provide information security education during training for new employees and for employees being promoted. At overseas Group companies, we hold information security training for employees every year.
We also provide information security managers with special security training for managers.
Three Important Measures Incorporating the Concept of Defense in Depth
The cyberattacks seen in recent years are typically targeted attacks of unprecedented sophistication, diversity, and complexity. It is no longer possible to achieve comprehensive defense by relying on a single type of conventional security measure.
The basic concept of information security measures at the Fujitsu Group incorporates defense in depth. This refers to implementing multilayer protection via multiple measures, instead of seeking protection through a single measure. Defense in depth has three objectives: 1) to prevent attacks by establishing a multilayer defense wall, 2) to discover attacks at an early stage by establishing a multilayer detection function, and 3) to minimize damage in the event of infiltration.
Appropriate implementation of these objectives makes it possible to prevent attacks and minimize damage.
The Fujitsu Group implements the following three priority internal information security measures: 1) information management for protecting information, 2) cybersecurity which focuses on measures for protecting systems against cyberattacks, and 3) physical security which prevents unauthorized access to facilities such as offices and plants.
Safeguarding Information Through Information Protection Management Systems
Fujitsu and its domestic Group companies implement autonomous activities at work sites to properly safeguard third-party confidential information and our confidential information. Specifically, these include establishing appropriate management and taking action to protect information. Activities are designed to match circumstances at different customers and clients; for example, we consider rules for different industries and business categories. We also conduct audits by in-house, third-party organizations. In this way, we work to build information protection management systems to confirm the status of initiatives and improve protection of information.
Safeguarding Personal Information
As part of our efforts to protect personal information, Fujitsu acquired the PrivacyMark (*3) from JIPDEC in August 2007. We are also working to continually enhance our personal information protection, including annual training and audits on personal information handling.
Domestic Group companies also acquire the PrivacyMark as needed and implement thorough personal information management. Privacy policies based on the laws and social demands of each country are posted on the websites of overseas Group companies.
- (*3) The PrivacyMark is granted to business operators that appropriately handle personal information under personal information management systems that conform to JIS Q 15001:2017.
Fujitsu has constructed a global personal information protection structure and is working to strengthen protection of personal data. Under the guidance of the CISO organization and legal business units, we have cooperated with entities such as our European subsidiaries to develop guidelines and internal rules related to protection of individual rights in response to GDPR (*4). We have also designed check sheets for the formulation, design, and initial setting of rules. Furthermore, we have updated the operation process in line with the rules and held employee training.
In response to regulations on transfer of personal data outside of the EU, we applied to the Dutch Data Protection Authority (DPA) in December 2017 for our Binding Corporate Rules for Processors (BCR-P), which are common rules established across the Fujitsu Group related to the handling of personal data that customers have entrusted to the Group for processing.
In addition, the European Commission and Japan have mutually recognized each other’s data protection laws, which went into effect on January 23, 2019, as providing an adequate level of protection. Based on this recognition, Fujitsu has established internal rules related to the handling of personal information moved between regions, and spread awareness regarding those rules.
- (*4) General Data Protection Regulation (GDPR): The GDPR (EU regulations requiring companies, organizations, and groups to protect personal information) was enacted on May 25, 2018. It includes regulations on transferring personal data out of the European Economic Area and the obligation to report data leaks within 72 hours.
For details on other security measures, please refer to the Fujitsu Group Information Security Report 2018 (pages 8 to 13).
The Fujitsu Group implements separate measures at multiple layers based on network characteristics to prepare for cyberattacks. We are working to protect against increasingly sophisticated, diverse, and complex cyberattacks by combining gateway security measures, including firewalls and targeted attack measures; network security measures, such as unauthorized access detection; and endpoint security measures, including malware measures and security patch management.
Fujitsu has built a physical security environment which combines manned guarding and mechanical security on three levels: sites, buildings and floors. Furthermore, in order to create an even more advanced physical security environment, we have internally deployed security gates in combination with a vein authentication device that can prevent identity theft.
Information System Certification
The Fujitsu Group is actively working to acquire third-party evaluations and certifications in its information security initiatives.
FY 2019 Performance
Information management education
- Company-wide e-learning education for information management (targeted Fujitsu employees: 35,400)
- E-learning for newly-appointed managers (Fujitsu): 640 managers
- Introductory education and e-learning for new employees (Fujitsu): 1,200 new employees
- Company-wide e-learning education for information management (targeted Fujitsu employees: 35,100): Trained employees: 34,708 (99% attendance ratio)
Please refer to the following URLs for details on information security in the Fujitsu Group.
- Cyber Security