The Fujitsu Group appointed a dedicated Chief Information Security Officer (CISO) in October 2021. Under the new information security regime, we strive to secure and improve information security for our customers through our products and services, while also ensuring the information security of the entire Fujitsu Group.
We have established Regional CISOs in Japan and three international regions (Americas, Europe and Asia Pacific) under the CISO to implement globally consistent security policies and measures. They align the headquarters’ policies with security requirements specific to each country to bolster information security through our globally integrated system.
We have also been building a system that strengthens the CISO’s control over the relevant departments, so that information security reaches its intended state. To this end, security managers responsible for autonomously enhancing information security are assigned to each department in Fujitsu Headquarters and in its group companies inside and outside Japan.
Specifically, our security manager system ensures that each department has an “Information Manager,” who oversees the management and protection of information; a “System Security Manager,” who supervises the maintenance and management of information security systems; and a “Product Security Incident Response Team (PSIRT) Manager,” who leads product vulnerability management. Together they promote the various information security measures in cooperation with the CISO.
Information Security Initiatives
Our Goals for Information Security
With the rapid increase in more skillful and more sophisticated cyber-attacks, enhancing information security has become an urgent issue for national economic security and for corporate economic activities.
We have set the goals for information security described below. To achieve them, we respond to cyber-attacks with ever-evolving advanced information security and by continuing to reform the awareness of each employee and our organizational culture, which is the key to success. Together with the relevant departments and employees, we are developing processes, rules, and systems to promote cybersecurity, and working to strengthen information security for the entire Fujitsu Group as well as a safer business environment for our customers and partners.
<Our Goals for Information Security>
- Proactive information security
  - Continuous evolution of information security to support diverse work styles in the age of digital transformation (DX)
  - Autonomous information security response by employees and organizations
- Defensive information security
  - Cyber-attack prevention by addressing vulnerabilities
  - Enhanced monitoring to minimize cyber risks in case of emergency
<Cross-departmental Application of Recurrence Prevention Measures and Visualization of Security Risks>
In response to the information security incidents involving our project information sharing tool “Project WEB” and our cloud service “FJcloud-V/NIFCLOUD”, we have been applying recurrence prevention measures across different departments under the dedicated CISO system. By 2022 we had completed the rollout of one of the principal recurrence prevention measures, “multi-factor authentication for web systems”, in Japan. We also continue to promote corrective measures by visualizing security risks through company-wide security inspections.
In 2023, we will continue our efforts to achieve our goals for information security by taking appropriate corrective measures through visualization of security risks and evolving information security based on the following major themes:
<What Visualization of Security Risks Can Achieve>
- Autonomous risk control by the relevant internal departments
Objectively visualized risks related to information management and information system security are reviewed and promptly addressed by the relevant department within the company. For critical systems or information, an organization under the direct control of the CISOs conducts a direct inspection to confirm the risk content objectively and with greater accuracy.
Moreover, the information management literacy of each employee and organization (internal factors) and the actual status of cyber risks (external factors) are also visualized and shared (visual control). Having each employee understand this and take it personally (developing a sense of ownership) fosters an organizational culture of autonomous information security measures (taking initiative).
- Accurate correction of digitally visualized risks
The introduction of a CMDB (*1) and Information Management Dashboards (*2) allows digital visualization of information system vulnerabilities and information management deficiencies. Correcting the visualized risks mechanically, rather than manually, minimizes security risks accurately and speedily.
- (*1) CMDB: Configuration Management Database
A CMDB is a database that automatically collects and centrally manages the configuration information of information systems (hardware, software, network, etc.).
The collected information is used for security inspections and audits, vulnerability handling, and security incident response.
- (*2) Information Management Dashboard: digitalized information management register
The Fujitsu Group maintains a digitalized information management register, which records the managers, storage locations, and scope of sharing of confidential information.
Any deficiency detected through consistency checks between the Dashboard and the actual information management status (such as the audit logs of storage services) is corrected promptly through a trouble ticketing system, or a workflow is set up to resolve it.
- Evolution of information security with technology
From 2023, we will unify our authentication infrastructure to promote centralized and visualized management of user IDs, authorization information and trail logs.
With this authentication infrastructure, we will seek to conduct behavior analysis using trail logs and optimize authorization information in conjunction with the analysis results.
We will introduce the main measures tied to each theme from the following three perspectives.
- Information system security
Introduction of measures to ensure and maintain the safety and reliability of information systems and networks, as well as measures related to activities that maintain the security of our products and services
- Information management
Introduction of measures to maintain and manage the confidentiality, integrity and availability of information itself, including critical information (confidential or personal information)
- Governance enhancement
Introduction of measures to strengthen governance to instill and establish security measures and enhance the security of the entire organization.
Based on the IT asset management information of Fujitsu’s systems, we will bolster preventive measures against security compromises by providing perimeter defense and zero-trust security not only to block any unauthorized access by an attacker, but also to detect and take defensive actions in the event of such intrusion.
Measures Linked to Centralized IT Asset Management
<Autonomous Correction Through Centralized and Visualized IT Asset Management>
To support our customers’ safe, secure, and sustainable business activities, we have centralized and visualized the IT asset management of the IT systems of our globally operating customers, as well as of our internal systems. This helps us promptly identify and correct security risks throughout the group. We have been strengthening routine risk management, visualizing the risk audits conducted by an organization under the direct control of the CISOs and their results, and promoting an accurate understanding of the actual situation in the relevant departments and their autonomous correction.
<Vulnerability Scanning of Systems Exposed to the Internet>
Based on IT asset management information, we provide a mechanism that scans systems exposed to the Internet for vulnerabilities from the outside. This enables the relevant departments managing those systems to conduct autonomous periodic scans and to take corrective action triggered by vulnerability detection. By conducting periodic inspections through this mechanism on an annual basis, we ensure that countermeasures against vulnerabilities are implemented. Moreover, we inspect critical systems with greater accuracy through third-party audits conducted by an organization under the direct control of the CISOs. In 2023, we will promote the automation and mechanization of this process.
Furthermore, we have also established a mechanism to ensure that vulnerabilities in systems not exposed to the Internet are thoroughly addressed: IT asset management information is updated regularly and checked against the vulnerability database, and for any critical vulnerability a ticket (corrective task) is issued to the responsible department.
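The inventory-versus-vulnerability-database check described above, as an added Python illustration (not Fujitsu’s code): a constructed asset register is compared against a constructed vulnerability feed (placeholder IDs, not real CVEs), and corrective tickets are grouped per responsible department only for findings at or above an assumed critical CVSS threshold. The version comparison handles OpenSSL-style letter suffixes, so "1.1.1k" is recognized as older than "1.1.1l".

```python
"""Added illustration, not Fujitsu's code: cross-check an IT asset register
against a vulnerability database and raise tickets for critical findings.
All data below is constructed sample data."""
import re
from dataclasses import dataclass

# Constructed asset register: one row per installed component, with the
# department that owns the host (the "IT asset management information").
ASSETS = [
    {"host": "app-01", "dept": "Sales IT", "product": "openssl", "version": "1.1.1k"},
    {"host": "app-02", "dept": "Sales IT", "product": "openssl", "version": "3.0.9"},
    {"host": "db-01", "dept": "Finance IT", "product": "postgres", "version": "13.4"},
    {"host": "hr-01", "dept": "HR IT", "product": "log4j", "version": "2.14.1"},
]

# Constructed vulnerability database with placeholder identifiers.
# "fixed_in" is the first version containing the fix; older versions are affected.
VULN_DB = [
    {"id": "VULN-PLACEHOLDER-1", "product": "openssl", "fixed_in": "1.1.1l", "cvss": 9.8},
    {"id": "VULN-PLACEHOLDER-2", "product": "log4j", "fixed_in": "2.17.0", "cvss": 10.0},
    {"id": "VULN-PLACEHOLDER-3", "product": "postgres", "fixed_in": "13.5", "cvss": 5.3},
]

CRITICAL_CVSS = 9.0  # assumption: score at or above this triggers a ticket


@dataclass(frozen=True)
class Finding:
    host: str
    dept: str
    product: str
    version: str
    vuln_id: str
    cvss: float


def version_key(version: str):
    """Split '1.1.1k' into comparable parts: numbers compare numerically,
    letter suffixes alphabetically, and a bare '1.1.1' sorts before '1.1.1k'."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def find_findings(assets, vuln_db):
    """Join the register against the vulnerability database on product name."""
    findings = []
    for a in assets:
        for v in vuln_db:
            if a["product"] == v["product"] and is_affected(a["version"], v["fixed_in"]):
                findings.append(Finding(a["host"], a["dept"], a["product"],
                                        a["version"], v["id"], v["cvss"]))
    return findings


def issue_tickets(findings, threshold=CRITICAL_CVSS):
    """One corrective ticket per critical finding, grouped by responsible department.
    Non-critical findings stay visible to the scan but do not open a ticket."""
    tickets = {}
    for f in findings:
        if f.cvss < threshold:
            continue
        tickets.setdefault(f.dept, []).append({
            "title": f"[{f.vuln_id}] upgrade {f.product} {f.version} on {f.host}",
            "host": f.host, "vuln_id": f.vuln_id, "cvss": f.cvss,
        })
    return tickets


if __name__ == "__main__":
    for dept, items in issue_tickets(find_findings(ASSETS, VULN_DB)).items():
        for t in items:
            print(f"{dept}: {t['title']} (CVSS {t['cvss']})")
```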
<Utilization of Threat Intelligence and Attack Surface Management>
We proactively use threat intelligence to speed up the detection of, and response to, vulnerabilities in systems exposed to the Internet. Threat intelligence lets us collect information from an attacker’s perspective at an early stage of an actual attack, such as global threat and vulnerability trends as well as vulnerability information about the Fujitsu Group’s Internet-exposed systems. The threat intelligence obtained allows impact analysis and prompt corrective action.
Moreover, in combination with vulnerability scanning of Internet-exposed systems based on IT asset management information, we also implement attack surface management, which monitors system vulnerabilities from an attacker’s perspective.
The cyber security environment is constantly changing, and attack methods are becoming more complex and sophisticated. Under these circumstances, the Fujitsu Group takes a zero-trust approach, based on the concept that 100% prevention of intrusion by cyber-attack is impossible, to reinforce security monitoring. We will improve the internal guidelines for security monitoring and conduct periodic system inspections to grasp and visualize the current situation. We will also work to ensure a sound monitoring system to enhance detection capabilities and earlier response to cyber-attacks. Furthermore, we ensure that critical systems are thoroughly monitored through third-party inspections conducted by an organization under the direct control of the CISOs.
Response to Incidents
As a company that supports customers’ safe and secure business activities, we must respond immediately to cyber-attacks that are becoming increasingly skillful and sophisticated. To that end, we have created an incident response process on the premise that a contingency is inevitable, so that in such cases our organization can quickly implement the series of processes of escalation to higher levels, response, recovery, and notification.
①Escalation process
We have standardized, and are continuously improving, the process of calculating the impact of each incident risk and escalating accordingly, to bolster the organization’s ability to respond to any incident.
②Incident response and system recovery process
After receiving information on attacks and vulnerabilities, we will take actions for prompt recovery by formulating a system recovery plan that includes appropriate incident handling, patch application plan and business continuity plan (BCP) for the affected product or system.
③Notification and reporting
To ensure accountability to our stakeholders, we strive to share and report incident information properly.
④Activities to have the processes take root in the organization
The Fujitsu Group conducts regular education and training on incident response to raise employees’ awareness and implement activities for the incident response processes to take root.
<Sophistication of Incident Response>
Responding to a security incident requires an accurate understanding of the event from a technical perspective through log analysis, malware analysis, disk forensics, and other methods. A quick and fitting response also requires determining an overall policy and collaborating with parties involved inside and outside the company.
In our company, technical experts and members who take the lead on the path to the solution work together to handle security incidents, following various processes, including the escalation process.
In addition, we have been accumulating information on attackers’ tools, processes, and access methods, and improving the technical knowledge and skills of our response team members through continuous training. We also review the incidents we have handled, including those of our global group companies, to continuously improve our response capabilities, including upgrading our structure, rules and processes and accumulating know-how, so that we can speed up our response and minimize the impact.
Risk Prevention in Our Products and Services
<PSIRT Manager System>
To protect our customers who use our products and services, we have assigned PSIRT Managers in internal relevant departments to be responsible for centralized management of information on product configuration, IT asset and threat intelligence, including vulnerability information, as well as for vulnerability response. This is a system that enables speedy and proactive response to risks caused by vulnerabilities in our products and services.
<Formulation of Processes>
To accelerate the estimation of risks to products and services, as well as the consideration and execution of countermeasures against them, we created standards and processes for handling the risks caused by vulnerabilities. We continuously improve those processes based on statistical analysis by data scientists and on the track record of our responses.
Earlier problem resolution through prompt vulnerability response based on these systems and processes will prevent secondary damage to customers and minimize the impact on their business continuity.
The Fujitsu Group in Japan implemented the Information Protection Management System in order to appropriately protect third-party confidential information (including personal information) and our own confidential information. We also apply a PDCA cycle running from “(1) Roles & Responsibilities” to “(7) Review”. To clarify which information assets must be protected, we establish appropriate management according to the status of our customers and suppliers, and take initiatives to protect information. These steps support the autonomous information protection activities (regulations by industry, business type, etc.) conducted by each division, while unifying the classification of information on a global scale.
Furthermore, we provide various automation support tools that utilize information management dashboards to support appropriate information management. We make improvements as necessary to realize operations that are both effective and safe.
The main activities of the Information Protection Management System are described below.
<Information Protection Management System>
(1) Roles & Responsibilities
Overseen by the CEO, we are building a system to manage and protect information through a global network centered on the CISO. We appoint management staff for each department, clarify their roles, and promote the appropriate handling of information.
(2) Policies & Regulations
In order to handle information correctly, we have formulated necessary rules, procedures, and an annual activity plan. We also periodically review our policies and rules, including responding to legal amendments.
(3) Training & Awareness
In order to improve the awareness and skills of each employee, we provide the necessary information according to employees’ positions and roles. We also hold various training sessions and disseminate information in response to changes in the work environment (for example, telecommuting).
Every year, we carry out information management education (e-Learning) for all employees including executives, and publish internal information management learning materials that can be studied at any time.
*Number of participants in 2022: 37,343
(4) Information Asset Management
We identify and classify our information assets, conduct risk analysis, and carry out periodic inventory checks.
(5) Incident Response
We have established a system for fast and appropriate response to information management incidents. We have also set up escalation routes, procedures, etc., on a global scale.
(6) Inspections & Audits
The Information Management Promotion Division confirms the status of information management in each division from a third-party perspective. It also gives instructions and suggestions for corrections and improvements.
(7) Review
We are working to improve and review our Information Protection Management System by considering external opinions (including audit results, incidents, and complaints), law revisions, and changes in the environment.
Protection of Personal Information
Fujitsu has established a global Personal Information Protection System to strengthen the protection of personal data. Under the leadership of the organization under the direct control of the CISOs and the Legal Division, we work with each region and Group company to comply with the laws and regulations of each country, including the GDPR (*1). In regard to the handling of personal information, we post and announce privacy policies on public sites in each country.
- (*1) GDPR: General Data Protection Regulation
A European regulation that came into effect on May 25, 2018 and requires companies, organizations, and groups to protect personal data. It includes rules on the transfer of personal data outside the European Economic Area (EEA), the obligation to report a data leakage within 72 hours, etc.
In Japan, with the objective of protecting personal information, the Fujitsu Group obtained PrivacyMark (*2) certification from the Japan Information Processing and Development Center (JIPDEC) in August 2007. We are continually working to strengthen our Personal Information Protection System. Our domestic Group companies also obtain the PrivacyMark as necessary and work to manage personal information thoroughly.
- (*2) The PrivacyMark
The PrivacyMark is granted to businesses that handle personal information appropriately under a personal information protection management system that complies with JIS Q 15001:2017.
In FY2022, the Fujitsu Customer Service Center Personal Information Protection Desk did not receive any consultations or complaints regarding customers’ privacy. No customer information was provided to government or administrative agencies under the Act on the Protection of Personal Information.
Acquisition of Information System Certification
Fujitsu Group is actively promoting the acquisition of third-party evaluation and certification in our information security efforts.
We are working to minimize security risks through a multifaceted approach to enhance global security governance.
To ensure common governance across the global group, we clarify what must be done by “(1) making policy requirements mandatory,” and ensure “(2) thorough application through system governance” under the Information Security Management Structure. By organically combining these with “(3) execution of inspections and audits,” mentioned earlier, and “(4) problem detection through ASM,” we realize reliable security measures that each department can carry out autonomously.
In addition, by “(5) visualizing risks and maturity levels” together with the metering of security maturity levels, we foster a culture of taking security measures autonomously and thus promote a self-purification effect in cyber-security measures.
Metering of Security Maturity Levels
Fujitsu evaluates the security maturity levels of organizations by automatically collecting and scoring infrastructure configuration values, security logs, audit data and other data. By visualizing the maturity level of each department at Fujitsu Headquarters and each group company on a monthly basis, we foster a culture of autonomous implementation of specific measures and corrective actions based on an understanding of the current situation and differences from targets, and thus promote self-purification effects of cyber security measures in each department.
Inspired by the C2M2 (*1), or Cybersecurity Capability Maturity Model, and SIM3 (*2), or Security Incident Management Maturity Model, both of which have a proven track record in Japan and overseas, our security maturity level evaluation indicators incorporate a unique method of scoring maturity mechanically from data taken from security measures. The evaluation score is capped at 100 points. Maturity is scored on six axes: governance, human security risk management, system security risk management, information asset risk management, incident detection and response capabilities, and organizational culture and mindset. In 2023, we will conduct an eight-axis evaluation, adding external organizational collaboration and supply chain risk management.
- (*1) C2M2: Cybersecurity Capability Maturity Model
- (*2) SIM3: Security Incident Management Maturity Model
Maturity Score Trends (Entire Company)
Visualized Graph of Security Maturity Levels (sample)
Dissemination and Spread of Framework Rule Process
We are implementing mainly two initiatives to unify and raise the level of security measures on a global basis.
<Fujitsu Group Standards for Information Security Measures>
The first is the formulation of the “Fujitsu Group Standards for Information Security Measures,” which set the standard security measures for the group. Consisting of more than 200 management measures based on the global standards NIST CSF (*1), NIST SP800-53 (*2) and ISO/IEC 27002, they establish rules for applying management measures according to the importance of information systems and other factors. We are also preparing materials such as manuals and guidelines to support the application of these management measures.
<Risk Management Framework>
The second is the development of the “Risk Management Framework,” a framework for security risk management in the group. Based on the global standard NIST SP800-37 (*3), the framework establishes a set of processes to identify and manage the security risks of each organization and information system in a systematic and appropriate manner. It defines rules for periodic risk management in each organization and for risk management in the development and operation phases of each information system. We will incorporate these processes into the Fujitsu Group’s various business processes to ensure that they are well understood and widely accepted.
By sharing these two initiatives within the Fujitsu Group and executing the series of processes of the “Risk Management Framework,” we will apply management measures based on the “Fujitsu Group Standards for Information Security Measures” to each organization and information system, while running a continuous improvement process. This will help us in our pursuit of effective implementation of security measures and the realization of “security by design.”
- (*1) CSF: Cybersecurity Framework
- (*2) SP800-53: NIST SP800-53 Rev.5 Security and Privacy Controls for Information Systems and Organizations
- (*3) SP800-37: NIST SP800-37 Rev.2 Risk Management Framework
Security Training, Development of Mindset, Human Resource Development and Maturity of Responsible Personnel
As one of the measures supporting the improvement of security maturity levels mentioned above, we are working on security education and training. In particular, we focus on preventing the recurrence of recent incidents. For example, our company-wide mandatory information security education program shares the latest security threat trends and incident cases, and informs trainees of the lessons learned from past incident responses and the measures that should have been taken, in order to develop a security mindset and strengthen the skills of each employee.
In addition, we expect that regular information sharing by the CISOs and the organization under their direct control, together with a revitalized security managers’ community, will help create a corporate culture in which information management and security measures do not take a backseat to business convenience and cost reduction. To achieve this goal, we are working on the following:
<Security Education and Training>
In addition to basic education on information management and cyber-security, we thoroughly disseminate the lessons learned from the latest trends and incident responses. We also work to improve the skills of our professional personnel by issuing system monitoring guidelines for system managers. As 100% prevention of incidents is difficult, we have shifted from efforts to keep contingencies from happening to efforts that take contingencies into account. As part of these efforts, we conduct incident response training for employees. For instance, we annually provide system engineers (SEs) and business producers involved in business and internal operations with practical training under an incident scenario. For incidents with a social impact, we also conduct incident training for executives and the relevant departments to ensure a quick response and minimization of the impact.
In addition, we carried out targeted e-mail drills twice in FY2022 to promote a security mindset in each employee. We will continue this drill at least once a year.
<Strengthening the Security Management Structure and Human Resource Development>
The Fujitsu Group will work to reform each department’s security-related way of thinking and behavior by having the CISO and the organization under their direct control periodically share information within the company, by assigning security managers to support each department, and by stimulating their community.
In 2023, we redefined the profile of security personnel, especially that of security managers working in the field. We also reviewed our professional certification system. After clarifying their functions and responsibilities, we revised the system, including the compensation system, and have been reinforcing the security structure of field organizations in Japan ahead of schedule since January 2023.
We also strive to raise the security maturity level of departments lacking security-related experience by sharing with them their actual status, visualized through the above-mentioned “metering of security maturity levels,” and by having the security managers’ community communicate with them periodically.