Information Security

Policy

The Fujitsu Group has appointed a dedicated Chief Information Security Officer (CISO) to strengthen our information security management regime, while at the same time developing globally consistent security policies and measures to ensure the information security of the entire Group and to ensure and improve information security for customers through our products and services.

Management Structure

<Top Management-led Information Security Control>

With the rapid increase in more complex and sophisticated cyber attacks, strengthening information security has become a top priority for national economic security and corporate business activities. In order to further strengthen and ensure the effectiveness of information security policies., We believe it is necessary more than ever before to take prompt and appropriate actions under the leadership of top management. Therefore, we have enhanced the structure and functions of the Risk Management and Compliance Committee, chaired by the CEOof the Fujitsu Group, where critical risks and compliance issues in Fujitsu Group are discussed, to enable a continuous, company-wide cyber security controls.

In parallel with the security controls by the Risk Management and Compliance Committee, monthly Regular Meetings on Quality and Security Measures have been established as a venue for discussing countermeasures involving the CEO, CISO, CRMO (Chief Risk Management Officer), CQO (Chief Quality Officer), and the heads of each business group to share the status of information security and strengthen measures according to the given status, thereby ensuring CEO-led risk management.

<Enhanced CISO Governance Structure>

CISO governance structure includes regional CISOs in Japan and three international regions (Americas, Europe, and Asia Pacific) to strengthen information security through a globally integrated structure by aligning headquarters policies with the security requirements specific to each country.
For Fujitsu headquarters and group companies in Japan and international regions, information security managers have been assigned to strengthen autonomous information security in each department, and a system has been established to reinforce the leadership by the CISO.

Specifically, our security manager system ensures that each department has an “Information Manager,” who oversees the management and protection of information; an “System Security Manager,” who supervises the maintenance and management of information security system; and a “Product Security Incident Response Team (PSIRT*1) Manager,” who leads product vulnerability management., so that they can promote various information security measures in cooperation with the CISO.

• *1
  Product Security Incident Response Team (PSIRT): An organization that is responsible for incident resolution involving products offered by the company

Information Security Initiatives

Our goal is to achieve information security to provide secure services to our customers through appropriate risk control by planning/executing proactive security strategies and initiatives based on security lifecycle management.

In order to achieve this goal, we are committed to “respond to cyber attacks with ever-evolving advanced information security” and to “improve the awareness of each employee and reform our organizational culture,” which are the keys to success. The entire Fujitsu Group is united in the efforts to develop processes, rules, and methods to promote cybersecurity practices, and to strengthen information security for the entire Fujitsu Group and while ensuring a safe environment for our customers and partner companies.

To achieve our information security goals, we have established a “Company-Wide Security Risk Management Scheme” which focuses on highly objective security risk identification, visualization, and their precise remediation.
The Company-Wide Security Risk Management Scheme forms a dual-loop structure as shown in the figure below. Under the scheme, a combination of security measures is implemented to address each issue identified by visualizing security risks, and senior management, departments, and the CISO organization collaborate on a response through organic activities.
This dual-loop includes, monitoring by senior managements through monthly reviews conducted during the Risk Management and Compliance Committee and Regular Meetings on Quality and Security Measures where senior management is directly involved. This enables security measures under the responsibility of the CISO to be considered as part of the business priorities and can be pursued with the same perspective as the senior management, thereby realizing a company-wide risk management cycle.

• Outer loop (gray arrow)
  Control loop consist of a role to strengthen senior management involvement by making visualized risks available to senior management, and a role of risk management with security governance by the CISO organization.
• Inner loop (blue arrow)
  Autonomous loop to promote self-improvement (autonomous corrective activities based on principles) in each department to ensure correct understanding of the situation in their own department through highly objective risk visualization.

<What Can be Realized through the "Company-Wide Security Risk Management Scheme">

In the dual-loop of the Company-wide Security Risk Management Scheme, "visualization of security risks" serves as a common checkpoint between the outer loop and the inner loop. By rotating the dual-loops starting from this checkpoint enables information security to be continuously maintained, improved, and enhanced. By continuing this cycle, the scheme becomes firmly established thus realizing a reform of the organizational culture.

<Visualization of Security Risks Using Technology>

"Visualization of security risks," is enabled by introduction of CMDB*2 and Information Management Dashboards*3 to digitally (mechanically) visualize risks such as the residual vulnerabilities of information systems and inappropriate information management practices. For example, if a vulnerability is detected through a process of matching the information system configuration information registered in the CMDB with the Vulnerability Database*4, the system management department is instructed to mitigate the vulnerability by issuing a remediation task ticket. The status after the remediation instruction is also visualized in the remaining vulnerability status dashboard to ensure successful completion of the remediation.
If a particularly hazardous risk is detected through risk visualization, a timely and appropriate remedial solution will be implemented under the control of the management and the CISO.

• *2
  CMDB: Configuration Management Database
  A database for collecting and consolidating configuration information on information systems, including hardware, software and network. The collected configuration information is used for security inspections/audits, vulnerability mitigation and security incident resolution.
• *3
  Information Management Dashboard: A digitized information management ledger
  Fujitsu Group manages and utilizes an information management ledger that maintains inventory of confidential information, including name of administrators, storage locations and disclosure restrictions, in digital form. The system checks for consistency with the actual status of information management (e.g., audit logs for storage services) and alerts the managing department if any deficiencies are detected, thereby enabling an immediate response.
• *4
  Vulnerability Database:
  A database that collects and consolidates known product vulnerabilities.

Each department will foster an organizational culture that encourages self-improvement based on risk visualization. The first step is to visualize and share the state of the organization's and individual employees' information management literacy (internal factors) as well as the actual state of cyber risks (external factors). (Visualization)
Then, by having each employee correctly understand the visualized risks and take them personally (taking ownership), autonomous information security practices will be facilitated (taking the initiative). Repeatedly reinforcing this process while making improvements, will nurture an organizational culture with effective self-improvement.

In the following chapters, the key initiatives implemented within the "Company-wide Security Risk Management Scheme" are introduced by the following three themes.

• Cyber security
  Introduction of measures related to information system security (ensuring and maintaining the safety and reliability of information systems and networks), as well as security maintenance activities for Fujitsu products and services
• Information management
  Introduction of measures to maintain and manage the confidentiality, integrity, and availability of the information itself, including critical information (e.g., confidential information and personal information)
• Governance enhancement
  Introduction of governance enhancement measures to strengthen the security of the entire organization by disseminating and instilling the security practices.

Cyber Security

Based on the IT asset management information of Fujitsu’s systems, we will strengthen cyber security practices to prevent security breaches by providing perimeter defense and zero-trust security not only to block any unauthorized access by an attacker, but also to detect and take defensive actions in the event of such intrusion.

<Autonomous Risk Remediation Through Centralized and Visualized IT Asset Management>

To support our customers’ safe, secure, and sustainable business activities, we have centralized and visualized the IT asset management of the IT systems for our globally operating customers, as well as internal IT systems. This helps us promptly identify and remediate any security risks throughout the Fujitsu Group. We have been strengthening routine risk management, visualizing risk audits conducted by the CISO organization and their result, and promoting an appropriate understanding of the actual situation in relevant each departments and their autonomous correction.

<Vulnerability Detection and Remediation>

By providing vulnerability scanning process for systems (assets) directly accessible from the Internet using IT asset management information, each department that manages the system can autonomously conduct periodic scanning and implement remedial solutions triggered by vulnerability detection. Annual inspection using this process are conducted to ensure that vulnerability remediation practices are in place, and when high-risk vulnerabilities are detected, reliable solution will be implemented in a timely manner with the involvement of the CISO organization.
In addition, by maintaining IT asset management information up to date on a regular basis and matching it with a vulnerability database, any vulnerabilities detected are reported to the relevant department via issued remediation task ticket, ensuring that all vulnerabilities are fully addressed. This process also makes it possible to detect vulnerabilities in systems (assets) that are not directly accessible from the Internet.
As of the end of FY2023, we have completed implementing solutions to address the high-priority vulnerabilities*5 detected through this initiative for the systems in Japan. For international regions, remedial solutions are scheduled to be implemented by the end of FY2024.

• *5
  High-priority vulnerabilities:
  High-risk vulnerabilities that remain in systems (assets) that are directly accessible from the Internet and that hold sensitive information such as personal data.

<Utilization of Threat Intelligence and Attack Surface Management>

We are proactively utilizing threat intelligence to speed up the detection of, and response to, vulnerabilities in systems exposed to the Internet. Threat intelligence enables us to collect information in the early stage of an actual attack from an attacker’s perspective, such as information on global threat trends and vulnerability as well as vulnerability information in Fujitsu Group’s systems exposed to the Internet. The obtained threat intelligence allows impact analysis and prompt remedial action.
Moreover, in combination with vulnerability scanning of Internet-exposed systems based on IT asset management information, we also implement attack surface management, which monitors system vulnerabilities from an attacker’s perspective.

The cyber security environment is constantly changing, and attack methods are becoming more complex and sophisticated. Under such circumstances, the Fujitsu Group takes a zero-trust approach, based on the concept that 100% prevention of intrusion by cyber-attack is impossible, to reinforce security monitoring. We have established internal guidelines for security monitoring and conduct periodic system inspections to assess and visualize the current situation. We are also working to ensure a sound monitoring to enhance detection capabilities and enable timely response to cyber-attacks. Furthermore, we ensure that critical systems are thoroughly monitored through third-party inspections conducted by the CISO organization.
As of the end of FY2023, we have completed enhancing and improving capabilities for detecting cyber attacks against critical systems in Japan. For international regions, formulation of a improvement plan was completed at the end of FY2023, and actual improvement is scheduled to be completed in accordance with the plan during FY2024.

As a company that supports the safe and secure business activities of our customers, we need to be able to respond immediately to increasingly advanced and sophisticated cyber attacks. For this reason, we have preemptively established an incident response policy, scheme, and procedures based on the assumption that security incidents may occur during normal times. This allows us to quickly implement a series of procedures in the event of an incident, including escalation, response, recovery, and notification

(1) Escalation
When a security incident is confirmed to have caused damage to the system managed by a department or to a personal terminal, the incident and the extent of the damage are assessed in according to preestablished procedures, and immediate emergency measures to be carried out, while also escalating the incident to the appropriate level. After escalation, support staff will be assigned by the Security Control Organization to assist with incident response, allowing them to work together to resolve the incident.

(2) Incident response
The Security Control Organization and the department managing the affected system cooperate to prevent the spread of damage by shutting down the affected system and/or disabling specific functions. The cause of the incident is investigated and eradicated thereafter. ( e.g., application of patches).

(3) Recovery
After eradicating the cause of the incident, system and business-related data are restored to resume the system and business operations to a normal state.

(4) Notification
Incident details is shared and reported to fulfill our accountability to stakeholders, including public authorities, affected customers, and business partners.

The Incident Response Handbook & Guidelines, which defines the above incident response policies and procedures has been developed and deployed in Japan by FY2023. Versions for international regions will be released and deployed by FY2024 after making alignment with the specific requirements of each country.

<Sophistication of Incident Response>

Responding to a security incident requires an accurate understanding of the event from a technical perspective through log analysis, malware analysis, disk forensics, and other methods. A quick and fitting response also requires determining an overall policy and collaborating with parties involved inside and outside the company.
At Fujistu, technical experts and members who take the lead on the path to the solution work together to respond to security incidents, following several processes, including the escalation process.
We have been accumulating data on attacker’s tools, processes, and access methods and improving technical knowledge and skills of our response team members through continuous training. We also conduct reviews of the result of past incidents we have handled with our global group companies to continuously improve our incident response capabilities, including upgrading our structure, rule and processes and accumulating know-how, to enable immediate responses and minimize the impact of incidents.

<xSIRT Regime>

To protect customers who use Fujitsu's products and services, we centrally manage product configuration information, IT asset information, and threat intelligence information, which includes vulnerability information. In addition, to enable prompt and proactive response to risks arising from vulnerabilities in products and services, we have established an xSIRT*6 regime by assigning PSIRT managers and System Security Managers, who are responsible for managing vulnerabilities in their departments.

• *6
  xSIRT: Security Incident Response Team
  An organization or regime that handles incidents that affect products and services offered by Fujitsu. It plays a similar role to PSIRT, while xSIRT covers wider range of cases.

<Process Formulation>

In order to estimate risks to products and services, and to promptly consider and execute countermeasures against vulnerabilities based on risks to products and services, we have established criteria and processes for addressing risks associated with vulnerabilities, and are continuously improving these processes based on statistical analysis and our past incident response results.

With these regime and processes in place, we ensure prompt remediation of vulnerabilities in order to shorten the vulnerability response time and resolve them in a timely manner, thereby preventing secondary damage to our customers and minimizing the impact on their business continuity.
As an example of the succesful achivements of implementing this solution, at the time when a vulnerability-induced cyber attack occurred in the past, which caused significant damage and had an impact worldwide and resulted in a major risk warning from CISA*7, Fujitsu was able to quickly identify the affected system and took appropriate remedial action to avoid damage from information exploitation.

• *7
  CISA: The U.S. Cybersecurity and Infrastructure Security Agency

Information Management

Fujitsu Group is actively promoting the acquisition of third-party evaluation and certification in our information security efforts.

• Third-party evaluation/certification audit results (link)