The Fujitsu Group has ICT as its core business. Our corporate vision is to contribute to creating a safe, pleasant, networked society, and to that end we work to ensure and improve the level of information security throughout the Group.
In April 2016, we established the Fujitsu Group Information Security Policy (*1) in order to share this vision and encourage action by each employee. Based on this policy, we are implementing information security measures and establishing internal regulations related to information management and ICT security at Group companies in Japan and overseas.
- (*1) Complete text of the Fujitsu Group Information Security Policy (Global Security Policy)
KEIDANREN (the Japan Business Federation) announced its Declaration of Cyber Security Management in March 2018. The Fujitsu Group supports KEIDANREN's declaration as being consistent with the principles set forth in the Fujitsu Cyber Security Declaration (November 2016).
Given the recent increase in cyberattacks, the Fujitsu Group appointed a Chief Information Security Officer (CISO) under the authority of the Risk Management and Compliance Committee (*2) in order to further strengthen security measures in the Group. To strengthen our global information security governance, we have also appointed Regional CISOs around the world.
(*2) Message from the Fujitsu Group Chief Information Security Officer (CISO) (page 2)
Regional CISOs report to the CISO on information security measures implemented by security teams at each group company. The CISO periodically reports to the Risk Management and Compliance Committee on the status of information security measures, and also makes additional reports whenever necessary.
In order to strengthen information security measures, the Fujitsu Group has established a Security Management Organization under the direct control of the CISO. The Security Management Organization implements controls through the following functions: Security Management; Security Measure Implementation; Monitoring, Analysis, and Evaluation; and Incident Response.
Security Measures Which Incorporate "Zero Trust"
The number of cyberattacks is rapidly increasing, and their methods are becoming more sophisticated and complex. At the same time, changes in how people work require security defenses to be revamped to keep pace.
The Fujitsu Group has adopted multi-layered defense as the basic concept of its information security measures, using several different measures in combination to defend against cyberattacks, typified by targeted attacks, that no single security measure can stop. As IT environments move from on-premises to the cloud, we are shifting from multi-layered defense toward a "zero trust" concept that trusts nothing by default and operates on the premise that every network, device, user and application will be attacked. We apply "zero trust" across the three axes of cybersecurity, physical security, and information management, and ensure internal information security by granting access to information assets only after the legitimacy of the user has been authenticated and the access has been authorized.
The Fujitsu Group has taken measures suited to the characteristics of its IT infrastructure in order to achieve zero trust. As a countermeasure against targeted cyberattacks, we have built an infrastructure based on authentication and authorization, in addition to countermeasures against unauthorized access and malware, combined with device management, ID management and data breach countermeasures. We continue to introduce measures to counter ever more sophisticated, varied and complex cyberattacks.
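The following is an added illustration of the access decision described above; it is example code written for this page, not Fujitsu's own implementation, and every identity, key, device ID and policy entry in it is constructed. It contrasts a legacy perimeter check (trust anything on the corporate network) with a zero-trust check that ignores network location and instead requires, on every request, an authenticated user, a managed device, and an authorization decision against the asset's information classification:

```python
"""
Added example (not Fujitsu code): a per-request zero-trust access decision
next to the network-location check it replaces.  All data below is
constructed for illustration; the token scheme is a hypothetical HMAC over
the user name, standing in for a real identity provider's session token.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed: secret used to sign session tokens (hypothetical).
SESSION_KEY = b"example-session-key"

# Constructed inventory of managed (company-controlled) devices.
MANAGED_DEVICES = {"laptop-0001", "laptop-0002"}

# Constructed user directory: user -> highest classification they may read.
USER_CLEARANCE = {"alice": "confidential", "bob": "internal"}

# Constructed classification scale, least to most sensitive.
LEVELS = ["public", "internal", "confidential"]


@dataclass
class Request:
    user: str
    token: str
    device_id: str
    source_ip: str
    asset_classification: str


def issue_token(user: str) -> str:
    """Mint a session token bound to the user name (HMAC-SHA256, hex)."""
    return hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()


def perimeter_decision(req: Request) -> bool:
    """Legacy perimeter model: any request from the corporate address range
    is trusted, regardless of who or what sent it."""
    return ipaddress.ip_address(req.source_ip) in ipaddress.ip_network("10.0.0.0/8")


def zero_trust_decision(req: Request) -> bool:
    """Zero-trust model: the source network is not consulted at all.  Each
    request must (1) authenticate the user, (2) come from a managed device,
    and (3) be authorized for the asset's classification."""
    # 1. Authenticate: constant-time comparison of the presented token.
    if not hmac.compare_digest(issue_token(req.user), req.token):
        return False
    # 2. Device posture: only inventoried devices may access assets.
    if req.device_id not in MANAGED_DEVICES:
        return False
    # 3. Authorize: clearance must be at or above the asset's level.
    clearance = USER_CLEARANCE.get(req.user)
    if clearance is None or req.asset_classification not in LEVELS:
        return False
    return LEVELS.index(clearance) >= LEVELS.index(req.asset_classification)


if __name__ == "__main__":
    # An unauthenticated request from inside the corporate network passes the
    # perimeter check but is refused under zero trust.
    insider = Request("mallory", "forged", "byod-9", "10.1.2.3", "confidential")
    print("perimeter:", perimeter_decision(insider), "zero trust:", zero_trust_decision(insider))
    # A properly authenticated user on a managed device is admitted even from
    # the public internet, but only to assets within their clearance.
    alice = Request("alice", issue_token("alice"), "laptop-0001", "203.0.113.5", "confidential")
    print("perimeter:", perimeter_decision(alice), "zero trust:", zero_trust_decision(alice))
```

The point the example makes is the one in the text: once location no longer implies trust, the controls that matter are identity (ID management), device management and a classification-aware authorization step evaluated on every access, which is why the measures listed above are described as a combination rather than as alternatives.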
Fujitsu has built a physical security environment that combines manned guarding and mechanical security at three levels: sites, buildings and floors. To create an even more advanced physical security environment, we have deployed security gates internally in combination with a vein authentication device that prevents impersonation. We are also considering linking the vein authentication device to applications other than security gates (such as multifunction printers) to improve the user-friendliness of internal services.
Safeguarding Information Through Information Protection Management Systems
Fujitsu and its domestic Group companies carry out autonomous activities at work sites to properly safeguard both third-party confidential information and our own confidential information. Specifically, these include establishing management appropriate to each client and taking action to protect information. Activities are designed to match the circumstances of different customers and clients; for example, we consider rules specific to different industries and business categories. We also have audits conducted by independent in-house organizations. In this way, we build information protection management systems that confirm the status of initiatives and improve the protection of information.
In addition, we have also unified the classification of information on a global basis, which includes overseas Group companies, to enable the exchange of information that is not affected by regional characteristics, business practices, or culture, and to enhance the security of information management across the entire group.
Safeguarding Personal Information
As part of our efforts to protect personal information, Fujitsu acquired the PrivacyMark (*3) from JIPDEC in August 2007. We continue to enhance our personal information protection, including annual training and audits on the handling of personal information.
Domestic Group companies also acquire the PrivacyMark as needed and implement thorough personal information management. Overseas Group companies post privacy policies based on the laws and social expectations of each country on their websites.
- (*3) The PrivacyMark is granted to business operators that appropriately handle personal information under personal information management systems conforming to JIS Q 15001:2017.
Fujitsu has constructed a global personal information protection structure and is working to strengthen the protection of personal data. Under the guidance of the CISO organization and legal business units, we have cooperated with entities such as our European subsidiaries to develop guidelines and internal regulations on the protection of individual rights in response to the GDPR (*4). We have also designed check sheets for the formulation, design, and initial setting of rules, updated our operating processes in line with those rules, and held employee training.
In response to restrictions on transfer of personal data outside of the EU, we provide appropriate contractual and technical support in accordance with legal requirements.
In addition, we applied to the Dutch Data Protection Authority (DPA) in December 2017 for our Binding Corporate Rules for Processors (BCR-P), which are common rules established across the Fujitsu Group related to the handling of personal data that customers have entrusted to the Group for processing.
In addition, the European Commission and Japan have mutually recognized each other's data protection laws as providing an adequate level of protection; this mutual recognition took effect on January 23, 2019. Based on it, Fujitsu has established internal rules for the handling of personal information transferred between the two regions and raised awareness of those rules among employees.
- (*4) General Data Protection Regulation (GDPR): the EU regulation requiring companies, organizations, and groups to protect personal data, which came into effect on May 25, 2018. It includes rules on transferring personal data outside the European Economic Area and the obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
For details on other security measures, please refer to the Fujitsu Group Information Security Report 2018 (pages 8 to 13).
Information Management Training
To prevent information leaks, it is not enough simply to inform employees of the various rules and regulations; the security awareness and skill level of each individual employee must be raised. The Fujitsu Group therefore holds information management training for employees. Specifically, we hold e-Learning for all employees (including executives) every year, and we provide information security education during training for new employees and for employees being promoted. Overseas Group companies also hold information security training for employees every year.
In addition, we have newly made available internally the Fujitsu Learning EXperience, which offers seminars on basic skills for Fujitsu employees that can be taken at any time, together with teaching materials on information management entitled "Basic Principles of Information Management." We also provide guidance on how to handle information properly so that employees can adapt to new working environments such as teleworking.
Information System Certification
The Fujitsu Group is actively working to acquire third-party evaluations and certifications in its information security initiatives.
FY 2020 Performance
Information management education
- Company-wide e-learning education on information management (Fujitsu employees targeted: 36,000)
- E-learning for newly appointed managers (Fujitsu): 530 managers
- Introductory education and e-learning for new employees (Fujitsu): 912 new employees