Information Security


Policy

The Fujitsu Group appointed a dedicated Chief Information Security Officer (CISO) in October 2021. Under the new information security regime, we are striving to secure and improve information security for our customers through our products and services, while also ensuring the information security of the entire Fujitsu Group.

Management Structure

The Fujitsu Group is working to strengthen its global information security governance. We appointed Regional CISOs in each of four regions (Japan, Americas, Europe, and Asia Pacific) who report to the Fujitsu Group CISO. In addition to strengthening the CISO's governance over the internal organizations responsible for information management and re-establishing the overall management structure, we have moved the resources responsible for leading information security in each unit into an organization under the direct control of the CISO.

Information Security Management Frameworks

We have four functions that drive our information security initiatives: "Security Strategy," "Information Management," "Risk Management," and "Incident Handling." We reorganized each region so that it holds all four functions, enabling cross-region activities.

Each of the four functions is explained below.

Security Strategy

Fujitsu supports our customers' businesses by developing and executing security strategies that foster trust with stakeholders and appropriately control the security threats that may hinder the business and social activities of our Group and of each region. Additionally, through a security framework based on global regulations, we foster processes and an organizational culture that continuously produce an organizational structure, measures, and operations that can serve as a reference model in the global market. Moving forward, we will take on challenges in fields where we are inexperienced or that we have yet to enter.

The CISO Principles

Security Framework

In 2022 we will develop a series of frameworks and guidelines that allow organizations to review their approach, starting from the current state of their cyber security measures and working toward the ideal form, while taking into consideration the current business environment, risk tolerance, and available resources. We are also strengthening activities that raise the maturity of our organization.

In addition, by distributing the above documents to each region, we are working to unify the policies, objectives, ways of thinking, and processes of our information security activities, which everyone involved in security is required to be aware of. We will also strengthen this structure so that it is sustainable on a global scale.

Global Security Governance

Initiatives and Structures for Continued Trust from Society

In order to protect the customers who use our services and products, we are strengthening the collection and accumulation of information such as vulnerability information, an inventory of information assets, and bill of materials (BOM) information. We are also using a new technology infrastructure to link these data sets so that data scientists can perform statistical analysis and support decision making.

Based on this system, we estimate the risks to our products and services and, according to those risks, examine countermeasures for the threats and vulnerabilities affecting them. This enables us to respond quickly and proactively, and to minimize the impact on our customers' business continuity.

Vulnerability Response Framework

Information Management

Information Protection Management Systems

The Fujitsu Group in Japan implemented the Information Protection Management System in order to appropriately protect third-party confidential information (including personal information) and our own confidential information. We apply a PDCA (plan-do-check-act) cycle across the activities from "Roles & Responsibilities" through "Review". To clarify which information assets must be protected, we establish management appropriate to the circumstances of our customers and suppliers and take initiatives to protect that information. Each division carries out these steps as autonomous information protection activities (reflecting the regulations of its industry, business type, etc.), while the classification of information is unified on a global scale.

Furthermore, we provide various automation support tools built on information management dashboards to support appropriate information management, and we improve them as necessary so that operations are both effective and safe.

The main activities of the Information Protection Management System are described below.

<Information Protection Management System>

Information Protection Management System and Roles

Information Management Education for all employees (FY2021 version)

(1) Roles & Responsibilities
Under the oversight of the CEO, we are building a system to manage and protect information through a global network centered on the CISO. We appoint management staff for each department, clarify their roles, and promote the appropriate handling of information.

(2) Policies & Regulations
In order to handle information correctly, we have formulated necessary rules, procedures, and an annual activity plan. We also periodically review our policies and rules, including responding to legal amendments.

(3) Training & Awareness
In order to improve the awareness and skills of each employee, we provide the necessary information according to employees' positions and roles. We also hold various training sessions and disseminate information in response to changes in the work environment (for example, telecommuting).
Every year, we carry out information management education (e-Learning) for all employees including executives, and we publish internal information management learning materials that can be studied at any time.

(4) Self-Inspection
We identify and classify our information assets, conduct risk analysis, and carry out periodic inventory checks.

(5) Incident Response
We have established a system for fast and appropriate response to information management incidents, with escalation routes and procedures defined on a global scale.

(6) Audit
The Information Management Promotion Division confirms the status of information management for each division from a third-party perspective. It also gives instructions and suggestions for corrections and improvements.

(7) Review
We are working to improve and review our Information Protection Management System by considering external opinions (including audit results, incidents, and complaints), law revisions, and changes in the environment.

<Protection of Personal Information>

Fujitsu has established a global Personal Information Protection System to strengthen the protection of personal data. Under the leadership of the CISO organization and the Legal Division, we work with each region and Group company to comply with the laws and regulations of each country, including the GDPR (*1). In regard to the handling of personal information, we post and announce privacy policies on public sites in each country.

  • (*1)
    Acronym for General Data Protection Regulation. A European regulation that came into effect on May 25, 2018 and that requires companies, organizations, and groups to protect personal data. It includes rules on the transfer of personal data outside the European Economic Area (EEA), the obligation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, etc.

In Japan, with the objective of protecting personal information, the Fujitsu Group obtained PrivacyMark (*2) certification from the Japan Information Processing and Development Center (JIPDEC) in August 2007. We are continually working to strengthen our Personal Information Protection System. Our domestic Group companies also obtain the PrivacyMark as necessary and work to manage personal information thoroughly.

  • (*2)
    The PrivacyMark is granted to businesses that handle personal information appropriately under a personal information protection management system that is in compliance with JIS Q 15001:2017.

<Acquisition of Information System Certification>

The Fujitsu Group actively promotes the acquisition of third-party evaluation and certification of its information security efforts.

Risk Management

<Centralized Management of IT Assets>

In order to support safe, secure and sustainable business activities by our customers, the Fujitsu Group centralizes and visualizes IT asset management for customers' IT systems worldwide and for our in-house IT systems. By doing so, we can quickly identify and correct security risks across the entire Group. In addition to strengthening risk management during normal operations, we will make the results of risk audits by the CISO organization visible, so that each project division can accurately understand its current state and correct issues on its own initiative.

Global IT Asset Management

<Security Awareness>

Maintaining healthy IT systems for our customers requires not only systematic system management but also improving the security awareness and skills of each employee. Therefore, in addition to strengthening the company-wide education that the Fujitsu Group has periodically conducted, we periodically disseminate information within the company through methods such as CISO notifications, and we are working on the following initiatives to raise awareness thoroughly among employees.

(1) Security Education

  • We raise security awareness among employees by sharing the latest security threat trends and incident cases.

(2) Security Consultation Portal

  • We provide hands-on support close to the field for various security-related consultations.
  • We support security measures from the system design stage onward (security by design).

(3) Provide Information

  • We provide security information via our internal website so that employees can easily obtain up-to-date vulnerability information and FAQs.

Cybersecurity Incident Handling

Components of Incident Handling

Responding promptly to cybersecurity incidents requires knowledge in various specialized fields such as log analysis, malware analysis, and forensics. Furthermore, as cyberattack methods become more sophisticated and complex, it is necessary to enhance many aspects of incident handling, including improving knowledge, conducting periodic training, strengthening security monitoring, improving incident response procedures, and accumulating and utilizing know-how from past incident handling records.

The Fujitsu Group is strengthening the key components of incident handling, namely people, data, processes and systems, and continuously improving each of them.

<People: Case Study and Training>

Since it is becoming more difficult to prevent incidents completely, we have shifted our incident response initiatives from "preventing security incidents" to "preparing for incidents", and we are working to strengthen incident response capability across the entire Fujitsu Group. As one of the initiatives for "preparing for incidents", we conduct incident response training for all employees.

As an example, we conduct training for the system engineers and business producers who are assigned to the field and involved in internal operations. This training is modeled on a realistic incident scenario and is used for practical reviews. Furthermore, to prepare for an incident with social impact, we carry out training involving corporate executives and the related departments, with the aim of responding promptly and minimizing impact.

<Data: Sophistication of Security Monitoring>

The environment surrounding cybersecurity is constantly changing, and cyberattack methods are becoming increasingly complex and clever. Even in such an environment, the Fujitsu Group is working to improve its security monitoring operations in order to provide a safe and secure business environment for our stakeholders. We improve the quality of monitoring data by using advanced technologies to keep up with the latest attacks, and we continuously optimize and improve our security operations as a whole so that we can respond to any change in the environment.

<Process: Standardization of Incident Response Process>

To respond to the current cybersecurity environment, it is necessary to shift from the traditional approach of passively protecting the network to one that assumes unauthorized access will occur. To be prepared for incidents, it is important that the relevant departments can function properly when an incident occurs, which requires documenting the full series of response procedures such as attack detection, response, and recovery. Based on this incident response process, we provide a globally unified response, and we will continue to make improvements based on feedback from incident response evaluations in order to respond to incidents promptly and minimize their impact.

<System: Accumulating and Utilizing Know-how from Incident Handling>

In addition to storing records of our daily incident response activities, we are converting those records into a database and using them as knowledge. When building the database, we link incident response information with other information, such as internal configuration management data and external tools. This enables investigation and deep analysis from various perspectives, as well as the creation of education and training material. We are making continuous improvements with the aim of responding to incidents in a prepared state.

The information obtained from incident response includes a variety of useful details, such as the tools, processes, and access methods used by the attackers, as well as the actions taken by the incident response staff. We therefore review this information from multiple angles in order to derive valuable lessons. These lessons show how experienced incident response staff analyze and respond when incidents occur, and they serve as training material that enhances our incident response capabilities by making effective use of this knowledge.

We apologize for any inconvenience to our customers and other related parties caused by the unauthorized access to our project information sharing tool “ProjectWEB”. Fujitsu will work to prevent the recurrence of similar incidents and strengthen our information security management, based on the recommendations received from the external committee established directly under the Board of Directors.
