Home > About Fuji Xerox > Sustainability Report 2016 > Management and Organization > Organization and Systems > Information Security

Information Security

Information Security Basic Policy

Fuji Xerox and its affiliates strive for strong information security and continue to work on this issue so as to be able to provide peace of mind to customers and other stakeholders.

  1. Purpose of Information Security

    The purpose of information security is to protect information received from customers and suppliers, the Company's own technical information, and other sensitive information from the threats of leakage, alteration, and loss and to handle such sensitive information in a proper manner.
    In particular, we apply stricter control and operational procedures when we handle confidential information and the personal information of customers to prevent leakage of these types of information.

  2. Operation of Information Security

    Under a system of corporate-wide control, we manage and operate information security in accordance with applicable laws and regulations and in-house Company rules.
    Specifically, we implement security programs, inspections, and improvement efforts based on risk assessment results. We also provide employee education programs to raise and enhance the security awareness of employees.

  3. Control of Information Security

    In the event of any security incident occurring, we will take the appropriate actions to minimize the impact of the incident and implement necessary measures to prevent the recurrence of a similar incident.

Summary on Information Security

Fuji Xerox believes that an important element in the operation of our business is risk management; protection against external threats and internal vulnerabilities. Information security is considered a key part of risk management, and we have been implementing a variety of measures accordingly. We believe that the most critical risk in information security is the leakage of information, such as a leak of personal information or confidential information that has been entrusted to us by our customers. In order for our customers to feel safe in allowing us to maintain their information assets and for them to utilize our solution services, we will first establish an optimal information security structure within the company, and will continue to implement the PDCA cycle to eliminate accidents and enhance the management of information security.

Concept of Information Security Governance

The approach of Fuji Xerox toward information security governance is based on the concept illustrated in the diagram below. We have been increasing the awareness of our employees on the policies and rules regarding information security, and have been ensuring that all incidents involving information security are properly reported. We have also been issuing the Information Security Report to inform our customers and partner companies of our activities and have them evaluate our efforts, thereby seeking to provide a higher level of information security governance.

Information Security Promotion System

In April, 2016, we established an information security center within the General Affairs Department at Fuji Xerox headquarters to build a system to supervise and promote information security throughout the company. This center is seeking to promote information security throughout the company by working together with the Computer Security Incident Response Team (CSIRT), which is a cross-departmental group for the prevention of cyber-attacks, the Information and Communications System Department, which is responsible for IT governance, and Fuji Xerox Information Systems Co., Ltd. (FXIS), which engages in the development and operation of IT infrastructure.

Fuji Xerox Initiatives in Fiscal 2015

In fiscal 2015, we implemented the following measures to strengthen information security governance and improve operational productivity.

  1. The CSIRT, which is a cross-departmental team for the prevention of cyber-attacks, created manuals to deal with vulnerabilities and make responses in the event of an accident, and conducted cyber-attacks drills.
  2. To further improve the quality and security of our products, we have invited internal and external experts to inspect and test the products from multiple perspectives.
  3. To ensure that sensitive information provided to service contractors is properly handled, we started to centralize the information management and standardize the criteria for information security measures implemented at the contractors.

Acquisition Status of Information Security Management System Certification

Fuji Xerox and its affiliates promote the acquisition of third-party certification for information security. The table below shows the acquisition status for Information Security Management System (ISMS) certification and the Privacy Mark as of March 31, 2016.

Acquisition Status of Information Security Management System (ISMS) Certification and the Privacy Mark
Company/Department Date of ISMS
Acquisition
Date of Privacy
Mark Acquisition
Fuji Xerox Co., Ltd. and its affiliates in Japan Note 1 Note 2 January 2004 no data
Fuji Xerox Service Link Co., Ltd. no data April 2014
Fuji Xerox System Service Co., Ltd. (Itabashi Office) March 2004 March 2001
Fuji Xerox Learning Institute Inc. no data July 2005
11 independent prefectural distributors (12 offices) 2006~2007 no data
Fuji Xerox of Shanghai Limited March 2007 no data
Fuji Xerox Korea Co., Ltd. April 2007 no data
Fuji Xerox of Shenzhen Ltd. September 2007 no data
Fuji Xerox Eco-Manufacturing (Suzhou) Co., Ltd. June 2010 no data
Fuji Xerox Asia Pacific Pte Ltd. (Singapore) April 2012 no data
Fuji Xerox BusinessForce Pty. Limited (Australia) July 2013 no data

Future Direction

In fiscal 2016, we intend to continue implementing the following activities with the aim to both strengthen information security governance and increase operational productivity.

  1. To strengthen resistance against cyber-attacks, stronger measures to detect attacks will be introduced by setting up an information security emergency response system.
  2. For the appropriate management of personal information including social security and tax numbers ("My Numbers"), we will review the related rules and foster education, awareness raising activities and inspections in a planned manner, thereby ensuring legal compliance.
  3. Measures to prevent internal fraud and human error will be enhanced to prevent information leakage by employees or contractors.