Information Security Basic Policy
Fuji Xerox and its affiliates strive for strong information security and continue to work on this issue so as to be able to provide peace of mind to customers and other stakeholders.
- Purpose of Information Security
The purpose of information security is to protect information received from customers and suppliers, the Company's own technical information, and other sensitive information from the threats of leakage, alteration, and loss and to handle such sensitive information in a proper manner.
In particular, we apply stricter control and operational procedures when we handle confidential information and the personal information of customers to prevent leakage of these types of information.
- Operation of Information Security
Under a system of corporate-wide control, we manage and operate information security in accordance with applicable laws and regulations and in-house Company rules.
Specifically, we implement security programs, inspections, and improvement efforts based on risk assessment results. We also provide employee education programs to raise and enhance the security awareness of employees.
- Control of Information Security
In the event of any security incident occurring, we will take the appropriate actions to minimize the impact of the incident and implement necessary measures to prevent the recurrence of a similar incident.
- Please see the Fuji Xerox Information Security Report for details.
Summary on Information Security
Fuji Xerox believes that an important element in the operation of our business is risk management; protection against external threats and internal vulnerabilities. Information security is considered a key part of risk management, and we have been implementing a variety of measures accordingly. We believe that the most critical risk in information security is the leakage of information, such as a leak of personal information or confidential information that has been entrusted to us by our customers. In order for our customers to feel safe in allowing us to maintain their information assets and for them to utilize our solution services, we will first establish an optimal information security structure within the company, and will continue to implement the PDCA cycle to eliminate accidents and enhance the management of information security.
Concept of Information Security Governance
The approach of Fuji Xerox toward information security governance is based on the concept illustrated in the diagram below. We have been increasing the awareness of our employees on the policies and rules regarding information security, and have been ensuring that all incidents involving information security are properly reported. We have also been issuing the Information Security Report to inform our customers and partner companies of our activities and have them evaluate our efforts, thereby seeking to provide a higher level of information security governance.
Information Security Promotion System
In April, 2016, we established an information security center within the General Affairs Department at Fuji Xerox headquarters to build a system to supervise and promote information security throughout the company. This center is seeking to promote information security throughout the company by working together with the Computer Security Incident Response Team (CSIRT), which is a cross-departmental group for the prevention of cyber-attacks, the Information and Communications System Department, which is responsible for IT governance, and Fuji Xerox Information Systems Co., Ltd. (FXIS), which engages in the development and operation of IT infrastructure.
Fuji Xerox Initiatives in Fiscal 2015
In fiscal 2015, we implemented the following measures to strengthen information security governance and improve operational productivity.
- The CSIRT, which is a cross-departmental team for the prevention of cyber-attacks, created manuals to deal with vulnerabilities and make responses in the event of an accident, and conducted cyber-attacks drills.
- To further improve the quality and security of our products, we have invited internal and external experts to inspect and test the products from multiple perspectives.
- To ensure that sensitive information provided to service contractors is properly handled, we started to centralize the information management and standardize the criteria for information security measures implemented at the contractors.
Acquisition Status of Information Security Management System Certification
Fuji Xerox and its affiliates promote the acquisition of third-party certification for information security. The table below shows the acquisition status for Information Security Management System (ISMS) certification and the Privacy Mark as of March 31, 2016.
Acquisition Status of Information Security Management System (ISMS) Certification and the Privacy Mark
|Company/Department||Date of ISMS
|Date of Privacy
|Fuji Xerox Co., Ltd. and its affiliates in Japan Note 1 Note 2||January 2004|
|Fuji Xerox Service Link Co., Ltd.||April 2014|
|Fuji Xerox System Service Co., Ltd. (Itabashi Office)||March 2004||March 2001|
|Fuji Xerox Learning Institute Inc.||July 2005|
|11 independent prefectural distributors (12 offices)||2006~2007|
|Fuji Xerox of Shanghai Limited||March 2007|
|Fuji Xerox Korea Co., Ltd.||April 2007|
|Fuji Xerox of Shenzhen Ltd.||September 2007|
|Fuji Xerox Eco-Manufacturing (Suzhou) Co., Ltd.||June 2010|
|Fuji Xerox Asia Pacific Pte Ltd. (Singapore)||April 2012|
|Fuji Xerox BusinessForce Pty. Limited (Australia)||July 2013|
- Note 1 In January 2016, we integrated the ISMSs of the corporate functions, Fuji Xerox Global Services, and sales departments and sales companies in Japan, and also set the target to include R&D and production functions.
- Note 2 Excluding Fuji Xerox System Service, Fuji Xerox Information Systems, Fuji Xerox Printing Systems, and Fuji Xerox Learning Institute
In fiscal 2016, we intend to continue implementing the following activities with the aim to both strengthen information security governance and increase operational productivity.
- To strengthen resistance against cyber-attacks, stronger measures to detect attacks will be introduced by setting up an information security emergency response system.
- For the appropriate management of personal information including social security and tax numbers ("My Numbers"), we will review the related rules and foster education, awareness raising activities and inspections in a planned manner, thereby ensuring legal compliance.
- Measures to prevent internal fraud and human error will be enhanced to prevent information leakage by employees or contractors.