Information Security

Since 2021, Fujitsu has faced multiple significant security incidents. While field organization implemented responses, a number of internal issues surfaced, highlighting areas in need of attention. As we worked to address these challenges, we recognized the importance of establishing and continuously maintaining Fujitsu as an attack-resilient organization that is difficult for attackers to target. In this context, attack-resilient refers to making attackers believe that their attacks will be unlikely to succeed.
To make Fujitsu an attack-resilient company, we are focused on thoroughly eliminating security risks that could serve as entry points for external threats—particularly vulnerabilities in internet-facing assets. By doing so, we aim to create an environment where it is extremely difficult for attackers to identify points of entry. Even if such an entry point were discovered, the subsequent execution of an attack would remain highly challenging.

Fujitsu’s conventional approach to security risk management was rooted in standard risk management practices, with an emphasis on minimizing damages through post-incident response. As a result, potential risks that went unrecognized by field organization gradually enlarged, and the severity of those risks only became apparent after an incident had occurred.
In light of this, we believe it is necessary to proactively identify and materialize potential risks from attackers perspective, and to implement countermeasures in advance. This approach is essential to minimizing the impact of cyber threats. Given the increasingly short window between risk discovery and actual attacks in today’s threat landscape, it is imperative to adopt a management framework that enables early risk detection and swift response.
We assume various potential risk scenarios and a mechanism for making them materialize to exhaustively identify potential risks and select the field organization that should respond to them. During our response to risks, we analyze (difficulty of attack, etc.) and assess (probability of occurrence and extent of damage) the identified risks to determine response policies and priorities. For high-priority risks, the CISO (Chief Information Security Officer) organization under the direct supervision of the CISO, which oversees company-wide security controls, may directly instruct field organization on how to respond.

To support the realization of Our Purpose, Fujitsu is implementing security measures based on the assumption that cyber attackers may target not only Fujitsu itself but also our partners and SaaS offerings on our cloud infrastructure. These measures are designed to safeguard customer information across the entire supply chain, both domestically and internationally. Our efforts span cybersecurity for systems that deliver value to our customers (business systems) and those that support internal operations (corporate systems). In addition, we focus on robust information management to ensure proper handling and protection of data and extend our security initiatives to the products we provide as well as to partner companies that form part of our supply chain.

This scheme is designed to enable company-wide implementation of security measures, involving senior management, field organization and the CISO, as visualizing risks and building a shared understanding of them are key to driving coordinated efforts across all organizational levels.
The CISO plays a pivotal role in communicating security risks to senior management and fostering a shared understanding between leadership and field organization. This alignment enables effective top-down governance (the outer loop) while encouraging bottom-up improvements (the inner loop). The CISO also defines policies and standards to guide autonomous improvement initiatives at the operational level. In cases where critical and time-sensitive vulnerabilities emerge, the organization exercises direct security oversight of field organization. Through these coordinated efforts, Fujitsu Group advances company-wide security via comprehensive and consistent initiatives across the organization.
The role of the senior management is to make decisions based on information on visualized risks. When risk mitigation measures are implemented at the operational level, field organization sometimes face competing demands—such as increasing business efficiency, reducing costs, and meeting customer expectations. These pressures can at times conflict with security measures and impact the speed of response to such security measures. To address this challenge, management makes decisions based on visualized risks and improves the environment that the field organization cannot resolve conflict or cannot implement the measures even if they want to.
At the operational level, field organization conduct their activities in accordance with company-wide policies and standards set by the CISO organization during normal time. In the event of a security incident due to materialized risk, provisional measures are taken within the respective departments, while formal responses are implemented in line with directions and guidance from the CISO organization. Additionally, teams proactively work to improve their own operations based on visualized risks.

This scheme promotes company-wide security by fostering a shared understanding of risk status and the progress of security measures through two key meetings: the Risk Management and Compliance Committee, chaired by the CEO of the Fujitsu Group, and Regular Meetings on Quality and Security Measures, which includes the CEO, CRMO, CISO, CQO, and heads of each field organization. These meetings bridge communication between management, control, and operational layers of the organization.
For example, it was decided through these meetings that responsibility for implementing security measures would be included in the duties of field organization heads. In addition, departments that were slow to address critical vulnerabilities were identified for the CISO to step in as necessary to prompt the responsible department heads to take action through a top-down approach. This communication approach encourages department heads to not leave security matters solely to their staff, but to take an active leadership role in driving security improvements themselves.
The status of risks and the implementation of security measures are continuously monitored, enabling both management and operational layers to quantitatively assess the response of their respective departments. This monitoring fosters a sense of urgency and risk awareness when responses are delayed. In instances where the implementation of security measures is delayed or deemed insufficient, the CISO may intervene with direct oversight. This has reinforced accountability among operational-level managers, fostering a heightened awareness of their critical role in advancing security initiatives and ensuring more robust execution at the operational level.

A governance framework has also been established to permeate the CISO organization’s policies, standards, and security measures at the operational level. Based on directives from the CISO organization, each of Fujitsu’s headquarters, under the authority of its organization head, has appointed three key roles including a System Security Manager, Information Manager, and PSIRT (Product Security Incident Response Team) Manager*1, to promote autonomous security practices within the field organization. The CISO organization engages in structured communication at both the head of Business Unit and security managers in the field organization by pairing head of Unit and persons in charge of initiatives in CISO organization.
Specifically, one-on-one discussions are conducted with each division head to convey the current realities facing Fujitsu, including specific incidents, as well as the actual risk landscape within their organization. These conversations aim to foster a shared sense of urgency and encourage division heads to actively engage in their division’s security response. Additionally, regular leadership meetings and subcommittees led by persons in charge of implementing security measures provide a forum for dialogue between the CISO organization’s initiative leaders and security managers in the field organization. Through these discussions, company-wide policies, standards, and security measures are effectively embedded into day-to-day operations. These efforts strengthen the leadership role of division heads in promoting security initiatives and ensure that responsible officers are executing them effectively at the field organization. For global operations, where alignment between corporate policy and local security requirements is essential, a regional CISO framework has been established to coordinate and oversee efforts by region.

*1: System Security Manager: Person responsible for overseeing the maintenance and management of information systems security.
Information Manager: Person responsible for overseeing information management and protection.
PSIRT Manager: Person responsible for overseeing the management of product related vulnerabilities.

Fujitsu has established a Risk Management Framework grounded in the global standards of NIST’s (*2) SP800-37 (*3), to define its approach to security risk management across the Group. This framework outlines a structured set of processes for identifying and systematically managing security risks related to both organizational operations and information systems. It institutionalizes regular risk management activities across all organizational units and embeds these practices as formal rules throughout the development and operational phases of information systems. By integrating these processes into business workflows, Fujitsu ensures widespread awareness and adoption of risk management practices across the Group.
In addition, the Fujitsu Group Standards for Information Security Measures have been formulated with reference to NIST’s CSF (*4), SP800-53 (*5), and ISO/IEC 27002 for standardized application across the Group. This standards consists of 165 management measures, which defines how each management measure should be applied based on the importance of the information systems involved. Materials such as manuals and guidelines are also available to support the effective company-wide implementation of these measures.

*2: NIST: National Institute of Standards and Technology
*3: SP800-37: NIST SP800-37 Rev.2 Risk Management Framework
*4: CSF: Cybersecurity Framework
*5: SP800-53: NIST SP800-53 Rev.5 Security and Privacy Controls for Information Systems and Organizations

Fujitsu has developed various dashboards, such as the Risk Monitor and Information Management Dashboard, for the digital (mechanic) visualization of risks, including status of remaining vulnerability on information systems or improper information management.
The Risk Monitor provides a comprehensive view of each department at Fujitsu headquarters and Group companies and visualizes numerical values of risks. With regard to the risks detected through the above mentioned vulnerability scanning and other measures, the remaining number of corrective actions by severity level is displayed in a heatmap or graph, and it is possible to prioritize the most important risks.
The Information Management Dashboard is a digitized information management ledger that maintains inventory of confidential information, including names of administrators, storage locations and disclosure restrictions in digital form. The system checks for consistencies with the actual status of information management (e.g., audit logs for storage services) and alerts the management department if any deficiencies are detected, thereby enabling an immediate response.
These dashboards are utilized across the management, control, and operational layers, functioning both as governance tools for monitoring field organization and as practical tools for those departments to evaluate their performance and foster autonomous improvement efforts.

To support our customers’ safe, secure, and sustainable business activities, we have centralized and visualized the IT asset management data of the IT systems (business systems) for our globally operating customers, as well as internal IT systems. This helps us promptly identify and remediate any security risks throughout the Fujitsu Group. We have been strengthening routine risk management, visualizing risk audits conducted by the CISO organization and their result, and promoting an appropriate understanding of the actual situation in each departments and their autonomous remediation.

By establising vulnerability scanning process for systems directly accessible from the Internet using IT asset management information, each department that manages the system can autonomously conduct periodic scanning and implement remedial solutions triggered by vulnerability detection. Annual inspection using this process are conducted to ensure that vulnerability remediation practices are in place, and when high-risk vulnerabilities are detected, reliable solution will be implemented in a timely manner with the involvement of the CISO organization.
Even systems that are not directly accessible from the internet may be compromised through lateral movement originating from internet-facing systems, potentially resulting in broader impact. Annual inspection using this process are conducted to ensure that vulnerability remedial actions are in place, and when high-risk vulnerabilities are detected. Reliable solutions will be implemented in a timely manner with the involvement of the CISO organization.
This initiative has been rolled out across the entire Fujitsu Group, ensuring proactive management of vulnerabilities in managed assets. As a result, the number of new externally exposed vulnerabilities detected has significantly declined. In particular, detections of high-risk vulnerabilities, such as open ports, have been reduced to just a few cases.

We are proactively utilizing threat intelligence to speed up the detection of, and response to, vulnerabilities in systems exposed to the Internet. Threat intelligence enables us to collect information in the early stage of an actual attack from an attacker’s perspective, such as information on global threat trends and vulnerabilities as well as vulnerability information in Fujitsu Group’s systems exposed to the Internet. The obtained threat intelligence allows impact analysis and prompt remedial action.
Moreover, in combination with vulnerability scanning of Internet-exposed systems based on IT asset management information, we also implement attack surface management, which monitors system vulnerabilities from an attacker’s perspective.

It is essential to establish a system that enables swift response to vulnerabilities not only during emergencies but also in normal operations. As such, the following measures have been implemented in Japan: appointment of designated personnel authorized to make service suspension decisions and establishment of comprehensive procedures for emergency vulnerability response.
Today, cyberattacks targeting software vulnerabilities are launched in increasingly shorter intervals following their discovery, while the speed of such threats continues to accelerate. Given these circumstances, as Fujitsu prioritizes the protection of customer data and the delivery of stable services, we may proactively suspend services at our own discretion if a critical vulnerability arises. This action is taken only when rapid intervention, including service suspension, is essential to protect the information assets of both customers and the company. Such decisions are made with the belief that they not only mitigate security risks but also minimize potential business impacts.

Responding to a security incident requires an accurate understanding of the event from a technical perspective through log analysis, malware analysis, disk forensics, and other methods. A quick and fitting response also requires determining an overall policy and collaborating with parties involved inside and outside the company.
At Fujitsu, technical experts and members who take the lead on the path to the solution work together to respond to security incidents, following several processes, including the escalation process.
We have been accumulating data on attacker’s tools, processes, and access methods and improving technical knowledge and skills of our response team members through continuous training. We also conduct reviews of the result of past incidents we have handled with our global Group companies to continuously improve our incident response capabilities, including upgrading our structure, rule and processes and accumulating know-how, to enable immediate responses and minimize the impact of incidents.

To protect customers who use Fujitsu’s products and services, we centrally manage product configuration information, IT asset information, and threat intelligence information, which includes vulnerability information. In addition, to enable prompt and proactive response to risks arising from vulnerabilities in products and services, we have established an xSIRT (*6) regime by assigning PSIRT managers and System Security Managers, who are responsible for managing vulnerabilities in their departments.

*6: xSIRT: Security Incident Response Team
An organization or regime that handles incidents that affect products and services offered by Fujitsu.

In order to estimate risks to products and services, and to promptly consider and execute countermeasures against vulnerabilities based on risks to products and services, we have established criteria and processes for addressing risks associated with vulnerabilities. In addition, we are continuously improving these processes based on statistical analysis and our past incident response results.
With these regime and processes in place, we ensure prompt remediation of vulnerabilities in order to shorten the vulnerability response time and resolve them in a timely manner, thereby preventing secondary damage to our customers and minimizing the impact on their business continuity.
As an example of the successful achievements of implementing this solution, at the time when a vulnerability-induced cyber attack occurred in the past, which caused significant damage and had an impact worldwide and resulted in a major risk warning from CISA (*7), Fujitsu has been able to avoid damage from information exploitation based on its prompt identification of the affected system and appropriate remedial action taken.

*7: CISA: The U.S. Cybersecurity and Infrastructure Security Agency

In Japan, with the objective of protecting personal information, Fujitsu Group obtained certification for the PrivacyMark (*10) by the Japan Information Processing and Development Center (JIPDEC) in August 2007 and we are continually working to strengthen our Personal Information Protection System. Group companies also obtain the PrivacyMark as necessary to ensure thorough management of personal information. The Information Management Promotion and Audit Division conducts third-party reviews of each division’s information management practices, providing guidance and recommendations for remedial actions and improvements as needed. Internal audits were conducted in all departments in FY2024.

*10: The PrivacyMark
The PrivacyMark is granted to businesses that handle personal information appropriately under a personal information protection management system that conforms to JIS Q 15001.

In FY2024, Fujitsu Customer Service Center Personal Information Protection Desk did not receive any consultations or complaints regarding customers’ privacy. No customer information was provided to government or administrative agencies in accordance with the Act on the Protection of Personal Information.

At Fujitsu, we digitally score factors such as the occurrence of vulnerabilities within organizations and the speed at which they are remediated, and visualize them as indicators of organizational maturity.
By visualizing the maturity level of each department at Fujitsu headquarters and Group companies on a monthly basis, we aim to foster a culture of autonomous implementation of specific solutions and remedial actions based on an understanding of current circumstances and gaps from targets.
Inspired by the C2M2 (*11), or Cybersecurity Capability Maturity Model, and SIM3 (*12), or Security Incident Management Maturity Model, both of which have been proven globally, our security maturity level evaluation indicators incorporate a unique method of scoring maturity mechanically from data taken from our security measures. The maturity levels are scored on six axes: governance, human security risk management, system security risk management, information asset risk management, incident detection and response capabilities, and organizational culture and mindset.
In addition to Fujitsu’s internal metering, we aim to strengthen our cybersecurity incident response capabilities by using external security rating services to continuously check Fujitsu’s security scoring, which is objective from a third-party perspective.

*11: C2M2：Cybersecurity Capability Maturity Model
*12: SIM3：Security Incident Management Maturity Model

As a global provider of IT services, the Fujitsu Group places strong emphasis on the continuous implementation of security measures and maintaining accountability to stakeholders regarding the health of our security posture. As part of these efforts, we have adopted industry-recognized security rating services—SecurityScorecard and Bitsight—to enable objective, third-party assessments. These services provide risk evaluations from an attacker’s perspective and incorporate publicly disclosed security incidents to visualize overall security hygiene as a quantified score. Through proactive management based on these insights, we have successfully achieved and sustained advanced ratings across both SecurityScorecard and Bitsight.

The Fujitsu Group is committed to continuously enhancing its security measures based on objective assessments provided through security rating services. Through these efforts, we aim to further strengthen stakeholder trust and contribute to positive business outcomes, including garnering deeper partnerships and expanding the customer base.

In addition to providing basic education on cyber-security and information management, we thoroughly disseminate the latest trends, as well as current status and lessons learned from response to incidents occurred at Fujitsu . We work to improve the skills of our professional personnel by issuing guidelines on system monitoring for system managers. Moreover, as incidents cannot be 100% prevented, we have shifted our approach from “efforts to prevent contingencies”, to “efforts based on the premise that contingencies will occur”, thereby strengthening our company-wide incident response capabilities.
As part of this effort, the Fujitsu Group conducts company-wide training for executives and employees every six months. Specifically, with the aim of responding quickly and minimizing the impact of incidents that have a social impact, we conduct incident drills in which executives and personnel from various departments participate. We also provide practical training scenarios for SEs and sales personnel who are involved in external business and internal operations. Insights gained from these training sessions are reflected as appropriate in the Incident Response Handbook & Guidelines described in the "Incident Response" section, and are shared across the Group. In addition, targeted e-mail drills are conducted on an ongoing basis to foster a security mindset among each employee.
* Number of training sessions conducted in FY2024: 1 time company-wide training sessions, 2 times targeted e-mail training session

In an effort to change employees’ mindsets and behavior regarding information security within the Fujitsu Group, the CISO and the CISO organization regularly disseminate information across the Fujitsu Group, and security measures are taken through security managers assigned to each department.
In 2023, the Fujitsu Group redefined the profile of its ideal security personnel and revised the Professional Certification System. In addition to clearly outlining the expected competencies of personnel contributing to security enhancement across the organization, we also launched training programs and aligned compensation schemes to reflect such professional expertise.
Through these initiatives, we are expanding skilled security personnel and reinforcing security frameworks across all departments.