Information Security
Policy
The world is facing more frequent and severe cyberattacks than ever before, which result in a wide range of damages. With advancements in technology that enable the discovery of internet-facing system, it has become easy for any attacker to identify vulnerabilities and launch attacks. Meanwhile, the threats and methods of attack—which we must now be prepared for—are becoming increasingly sophisticated, including exploitation of unknown vulnerabilities and attacks launched within days from public disclosure of vulnerability.
Given this environment, the Fujitsu Group conducts its activities based on Our Purpose which is to “make the world more sustainable by building trust in society through innovation.” Fujitsu works with many customers to create value for society. We recognize that if Fujitsu were to encounter a cyber incident, the impact would not be limited to our company alone but could extend to our customers and society as a whole. As such, cybersecurity is positioned as a critical management issue. From top executives to the field organization, the entire organization is united in addressing this challenge. To achieve our information security goals, we have established a “Company-Wide Security Risk Management Scheme.”
Approach to Security Management
Since 2021, Fujitsu has faced multiple significant security incidents. While field organization implemented responses, a number of internal issues surfaced, highlighting areas in need of attention. As we worked to address these challenges, we recognized the importance of establishing and continuously maintaining Fujitsu as an attack-resilient organization that is difficult for attackers to target. In this context, attack-resilient refers to making attackers believe that their attacks will be unlikely to succeed.
To make Fujitsu an attack-resilient company, we are focused on thoroughly eliminating security risks that could serve as entry points for external threats—particularly vulnerabilities in internet-facing assets. By doing so, we aim to create an environment where it is extremely difficult for attackers to identify points of entry. Even if such an entry point were discovered, the subsequent execution of an attack would remain highly challenging.
Security Risk Management as an Attack-Resilient Company
Fujitsu’s conventional approach to security risk management was rooted in standard risk management practices, with an emphasis on minimizing damages through post-incident response. As a result, potential risks that went unrecognized by field organization gradually enlarged, and the severity of those risks only became apparent after an incident had occurred.
In light of this, we believe it is necessary to proactively identify and materialize potential risks from attackers perspective, and to implement countermeasures in advance. This approach is essential to minimizing the impact of cyber threats. Given the increasingly short window between risk discovery and actual attacks in today’s threat landscape, it is imperative to adopt a management framework that enables early risk detection and swift response.
We assume various potential risk scenarios and a mechanism for making them materialize to exhaustively identify potential risks and select the field organization that should respond to them. During our response to risks, we analyze (difficulty of attack, etc.) and assess (probability of occurrence and extent of damage) the identified risks to determine response policies and priorities. For high-priority risks, the CISO (Chief Information Security Officer) organization under the direct supervision of the CISO, which oversees company-wide security controls, may directly instruct field organization on how to respond.

Scope of Security Measures
To support the realization of Our Purpose, Fujitsu is implementing security measures based on the assumption that cyber attackers may target not only Fujitsu itself but also our partners and SaaS offerings on our cloud infrastructure. These measures are designed to safeguard customer information across the entire supply chain, both domestically and internationally. Our efforts span cybersecurity for systems that deliver value to our customers (business systems) and those that support internal operations (corporate systems). In addition, we focus on robust information management to ensure proper handling and protection of data and extend our security initiatives to the products we provide as well as to partner companies that form part of our supply chain.

Company-wide Security Risk Management Scheme
Through its experience in responding to past incidents and analysis of their impact, Fujitsu has recognized that a security incident affecting even a single operational unit can have far-reaching consequences, which not only affect the company, but also customers and society at large. We have come to understand that strengthening capabilities of field organization to proactively materialize potential risks and respond swiftly requires active involvement from senior management. As such, Fujitsu has established a company-wide security risk management scheme that unites senior management, field organization, and the CISO in a coordinated effort to address cybersecurity as a core business issue.
Scheme Overview
This scheme is designed to enable company-wide implementation of security measures, involving senior management, field organization and the CISO, as visualizing risks and building a shared understanding of them are key to driving coordinated efforts across all organizational levels.
The CISO plays a pivotal role in communicating security risks to senior management and fostering a shared understanding between leadership and field organization. This alignment enables effective top-down governance (the outer loop) while encouraging bottom-up improvements (the inner loop). The CISO also defines policies and standards to guide autonomous improvement initiatives at the operational level. In cases where critical and time-sensitive vulnerabilities emerge, the organization exercises direct security oversight of field organization. Through these coordinated efforts, Fujitsu Group advances company-wide security via comprehensive and consistent initiatives across the organization.
The role of the senior management is to make decisions based on information on visualized risks. When risk mitigation measures are implemented at the operational level, field organization sometimes face competing demands—such as increasing business efficiency, reducing costs, and meeting customer expectations. These pressures can at times conflict with security measures and impact the speed of response to such security measures. To address this challenge, management makes decisions based on visualized risks and improves the environment that the field organization cannot resolve conflict or cannot implement the measures even if they want to.
At the operational level, field organization conduct their activities in accordance with company-wide policies and standards set by the CISO organization during normal time. In the event of a security incident due to materialized risk, provisional measures are taken within the respective departments, while formal responses are implemented in line with directions and guidance from the CISO organization. Additionally, teams proactively work to improve their own operations based on visualized risks.

-
Outer loop (dark blue arrow)
This loop enhances senior management involvement through visualization of security risks and empowers the CISO organization to drive effective risk governance.
-
Inner loop (light blue arrow)
The inner loop serves as an autonomous loop to promote self-driven risk assessment and risk response based on information of visualized risks.
<Company-Wide Security Risk Management in Accordance with the Scheme>
This scheme promotes company-wide security by fostering a shared understanding of risk status and the progress of security measures through two key meetings: the Risk Management and Compliance Committee, chaired by the CEO of the Fujitsu Group, and Regular Meetings on Quality and Security Measures, which includes the CEO, CRMO, CISO, CQO, and heads of each field organization. These meetings bridge communication between management, control, and operational layers of the organization.
For example, it was decided through these meetings that responsibility for implementing security measures would be included in the duties of field organization heads. In addition, departments that were slow to address critical vulnerabilities were identified for the CISO to step in as necessary to prompt the responsible department heads to take action through a top-down approach. This communication approach encourages department heads to not leave security matters solely to their staff, but to take an active leadership role in driving security improvements themselves.
The status of risks and the implementation of security measures are continuously monitored, enabling both management and operational layers to quantitatively assess the response of their respective departments. This monitoring fosters a sense of urgency and risk awareness when responses are delayed. In instances where the implementation of security measures is delayed or deemed insufficient, the CISO may intervene with direct oversight. This has reinforced accountability among operational-level managers, fostering a heightened awareness of their critical role in advancing security initiatives and ensuring more robust execution at the operational level.
Structure and Communication of Security Measures during Implementation
A governance framework has also been established to permeate the CISO organization’s policies, standards, and security measures at the operational level. Based on directives from the CISO organization, each of Fujitsu’s headquarters, under the authority of its organization head, has appointed three key roles including a System Security Manager, Information Manager, and PSIRT (Product Security Incident Response Team) Manager*1, to promote autonomous security practices within the field organization. The CISO organization engages in structured communication at both the head of Business Unit and security managers in the field organization by pairing head of Unit and persons in charge of initiatives in CISO organization.
Specifically, one-on-one discussions are conducted with each division head to convey the current realities facing Fujitsu, including specific incidents, as well as the actual risk landscape within their organization. These conversations aim to foster a shared sense of urgency and encourage division heads to actively engage in their division’s security response. Additionally, regular leadership meetings and subcommittees led by persons in charge of implementing security measures provide a forum for dialogue between the CISO organization’s initiative leaders and security managers in the field organization. Through these discussions, company-wide policies, standards, and security measures are effectively embedded into day-to-day operations. These efforts strengthen the leadership role of division heads in promoting security initiatives and ensure that responsible officers are executing them effectively at the field organization. For global operations, where alignment between corporate policy and local security requirements is essential, a regional CISO framework has been established to coordinate and oversee efforts by region.
*1: System Security Manager: Person responsible for overseeing the maintenance and management of information systems security.
Information Manager: Person responsible for overseeing information management and protection.
PSIRT Manager: Person responsible for overseeing the management of product related vulnerabilities.

<Policies/Standards>
Fujitsu has established a Risk Management Framework grounded in the global standards of NIST’s (*2) SP800-37 (*3), to define its approach to security risk management across the Group. This framework outlines a structured set of processes for identifying and systematically managing security risks related to both organizational operations and information systems. It institutionalizes regular risk management activities across all organizational units and embeds these practices as formal rules throughout the development and operational phases of information systems. By integrating these processes into business workflows, Fujitsu ensures widespread awareness and adoption of risk management practices across the Group.
In addition, the Fujitsu Group Standards for Information Security Measures have been formulated with reference to NIST’s CSF (*4), SP800-53 (*5), and ISO/IEC 27002 for standardized application across the Group. This standards consists of 165 management measures, which defines how each management measure should be applied based on the importance of the information systems involved. Materials such as manuals and guidelines are also available to support the effective company-wide implementation of these measures.
*2: NIST: National Institute of Standards and Technology
*3: SP800-37: NIST SP800-37 Rev.2 Risk Management Framework
*4: CSF: Cybersecurity Framework
*5: SP800-53: NIST SP800-53 Rev.5 Security and Privacy Controls for Information Systems and Organizations
Visualization of Security Risks
Fujitsu has developed various dashboards, such as the Risk Monitor and Information Management Dashboard, for the digital (mechanic) visualization of risks, including status of remaining vulnerability on information systems or improper information management.
The Risk Monitor provides a comprehensive view of each department at Fujitsu headquarters and Group companies and visualizes numerical values of risks. With regard to the risks detected through the above mentioned vulnerability scanning and other measures, the remaining number of corrective actions by severity level is displayed in a heatmap or graph, and it is possible to prioritize the most important risks.
The Information Management Dashboard is a digitized information management ledger that maintains inventory of confidential information, including names of administrators, storage locations and disclosure restrictions in digital form. The system checks for consistencies with the actual status of information management (e.g., audit logs for storage services) and alerts the management department if any deficiencies are detected, thereby enabling an immediate response.
These dashboards are utilized across the management, control, and operational layers, functioning both as governance tools for monitoring field organization and as practical tools for those departments to evaluate their performance and foster autonomous improvement efforts.
Cyber Security Measures
Fujitsu implements a multi-layered cybersecurity framework. As part of its preventative measures against unauthorized access, the company manages vulnerabilities based on IT asset management data across its systems. In addition, comprehensive monitoring is conducted to detect and respond swiftly in the event of a breach. To further mitigate risk, sensitive information is encrypted to ensure data protection, even in the unlikely event of information exfiltration.
Measures Linked to Centralized IT Asset Management
<Autonomous Risk Remediation Through Centralized and Visualized IT Asset Management>
To support our customers’ safe, secure, and sustainable business activities, we have centralized and visualized the IT asset management data of the IT systems (business systems) for our globally operating customers, as well as internal IT systems. This helps us promptly identify and remediate any security risks throughout the Fujitsu Group. We have been strengthening routine risk management, visualizing risk audits conducted by the CISO organization and their result, and promoting an appropriate understanding of the actual situation in each departments and their autonomous remediation.

<Vulnerability Detection and Remediation>
By establising vulnerability scanning process for systems directly accessible from the Internet using IT asset management information, each department that manages the system can autonomously conduct periodic scanning and implement remedial solutions triggered by vulnerability detection. Annual inspection using this process are conducted to ensure that vulnerability remediation practices are in place, and when high-risk vulnerabilities are detected, reliable solution will be implemented in a timely manner with the involvement of the CISO organization.
Even systems that are not directly accessible from the internet may be compromised through lateral movement originating from internet-facing systems, potentially resulting in broader impact. Annual inspection using this process are conducted to ensure that vulnerability remedial actions are in place, and when high-risk vulnerabilities are detected. Reliable solutions will be implemented in a timely manner with the involvement of the CISO organization.
This initiative has been rolled out across the entire Fujitsu Group, ensuring proactive management of vulnerabilities in managed assets. As a result, the number of new externally exposed vulnerabilities detected has significantly declined. In particular, detections of high-risk vulnerabilities, such as open ports, have been reduced to just a few cases.

<Utilization of Threat Intelligence and Attack Surface Management>
We are proactively utilizing threat intelligence to speed up the detection of, and response to, vulnerabilities in systems exposed to the Internet. Threat intelligence enables us to collect information in the early stage of an actual attack from an attacker’s perspective, such as information on global threat trends and vulnerabilities as well as vulnerability information in Fujitsu Group’s systems exposed to the Internet. The obtained threat intelligence allows impact analysis and prompt remedial action.
Moreover, in combination with vulnerability scanning of Internet-exposed systems based on IT asset management information, we also implement attack surface management, which monitors system vulnerabilities from an attacker’s perspective.
<Establishment of an Emergency Vulnerability Response Process>
It is essential to establish a system that enables swift response to vulnerabilities not only during emergencies but also in normal operations. As such, the following measures have been implemented in Japan: appointment of designated personnel authorized to make service suspension decisions and establishment of comprehensive procedures for emergency vulnerability response.
Today, cyberattacks targeting software vulnerabilities are launched in increasingly shorter intervals following their discovery, while the speed of such threats continues to accelerate. Given these circumstances, as Fujitsu prioritizes the protection of customer data and the delivery of stable services, we may proactively suspend services at our own discretion if a critical vulnerability arises. This action is taken only when rapid intervention, including service suspension, is essential to protect the information assets of both customers and the company. Such decisions are made with the belief that they not only mitigate security risks but also minimize potential business impacts.
Thorough Monitoring
The cyber security environment is constantly changing, and attack methods are becoming more complex and sophisticated. Under such circumstances, the Fujitsu Group takes a zero-trust approach, based on the concept that 100% prevention of intrusion by cyber-attack is impossible, to reinforce security monitoring.
We have established internal guidelines for security monitoring and conduct periodic system inspections to assess and visualize the current situation. We are also working to ensure a sound monitoring to enhance detection capabilities and enable timely response to cyber-attacks. Furthermore, we ensure that critical systems are thoroughly monitored through third-party inspections conducted by the CISO organization.
Protection of Important Information
At Fujitsu, it is our policy that activities involving the handling of confidential information, such as development and operations tied to customer contracts, are conducted using the Fujitsu Developers Platform. This approach aims to enhance information security and ensure system quality.
The Fujitsu Developers Platform is equipped with features that fundamentally improve information management. These include restricted sharing functions that prevent data mixing across multiple projects by limiting access to designated project members and enforced access deadlines to deter improper data retention after project completion. Additionally, it supports confidentiality-aware information management by issuing alerts when files labeled with sensitivity levels are stored in inappropriate folders. Furthermore, the platform monitors activities such as downloads to promptly detect and contain potential data leaks in the event of unauthorized access.
Encryption of critical information on the Fujitsu Developers Platform is mandatory. Any unencrypted data is flagged on dashboards to prompt remedial action. Through these measures, we safeguard valuable information assets across diverse business operations and support secure, reliable business continuity.
Response to Incidents
While proactive measures are in place to prevent security incidents, it is equally important to ensure a prompt response in the event an incident does occur, in order to minimize potential impacts. For this reason, we have preemptively established scheme and procedures based on the assumption that security incidents may occur during normal times. This allows us to quickly implement a series of procedures in the event of an incident, including escalation, response, recovery, and notification.
(1) Escalation
When a security incident is confirmed to have caused damage to the system managed by a department or to a personal terminal, the incident and the extent of the damage are assessed according to preestablished procedures, and immediate emergency measures to be carried out, while also escalating the incident to the appropriate level. After escalation, a specialized team will be assigned by the Security Control Organization to assist with incident response, allowing them to work together to resolve the incident.
(2) Incident response
The Security Control Organization and the department managing the affected system cooperate to prevent the spread of damage by shutting down the affected system and/or disabling specific functions. The cause of the incident is investigated and eradicated thereafter. ( e.g., application of patches).
(3) Recovery
After eradicating the cause of the incident, system and business-related data are restored to resume the system and business operations to a normal state.
(4) Notification
Incident details is shared and reported to fulfill our accountability to stakeholders, including public authorities, affected customers, and business partners.
The Incident Response Handbook & Guidelines, which defines the above procedures has been developed and deployed at Fujitsu Headquarters and Group companies in Japan. In addition, for international group companies, alignment is being carried out to accommodate country-specific requirements.

<Sophistication of Incident Response>
Responding to a security incident requires an accurate understanding of the event from a technical perspective through log analysis, malware analysis, disk forensics, and other methods. A quick and fitting response also requires determining an overall policy and collaborating with parties involved inside and outside the company.
At Fujitsu, technical experts and members who take the lead on the path to the solution work together to respond to security incidents, following several processes, including the escalation process.
We have been accumulating data on attacker’s tools, processes, and access methods and improving technical knowledge and skills of our response team members through continuous training. We also conduct reviews of the result of past incidents we have handled with our global Group companies to continuously improve our incident response capabilities, including upgrading our structure, rule and processes and accumulating know-how, to enable immediate responses and minimize the impact of incidents.
Risk Prevention in Our Products and Services
<xSIRT Regime>
To protect customers who use Fujitsu’s products and services, we centrally manage product configuration information, IT asset information, and threat intelligence information, which includes vulnerability information. In addition, to enable prompt and proactive response to risks arising from vulnerabilities in products and services, we have established an xSIRT (*6) regime by assigning PSIRT managers and System Security Managers, who are responsible for managing vulnerabilities in their departments.
*6: xSIRT: Security Incident Response Team
An organization or regime that handles incidents that affect products and services offered by Fujitsu.
<Process Formulation>
In order to estimate risks to products and services, and to promptly consider and execute countermeasures against vulnerabilities based on risks to products and services, we have established criteria and processes for addressing risks associated with vulnerabilities. In addition, we are continuously improving these processes based on statistical analysis and our past incident response results.
With these regime and processes in place, we ensure prompt remediation of vulnerabilities in order to shorten the vulnerability response time and resolve them in a timely manner, thereby preventing secondary damage to our customers and minimizing the impact on their business continuity.
As an example of the successful achievements of implementing this solution, at the time when a vulnerability-induced cyber attack occurred in the past, which caused significant damage and had an impact worldwide and resulted in a major risk warning from CISA (*7), Fujitsu has been able to avoid damage from information exploitation based on its prompt identification of the affected system and appropriate remedial action taken.
*7: CISA: The U.S. Cybersecurity and Infrastructure Security Agency

Information Management
Fujitsu and its Group companies in Japan implemented the Information Protection Management System in order to appropriately protect confidential information (including personal information) of the Group and third parties. We also apply a PDCA cycle that covers from the “(1) Roles & Responsibilities” to ”(7) Review”. In order to clarify information assets that must be protected, we establish appropriate management according to the status of our customers and suppliers, and take initiatives for protecting information. These steps are taken for the autonomous information protection activities (regulations by industry, business type, etc.) conducted by each division while unifying the classification of information on a global scale.
Furthermore, we utilize various support tools such as information management dashboards to support appropriate information management, while also making improvements as necessary to realize effective and secure operations. In addition, a number of internal departments have obtained ISMS certification.
The main activities of the Information Protection Management System are described below.

<Information Protection Management System>
(1) Roles & Responsibilities
Under the CEO, we are building a system to manage and protect confidential and personal information through a global network that is centered on the CISO and overseen by the CEO. We appoint information management staff for each department, clarify roles, and promote the appropriate handling of confidential and personal information.
(2) Policies & Regulations
In order to handle confidential and personal information appropriately, necessary rules (such as policies on information management, handling of third party confidential information and personal information management), procedures, and an annual activity plan have been formulated.
Policies and rules are updated on a regular basis, along with changes to the law.
(3) Training & Cultivation of Awareness
In order to improve the information security awareness and skills of each employee, we provide relevant information according to employees’ positions and roles. We also provide various training sessions and information in response to changes in the work environment, such as working from home.
Information management training (e-Learning) (*8) is provided at least once annually for all employees including executives. Information management training materials are also available to employees at any time.
*8: Number of participants in 2024: 37,234

(4) Self-Inspection
Inventory is conducted regularly to identify and classify and perform risk analysis on the information assets retained by each department.
(5) Incident Response
Scheme, escalation routes, procedures are being developed on a global basis to ensure that incidents are addressed appropriately in a timely manner.
(6) Audit
The Information Management and Audit Division confirms the status of information management in each division from a third-party perspective and provide instructions and suggestions for corrections and improvements.
(7) Review/Modification
The Information Protection Management System is reviewed and modified in consideration of external opinions, including audit results, incidents, and complaints, as well as legal revisions, and changes in the environment.

Protection of Personal Information

Fujitsu has established a global Personal Information Protection System to strengthen the protection of personal data. Under the leadership of the CISO organization and the Legal Division, we work with each region and Group company to comply with the laws and regulations of each country, including the GDPR (*9). In regard to the handling of personal information, we post and announce privacy policies on public websites in each country.
*9: GDPR: General Data Protection Regulation
A European regulation that was put into effect on May 25, 2018 and that requires companies, organizations, and groups to protect personal data. Includes rules on the transfer of personal data outside the European Economic Area (EEA) and the obligation to report within 72 hours of a data leakage at cybersecurity incidents
In Japan, with the objective of protecting personal information, Fujitsu Group obtained certification for the PrivacyMark (*10) by the Japan Information Processing and Development Center (JIPDEC) in August 2007 and we are continually working to strengthen our Personal Information Protection System. Group companies also obtain the PrivacyMark as necessary to ensure thorough management of personal information. The Information Management Promotion and Audit Division conducts third-party reviews of each division’s information management practices, providing guidance and recommendations for remedial actions and improvements as needed. Internal audits were conducted in all departments in FY2024.
*10: The PrivacyMark
The PrivacyMark is granted to businesses that handle personal information appropriately under a personal information protection management system that conforms to JIS Q 15001.
In FY2024, Fujitsu Customer Service Center Personal Information Protection Desk did not receive any consultations or complaints regarding customers’ privacy. No customer information was provided to government or administrative agencies in accordance with the Act on the Protection of Personal Information.
Acquisition of Information Security/ Information System Certification
Fujitsu Group is actively promoting the acquisition of third-party evaluation and certification in our information security efforts.
Initiative to Promote Autonomous Improvement at the Operational Level
Aligned with the Company-Wide Security Risk Management Scheme, we are driving initiatives that are primarily led by the control layer to enhance organizational resilience against cyberattacks as an attack-resilient company. However, if response efforts at the field organization level are initiated only upon receiving notifications or guidance from the control layer, there is a risk of lagging behind the speed at which attackers operate. To address this, it is imperative that each organizational unit proactively complies with security standards and independently executes timely countermeasures. This self-directed approach is essential to identifying and mitigating risks before they can be exploited.
Visualization of Organizational Maturity
<Maturity Monitor>
At Fujitsu, we digitally score factors such as the occurrence of vulnerabilities within organizations and the speed at which they are remediated, and visualize them as indicators of organizational maturity.
By visualizing the maturity level of each department at Fujitsu headquarters and Group companies on a monthly basis, we aim to foster a culture of autonomous implementation of specific solutions and remedial actions based on an understanding of current circumstances and gaps from targets.
Inspired by the C2M2 (*11), or Cybersecurity Capability Maturity Model, and SIM3 (*12), or Security Incident Management Maturity Model, both of which have been proven globally, our security maturity level evaluation indicators incorporate a unique method of scoring maturity mechanically from data taken from our security measures. The maturity levels are scored on six axes: governance, human security risk management, system security risk management, information asset risk management, incident detection and response capabilities, and organizational culture and mindset.
In addition to Fujitsu’s internal metering, we aim to strengthen our cybersecurity incident response capabilities by using external security rating services to continuously check Fujitsu’s security scoring, which is objective from a third-party perspective.
*11: C2M2:Cybersecurity Capability Maturity Model
*12: SIM3:Security Incident Management Maturity Model


Third-party Assessments
As a global provider of IT services, the Fujitsu Group places strong emphasis on the continuous implementation of security measures and maintaining accountability to stakeholders regarding the health of our security posture. As part of these efforts, we have adopted industry-recognized security rating services—SecurityScorecard and Bitsight—to enable objective, third-party assessments. These services provide risk evaluations from an attacker’s perspective and incorporate publicly disclosed security incidents to visualize overall security hygiene as a quantified score. Through proactive management based on these insights, we have successfully achieved and sustained advanced ratings across both SecurityScorecard and Bitsight.
SecurityScorecard: A Rating; Bitsight: Advanced Rating (As of May 2025)
The Fujitsu Group is committed to continuously enhancing its security measures based on objective assessments provided through security rating services. Through these efforts, we aim to further strengthen stakeholder trust and contribute to positive business outcomes, including garnering deeper partnerships and expanding the customer base.
Security-Related Human Resource Development
To foster greater autonomy at the field organization, we deliver security education and training that covers the latest threat landscape, as well as incorporates real-world lessons learned from recent incidents that have occurred within Fujitsu. Through these efforts, we are committed to developing a strong security mindset and strengthening the skills of all executives and employees.
<Security Education and Training>
In addition to providing basic education on cyber-security and information management, we thoroughly disseminate the latest trends, as well as current status and lessons learned from response to incidents occurred at Fujitsu . We work to improve the skills of our professional personnel by issuing guidelines on system monitoring for system managers. Moreover, as incidents cannot be 100% prevented, we have shifted our approach from “efforts to prevent contingencies”, to “efforts based on the premise that contingencies will occur”, thereby strengthening our company-wide incident response capabilities.
As part of this effort, the Fujitsu Group conducts company-wide training for executives and employees every six months. Specifically, with the aim of responding quickly and minimizing the impact of incidents that have a social impact, we conduct incident drills in which executives and personnel from various departments participate. We also provide practical training scenarios for SEs and sales personnel who are involved in external business and internal operations. Insights gained from these training sessions are reflected as appropriate in the Incident Response Handbook & Guidelines described in the "Incident Response" section, and are shared across the Group. In addition, targeted e-mail drills are conducted on an ongoing basis to foster a security mindset among each employee.
* Number of training sessions conducted in FY2024: 1 time company-wide training sessions, 2 times targeted e-mail training session
<Strengthening Information Security Structure and Human Resource Development>
In an effort to change employees’ mindsets and behavior regarding information security within the Fujitsu Group, the CISO and the CISO organization regularly disseminate information across the Fujitsu Group, and security measures are taken through security managers assigned to each department.
In 2023, the Fujitsu Group redefined the profile of its ideal security personnel and revised the Professional Certification System. In addition to clearly outlining the expected competencies of personnel contributing to security enhancement across the organization, we also launched training programs and aligned compensation schemes to reflect such professional expertise.
Through these initiatives, we are expanding skilled security personnel and reinforcing security frameworks across all departments.