20
11th Edition Fuji Xerox Information Security Report
11th Edition
Fuji Xerox
Information Security Report
2
Information Security at Fuji Xerox 3
Information Security Governance 4
Safety Proposal to Our Customers 7
Internal Information Security 11
Third Party Evaluations and Certifications 18
ContentsBasic Information
The objectives of Fuji Xerox in publishing this Information Security Report, and the time period and organizations covered by the report are as follows.
ObjectivesThe objectives of this report are to explain Fuji Xerox Co., Ltd.’s approach to information security to its stakeholders1) and to increase their trust in its business.The report includes information considered appropriate for disclosure to Fuji Xerox's stakeholders, inasmuch as it does not impede the effectiveness of information security.
Reporting PeriodThe report covers the period from April 1, 2018 to March 31, 2019.
1) In this report, "stakeholders" refers to customers, employees, partner companies, shareholders, local communities, and other concerned parties.
2) "Affiliates" are companies in which Fuji Xerox holds the majority of voting rights, either directly or indirectly.
For information relating to individual affiliates, please refer to the following:
Affiliates (Japan): http://www.fujixerox.com/eng/company/profile/
group-japan/
Affiliates (Worldwide): http://www.fujixerox.com/eng/company/profile/
group-worldwide/
Responsible Department and InquiriesInformation Security Center, CP&RM Department, Fuji Xerox Co., Ltd.9-7-3 Akasaka, Minato-ku, Tokyo, JAPAN1070052Tel: (Main)+81-3-6271-5145
Organizations CoveredThe organizations covered by the report (referred to by the expression "company-wide") are Fuji Xerox and its affiliates.2)
1. 0bjective of information securityThe objectives of this information security policy include the preservation of personal and confidential information, to ensure its confidentiality, integrity and availability to authorized parties.This policy relates specifically to the protection of assets, including reputation, intellectual property and sensitive data or information that is internal to the company, or received from customers and business partners.The policy intends to eliminate information security incidents which may result in unauthorized information tampering, disclosure, theft, or destruction, that could have a negative impact on Fuji Xerox and its customers and partners.Especially, Fuji Xerox executes control over information disclosed or entrusted to us by our stakeholders.We take appropriate measures to ensure it is protected with the same importance level as that of the information or asset, in order to avoid an information security incident.
2. 0peration of information securityInformation security is managed according to corporate policy, legal regulations and contractual obligations.Fuji Xerox promotes appropriate information security controls through enforcing, checking and improvement, and conducts risk assessment across its operation, to avoid risks and ensure the mitigation measures are being executed, as well as to get our staffs aware and prepared for it with training programs in place.
3. Response to information security incidentIn the event of any information security incident, we will take immediate action to minimize its impact and take necessary steps to prevent recurrence.
Fuji Xerox and its affiliated companies execute appropriate information security controls and will continually improve its information security management in order to safeguard information assets. Information security governance is a key part of our corporate culture, enabling Fuji Xerox to remain a trusted partner to its customers and business partners.
Information Security Policy Statement
3
President and Representative DirectorFuji Xerox Co., Ltd.April 2019
Koichi Tamai
Message from Top Management
Position of Information Security at Fuji XeroxSince our establishment, Fuji Xerox’s basic philosophy is to promote mutual understanding in customers’ communities and society through better communications. In this diversifying social environment, Fuji Xerox is now conducting business transformation under compliance management to become a company that is more reliable from our stakeholders.
In March 2018, Fuji Xerox announced Smart Work Innovation. Smart Work Innovation is a program that aims to solve issues that customer has through various technologies including Fuji Xerox’s unique Document AI technology, next-generation security technologies, IoT, and IoH1). The objectives of the activity include relieving people from various constraints such as “repetitive tasks” and establishing a mechanism of enabling more people to carry out jobs that require specialized knowledge. These efforts will improve productivity and, at the same time, helps to create a work environment where employees can exert their creativity.
In order to solve issues that customer has through Smart Work Innovation, customers need to be able to rest assured when using our products and services. Therefore, we must provide environments in which the personal information and confidential information of customers are always protected from threats of leakage, falsification, and unavailability. We regard information security as a very important management theme.
Information Security Measures Bolstering InnovationFuji Xerox is focusing on various information security measures in our internal information systems and our products and services.
Seeking a more powerful organization for reinforcing information security measures, we launched Information Security Center within Compliance and Risk Management Department (CP&RM Dept., hereafter). Information Security Center promotes a company-wide activity called Fuji Xerox CERT to respond to cybersecurity threats.
As for our products and services, we are working to comply with a new cybersecurity standard, NIST SP800-1712), to protect our customers from cybersecurity threats and to support their business continuity.
In ApeosPort-VII C / DocuCentre-VII C series, which are the flagship models of the Smart Work Innovation program, we will introduce TPM3) chips to protect the information assets of customers from security threats. We also support the elliptic curve cryptosystem, which is the next-generation encryption, to provide stronger security compared with the conventional RSA encryption, which had been used as a standard until now.
In the promotion of these information security measures, we use the integrated management system4) as a compliance management tool for continued improvement of our business processes.
Aiming to be a Company Offering Information SecurityWe are working on various measures based on the basic policy of information security. In addition to working on information security activities throughout the company, including in Japan and overseas, we will also promote measures in cooperation with partner companies, aiming to become a company that is trusted by customers and society.
It will be a pleasure if you read this report on the information security activities of Fuji Xerox.
1) IoT: Internet of Things, IoH: Internet of Humans2) NIST SP800-171: Standards for protecting managed non-rated information in systems and organizations outside the U.S. federal government3) TPM: Trusted Platform Module. This module provides stronger security by including and protecting the root encryption key in this chip.4) Integrated management system: A mechanism that provides the total control of the management of information security, quality, environment, industrial health and safety,
and other managerial tasks.
Information Security at Fuji Xerox
4
Information Security Governance
Fuji Xerox has undertaken a variety of information security efforts so that our customers feel secure when using our products and services. This section will introduce you our approach and governance system regarding information security.
Regulations
Guidelines
Manuals &Explanatory Materials
•Information security rules• Regulations on handling of
corporate information• Regulations on the management
personal information
• Information security incident response procedures
• Personal information protection handbook
Information security guidelines•Basics & conduct• Information systems•Customer contact operations
President
Chief Information Security Officer
Information Security Center,CP&RM Department
Cyber-Security Response Organization (Fuji Xerox CERT)
Dom
estic sales com
panies
Overseas sales
companies
Production and developm
ent affiliates
Dom
estic Sales
Overseas sales
Research, development
and production
Company-wide information security Divisional-level information security
Information & CommunicationSystems Department and FXIS
Affiliated com
panies
Fuji Xerox strives for a management (CSR management) that places importance in its responsibility towards the society. We believe risk management that offers organizational support against external threats and internal vulnerabilities is one very important management theme. Also, information security is positioned as a part of risk management and is applied to our various activities.The information security risk that Fuji Xerox perceives as the most
Fuji Xerox's Approach Regarding Information Security
serious is the leakage of personal information and confidential information entrusted to us by our customers. To enable our customers to feel secure in entrusting their information assets when using our solution services, we have setup an internal information security system, and are applying the PDCA cycle to our system in effort to eliminate information security incidents, and to maintain and improve our management.
Fuji Xerox has established company-wide information security rules, which incorporate a variety of perspectives, such as classification of information, regulatory compliance, and information ethics.More specifically, these rules are composed of regulations which define information security policies and universal rules, guidelines which define specific management measures, and manuals & explanatory materials.These regulations, guidelines and manuals & explanatory materials are reviewed regularly, and updated to reflect the latest conditions.
Information security-related rule system
Information Security Promotion System
In April 2018, we established Information Security Center in the CP&RM department to control and promote company-wide information security. This center promotes information security throughout the company by collaboration with our Cyber-Security
Response Organization in charge of handling cyber-attacks, the Information & Communication Systems Department in charge of IT governance, and Fuji Xerox Information System Co., Ltd. (FXIS) in charge of IT infrastructure development/operations.
5
Fuji Xerox offers products and services not only in Japan but also globally. In order to ensure that our customers are offered safe and secure services and products, it is essential that we are prepared for various security threats such as cyber-attacks that exist on the information network. Fuji Xerox has assembled an expert team to handle those threats on the information network.
Fuji Xerox has assembled an incident response organization (CSIRT1)) in 2015 for cyber-security as a company-wide activity. Operations began under the name of Fuji Xerox CERT. Fuji Xerox CERT is an expert team that collects information relating to cyber-attacks, and escalates it to the relevant department within the company, detects illegal intrusion to networks and systems by attackers, prevents damages from expanding when an intrusion has occurred, and preserves
evidence and implements countermeasures to prevent a recurrence of the attack.If an attack occurs, responses are implemented to minimize damages through quick action. Furthermore, this team is linked beyond organizational frameworks to foresee and detect cyber-attacks, to share information related vulnerabilities that could be maliciously attacked, and to prevent access to external servers related to the attack.
Management Level
Controlling Executives(Person in charge of risks and security)
Onsite Support
Product DevelopmentDepartment
Production Department
Research Department
Domestic SalesDepartment
Overseas SalesDepartment
Fuji Xerox CERTCorporate Support
Product Support
Overseas Affiliates Domestic AffiliatesOverseas Affiliates
Domestic SalesSubsidiaries
Domestic Affiliates
Internal IT Infrastructure Support Actions for production system
Fuji Xerox CERT Activity Structure
Fuji Xerox CERT is a cross-department virtual organization whose members have been collected from various departments in charge of products and services, the company internal IT infrastructure, production, and so forth. As shown in the figure on the right, Fuji Xerox CERT is working to ensure the safety of information security as a governance function of the head office, that implements cybersecurity measures at the company-wide level.
1) CSIRT: Acronym for Computer/Cyber-Security Response Team
Fuji Xerox CERT Organizational Structure
Without CSIRT With CSIRT
Having a cyber-security response team allows us to take quick action, thereby minimizing any damages.
ResponseBefore
ResponseAfter
Risk of further damage
Minimize damage
Invasion incident occurs Invasion incident occurs
Incident response (expand prevention/investigate cause/recover information)
Preparation of support structure in case of invasion incidents
Detect foreseen attacks (information collection/monitoring)
Incident response (expand prevention/investigate cause/recover information)
Response after incident
Detection of incident
Establishment of incident support system
Response after incident
Risk of delayingdiscovery due to insuff icientinformation
Risk of delaying response to incident due
to internal adjustments
Fuji Xerox's Activities in Cyber-Security
Response to Cyber-Security
6
Incidentresponsemanual
Create implementation plan
Explain plan, approve,and consent to related personnel
Schedule, adjust and secure venue
Create training scenario
Dry-run practice, create presumed Q&A
Implement training and review
Post-training questionnaire
Results report
Start
End
Receive contactof incident
Secondary damage (spread of damage)
Primary damage
Receive information ofsuggested causes
Class Content of Activities
Prevention
• Setup incident response system• Obtain and deploy vulnerability information, and threat
information• Support of vulnerability inspections, development of
examination skills, and management to respond to vulnerabilities
• Training (trainings to respond to incidents and handling of suspicious emails)
Detection
• Detection of abnormalities, such as malware infections• Invasion detection (organize detection environment and
response flow)• Detection of internal frauds (organize detection environment
and response flow)
Response After the Incident
• External security incident response contact window• Incident response support (preserve evidence, collaboration
with those related)• Accumulation of response examples and know-how, and
support to study measures to prevent any recurrences
Fuji Xerox CERT promotes the following activities. Partnership with external incidentresponse organizations
We mutually collaborate with cyber-security response organization in a variety of organizations to handle the risks of cyber-security that changes on a daily basis. This is necessary to share the latest information about threats and vulnerabilities, to exchange knowhow to handle incidents, and to improve the team's skill level.In order to accomplish this, Fuji Xerox CERT has become a member of the international cyber-security support teamcommunity known as FIRST1), and Nippon CSIRT Association2). This was to build a structure to cooperate with outside associations and actively become involved in the various working group activities that are administered by these communities to improve the safety of information security not only for our company, but for the overall network society.
1) FIRST: Acronym for Forum of Incident Response and Security Teams http://www.first.org/ Fuji Xerox joined the organization in June 2015. It is the 24th team from Japan.2) Nippon CSIRT Association : http://www.nca.gr.jp/ Fuji Xerox joined the organization in march 2014.
In the event of a cyber attack, it is necessary to respond quickly without leakage in accordance with the response procedures.Therefore, Fuji Xerox CERT regularly conduct training on cyber attacks (theoretical training) jointly with the operational departments, such as those related to services and products. And
Academic Training Implementation Procedures Training Scenario Template
it is working to improve the incident response manual used in the event of an actual incident through the implementation of training scenarios.Also, training scenarios are created, using training scenario templates to assume various types of attacks.
Incident Response Training (Academic training)
7
Safety Proposal to Our Customers
Against the backdrop of the advancement of the network, IoT, and digitalization, both of the importance of cyberspace in the customer business and the security threat to the information assets used in business are increasing. In response to increasing cybersecurity threats, in Europe and the United States, security requirements are being materialized and institutionalized, especially in the defense industries and critical infrastructure industries. A cyber-attack against a single company could spread to multiple companies. Therefore, it is important to protect not only one company but also the entire supply chain beyond each company.For example, the United States issued Executive Order 13636 of a cybersecurity framework in February 2013, in which, under the leadership of U.S. National Institute of Standards and Technology (NIST), security measures were classified into five categories: (1) Identify, (2) Defend, (3) Detect, (4) Respond, and (5) Recover. Until then, security measures had been implemented focusing on proactive measures related to (1) Identify and (2) Protect. With
the sophistication of cyber-attacks, however, there are increasing cases of silent intrusion, which makes it important to quickly (3) Detect and (4) Respond to intrusions and (5) Recover the system, from the standpoint of business continuity.With this in the background, the U.S. Department of Defense (DoD) made it mandatory for bidding companies and their supply chains to abide by the security requirements defined by NIST, SP800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), by December 31, 2017.Fuji Xerox aims to build a cloud-based environment through Smart Work Innovation, where people can concentrate more on innovative works. To achieve this, security that is stronger than ever is indispensable.Fuji Xerox will provide increased value in solutions and services leveraging the next-generation security technologies that we learned through our experience of offering products. Thus, Fuji Xerox will work toward the realization of Security 5.0 by providing products that enable customers to continue their business.
Countermeasures against security threats in cyberspace
2020-
2019 New procurement criteria of Ministry
of Defense (equivalent to SP800-171)
Realization of Smart Work Innovation Society 5.0
Safe and secure use of data (realization of trustworthiness)
Innovation of digital technology that promotes the use of data
Policies and laws related to security
Revised Basic Act on Cybersecurity Cyber-physical framework Launch of the Cybersecurity Council Revised Unfair Competition Prevention Act2018
Act on Strengthening Industrial Competitiveness "System for authorizing industrial data sharing" GDPR(EU General Data Protection Regulation, enforced in May 2018) NIST SP800-171(U.S., enforced in January 2018)
2016-17 Basic Act on the Advancement of Public and Private Sector Data Utilization (December 2016) Revised Act on the Protection of Personal Information (Fully enforced in May 2017)
2014-15 Basic Act on Cybersecurity U.S. SP800 series
8
HardwareOur products have the functions of preventing unauthorized installation by code signing and the function of protecting software from unauthorized modification. These functions prevent the installation of unauthorized software and add-on applications that may falsify or corrupt the software of multifunction peripherals.
NetworkCommunication data exchanged between clients/servers and multifunction peripherals on the network can be protected by a strong encryption method that satisfies the encryption criteria of government procurement.
Data (document)Data (documents) stored temporarily or permanently in HDD, SDD, or other storage media of multifunction peripherals are protected by the function of encrypting them when stored and the function of erasing data by overwriting.
Operation (people)By enabling user authentication during mFP operations, it becomes possible to provide identity management of users and access privileges for individual users.
In order to reduce careless mistakes of administrators and end users, we provide functions of warning for global IP address setting, that for reducing mistaken fax transmission such as restriction on fax transmission destinations (restricted to those registered in the address book) and retyping of the destination address.There are functions for protecting administrator functions such as presenting a warning if the administrator password has not been changed from the initial password and locking the account in the event of repeated login failures.Activities of shutting down, starting, and changing the setting of a multifunction peripheral are recorded in the audit log, which can be used for tracking fraudulent activities.
Obtaining ISO/IEC 15408 certificationIn order to ensure reliable security, Fuji Xerox multifunction peripherals have obtained the certification of an international standard (ISO/IEC15408 Common Criteria) that defines the design and operation of information technology security. https://www.fujixerox.co.jp/product/multifunction/promotion/security_measure/isoiec.htmlhttps://www.fujixerox.co.jp/product/multifunction/promotion/security_measure/isoiec.html
Multifunction peripherals are information devices that output data (documents)—important information assets of our customers—and input paper documents. Japan Network Security Association (JNSA) listed numbers of incidents of information leakage from different media types in the investigation report on information security incidents of 2017. According to the report, information leakage from electronic media increased sharply from 24% of 2014 to 61% of 2017. On the other hand, information leakage from paper media still accounts for 39% of the total. While information security measures for electronic media (cyber media) is advancing with the development of ICT, we must also implement measures for paper media (physical media) to eliminate the security threats on data (documents), which is important information assets of our customers.Fuji Xerox has been responding to security issues of customers by enhancing security functions for protecting customers’ data (documents), receiving IT security evaluations, and obtaining certification of the certification system (JISEC).
Data security provided by Fuji Xerox
Until nowFuji Xerox has provided products that have obtained the certification of international standard ISO/IEC 15408 to support customers in data protection.
From now onFuji Xerox will provide products and services that conform to the new cybersecurity standard (NIST SP800-171) to avoid increasing cybersecurity risks.
Operation (people)
Data (document)
Network
Hardware Prevention of the falsification and corruption of
the multifunction peripheral software Reinforced management of root encryption keys using TPM chips
Strengthened confidentiality of data (support NIST FIPS140-2)
Enhancement of the audit log for intruders' activities Reinforcement of user management in accordance with the security
operation rule Provision of multi-factor authentication function
Support SMB3.0 Disabling TLS1.0/1.1 at the time of shipment
Prevention of the wiretapping and falsification of communication data
Protection of the data stored in multifunction peripherals
Prevention of fraudulent operation by unauthorized users Protection from unauthorized access to administrative functions Control of information leakage through careless mistakes Prevention of the falsification and unauthorized deletion of the audit log
9
Security requirements for business activities are increasingly sophisticated and complicated on the global level. Security measures have now become the most important issue in the utilization of IT for businesses.Fuji Xerox is extracting and analyzing various security issues and needs.In order to realize the value of Smart Work Innovation, as a new security measure in the cloud age, we will flexibly support various connection configurations such as internet connections, mobile communications and IoT devices. Thus, we will continue to extend the next-generation security services that are excellently reliable and stable.Fuji Xerox will support new cybersecurity standard NIST SP800-171 for our products and services. With this and other efforts, Fuji Xerox will not only provide products and services that are well accepted by our customers but also products that satisfy the high-security requirements that our customers are requested by their customers. Especially, we will contribute to the construction of safe and secure data environments for entire supply chains of our customers that handle important data.
Future effort
Office/Human
1 Smart Work Intelligence
2 Smart Work Security
3 Smart Work Gateway
Document AI
Next-generation security
IoH
Intelligent Portal
Technology
Cyber
Network
Physical
Smart Work IoHSmart Work MPS4 Smart Work IoH5
Smart Work Innovation
(1) Multifunction peripherals (MFP)
(2) Network security (beat)
Systematization of knowledge
Extraction of information
10
Overview of beat
Main security functions
Fuji Xerox implements various information security measures also for its services to allow the customers to use services at ease.In 2002, Fuji Xerox started the beat service (secure network outsourcing service that can be used at ease, simply, and conveniently) with the basic philosophy of providing budget-friendly IT outsourcing and support services that are highly secure in the broadband era.With this "beat", small and mid-sized businesses can minimize IT investment risks and can build the newest broadband network environment that suits their operations with strong support as if they have dedicated system administrators.
beat: Broadband Extensible and Attractive Technology
Office
Secure communication
24 hours a day 365 days monitored
Alerting
Operator support on the phone
Automatic update of software
Detection and shut-offbeat-box beat-noc
beat contact center
Threats from the Internet
(beat network operation center)
Firewall Virus/spyware countermeasures (POP3, SMTP, HTTP, FTP) Nuisance email filtering function IPS (Intrusion Prevention System) / Restriction on the use of communication application Self-monitoring and notification to noc Contents filter (optional)
Connection failure between beat-box and beat-noc Internet connection failure of beat-box beat-box hardware failure Usage rate of the HDD system area of beat-box Reception of virus detection alerts Reception of serious update/modification errors
Help desk (questions on how to use machines) Identification of fault cause and arrangement of repair service On-site maintenance by the service network of Fuji Xerox
New procurement criteria of Ministry of Defense (equivalent to SP800-171)
Shuts off access from WAN to LAN.
Firewall
Monitors unauthorized access, and blocks it if detected.
IPS (Intrusion Prevention System)
Checks sent/received emails for viruses, and blocks suspicious emails.
Anti-virus
Filters received unsolicited emails and puts tags on them.
Countermeasures to unsolicited emails
Security measures to protect customers’ network environment
11
This section introduces information security measures conducted within our company, efforts that we will continue to make, efforts of our overseas sales companies, efforts for Individual Number collections, and examples of collaboration with our partner companies.
Internal Information Security
Based on our approach to information management, we at Fuji Xerox are implementing a variety of information security measures, from personnel and organizational, physical and technical perspectives. We are dedicated to the appropriate protection and management of information assets.
Main Continuing Information Security Measures
Three Facets of Information Security Measures
ID CARD
123456
富士 太郎Taro Fuji
Personnel and organizational measures
OO Establishment of information security-related regulations and guidelinesOO Utilization of handbooks which provide explanations of rules, and instructional videos regarding actual incidents
OO Information security governance by key persons elected from individual companies and divisionsOO Regular training sessions on information security and personal information protectionOO Thorough enforcement of prompt reporting (first report) of information security incidents on the day of detection
OO Conducting cyber-security training
Physical measures
OO Establishment of zoning, i.e., division of important areasOO Securing of computers by cable lockOO Connection of straps to mobile phones and USB drivesOO Measures for strict security areas (zone setting, monitoring cameras, and prohibition of bringing personal devices and random inspection)
OO Locking control and key control for confidential document cabinets
Technical measures
OO Access control to servers and systems on a user-by-user basisOO Collection and management of the log of computer operations by employees
OO Controlling of writing to unregistered devices such as personally-owned devices, and log management
OO Monitoring of Internet communications (web access, e-mail transmission)
OO Encryption of all PCs that are carried outside the companyOO Monitoring of appropriate software usage and avoiding use of prohibited software via computer management tools
OO Filtering of web access to prohibited-category sites and malicious sitesOO Secure access card authentication for document (paper) printingOO Embedding of copy prevention codes in printed confidential documentsOO Monitoring and shut-off of fraudulent communication
Controlling of writing to unregistered devices
Writing prohibited
UnregisteredUSB drive
12
Information security activities began in mid-2006 for the Asia Pacific Operations (APO), which oversees sales companies in the Asia Pacific and China region. All the sales companies under the group participate in the activities.
Information Security at Asia Pacific Operations Group
Information security in APO sales companiesWith today’s high technology environment, organization has changed how we conduct the business and we have become even more dependent on Information System. Whist the technology has had a positive impact for all of us; the technology also creates significate challenges. APO continues to work with Fuji Xerox headquarters to enrich information.
Information Security Management System (ISMS)In FY 2015, APO took up the management direction of implementing ISMS across the whole corporate business operation. It’s a strategic decision by the APO Senior Management to change the future of Fuji Xerox and strive towards the goal of solution and service business.The business operations were able to identify and improve on the existing process while the entire management system is established. Also, APO reviewed the conventional business processes and obtained certification in FY 2016.A comprehensive Information Security risk management program was established throughout the organization. The business operations were able to identify and improve on the existing process while the entire management system is established. APO expects the entire business operation will be certified by Q3 FY 2016.
Information Security incidents reportingInformation security incidents are not completely avoidable.Overseas affiliate companies are required to report security incidents to Fuji Xerox headquarters.Information security incidents are reported into the web-based reporting system hosted in Fuji Xerox headquarters. This system gives the security team a detailed picture of the security situation over time. Incidents were reviewed, grouped, and reported to APO Senior management. It also aids us to plan and improve our security practices and developed better awareness training.
Information Security awareness & trainingEmployees are the best defense in Information Security and they are also the weakest link. To strengthen Fuji Xerox defense, APO continues to develop various awareness activities.Information Security training plays a major role in the program. The content was developed to meet the current security threats and requirements. The training maturity roadmap has been developed and implemented roles based training to enhance the security effectiveness. Competency checkpoints are developed and ensured all employees completed the training as per the schedule. Awareness activities continued with the Information Security Newsletter on latest security threats and
Management and Initiatives in Asia Pacific Region
countermeasures, security posters, leaflet and stickers. Half yearly phishing awareness exercise has been introduced to enhance employee acquaintance and response measures. The activities are reviewed by the APO Senior management for reporting, directions and further improvements.
Cyber Security assessmentCyber-attacks could lead to a serious incident and is the biggest concern today. Thus, we evaluated the impact of cyber-attacks.APO performed a current state assessment to measure the sufficiency and effectiveness of security controls in place by performing; network security architecture, Information System security configuration review, advance persistent threat analysis and penetration testing of our networks and internet gateway.APO is now working with Fuji Xerox headquarters to develop cybersecurity strategy plan and implementation roadmap to mitigate and strengthen from cyber risk.
Information security assessmentAPO enhanced the self-assessment activity for information security from FY 2015. The revised program covers all relevant component to ensure an effective framework is established to review Information Management and governance and operation. The results continues as part of the PDCA (Plan-Do-Check-Act) improvement principles to better plan and manage security programs.APO has initiated a process to strengthen the information security risk assessment and annual audit for vendors. A vulnerability assessment process has been implemented for the entire APO information systems to ensure systems compliance with the internal standards and requirements set forth in the policy.
Personal Data ProtectionOver the last few years, countries has been establishing new regulation or revising its existing personal data protection across the Asia Pacific region. This has prompted APO to review its existing policies and legal compliance.As Fuji Xerox Singapore and APO HQ are based in Singapore, the PDPA (Personal Data Protection Act) of Singapore affects its operations. APO Information Management Department has established monitoring process and ensure compliance with the act. While working with other APO departments on the requirements and implementing audit, APO continues to ensure compliance with the act.As required in the PDPA, a Data Protection Officer is appointed. Relevant policies and procedures for complaints handling and compliance checks are built, developed and kept up-to-date.
13
Fuji Xerox conducts all business activities by the support of various partner companies (outsourcing companies for operations) such as with product development, provision of solutions and services, and mission-critical tasks inside the company. We strive to deliver security and peace of mind to our customers as part of our quality by maintaining information security through close coordination with partner companies because valuable information entrusted to us by our customers may be handled by our partner companies depending on the operational contents. Also, when our partner company sub-contracts the outsourcing work to a different company, activities are implemented in consideration that the range of management by Fuji Xerox is to include the subcontractor.
Fuji Xerox has prepared and been practicing a guideline to be followed when providing important information of a customer or Fuji Xerox itself to a partner company. Triggered by an incident of massive personal information leakage in other company, we investigated the security status of business activities that consign important information outside the group.
Company-wide Initiatives
When we outsource works, we ask our partner company to respond to the survey sheet that corresponds to the outsourced work. The survey sheet included in the guideline consists of questions on security status from the perspective of
Examples of Initiatives
Obtaining Written Pledges from Outsourcing Operators of Partner Companies
Fuji Xerox obtains pledges for appropriate use of information assets and equipment from contract employees, temporary employees, and employees of partner companies. The pledges aim to maintain thorough security throughout the entire company and the specific goals are outlined on the right column.
1. Prevention of information leakage by putting in place nondisclosure agreements
2. Appropriate use of resources of the Fuji Xerox such as facilities and equipment
3. Preservation of our assets including information assets4. Thorough enforcement of entry/exit control rules at Fuji Xerox business
facilities5. Appropriate use of internal networks and internal information systems6. Lending of ID cards
Scope of Fuji Xerox's Control
Fuji Xerox Contractor SubcontractorCustomer
Information Security Coordinated with Partner Companies
As a result, through a joint task of the department in charge of security and the procurement department, we streamlined and reinforced the governance of the selection process of partner companies that are appropriate for individual projects, and updated the guideline so that the process of investigation and improvement request is correctly carried out.
“organizational safety control measures”, “personnel safety control measures”, “physical safety control measures”, and “technical safety control measures”. The results are accumulated under the corporate central management.
(1) Partner company selection
(2) Contract negotiations
(3) Arrangements prior to commencing outsourced work
(4) Outsourced work execution
(5) Outsourced work completion
Audit Results Report
Audit Plan
Information securitysurvey sheet
Partner Company Evaluation Database
Information Security Survey Sheet
Process for improving management and supervision of our partner companies
14
Today, PCs are indispensable tools for business operations. PC security measures are becoming increasingly important every year from the perspective of protecting the information handled by PCs from the various security threats surrounding the PCs, and protecting the continuity of operations using PCs and company credibility and compliance.Fuji Xerox has endeavored to strengthen the security of PCs that are used in the business of the company in general.For example, we conducted a company-wide ISMS activity that educates and enlightens employees about security. As PC security technical measures, we implemented the automatic update of anti-malware software and the automatic application of security patches, as well as connection control on external storage media, which may lead to an information leakage.In the company network environment to which PCs are connected, we practice security measures such as connection restriction on unauthorized PCs, malware inspection on sent/received emails, and the restriction of access to fraudulent websites.In order to prevent the loss and theft of PCs taken out from the office, we encrypt the entire data of each PC. By using remote access and cloud services, we have built a dataless PC environment that does not store data in the PC as much as possible, and we are using the environment that can work safely anytime, anywhere.
Microsoft Windows 7 OS, which is used for Fuji Xerox standard PCs, will no longer be supported in January 2020, so we are moving to windows 10 OS throughout the company.As a practice of Smart Work Innovation, by combining the various features installed in the Windows 10 OS with the Microsoft Office 365 cloud environment that has already been introduced globally throughout the company, Fuji Xerox will expand the dataless structure that were previously implemented on mobile PCs which can be taken out to outside the office. By applying it to PCs for internal use, we are working to build a PC environment that enables us to operate with a single PC anywhere inside and outside the office.
Reform through the use of PCs Reinforcement and management of PC security
Security reinforcement through the introduction of Windows 10 PCs
The Internet
Intranet Central management
Monitoring and automatic delivery
from the center
Cloud Service�
Data-less
Office, etc.
OS patches/DAT
Access control
Encryption of PC
Firewall
Data-lessInternal systems
We must raise the level of PC security than ever in order to realize an environment in which employees can use the same PC for their work everywhere inside and outside the office.Therefore, we are implementing various measures to raise the security level for new PCs.OO Firewall function in each PCOO Migration to new anti-malware software that also combats unknown malware
OO Monitoring of fraud behaviors by collecting the PC operation log
OO Implementation of an information-leakage-prevention mechanism for each file
We also practice the following security measures in a centralized manner to relieve the employees from the labor and risks of managing PCs and to raise the level of information security level.OO Vulnerability response such as applying security patches and updating security programs
OO Partial restriction of user PC operationOO Reinforcement of PC management tools
15
Organization for promoting personal information protection
Fuji Xerox integrates the promotion of personal information protection with the domestic ISMS (ISO/IEC 27001) promotion system.For example, items related to personal information protection are included in the check sheet used for annual self-checks and internal audits. The check sheet is reviewed every year to add new elements.
Maintenance of internal regulations
Fuji Xerox establishes and issues guidelines in addition to the basic rules on personal data protection as listed below, to disseminate necessary knowledge to employees.
OO Regulations on the Control of Personal InformationOO Specific personal information management regulations (Management rule of the social security and tax number)
OO Information security guideline —Information system edition: Defines high security requirements on the system that handles the social security and tax number etc.
OO Personal information protection handbook: Booklet for all employees that provides plain explanations on Personal Information Protection Law using many figures
OO Manual for handling queries on personal information: Describes the procedure of responding to queries and requests from individuals.
OO Guideline of personal information handling in fairs, seminars, and exhibitions
OO Guideline of personal information handling in human resource functions
We categorize personal information into three levels of confidentiality to focus on important aspects in the management of the information.
Ledger system for personal information databases
Fuji Xerox has built its own web system for the proper ledger management of personal information databases, and the system is used by all affiliate companies in Japan.The system has following functions to keep the registered information up to date: The function that handles the transfer and retirement of the person in charge or the management representative, and the function of sending an email that reminds the operator to check the personal information that has not been updated over a year.
Efforts for personal information protection
Management of consignees of personal information handling
When we consign the handling of personal information to a partner company, we conduct an objective evaluation of the level of personal information protection and information security of the partner company based on our own investigation sheet. Especially, our rule stipulates that personal information provided by a customer be consigned to a partner company of the highest evaluation. (For details, see “Information Security Coordinated with Partner Companies” on page 13.)
Response to GDPR
In order to comply with General Data Protection Regulation (GDPR) enforced in EU in May 2018, Fuji Xerox conducted data mapping (inventory of the personal information of people living in EU) in Fuji Xerox and all subsidiaries. As a result, we found that we basically do not have personal information subject to the regulation because our markets are in the Asia Pacific and Oceania regions.Nevertheless, we started to implement necessary measures due to the recent increase of requests for GDPR compliance of Fuji Xerox services from customers operating globally.Because Fuji Xerox has developed a cloud service that interacts with printers and indirectly offers it in Europe, Fuji Xerox improved the GDPR compliance of the service according to an assessment from an established European institution on the service and multifunction peripherals.
Activities for global compliance
Under the influence of the GDPR, the development of new personal information protection legislation is in progress in countries around the world.To cater to this trend, Fuji Xerox watches legislations related to personal information protection and cyber security in countries around the world, collaborates with APO and local subsidiaries to comply with the legislations.
16
New project (service not in operation yet) Existing project (service in operation)
Purpose - Prevention of information security incidents
- Maintenance and improvement of the quality of the service being provided
- Reduction of security risks- Prevention of the recurrence of incidents
Activities
- Sharing and consolidation of know-how items learned from past cases and practiced by individual departments
- Preparation and sharing of the “Standard Risk Management Item Table”
- Maintenance and improvement of operation quality by regular auditing and security measures
- Daily effort of maintaining and improving service quality
Fuji Xerox conducts an activity of preventing security incidents for the Business Process Outsourcing Service (BPO service) in order to protect customer information from leakage risks and allow customers to use the service at rest.
Promotion of a company-wide quality assurance project
Launch of the project
Fuji Xerox and affiliate companies launched a project for reducing the risks of incidents, involving the departments that provide the BPO service. We share risk reduction know-how as well as near-miss experiences and their recurrence prevention measures that different departments have accumulated individually so far, in order to provide for common risks and prevent them from materializing.
Prior assessment of projects
Before providing a service to the customer, related departments assess the project individually. We consolidated risk items that each department had assessed, and standardized them as the “Standard Risk Management Item Table”. With this table, we assess projects from various common viewpoints such as business volume, quality and quantity of resources for required skills, schedule, contract, proposed values, and organization. One of these items is security. In this item, we assess the strength of security with many sub-items including the review of rules for personal information and confidential information,
implementation of training and audit sessions, response to vulnerability, security evaluation of consignees, entrance/exit authentication, access rights, and disposal management.We use this “Standard Risk Management Item Table” in project assessments, and any findings in assessments are reflected to the table. We endeavor to provide customers with securer services by preventing incidents and reducing risks.
Reinforcement of audits
For high-risk projects, multiple organizations conduct audits of existing and new projects to prevent new incidents or the recurrence of experienced incidents. This activity reduces security risks through findings from multiple viewpoints of different audits. After an audit, we continuously watch for improvement activities and confirm our actions for issues pointed out.We do the same also for overseas BPO services with consideration on personal information laws and security regulations in each countries. At the same time, we are fostering human resources that are able to identify and reduce information security risks.
Activities of quality assurance project
Contract/Construction
Construction/PreparationQuotation/Proposal
Contact Judgment on start of operation
Operation/Maintenance
Operation and maintenance
17
Raising Awareness of Policy Deployment and Measures
For the thorough enforcement of information security measures, we hold risk management communication meetings involving responsible people in domestic departments and affiliates. In the meeting, we share information on the latest incidents, preventive measures for similar incidents, and ways of escalation in the event of an incident.In 2017, we held a risk management council in Japan, in which all risk managers of overseas sales affiliates participated. We are strengthening coordination by exchanging information on risks including those of information security, as we do in Japan.
Countermeasures for human errors
Email is a very important tool of communication with customer. However, email also has increasing risks such as mistaken sending and wrong attachments due to the increased frequency of use.Fuji Xerox employs the following measures for the prevention of mistaken email sending.OO Use of an add-in for reducing mistaken sending of emailsOO Active use of file transfer servicesOO Employee trainingOO Use of the function that temporarily suspends file attached emails
Countermeasures for internal frauds
Fuji Xerox monitors and investigates email logs and IT logs in order to prevent the leakage of company information caused by cyber-attacks and to detect and prevent fraudulent/improper retrieval of company information.OO Monitoring and investigation of violations of internal policies such as improper information retrieval
OO Monitoring and investigation of employees who will retire in near future
OO Identifying suspicious incidents from all emails, communication logs, and operation logs by the log management system, and monitoring and investigating most suspicious incidents selected through human evaluation
2019 Information Security PlanOur goal in FY2019 is to continue our activity to achieve both the enhancement of information security governance and improve productivity and plan to implement the following activities.
At the Risk Management Council Conducted in Japan
Other Efforts in 2017, and 2018
Information security activities
OO We will drastically reduce incidents/accidents caused by internal factors and thoroughly prevent recurrence.
OO We will manage risks focusing on those that may obstruct our continued growth, and reinforce proactive risk management.
OO We will promote handling of issues by building an emergency support organization for information security, while quickly responding to incidents when they occur and adopting measures to increase the ability to detect attacks.
OO We will promote training, enlightenment, and inspection in a structured way to properly manage personal information so that we can maintain our global compliance.
OO We will also move further forward with measures to prevent the information leakage from employees and outsourcing companies, caused by internal frauds and human error.
OO We will promote strengthening of security governance and quick escalation in overseas affiliate companies.
18
Organization Name Scope of Registration Cert. No.
Fuji XeroxCo., Ltd.
Headquarters, Research/ Development/ Manufacturing, Sales offices
- Copying machines, printers, facsimiles, scanners, and multifunction peripherals of them; production printers, publisher systems, and their accessory devices (automatic document feeders, sorters, staplers, finishers, stampers, etc.); research, technology, design, development, manufacturing, sales, and maintenance of image materials (developers, photoreceptors); and manufacturing and sales of medical devices and their parts
- Commissioned software development related to document service software products, ICT services, document outsourcing services, and system solution projects; and solution marketing, design, construction, and operation of consulting services, design/construction services, and operation/maintenance services
- Commissioned development, maintenance, and operation of business solutions and network/security solutions; and design, migration, and operation of ICT services
- Training of executives, managers, and employees; and operation, commissioned administration, and consultation of education and training facilities”
- Fuji Xerox brand PPC paper used for multifunction peripherals, copying machines, facsimiles, printers, etc., and electronic trading at e-commerce site “eQix” for office machine tools, office furniture, and stationery
- Marketing, design, construction, and operation of documentation outsourcing services including printing, copying, scanning, administration of multifunction peripherals, writing of manuals and other documents
- Administration services related to contract, billing, and bill collecting associated with sales, call center services, finance services related to accounting, and sales back-office services
- Wholesale of laser printers, multifunction peripherals, and their accessories (optional items), and cartridges (toner, dram, etc.) for offices
- Design, development, operation, and maintenance of public and private BPO (Business Process Outsourcing) services and system solutions
IC03J0033
DomesticSalesNetwork
Fuji Xerox Hokkaido Co., Ltd., Fuji Xerox Iwate Co., Ltd., Fuji Xerox Miyagi Co., Ltd., Fuji Xerox Fukushima Co., Ltd.
Fuji Xerox Niigata Co., Ltd., Fuji Xerox Gunma Co., Ltd., Fuji Xerox Saitama Co., Ltd., Fuji Xerox Ibaragi Co., Ltd., Fuji Xerox Tochigi Co., Ltd., Fuji Xerox Nagano Co., Ltd., Fuji Xerox Chiba Co., Ltd.
Fuji Xerox Kanagawa Co., Ltd., Fuji Xerox Tokyo Co., Ltd., Fuji Xerox Tama Co., Ltd.
Fuji Xerox Hokuriku Co., Ltd., Fuji Xerox Shizuoka Co., Ltd., Fuji Xerox Aichi Co., Ltd., Fuji Xerox Aichi-Higashi Co., Ltd., Fuji Xerox Mie Co., Ltd., Fuji Xerox Gifu Co., Ltd.
Fuji Xerox Kyoto Co., Ltd., Fuji Xerox Osaka Co., Ltd., Fuji Xerox Hyogo Co., Ltd., Fuji Xerox Shikoku Co., Ltd., Fuji Xerox Okayama Co., Ltd., Fuji Xerox Hiroshima Co., Ltd., Fuji Xerox Yamaguchi Co., Ltd., Fuji Xerox Fukuoka Co., Ltd., Fuji Xerox Kumamoto Co., Ltd., Fuji Xerox Nagasaki Co., Ltd., Fuji Xerox Kagoshima Co., Ltd.
AffiliatedCompanies(Japan)
Fuji Xerox Information Systems Co., Ltd.
Fuji Xerox System Service Co., Ltd.
Fuji Xerox Learning Institute Inc.
Fuji Xerox Printing Systems Co., Ltd.
Fuji Xerox InterField Co., Ltd
Fuji Xerox Manufacturing Co., Ltd.
Fuji Xerox Service Creative Co., Ltd.
Fuji Xerox Service Link Co., Ltd.
Affiliatedoverseascompanies
Fuji Xerox Hai Phong Co., Ltd.
Fuji Xerox of Shanghai Limited. (China)All work related to the design and manufacture of printers, multifunction devices, consumables and parts
32968-2010-AIS- RGC-UKAS
Fuji Xerox of Shenzhen Ltd. (China)
Work related to the design and manufacture of laser printers, multifunction devices, multifunction devices (copy, facsimile, printer), laser scanners, related parts and consumables
139524-2013-AIS- RGC-UKAS
Fuji Xerox Eco-Manufacturing (Suzhou) Co., Ltd. (China) New CRU production and reuse/recycling business78839-2010-AIS- RGC-UKAS
Fuji Xerox Eco-Manufacturing Co., Ltd (Thailand)Separation, assembly, re-manufacturing, readjustment, refurbishment, etc. of printers, copying machine parts, and copying machines
IS693668
Fuji Xerox Business Force (Australia)* 100% owned subsidiary of Fuji Xerox Document Management Solutions (Australia) which was made a subsidiary in October, 2012
Provision of services for technical information related to BPO (business, process, outsourcing), infrastructure, operation, and data center device management services
ITGOV40016
Status of Obtaining ISO/IEC 27001 Certification
At Fuji Xerox and its affiliated companies, we are actively engaged in obtaining third party evaluation and certifications related to information security.
Third Party Evaluations and Certifications
Since obtaining BS 7799-2:1999 (the UK-based ISMS standard that was the predecessor of ISO/IEC 27001) in 2002 for user authentication services, we have expanded the range of certification obtainment (organizations and operations, etc.)
Status of Information Security Management System (ISMS) Certification Obtainment Management
particularly for operations related to customer point of contact. Currently, certifications have been obtained within the organizations listed below.
19
Product Name Authentication date
Fuji Xerox ApeosPort-VI C7771/C6671/C5571/C4471/C3371/C2271DocuCentre-VI C7771/C6671/C5571/C4471/C3371/C2271 Series Controller Software Controller
2017/5/25
Name of Accredited Organization Accreditation No.
Fuji Xerox System Service Co., Ltd. 11820092(09)
Organization Name Scope of Registration Cert. No.Fuji Xerox (Thailand) Co., Ltd.
The management and operation of Fuji Xerox corporate processes supporting the management of sales and service of document technologies, services, supplies and document-centric outsourcing.
TH17/10073
Fuji Xerox Australia Pty. Ltd. ITGOV40091
Fuji Xerox Asia Pacific Pte. Ltd.12 310 57188/01 TMS
Fuji Xerox Korea Co., Ltd.150156-2017-AIS-KOR-UKAS
Fuji Xerox Asia Pacific Pte. Ltd. (Myanmar Branch)12 310 57188/05 TMS
Fuji Xerox Singapore Pte Ltd12 310 57188/02 TMS
Fuji Xerox (Hong Kong) Limited CC 6225
Fuji Xerox New Zealand Limited C38749
Fuji Xerox (China) Limited208061-2016-AIS-RGC-UKAS
Fuji Xerox Asia Pacific Pte. Ltd. (Malaysia Operations) IND16.0721/U
Fuji Xerox Vietnam Company Limited VN17/00023
Fuji Xerox Taiwan Corporation TW17/00069
Fuji Xerox Philippines Inc.12 310 57188/ 06 TMS
Fuji Xerox Malaysia Sdn Bnd12 310 57188/ 04 TMS
Fuji Xerox Global Services12 310 57188/ 03 TMS
As of December 1, 2018
We are continually making improvements in order to properlyprotect our customers' personal information and our owninternal personal information, as well as to firmly establish this practice as our management system.
Status of Privacy Mark Accreditation
Since February 2007, Fuji Xerox and its affiliates have obtained ISO/IEC 15408 certification for products including multifunction devices and printers. The products for which certification was obtained between July 1, 2016 and December 1, 2018 are listed below. In relation to products for which certification was obtained prior to
Status of ISO/IEC 154081) Certification Obtainment
June 30, 2016, please refer to the website of the independent administrative agency, Information-Technology Promotion Agency, Japan.https://www.ipa.go.jp/security/jisec/jisec_e/certified_products/certfy_list_e31.html
1) ISO/IEC 15408 is an international security standard for evaluating, from an IT security perspective, whether IT-related products and systems have been designed in an appropriate way and whether those designs have been correctly implemented.
As of December 1, 2018
Status of Privacy Mark Accreditation
As of December 1, 2018
Status of ISO/IEC 15408 Certification
Fuji Xerox Co., Ltd.
Xerox, Xerox and Design, as well as Fuji Xerox and Design are registered trademarks or trademarks of Xerox Corporation in Japan and / or other countries.
