
Information Security

The Canon Marketing Japan Group (hereafter, the "Canon MJ Group") helps realize a secure society by working to strengthen the foundations of information security as part of CSR. We will remain aware of information security risks, including cyberattacks, and continue striving to improve information security by regarding it as an important business challenge.

Policies

Under the Kyosei corporate philosophy of the Canon Group, the Canon MJ Group has adopted a vision of becoming a professional corporate group that solves social and customer issues using ICT and the power of humans. Under this vision, we will contribute to building a safe, secure, sustainable society through business activities.
We contribute to customers' IT strategies with our digital technologies, including IoT and cloud services, and high-quality services. At the same time, we understand information security risks, including cyberattacks, and regard the appropriate handling of information assets used in business activities as an important business challenge. To put these ideas into practice, we will strive to make further continuous improvements based on the following policies.

Governance and Management Structure

Under the information security governance provided by the management team, every Group company and every department has developed an information security management structure, to properly manage information assets and minimize information security risks.

Governance Structure

Information security initiatives are also closely related to social demands, including demands for compliance, environmental measures, business continuity, and quality control. Therefore, at the Risk and Crisis Management Committee, which is in charge of these social demands, members of our management team take steps to strengthen the Group's information security governance. This committee implements a cycle of determining information security policies, strategies, and other matters (giving direction), regularly checking changes in the business environment and risks and the level of target achievement (monitoring), evaluating them (evaluation), and giving new direction as necessary based on the results of the evaluation.

Management Structure

Our management structure is divided into two parts: one that supervises the Group's information security and another for each company/department. Under the Group's information security supervision structure, an organization that has the Group's headquarters functions plans, suggests, and drives the Group's common rules and measures, including IT, physical, and human security measures. Under the management structure for each company/department, a department in charge of information security or a departmental management structure is created based on the characteristics of each company or business. At the same time, each organization appoints an information security promoter, who works to instill rules and implement measures.

Operation of Management Systems

We operate groupwide information security and personal information protection management systems to ensure the safety of information and protect ourselves against the risks of information leaks, falsification and other information incidents.

Information Security Management System

Our information security management system consists of the implementation of activities in conformity with ISO/IEC 27001. Based on management reviews, the status of organizations, risk assessment results and other circumstances, all departments set goals for information security activities and we implement an information security management system in which everyone participates.

Personal Information Protection Management System

Our personal information protection management system consists of the implementation of activities in conformity with JIS Q 15001. We use a personal information database management system to implement activities such as the assessment of risks in every process from identification of personal information handled and its collection to its disposal and the management of contractors.

Training and Awareness-raising

Employee Training for Knowledge Acquisition

Training program | Description
All employee training | As part of risk and crisis management training, e-learning based on practical contents is provided so that employees can make appropriate judgments and take appropriate actions with respect to information security and the protection of personal information. Check tests are also given to confirm the level of understanding of each employee.
Initial orientation training | This training is provided to new and mid-career employees to ensure that they understand the Group's approach to information security and acquire basic knowledge on the handling of information assets.
New line manager training | This training is provided in the form of classroom lectures. It is aimed at having trainees understand the Group's approach to information security and the roles of departmental managers and to acquire the knowledge needed to handle information assets appropriately in their departments.

At the Canon MJ Group, we create an information security training plan each year and provide e-learning training to all executives and employees of the Group. Trainees acquire the necessary knowledge through classroom lectures, and check tests are given to measure the extent to which the knowledge has been entrenched among them. Initial orientation training is provided to new employees and mid-career employees as new members of an organization. This training is aimed at raising their awareness of information security, having them acquire basic knowledge on information security, and ensuring that internal rules are observed. We provide rank-specific training. For new line managers, we give lectures so that they will have a firm understanding of line managers' roles in information security.

Raising Awareness of Risk Management at Workplaces

At each workplace (section) of the Canon MJ Group, a compliance meeting is held twice a year. At this meeting, compliance risks with a significant impact on each department's business and operations are identified from among themes positioned as important management risks, and measures to address the risks are discussed. At these meetings, many themes related to information security, such as the risk of leakage of confidential information and the risk of cyberattacks, are put on the agenda. Measures to address risks are discussed based on the characteristics of each workplace, so as to reduce information security risks and raise awareness of such risks.

Outside Certification and Communication

Third-party Certification

The Canon MJ Group has built an information security management system (hereafter, "ISMS") and personal information protection management system (hereafter, "PMS") based on a third-party certification standard (JIS standard), to enable the systems to be introduced uniformly and promptly. To have these initiatives evaluated objectively, we use third-party certification systems such as the ISMS Conformity Assessment Scheme and the PrivacyMark System.

Affiliation with Information Security Organizations

The Canon MJ Group is affiliated with information security organizations to gain the latest information in a timely manner and to study the different problems associated with the industry in an effort to increase its information security.

Software Association of Japan
JIPDEC
Japan Information Technology Services Industry Association
Japan Users Association of Information Systems
Information Processing Society of Japan
Japan Network Security Association
Union of Japanese Scientists and Engineers
Council of Anti-Phishing Japan
Nippon CSIRT Association
The Japan DataScientist Society
Digital Literacy Council (Japan Deep Learning Association)
JAPAN Card Data Security Consortium
Supply-Chain Cybersecurity Consortium