Information Security
The Canon Marketing Japan Group (hereafter, the "Canon MJ Group") helps realize a secure society by working to strengthen the foundations of information security as part of CSR. We will remain aware of information security risks, including cyberattacks, and continue striving to improve information security by regarding it as an important business challenge.
Policies
Under the Kyosei corporate philosophy of the Canon Group, the Canon MJ Group has adopted a vision of becoming a professional corporate group that solves social and customer issues using ICT and the power of humans. Under this vision, we will contribute to building a safe, secure, sustainable society through business activities.
We contribute to customers' IT strategies with our digital technologies, including IoT and cloud services, and high-quality services. At the same time, we understand information security risks, including cyberattacks, and regard the appropriate handling of information assets used in business activities as an important business challenge. To put these ideas into practice, we will strive to make continuous improvements further based on the following policies.
Governance and Management Structure
Because ensuring information security is an important business challenge, we drive information security management under the information security governance provided by the management team. At the same time, we raise awareness of all employees and provide knowledge to them.
Governance Structure
Information security initiatives are also closely related to social demands, including demands for compliance, environmental measures, business continuity, and quality control. Therefore, at the Risk and Crisis Management Committee, which is in charge of these social demands, members of our management team take steps to strengthen the Group's information security governance. This committee implements a cycle of determining information security policies, strategies, and others (giving direction) , regularly checking changes in the business environment and risks and the level of target achievements (monitoring), evaluating them (evaluation), and giving new direction as necessary based on the results of the evaluation.
Management Structure
Our management structure is divided into two, one part that supervises the Group's information security and another for each company/department. Under the Group's information security supervision structure, an organization that has the Group's headquarters functions plans, suggests, and drives the Group's common rules and measures, including IT, physical, and human security measures. Under the management structure for each company/department, a department in charge of information security or a departmental management structure is created based on the characteristics of each company or business. At the same time, each organization appoints an information security promoter, who works to instill rules and implement measures.
Raising Awareness and Providing Knowledge
Employee Training for Knowledge Acquisition
| Training program | Description |
|---|---|
| All employee training | As part of risk and crisis management training, e-learning based on practical contents is provided so that employees can make appropriate judgments and take appropriate actions with respect to information security and the protection of personal information. Check tests are also given to confirm the level of understanding of each employee. |
| Initial orientation training | This training is provided to new and mid-career employees to ensure that they understand the Group's approach to information security and acquire basic knowledge on the handling of information assets. |
| New line manager training | This training is provided in the form of classroom lectures. It is aimed at having trainees understand the Group's approach to information security and the roles of departmental managers and to acquire the knowledge needed to handle information assets appropriately in their departments. |
At the Canon MJ Group, we create an information security training plan each year and provide e-learning training to all executives and employees of the Group. Trainees acquire the necessary knowledge through classroom lectures, and check tests are given to measure the extent to which the knowledge has been entrenched among them. Initial orientation training is provided to new employees and mid-career employees as new members of an organization. This training is aimed at raising their awareness of information security, having them acquire basic knowledge on information security, and ensuring that internal rules are observed. We provide rank-specific training. For new line managers, we give lectures so that they will have a firm understanding of line managers' roles in information security.
Raising Awareness of Risk Management at Workplaces
At each workplace (section) of the Canon MJ Group, a compliance meeting is held twice a year. At this meeting, compliance risks with a significant impact on each department's business and operations are identified from among themes positioned as important management risks, and measures to address the risks are discussed. At these meetings, many themes related to information security, such as the risk of leakage of confidential information and the risk of cyberattacks, are put on the agenda. Measures to address risks are discussed based on the characteristics of each workplace, so as to reduce information security risks and raise awareness of such risks.
Outside Certification and Communication
Third-party Certification
The Canon MJ Group has built an information security management system (hereafter, "ISMS") and personal information protection management system (hereafter, "PMS") based on a third-party certification standard (JIS standard), to enable the systems to be introduced uniformly and promptly. To have these initiatives evaluated objectively, we use third-party certification systems such as the ISMS Conformity Assessment Scheme and the PrivacyMark System.
Affiliation with Information Security Organizations
The Canon MJ Group is affiliated with information security organizations to gain the latest information in a timely manner and to study the different problems associated with the industry in an effort to increase its information security.
| Software Association of Japan | JIPDEC |
| Japan Information Technology Services Industry Association | Japan Users Association of Information Systems |
| Information Processing Society of Japan | Japan Network Security Association |
| Union of Japanese Scientists and Engineers | Council of Anti-Phishing Japan |
| Nippon Computer Security Incident Response Team Association |