Security
Information Security
Information Security Management Structure
Canon has established the Global Information Security Committee as a decision-making body for information security measures. This committee is made up of experts from information security departments and is responsible for the information security management of the entire Canon Group.
To maintain and improve information security across the entire Group, in 2007 Canon established the Canon Group Information Security Rules, which are common to Canon Group companies worldwide and constitute the rules and guidelines concerning security controls and information security in accordance with the actual situation at each company.
The regional marketing headquarters conduct regular inspections to confirm how information security is being implemented at each Group company and uses this data to review and improve information security controls.
During 2011, self-inspections were carried out by each Group company and reported to the committee in addition to field inspections that were conducted by regional marketing headquarters to confirm the actual status of each company's operations. These confirmed that the status at each company was generally good. Information security measures were also enhanced by sharing the efforts made at each company, such as USB memory management methods and awareness campaigns using posters, throughout the Group.
We will continue to work to enhance the security level throughout the Group by regularly executing measures and conducting examinations of information security at each company, and achieve prompt sharing of measures and information by strengthening the collaborative system.
Conceptual Diagram of the Information Security Management Structure
Prevention of Information Leaks
Aiming to prevent information leaks, Canon implements measures to ensure the confidentiality*1, integrity*2, and availability*3 of its corporate information. Valuable information is stored using a specialized system with reinforced security. By controlling access and recording usage, we prevent improper use and information leaks.
The removal from Company premises of recording media and PCs with stored data is as a rule prohibited, but if the need arises and no other measures are available, specially secured PCs or recording media may be removed with the prior approval from the division headquarters. Countermeasures, such as encryption and verification features, have also been put in place to prevent leakage in the event of loss or theft.
In addition, we have constructed a Group-wide system that allows remote access to Company information, thus eliminating the need for employees to take PCs and recording media when traveling to other Group companies.
If an incident were to occur, the Global Information Security Committee would immediately receive a report and the department responsible for security would respond promptly to prevent further issues.
As a part of our effort to strengthen leak prevention measures, in 2011 we installed software on employee PCs that restricts the writing of data to external memory media connected via USB ports.
We will continue strengthening measures to prevent e-mail-related security leaks.
- *1Confidentiality
Only authorized personnel can access the information. - *2Integrity
Ensures the data and processing methods are accurate and cannot be modified without authorization. - *3
Availability
Data is accessible to authorized personnel when needed.
Protecting Personal Information
Canon recognizes that personal information is an important asset, and protecting this asset is one of its social responsibilities. In 2002, Canon Inc. established the Personal Information Protection Policy and the Personal Information Protection Rules. Every year since 2005, Canon Inc. has reviewed its personal information protection management system under the direction of the president and has conducted ongoing personal information audits through the Corporate Audit Center.
In 2011 we revised our Contractor Selection Standards and established information management methods according to the degree of importance with the goal of strengthening the personal information management structure for work contractors.
Furthermore, we place great emphasis on employee education, implementing a personal information protection e-learning program each year for all employees and carrying out other educational initiatives.
As a result of these activities, no incidents of personal information loss or leakage occurred in 2011.
In 2012, we plan to revise the management methods leading to a restructuring of the personal information management system, and to strengthen the employee education system with intensive training for employees requiring it.
Employee Awareness Training
In order to maintain and improve information security, Canon is raising the awareness, from the perspectives of both education and consciousness, of employees who comprise the user base for its information systems.
Measures include group training that teaches employees the importance of information security and emphasizes company rules, as well as an e-learning system. Canon Inc. executed information security training programs involving personal information protection education for all employees and dispatch employees in 2011, with a total of approximately 26,000 attendees. We also improved the study program by incorporating hypothetical case studies based on risk analysis to prevent the occurrence of problems.
Similar training was conducted at Group companies in Japan as well.
Furthermore, Canon has posted an easy-to-understand information security website and information security handbook on the company intranet that employees can refer to at any time.
We will continue to conduct security consciousness efforts utilizing the information infrastructure within the Group to improve employee awareness.
| Target | Participants | Training type |
|---|---|---|
| New employees (Fixed annual hiring and mid-career entry) | All employees |
|
| Existing employees | All employees |
|
Trade Secrets and Technology Outflow Prevention Management
As a global company involved in wide-ranging development, production and sales activities, Canon recognizes the importance of taking appropriate measures to protect and manage trade secrets and technological information. The Company is making various efforts in this area.
Trade Secrets Management
In accordance with the Trade Secrets Management Guideline drawn up by Canon Inc. in 2004, trade secrets management rules have been drawn up for each division headquarters. We are promoting PDCA activities, including education programs and audits, in accordance with each division's operational characteristics. Further, Group companies in Japan and overseas have formulated their rules based on the above-mentioned guideline, and are progressing with the same framework of measures.
We updated our Trade Secrets Management Guideline in 2011 to reflect revisions made to the Unfair Competition Prevention Act and changes made to the "Trade Secret Management Guidelines" issued by the Japan's Ministry of Trade, Economy and Industry. Also, we issued practical handling procedures for four types of data of strong concern to manufacturers: new product planning, production planning, product cost, and drawings. Inspections of the trade secrets management situation at 45 domestic and overseas Group companies were conducted based on these procedures. Each Group company also conducts e-learning and seminars based on these procedures to increase employee awareness.
In addition to the above, we also inaugurated the "i-Library," our standards document management system, enabling management in accordance with the Trade Secrets Management Guideline.
We have improved and strengthened the management structure for the entire Group through the above series of measures.
We will continue to firm up our trade secrets management structure through continuous inspections and educational programs such as e-learning.
| 2004 |
|
|---|---|
| 2005 |
|
| 2007 |
|
| 2008 |
|
| 2009 |
|
| 2010 |
|
| 2011 |
|
Technology Outflow Prevention Management
Canon recognizes technology as a critical asset and has been working since 2002 to prevent inappropriate technology outflow.
Canon's Technology Outflow Prevention Management Guidelines, formulated in 2004, form the foundation of this drive. Each products operations group has drawn up its own rules in line with these guidelines to manage the prevention of technology outflow in accordance with its own operational characteristics.
To strengthen management for the prevention of technology outflow in countries and regions where the legal provisions for the protection of intellectual property rights are still insufficient, in 2002 we established the Overseas Manufacturing Company Security Management Committee. The Committee comprises key executives from Canon Inc. and the presidents of 11 manufacturing companies in Asia. In 2006, this body issued the Confidential Information Management Guidelines 2006 for Manufacturing Companies in China and Asia. Each subsidiary has implemented a management system based on these guidelines and is following strict regulations.
We reviewed our technology outflow prevention management system in 2010 by overhauling the operations and policies of the Overseas Manufacturing Company Security Management Committee. We plan to improve the activities of the Committee based on new operational policies.
| 2002 |
|
|---|---|
| 2004 |
|
| 2005 |
|
| 2006 |
|
| 2007 |
|
| 2008 |
|
| 2009 |
|
| 2010 |
|
Physical Security
Basic Physical Security Measures
Aiming to strengthen physical security, Canon has been working to establish physical security systems at each of its operational sites since 2000 based on the following three policies:
- 1. Establish and put into practice at operational sites an overall design from the viewpoint of disaster prevention, crime prevention, and health and safety to optimize entry and exit routes for all persons.
- 2.Fully implement strict internal and external security measures to comprehensively prevent company assets (physical objects, information, etc.) from being removed, suspicious objects from being brought in, and suspicious individuals from entering.
- 3.Limit entry to certain areas to people who have been authorized by area managers, and integrate management of room entry and exit logs.
Physical Security Promotion System
In 2002, Canon established the Canon Group Physical Security Guidelines, which outline the policies and rules regarding room entry and exit management and other kinds of physical security at Group companies. Since then, security measures have been aggressively promoted, from the planning of new operational sites to building construction, with the guidelines forming the basis for site-specific policy, taking into consideration geographical conditions, operational content, and entry and exit routes.
In recent years, we have strengthened the Group's physical security and introduced an Integrated Entry and Exit Management System. We installed an Integrated Entry and Exit Management System at Hita Canon Materials, a manufacturer of high-function toner cartridge parts, in 2011.
We have implemented a particularly thorough audit system due to the serious risk to society in the event of the theft of toxic materials. Since 2007 we have carried out physical security audits of all Group sites that deal with toxic materials with the objective of preventing theft and loss. Improvements and revisions to physical security measures are implemented based on the results of these audits. In 2011, an entry and exit management system for toxic material storage was inspected at all sites storing such materials, with the placement of such systems at each site confirmed.
Additionally, to raise employee awareness, education on physical security has been included in the program for new-employee and rank-based training sessions. This training continued to be included in new-employee and mid-career employee education in 2011, and also was included as a facet of information security education.
Integrated Entry and Exit Management System
The Integrated Entry and Exit Management System introduced by Canon in 2002 is the basis for the entry and exit management systems being installed at each site while taking the special features of the individual sites into consideration.
This system uses IC-equipped noncontact ID cards to manage and restrict entry and exit to buildings and individual rooms. Moreover, access to such facilities as clean rooms and development sites, which require a higher level of security management, is monitored using biometric verification.
An integrated control system coordinates facility equipment and devices such as surveillance cameras, sensors and flap gates. Centralization of alarm logs, room entry/exit records and other information facilitates efficient and secure information management. The system is also used for safety management in such facilities as clean rooms, where operations are carried out by a single worker.
Efforts toward consolidated management of room entry and exit histories at Group companies by our Shimomaruko headquarters began in 2011. Until now, room entry and exit histories for operational sites where an Integrated Entry and Exit Management System had not been installed were managed by the sites themselves, but we are working to build a system for consolidated storage of these histories that can be used in the event of an accident.
Security gate (Shimomaruko Headquarters)
