
To eliminate a wide variety of risks that could be damaging to its business activities, Canon is undertaking a number of security measures, including those related to physical security, information security, and the protection of personal data.
Canon is implementing a comprehensive security management system to protect its companies and employees from increasingly diverse risks and maintain the trust of our stakeholders and society, while at the same time establishing a crisis management system to ensure a swift and flexible response should an incident occur.
System of Security Rules
Basic Policies and Priorities
Such regulations as the Protection of Personal Information Law in Japan and the Sarbanes-Oxley Act highlight the growing importance of information management. In this environment, companies have the vital responsibility of protecting personal and customer information from leaking.
In light of this situation, Canon has set three objectives: strengthen measures to prevent information leaks; raise the awareness of all employees regarding information security; and strengthen our security management system at the global level. We are working to bolster information security in accordance with these objectives.
Ongoing Review and Implementation of Information Security Measures
Since 2002, Canon Inc. has regularly carried out information security audits of all of its division headquarters, based on the company’s information security rules.
In 2006, we conducted Group-wide audits based on revised rules. The results were sent back to chief executives at each division headquarters, where the respective information security measures were reviewed, improved and subsequently implemented.
In response to technological trends and the implementation of in-house information systems, Canon continuously revises and improves its systems and strategies by formulating midterm and annual plans as well as contingency plans in the event of viruses and other disasters.
In 2005, Canon’s IT Infrastructure Promotion Headquarters acquired information security management system (ISMS) certification and completed the transition to the international specification ISO/IEC 27001.
Bolstering a Global Information Management System
Since 2003, Canon has built up its information security system for the entire Canon Group, including its operational sites outside Japan.
In 2006, we put into action measures to reinforce information security governance at all of our major Group companies worldwide, and we are now moving ahead with plans to gradually standardize auditing items and auditing standards.
Preventing Information Leaks and Raising Employee Awareness
To prevent incidents involving information leaks, Canon has developed rules for computer and email use, and conducts employee training programs through e-learning. As part of our efforts to raise awareness of this topic among all employees, we also created an information security site that spells out in easy-to-understand terms the importance of Internet information security and specific actions to achieve security.
In December 2005, we published the Information Security Handbook. We used this manual in various activities in 2006 to reinforce to employees the importance of security in their immediate surroundings. Going forward, we will examine case studies from other companies, utilizing such knowledge in our efforts to prevent the outflow or leakage of information.
Canon Inc. launched a project in 2002 for protecting personal information, and in 2003 acquired Privacy Mark certification. We subsequently revised our manual on protecting personal information, developing internal rules for each division. Since 2005, we have been working to maintain or improve management levels by starting an e-learning-based employee education program.
Thirty-seven of our major Group companies in Japan are currently taking steps to acquire Privacy Mark certification, and as of March 31, 2007, 27 companies had been certified, while nine others had either completed the application process or undergone testing. The remaining company is making preparations with a view to applying in December 2007.
To move forward in our efforts to ensure unified management of personal information throughout the Canon Group, we established in 2006 a global personal information protection policy and action plan. In line with these plans, our personal information management activities are also being taken up by our subsidiaries outside Japan.
In 2007, we also intend to update our Privacy Mark certification to the JIS Q 15001:2006 standard.
Canon conducts diverse business in various regions around the world, so we consider the appropriate protection and management of trade secrets and technological information an important element of our business performance. Our activities in this field are described below.
Trade Secret Management
Canon creates trade secret rankings, promotes the reinforcement of information systems and other infrastructure, and works to prevent information leaks and outflows. Canon has drawn up trade secret management guidelines for each Group company worldwide and is working to develop a firm Group-wide trade secret management system.
| Year | Activity |
|---|---|
| 2003 | Ministry of Economy, Trade and Industry announced a policy on managing trade secrets (complying with the Unfair Competition Prevention Law in Japan) |
| 2004 | Drew up Trade Secret Management Guidelines |
| 2005 | Created an intracompany trade secret management system |
| 2006 | Created English version of the Trade Secret Management Guidelines; Canon Europe began formulating pan-European guidelines |
Technology Outflow Prevention Management
In 2004, Canon drew up guidelines for the prevention of technology outflow. In 2006, the company established Confidential Information Management guidelines in Japanese, English and Chinese, which it distributed to Group manufacturing companies in Asia, and promoted the full-fledged local adoption of these guidelines at production companies. In addition, Canon introduced education programs for employees being sent to manufacturing companies in Asia.
| Year | Activity |
|---|---|
| 2002 | Began holding regular meetings on the prevention of technology outflow, attended by the presidents of manufacturing companies in Asia and key executives of Canon Inc. |
| 2003 | Ministry of Economy, Trade and Industry announced a policy to prevent the outflow of technology (preventing technology from flowing to countries where systems to protect intellectual property have not been established) |
| 2004 | Drew up Technology Outflow Prevention Management Guidelines |
| 2005 | Began training and raising the awareness of employees being sent to manufacturing companies in Asia |
| 2006 | Prepared confidential information management guidelines in Japanese, English and Chinese; began training local managers at Canon Dalian Business Machines, Inc. |
Basic Policies
As one aspect of the company’s efforts to strengthen security, Canon is working to bolster physical security systems according to the needs of each operational site, based on the following three policies:
Physical Security Promotion System
Canon has formulated the Canon Group Physical Security Guidelines to direct policy and rules regarding the physical security of Group companies. From the planning of new operational sites to building construction, these guidelines form the basis for aggressively promoting security activities and determining original policies and rules for each site, taking into consideration geographical conditions, operational content and entry and exit routes. Additionally, in recent years we have promoted Canon Group Physical Security Reinforcement Measures and introduced an Integrated Entry and Exit Management System.
To advance these activities, the Physical Security Committee regularly meets at Canon Inc.’s General Affairs Headquarters to review overall control of Group companies. In addition, auditors appointed to this committee carry out a physical security audit according to standards consistent across the Group. The results of this audit are scrutinized to improve and revise physical security measures. Furthermore, new-employee and rank-based training sessions are conducted to promote education on both physical and information security.
Integrated Entry and Exit Management System
Canon introduced an Integrated Entry and Exit Management System as its base physical security system. This system uses non-contact ID cards to manage and restrict entry and exit for buildings, individual rooms and offices. Hence, access to such facilities as clean rooms and development sites, which require a higher security management level, can be monitored using biometric verification. Individual entry/exit logs are recorded in the Integrated Entry and Exit Management System, where they are securely stored and managed.
An integrated control room coordinates such facility equipment and devices as surveillance cameras, magnetic sensors and flipper gates. Centralizing entry/exit logs and other information facilitates efficient and secure information management. It is also used for safety management in facilities such as clean rooms, where operations are carried out by an individual worker. In future, we intend to further strengthen our security systems using Canon’s camera technologies and other resources.
Business continuity plans, which commonly comprise disaster prevention and recovery plans, are increasingly attracting interest as a means to mitigate many business risks by preventing the suspension of business activities or ensuring rapid recovery in the event of suspension. At the Central Disaster Prevention Council meeting hosted by the Japanese Cabinet Office in 2005, Business Continuity Guidelines were established. Separately, Nippon Keidanren, Japan’s foremost business federation, established a Committee on Risk Management.
As part of its measures to ensure business continuity in the event of a disaster, Canon is upgrading the earthquake resistance of older buildings, concluding disaster prevention agreements with local entities, and creating a structure to gather and report information. We developed a disaster contingency plan based on the outcome of an earthquake with an intensity of five or higher on the Japanese scale, taking into account the economic, social and environmental impact on each of our operational locations. Given the key role of our Shimomaruko offices in Tokyo as the company’s global headquarters, we have reconstructed all the buildings on site, set up backup generators, stockpiled facilities, fuel, equipment and supplies, and established a multiplex communication system to ensure that communications continue even if disaster strikes. In 2005, Canon set up a disaster recovery center to back up its information systems, providing a fail-safe structure for its mainframe system. For external communications, the Company has assembled a public relations team to transmit and share information in times of disaster. We also plan to be proactive in providing community support in the case of disaster, in line with the Disaster Agreement for Ota Ward, Tokyo.