
2.2 | Compliance and Risk Management

[Figure: Structure of Information Security Rules at Fujifilm Group (Information Security Policy; Global Information Security Regulations; Information Security Guidelines)]

(2) Information security PDCA cycle and other measures

The Fujifilm Group secures its information based on an ISO/IEC 27001-compliant PDCA cycle. We assess the information risks and create an action plan each year, and based on this plan, the information security manager appointed in each organization leads the following activities.

① Improved security quality of products

The Fujifilm Group has implemented a design and development process for better security quality throughout the product lifecycle, from product planning, design and development to maintenance and operation. Specifically, based on a policy of “security by design,” we are implementing threat analysis in the upstream process of design and development, secure coding, response to supply chain vulnerabilities, and regular vulnerability inspections before and after product release.

② Response to vulnerabilities

The Fujifilm Group collects vulnerability data from JPCERT/CC and other external organizations and disseminates information as needed to relevant organizations in the Group. If there is information on a vulnerability that will have a significant impact, we hold a vulnerability response meeting for each vulnerability theme to decide on the response policy and solution. If a vulnerability in one of our products is reported by an outside whistle-blower, we disclose the vulnerability information and provide security patches, in accordance with the Information Security Early Warning Partnership Guideline and in coordination with IPA and JPCERT/CC.

③ Response to internal fraud

The Fujifilm Group imposes strict restrictions on employees taking company information outside of the company, whether by online or offline methods. In particular, we monitor all online transfers of company information to individual email addresses or external cloud services. If any suspicious conduct is detected, we investigate the evidence where necessary.

④ Cyber-training

To ensure a versatile and appropriate response in the event of an incident stemming from a cyberattack, the Fujifilm Group participates in joint annual cyber drills with NISC (National Center of Incident Readiness and Strategy for Cybersecurity) organized by the Nippon CSIRT Association. Cyber drills are also organized independently by FUJIFILM CERT to confirm response procedures and upgrade response skills.

In fiscal 2022, an initial response drill for a cyber incident was held with the participation of executive officers and department heads responsible for cybersecurity. In these drills, details of the incident are not disclosed in advance. During the designated time frame, an interim report from FUJIFILM CERT is organized and prepared by the department head for submission to the director responsible, who in turn decides how to limit the damage and the impact on business activities. Issues were revealed during the first drill and the findings were fed back to improve the incident initial response procedure. A second drill for executive management was held in FY2023 to improve management’s initial response to an incident.

42 FUJIFILM Holdings Corporation Sustainability Report 2023
