Product Information Security Basic Policy
The Brother Group's mission is to place our customers first everywhere, every time, with the "At your side." policy. In order to provide secure products from Information security point of view and ensure that customers can use the purchased products with confidence, we establish the following basic policy to firmly implement and promote this.
1. Compliance with laws, regulations and contracts related to information security
We shall understand and comply with information security related laws and regulations of each country, and contracts with customers and partner companies.
2. Company regulations and organizational structure
In order to maintain and improve the information security level of Brother products, we shall establish internal rules concerning product information security, build a company-wide organizational structure and make continuous improvements as advised by top management.
3. Response to product information incident
Regarding the use of Brother products, if an information incident, reputational damage, violation of laws and regulations occurs, or if such a risk is discovered, we will make efforts to minimize damage. This can be through investigation of the cause of incident, investigation of the scope of impact, risk assumption, implementation of necessary measures, promptly providing necessary information to customers, partner companies, and other external organizations related to security. We will also implement corrective measures to prevent recurrence.
4. Prevention of product information incident
To prevent product information incidents, we shall establish standards and implementation procedures, and implement security measures throughout the full product lifecycle of planning, research and development, manufacturing, market use, repair, and disposal.
In addition, we will continuously review the standards and implementation procedures, and reflect countermeasures against new threats in products.
And we will continue to send information for customers to use the product securely.
5. Implementation of education on product information security
In order to ensure that all officers and employees involved in product information security can perform their work with information security literacy, we shall thoroughly familiarize them with this basic policy and continue to implement education on product information security.
Structure and Initiatives Related to Product Information Security
Brother Industries, Ltd. (hereinafter referred to as "BIL") has built a company-wide organizational structure to maintain and improve the Brother Group's product information security level, and is promoting various initiatives to respond to and prevent product information incidents.
B-PSIRT
BIL has established the Brother Product Security Incident Response Team (B-PSIRT) as an organizational structure for responding to product information incidents of the Brother Group. B-PSIRT works to prevent information incidents arising from the products of the Brother Group, and in the event of an incident, strives to provide confidence and safety to customers and society through swift response and other measures.
Structure of B-PSIRT
B-PSIRT is established within the Information Management Secretariat of BIL's Information Management Committee. It comprises the B-PSIRT Secretariat, which oversees and supports the PSIRT*1 activities of each business, as well as the respective businesses' PSIRTs which work with the respective businesses' product, development, and business structures to respond to information incidents that has occurred.
B-PSIRT has an external hotline for vulnerability reports to receive information related to products of the Brother Group, such as vulnerabilities and threats, from those who discover vulnerabilities, such as external agencies related to product information security, companies, and individuals.
Structure of B-PSIRT
- Abbreviation of Product Security Incident Response Team, which is an organization for responding to security incidents related to each company's products
- Abbreviation of Japan Computer Emergency Response Team Coordination Center
- Abbreviation of Information-technology Promotion Agency
- Abbreviation of Computer Security Incident Response Team, which is an organization established within the information department of companies and other organizations for responding to events which occur in internal systems, etc. that may lead to security problems
Initiatives of B-PSIRT
B-PSIRT initiatives such as those below for products of the Brother Group.
| Type | Overview |
|---|---|
| Violation of laws, contracts, etc. |
In the functions of Brother's products, or in the process of product use by customers
|
| Handling of information incidents* | Responding when there are information incidents that cause damage to customers who use Brother's products as well as other individuals and companies |
| Handling of vulnerabilities |
|
| Prevention activities |
|
| Awareness and education |
|
- Undesired or unexpected problems and incidents in business operation and information security, such as unauthorized access and information leaks
Collaboration of organizations related to product information security
BIL is registered with JPCERT/CC as a product developer and undertakes responses based on the Information Security Early Warning Partnership.
Activities to prevent product information security incidents
Secure development process
B-PSIRT promotes the secure development process, which implements security measures in the product lifecycle from planning to disposal, so that customers can use products safely and with peace of mind.
Secure development process in product lifecycle
Response process during occurrence of product information security incident
BIL has established the escalation process* when there is a product information security incident or when a suspicious event has been discovered. We strive to response appropriately to the incident and limit damage and losses to the minimum.
When a product information security incident occurs or a vulnerability is detected at a company or organization within the Group, the respective organization's PSIRT person-in-charge will grasp the situation and report to the B-PSIRT Secretariat.
The reported incident will be shared with the management and relevant organizations depending on the details and measures to prevent reoccurrence will be undertaken. Urgent and critical cases will be immediately reported to the Chairman of Information Management Committee and executive officers supervising related businesses, and we will seek to minimize damage by responses such as actions to prevent the spread of damage faced by customers and disseminating information about avoidance methods.
Response process during occurrence of product information security incident
- This is a procedure for reporting to the superior (organization) to undertake response at a larger scope during the occurrence of an urgent major incident
Disclosure of product information security information
Information regarding vulnerability of Brother's products as well as information about methods for solving or avoiding problems caused by vulnerabilities are disclosed on the website, translated into 22 languages, so that customers can check them.
Security support informationExternal evaluation and certification regarding product information security
With the spread of IoT devices*1, there are increasingly more cyberattacks targeting them. In the domain of business machines such as printers and All-in-Ones which are used in a variety of environments, there is rising importance for security measures due to the rapid spread of remote work and telecommuting.
Under such circumstances, BIL has strengthened the information security of its products and obtained external evaluations and certifications.
Passed the rigorous testing of the BLI Security Validation Program
BIL's printers have passed the Device Penetration Testing of the Buyers Lab (BLI) Security Validation Program from Keypoint Intelligence, an independent research and testing agency in the United States, and obtained the Security Verification Testing Seal.
The Security Validation Testing Seal is a certification that indicates that a product has passed the device penetration testing offered by Keypoint Intelligence and indicates that the device firmware and OS contained no serious vulnerabilities likely to be exploited by an outside hacker.
For more information, including a list of products that have passed the BLI Security Validation Program, please visit the Security Validation Program website.
Compliance with BMSec (Business Machine Security Program)
As part of efforts to strengthen product information security measures of printers and All-in-Ones, BIL complies with the Business Machine Security Program (BMSec*2) by the Japan Business Machine and Information System Industries Association (JBMIA).
For information and details about products that comply with BMSec, please see the official website of BMSec(the link to the site of "JBMIA")(in Japanese).
* BMSec is a registered trademark of Japan Business Machine and Information System Industries Association.
BMSec is also introduced on Brother's product information website.
- Security responses of printers and All-in-Ones (This will link to Brother's product information (printers and All-in-Ones) website.)(in Japanese)
- Devices which can pass information and orders to each other through LAN or the Internet
- This is a program where manufacturers and sales companies carry out self-evaluation of compliance with the Security Guidelines for Business Machines with Network Functions formulated by JBMIA and declare compliance, while JBMIA confirms and discloses compliance results
Efforts for personal information protection
In the Brother Group, personal information protection policies or privacy policies are formulated at Group companies following the Codes of Practice under the Brother Group Global Charter. For products, personal information is also handled by Group companies in accordance with the aforementioned Codes of Practice.
Basic Product Safety Policies
Brother Industries, Ltd. (hereinafter referred to as "BIL") stands on the principles that offering products to meet customer needs is our way of contributing to society, that product safety is our basis for quality assurance, and that delivering safe products to customers must be our top priority. Based on the above principles, BIL has established "Basic Product Safety Policies" as described below that are to be observed at BIL and its group companies in order to ensure the safety of our products.
1. Compliance with Regulations
We will commit ourselves to comply with regulations, guidelines and other rules relevant to product safety, and to behaving with ethical standards while paying serious attention to the standards of safety culture.
2. Establishing and Practicing Voluntary Action Plans
Based on the above basic policies, we will establish, practice, and continuously upgrade voluntary product-safety action plans in order to realize product safety based on our credo that "customers" and "product safety" come first.
3. Securing Product Safety
In order to offer safe and reliable products to customers, we will establish voluntary safety criteria and continuously upgrade them in addition to observing the safety criteria stipulated in applicable laws and industry standards. In addition, we will do our best to provide safe and reliable products by giving necessary education and training to our employees to ensure product safety and prevent accidents resulting from product failures.
4. Collection and Disclosure of Information Related to Product Failures
We will actively collect information relevant to product failures from customers, and disclose such information to customers at an appropriate time and in an appropriate manner.
5. Reporting Product Failures
If a serious product failure occurs, we will immediately report the factual details about the failure to the responsible authorities as ordered by their decrees.
6. Product Recall
If a product failure accidentally occurs, we will immediately collect facts about the failure and investigate the cause. Furthermore, if necessary, we will take every measure required to prevent the occurrence of further hazards or expansion of the existing hazard by reporting the facts to customers and recalling affected products.
7. Measures for Preventing Improper Use
We will do our best to prevent accidents resulting from improper or careless use of our products, by placing reminders in instruction manuals and on products to reinforce correct use.
Brother Industries, Ltd.
Representative Director & President
Efforts Regarding Product Safety
Safety Data Sheets (SDS)
To allow our products to be used safety, BIL creates Safety Data Sheets (SDS)—by language and product—that consolidate information such as the safe handling of chemical substances found in products.
For details, please see the download site for Safety Data Sheets (SDS).
