Center for Financial Industry Information Systems (FISC)

FISC overview

The Center for Financial Industry Information Systems (FISC) is a not-for-profit organization established by the Japanese Ministry of Finance in 1984 to promote security in banking computer systems in Japan. Some 700 corporations in Japan are supporting members, including major financial institutions, insurance and credit companies, securities firms, computer manufacturers, and telecommunications enterprises.

In collaboration with its member institutions, the Bank of Japan, and the Financial Services Agency (a government organization responsible for overseeing banking, securities and exchange, and insurance in Japan), the FISC created guidelines for the security of banking information systems. These include basic auditing standards for computer system controls, contingency planning in the event of a disaster, and the development of security policies and standards encompassed in more than 300 controls.

Although the application of these guidelines in a cloud computing environment is not required by regulation, most financial institutions in Japan that implement cloud services have built information systems that satisfy these security standards, and it can be difficult to justify diverging from them. (The latest guidelines, Version 8 Supplemental Revised, issued in 2015, added two revisions relating to the use of cloud services by financial institutions and countermeasures against cyberattack.)

Conformance with this framework is not required by regulation, and not audited or otherwise validated by the FISC.

Microsoft and FISC

Microsoft engaged outside assessors to validate that Microsoft Azure, Dynamics 365, and Microsoft Office 365 meet requirements of the FISC Security Guidelines on Computer Systems for Financial Institutions 9th Edition Revised. Microsoft provided evidence of compliance in each of the following areas:

  • Datacenter guidelines for buildings and computer rooms, power, air conditioning, datacenter, and facilities monitoring.
  • Operational guidelines for organizations, training, access control, system development, and auditing.
  • Technical guidelines for measures to improve the reliability of hardware and software, and for countermeasures against security risks, including data protection, prevention of unauthorized use, threat detection, and disaster recovery.

Financial institutions can rely on this evaluation of the compliance of these three areas for the in-scope infrastructure and platform services of Azure, Dynamics 365, Office 365, and Microsoft Cloud App Security.

Learn more about validation of external assessors and links to assessors' sites (Japanese only).

Microsoft in-scope cloud services

  • Azure
  • Microsoft Cloud App Security
  • Intune
  • Office 365
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Frequently asked questions

To whom do the FISC guidelines apply?

Banks and other financial institutions in Japan that want to validate their approach to system security, reliability, and auditing, and align with established best practices in Japan, follow the FISC guidelines.

Where can I get more information on Version 8 of the FISC requirements?

The FISC has published two reports from its Council of Experts:

Where can I get the details of Microsoft's responses to the FISC framework?

You can also see security references (in Japanese) from third parties who have evaluated the FISC compliance of Microsoft cloud services.

Can I use Microsoft’s responses to this framework in my organization’s qualification process?

Yes. However, although Microsoft responses to this framework are confirmed compliant by third parties, customers are responsible for validating the compliance of solutions they have implemented on Azure or Office 365.

Resources

Resources in Japanese