The Center for Financial Industry Information Systems (FISC) 金融情報システムセンタhas established “FISC Security Guidelines on Computer Systems for Financial Institutions 金融機関等コンピュータシステムの安全対策基準" (FISC Security Guidelines ) for the promotion of security measures for financial institutions' information systems, in collaboration with its member institutions, the Financial Services Agency, and the Bank of Japan.
Overview of FISC Security Guidelines
The FISC Security Guidelines were first released in 1985 to provide a comprehensive and practical framework for financial institutions to build, maintain, and enhance the security, reliability, and resilience of their computer systems. These guidelines were revised over the years to reflect the changing environment, and the latest 13th edition was released in March 2025.
The latest edition of the FISC Security Guidelines aims to help financial institutions adopt practical and effective security measures for their information systems, based on decisions made by management and the risk profile of the system. The Council of Experts on Outsourcing in Financial Institutions recommended extensive revisions to the FISC Security Guidelines, including expanding external controls and IT governance based on a risk-based approach.
The FISC Security Guideline is composed of four parts: Control, Practice, Facilities and Audit Guidelines.
- Banks (Megabanks, Regional Banks, Trust Banks)
- Securities companies
- Insurance companies
- Credit associations
- Other financial service providers
- Information system services outsourced by financial institutions (including cloud services and shared data center services)
Compliance Brief
FISC Security Guidelines for Japan Financial Institutions
Learn how financial institutions in Japan can comply with FISC Security Guidelines using risk-based controls for data, applications, identities, and cloud systems.
How Thales Helps with the FISC Security Guidelines in Japan
Thales’ solutions can help financial institutions in Malaysia to address the Security Guidelines on the four guidelines – Control, Practice, Facilities and Audit by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.
FISC Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, and a secure Content Delivery Network (CDN).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the FISC Guidelines
CONTROL – 1. Internal control
How Thales helps:
- Discover and classify all of your data stores and categorize them based on sensitivity and value.
- Classify file content to understand what it means to the financial institutions from a security or privacy perspective.
- Standardize data security controls across large and complex data environments for full visibility and centralized command across hybrid IT.
How Thales helps:
- Run assessment tests on data stores such as MySQL or so to scan for known vulnerabilities.
- Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI-DSS benchmarks to help you keep your databases covered for the latest threats.
- Offer advanced API Verification capabilities to strengthen your defenses against potential vulnerabilities.
Solutions:
Application Security
Data Security
How Thales helps:
- Identify structured and unstructured sensitive data at risk across Hybrid IT.
- Classify and assign specific sensitivity levels for data when you are defining your data stores and your classification profiles for different types of data sets.
How Thales helps:
- Identify the current state of compliance and document gaps.
CONTROL – 2. External Control
How Thales helps:
- Reduce third-party risk by maintaining on-premises control over encryption keys, protecting data hosted in the cloud.
- Enforce separation of roles between cloud provider admins and your organization and restrict access to sensitive data.
- Protect and automate access to secrets across DevOps tools.
- Monitor and alert to anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable relationship management with suppliers, partners or any third-party user, with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
PRACTICE – 1. Information Security
How Thales helps:
- Pseudonymize and mask sensitive information for production or tests while maintaining the ability to analyse aggregate data without exposing sensitive data.
How Thales helps:
- Secure data at rest using a standard protocol (KMIP), primarily for storage devices, virtual environments, and databases.
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Protect data in use by leveraging confidential computing.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
- Offer security solutions designed for a post-quantum upgrade to maintain crypto-agility.
How Thales helps:
- Protect data in motion with high-speed encryption.
How Thales helps:
- Limit access to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Provide customers with secure access to their information in the organization’s systems.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Leverage smart cards for implementing physical access to sensitive facilities.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Protect the private keys as the root of Trust.
- Offer encryption at Layers 2, 3, and/or 4 to secure data in transit without slowing down the network.
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application.
- Protect against phishing and man-in-the-middle attacks.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Limit access to systems and data based on roles and context with policies.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Apply contextual security data access monitoring based on risk scoring.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Provide data activity monitoring for structured and unstructured data across cloud and on-prem systems.
- Produce audit trail and reports of all access events to all systems, stream logs to external SIEM systems.
- Offer overall organization risk status that includes risk score and trends.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Streamline key management in the cloud and on-premises environments.
- Unify key management operations with role-based access control and provide full audit log review.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
How Thales helps:
- Detect and prevent cyber threats with web application firewall.
- Reduce third-party risk by maintaining on-premises control over encryption keys.
- Enforce separation of roles between cloud provider admins and your organization and restrict access to sensitive data.
- Monitor and alert to anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable comprehensive secrets management of credentials, certificates and keys, including static secrets, dynamic secrets, SSH keys, API keys and tokens.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
Solutions:
Application Security
Data Security
Data Discovery & Classification
Identity & Access Management
How Thales helps:
- Detect system threats with Web Application Firewall, API Security and Database Security and stream logs to SIEM system.
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Apply contextual security measures based on risk scoring.
- Alert or block database attacks and abnormal access requests in real time.
- Monitor file activity over time to set up alerts on activity that can put financial institutions at risk.
- Continuously monitor processes for abnormal I/O activity and alerts or blocks malicious activity.
- Monitor active processes to detect ransomware – identifying activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alerts/blocks when such an activity is detected.
How Thales helps:
- Run assessment tests on data stores such as MySQL or so to scan for known vulnerabilities.
- Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI-DSS benchmarks to help you keep your databases covered for the latest threats.
- Offer advanced API Verification capabilities to strengthen your defenses against potential vulnerabilities.
Solutions:
Application Security
Data Security
How Thales helps:
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Monitor ICT network and protect from DDoS attacks and Bad Bots.
- Detect and prevent cyber threats with web application firewall.
- Monitor data access activity over time to set up alerts on activity that can put financial institutions at risk.
- Alert or block database attacks and abnormal access requests in real time.
Solutions:
Application Security
Data Security
How Thales helps:
- Monitors data access with an audit report, in addition to triggering alerts or automated responses (like blocking access).
- Monitor active processes to detect ransomware – identifying activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alerts/blocks when such an activity is detected.
- Enforce access policies directly on data, any unauthorized access attempt returns only encrypted ciphertext.
How Thales helps:
- Monitor ICT network and protect from DDoS attacks and Bad Bots.
- Use signature, behavioral and reputational analysis to block all malware injection attacks.
- Detect and prevent cyber threats with web application firewall.
- Detect unusual data access patterns that indicate malicious activity.
- Analyze data risks and user behavior anomalies for broader threat detection.
- Monitor I/O and block suspicious activity before ransomware can take hold.
- Prevents malicious software and users from accessing sensitive data.
Solutions:
Application Security
Data Security
PRACTICE – 2. Common system operation
How Thales helps:
- Limit access to systems and data based on roles and context with policies.
- Leverage smart cards for implementing physical access to sensitive facilities.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Analyze access activity and deliver risk intelligence for IT teams to proactively monitor and investigate potential access risks.
- Enforce data access rights and detect policy violations through real-time monitoring.
- Apply contextual security measures based on risk scoring.
- Protect sensitive data with encryption, ensuring confidentiality is maintained even against unauthorized access.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Pseudonymize sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized and to prevent exposure of real data applications and personnel.
- Protect data in motion with high-speed encryption.
How Thales helps:
- Streamline key management in cloud and on-premises environments.
- Unify key management operations with role-based access control and provide full audit log review.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
How Thales helps:
- Reduce third-party risk by maintaining on-premises control over encryption keys, protecting data hosted in the cloud.
- Enforce separation of roles between cloud provider admins and your organization, and restrict access to sensitive data.
- Monitor and alert to anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
PRACTICE – 3. Operation control
How Thales helps:
- Discover and classify all of your data stores and categorize them based on sensitivity and value.
- Classify file content to understand what it means to the financial institutions from a security or privacy perspective.
- Standardize data security controls across large and complex data environments for full visibility and centralized command across hybrid IT.
How Thales helps:
- Gain visibility by monitoring and auditing all database activity.
- Identify abnormal user behavior and translate complex technical events into plain language to accelerate remediation.
- Automatic reconciliation of production changes.
- Vulnerability assessment and risk mitigation.
- Detect changes in data layer schemas.
- Approval process for production-level changes.
PRACTICE – 4. Management of various facilities
How Thales helps:
- Leverage smart cards for implementing physical access to sensitive facilities.
- Limit access to systems and data based on roles and context with policies.
How Thales helps:
- Monitor ICT network and protect from DDoS attacks and Bad Bots.
- Use signature, behavioral and reputational analysis to block all malware injection attacks.
- Detect and prevent cyber threats with web application firewall.
- Detect unusual data access patterns that indicate malicious activity.
- Analyze data risks and user behavior anomalies for broader threat detection.
- Monitor I/O and block suspicious activity before ransomware can take hold.
- Prevents malicious software and users from accessing sensitive data.
Solutions:
Application Security
Data Security
PRACTICE – 7. System development and modification
How Thales helps:
- Enforce security-by-design by ensuring sensitive data is protected during system development and modification.
- Provide developers with accessible data protection tools such as encryption and key management to integrate security early in the development lifecycle and foster DevSecOps practices.
- Shift Data Security operations to Data Security Admins, enabling better segregation of duties and change control for system modifications.
- Deploy data protection controls in hybrid and multi-cloud applications to protect DevSecOps.
- Easily access data security solutions through online marketplaces.
- Protect and automate access to secrets across DevOps tools.
- Secure change management by enabling integration tools for versioning, traceability, and rollback capabilities.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
How Thales helps:
- Pseudonymize and mask sensitive information for production or tests while maintaining the ability to analyse aggregate data without exposing sensitive data.
How Thales helps:
- Remove keys from CipherTrust Manager can ensure secure deletion, digitally shredding all instances of the data.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
PRACTICE – 8. Measures to improve system reliability
How Thales helps:
- Automate CI/CD pipeline with built-in data security such as encryption and key management to ensure that security policies are consistently applied across all development and deployment stages.
- Deploy data protection controls in hybrid and multi-cloud applications to protect DevSecOps.
- Free developers to write custom encryption code or manage crypto standards and minimize the risk of introducing security flaws during development.
- Enable better segregation of duties and change control for system modifications by shifting Data Security operations to Data Security Admins.
- Secure change management by enabling integration tools for versioning, traceability, and rollback capabilities.
- Protect and automate access to secrets across DevOps tools.
- Pseudonymize and mask sensitive information for production or tests while maintaining the ability to analyse aggregate data without exposing sensitive data.
- Easily access data security solutions through online marketplaces.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
PRACTICE – 9. Individual operations and services
How Thales helps:
- Enable secure remote access for employees to all company resources on-premises or in the cloud with a seamless user experience.
- Enable MFA with the broadest range of hardware and software methods.
- Build and deploy adaptive authentication policies.
Solutions:
Identity & Access Management
How Thales helps:
- Identify and classify sensitive data before use by AI applications and LLMs.
- Prevent sensitive data from being used by AI or protect sensitive data during training, fine-tuning and in RAG process when used by LLMs.
- Comply with regulations with automated policy enforcement.
- Detect and prevent malicious AI-powered Bot attacks on AI model, data or application.
- Prevent data extraction and business logic abuse by detecting and protecting vulnerable APIs.
- Mitigate API abuse in real time by monitoring and protecting API traffic.
- Analyze every input and output in real time, detecting and stopping malicious activity.
- Block malicious or manipulative prompts before they reach the model.
- Detect and block exposure of sensitive information or harmful AI outputs.
- Identify, classify, and protect sensitive data before Retrieval-Augmented Generation (RAG) ingestion.
- Protect data during the ingestion, embedding and within the vector database.
- Continuous, real-time monitoring of all interactions with databases and unstructured data across the RAG lifecycle.
Solutions:
Application Security
Data Security
FACILITIES – 1. Data Centers
How Thales helps:
- Protect cryptographic keys in FIPS-validated and tamper-evident hardware.
AUDIT – 1. System auditing
How Thales helps:
- Provide audit trails of API calls, authentication attempts, and authorization decisions, ensuring accountability and facilitating compliance audits.
- Produce audit trail and reports of all access events to all systems, stream logs to external SIEM systems.
- Prevent unauthorized access and alteration to its internals, including the audit logs.
- Gain visibility by monitoring and auditing all database activity.
- Provide a clear audit trail for demonstrating cryptographic control from centralized key management systems, logging all key lifecycle events such as key creation, rotation, and access.
- Offer encryption logs, data access attempts, and encryption/decryption events, providing auditable proof of data protection without application modifications.
Solutions:
Application Security
Data Security
Identity & Access Management
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.