KONE maintains technological and organizational measures to protect solutions, networks, devices, and information from unauthorized access or criminal use and to ensure the confidentiality, integrity, and availability of information.
Governance: KONE has business driven security governance, defined security management system, incl. security policies, processes, guidelines, and monitoring and metrics to follow security performance throughout KONE's business operations.
Asset Management: KONE maintains an asset inventory of technology assets, such as applications, platforms, servers, workstations, and mobile devices. The asset inventory includes the asset lifecycle, owner, and criticality. The assets are disposed of in a secure and sustainable manner.
Information Protection: KONE uses information classification to ensure information is protected in accordance with its importance. The protection measures include access controls, cryptography, data masking etc.
Identity and Access Management: KONE’s IAM controls enable the right individuals to access the right resources at the right times for the right reasons. All KONE employees, externals and customers have a unique identifier to separate them from other users. The User IDs must be coming from identified master data systems and have a lifecycle.
Application Security: KONE’s secure development lifecycle ensures that application security requirements are identified early in the lifecycle.
System and Network Security: The outgoing internet traffic in KONE network is secured by cloud-based proxy solution, on-premise firewalls on larger locations and/or by central firewalls in regional hub locations.
Secure Configuration: KONE requires hardware, software, services, and network configurations to be hardened according to the best security practices, for example using the Center of Internet Security’s (CIS) benchmarks.
Threat and Vulnerability Management: KONE’s vulnerability management process defines how the vulnerabilities are identified, remediated and reported. KONE uses Centralized Vulnerability Management System (CVMS) to process vulnerability information from various sources. Regular vulnerability scans cover internet-facing services and infrastructure. Penetration tests are conducted on a case-by-case basis for prioritized solutions, including IoT devices.
Information Security Event Management: KONE’s Security Operations Center (SOC) monitors Security Information and Event Management System’s (SIEM) logs, analyzes events and detects and responds to security incidents. The SOC operates 24/7.
Human Resource Security: Reference and other background checks are performed to ensure the candidate is eligible and suitable for the role for which the candidate is considered. All employees are enrolled to regular, role-based cybersecurity training program.
Physical Security: KONE premises are classified based on a risk assessment. The classification sets the minimum amount of physical security requirements that must be implemented at the site. All KONE premises have physical security perimeters and physical entry controls.
Supplier Relationships Security: KONE has global and unified supplier segmentation model which includes identifying supplier cyber risk profile. Based on the supplier cybersecurity profile, KONE defines mandatory security requirements.
Legal & Compliance: KONE monitors the legal, statutory, regulatory, and contractual requirements impacting KONE and our products and services offered to customers. KONE is actively participating in industry standardization work, such as ISO 8102-20:2022 Electrical requirements for lifts, escalators and moving walks — Part 20: Cybersecurity.
Continuity: KONE Business Impact Assessments set the requirements for recovery time objectives (RTO) and recovery point objectives (RPO). The solutions with high criticality require a documented Disaster Recovery Plan (DRP) which is regularly rehearsed. KONE has requirements towards backup management and capacity management which support KONE’s continuity objectives.
Information Security Assurance: KONE has an annual internal audit program for security and a KONE-wide process and supporting system to manage corrective actions. KONE has IEC 62443 4-1 certification for secure development lifecycle. External security audits and assurance are conducted regularly.
