Customer Satisfaction and Product Safety
Enhancing the Security of Products and Services
Konica Minolta's Approach
Background and Issues
As a “digital company with insight into implicit challenges,” Konica Minolta is working to develop and provide products and services utilizing the latest digital technologies such as IoT and artificial intelligence (AI). Yet, simultaneously, cyber-attacks targeting individuals and companies continue to rise, their methods becoming subtler and more sophisticated. Products and services offered by Konica Minolta may also pose a risk of exposing customers to data security threats. Therefore, efforts are required to ensure secure products and services, and to prevent product security incidents in the marketplace. In the event of a security breach, Konica Minolta is committed to pursuing a quick recovery and resolution to minimize customer damage.
Konica Minolta aims to raise each employee’s quality assurance awareness from the customer’s point of view, achieve quality of high-reliability in its products and services, and also provide products and services that, in terms of security, can be used safely and securely.
Key Measures and KPIs
- Promoting secure development and operation processes (development of product security guidelines)
- Gathering and addressing vulnerability information (KONICA MINOLTA PSIRT)
- Responding in the event of a product security incident
- Number of serious security incidents*1 in products and services: 0
- Serious security incidents refer to those product-security incidents that cause serious and significant harm to the product user’s business
Promoting Secure Development and Operation Processes
Konica Minolta is committed to developing and operating secure products and services.
Konica Minolta is committed to preventing serious security incidents by developing and providing secure products and services and taking initiatives to operate and maintain them securely.
Product Security Guidelines
Konica Minolta has established product security guidelines as internal regulations and procedures for assuring secure development and operation, and it carries out secure development and operation processes for products and services across the Group. Development and operation in conformity with the product security guidelines apply, in principle, to all products and services of the Konica Minolta Group. This commitment lasts the entire life cycle, from the planning and proposal of products and services to their disposal and end of service, and includes the supply chain, such as development and operation contractors and suppliers.
In addition, Konica Minolta regularly holds company-wide product security promotion meetings to discuss product security issues, and strives to continuously enhance its security level by sharing information on the most effective practices from inside and outside the company.
Threat Analysis and Security Measures
When developing products and services, Konica Minolta conducts threat analyses in the upstream stage of development in order to eliminate system design vulnerabilities and prevent security incidents from occurring down the line. Envisioned security threats to assets that need to be protected are comprehensively identified, and security measures to counter those threats are studied and reflected in the requirements definition.
Software developed by Konica Minolta, and the Open Source Software (OSS) modules and applications incorporated into it, may have security flaws called vulnerabilities. Since releasing vulnerabilities can lead to security incidents caused by cyberattacks, vulnerability assessments must be performed during the development phase and any problems must be fixed before the launch of the product or service. Konica Minolta centrally manages OSS usage across the company and has made available multiple static analysis tools (SAST) and dynamic analysis tools (DAST) as company-wide vulnerability diagnostic tools to detect and correct software and system vulnerabilities. In addition, regarding products and services for which security risks are of particular concern, Konica Minolta takes even stronger security measures, such as outsourcing penetration testing.
Secure Operation and Maintenance
Konica Minolta has established and deployed within the company guidelines for secure operation and maintenance so that following market launch customers can continue to use products and services with peace of mind. The guidelines are used in an effort to prevent security incidents caused by oversights or errors in market support.
Product Security Education
Konica Minolta has prepared several educational programs for employees to ensure the implementation of secure development and operation processes, with the aim of improving employee awareness and skills in product and service security. In fiscal 2019, the company held security training for every new employee, general product security education, and threat analysis workshops, with approximately 500 employees attending the sessions. The company will continue to expand and enhance its educational programs, aiming for a higher level of understanding.
Serious Security Incidents over the Past Five Years
| Number of Accidents | 0 | 0 | 0 | 0 | 0 |
Serious security incidents refer to those product-security incidents that cause serious and significant harm to the product user’s business
Scope: All Konica Minolta products
Gathering and Addressing Vulnerability Information
Konica Minolta will continue to gather and address vulnerability information after shipment and/or operation commencement of products and services, to continue providing safe and secure products and services.
Gathering and Addressing Disclosed Vulnerability Information
New vulnerability information for software is discovered and reported daily. In 2019, information on more than 17,000 new vulnerabilities was released by NIST’s*2 NVD*3 in the United States in that one year alone. That is why it is necessary to gather vulnerability information and address the vulnerabilities even after the launch of products and services. Konica Minolta monitors this information on a daily basis, including open databases of vulnerability information other than NVD. This allows Konica Minolta to catch information that may affect its products and services at an early stage and spread it throughout the company while implementing countermeasures and mitigation steps as necessary to reduce risks for affected products and services.
- NIST: National Institute of Standards and Technology
- NVD: National Vulnerability Database, released by NIST
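The daily check described above amounts to matching the company's centrally managed OSS inventory against newly published vulnerability records, so that every product embedding an affected component is identified early. The following is an added illustration of that matching step, not Konica Minolta's own tooling; the product names, component names, version ranges and advisory identifiers (ADV-0001 and so on) are all constructed placeholders, and in practice the records would come from NVD or another vulnerability feed and the inventory from the company's OSS register.

```python
"""Match an OSS component inventory against vulnerability records.

Added example; the inventory, the vulnerability feed and the advisory
identifiers below are constructed for illustration. Affected ranges follow
the NVD convention of an inclusive start version and an exclusive end
version (the end version is normally the first fixed release).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.

    Simplification (assumption of this example): only the leading digits of
    each dotted component are used, so a pre-release tag such as '0-rc1'
    is read as 0, and short versions are padded to three components.
    """
    nums = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


@dataclass(frozen=True)
class VulnRecord:
    advisory_id: str                  # constructed placeholder identifier
    component: str                    # affected OSS component name
    start_including: Optional[str]    # None = no lower bound
    end_excluding: Optional[str]      # None = no fix published yet
    cvss: float                       # base score used for prioritisation


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    product: str
    component: str
    version: str
    cvss: float
    fix_version: Optional[str]        # remediation target, if one exists


def is_affected(version: str, rec: VulnRecord) -> bool:
    """True when `version` lies in [start_including, end_excluding)."""
    v = parse_version(version)
    if rec.start_including and v < parse_version(rec.start_including):
        return False
    if rec.end_excluding and v >= parse_version(rec.end_excluding):
        return False
    return True


def match_inventory(inventory: dict[str, list[tuple[str, str]]],
                    feed: list[VulnRecord]) -> list[Finding]:
    """Cross every product's components with the feed; highest CVSS first."""
    findings = []
    for product, components in inventory.items():
        for component, version in components:
            for rec in feed:
                if rec.component == component and is_affected(version, rec):
                    findings.append(Finding(rec.advisory_id, product, component,
                                            version, rec.cvss, rec.end_excluding))
    findings.sort(key=lambda f: (-f.cvss, f.advisory_id, f.product))
    return findings


def affected_products(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by advisory: the list each product team needs to see."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.advisory_id, []).append(f.product)
    return {adv: sorted(set(prods)) for adv, prods in grouped.items()}


# Constructed inventory: product -> embedded OSS components and versions.
INVENTORY = {
    "Printer firmware A": [("libexample-tls", "1.2.3"), ("zipper", "3.0.1")],
    "Cloud service B": [("libexample-tls", "1.3.0"), ("webfw", "2.4.0")],
}

# Constructed vulnerability feed (placeholder advisories, not real CVEs).
VULN_FEED = [
    VulnRecord("ADV-0001", "libexample-tls", "1.2.0", "1.2.5", 7.5),
    VulnRecord("ADV-0002", "webfw", None, "2.5.0", 9.8),
    VulnRecord("ADV-0003", "zipper", "4.0.0", None, 5.3),
]

if __name__ == "__main__":
    for f in match_inventory(INVENTORY, VULN_FEED):
        print(f"{f.advisory_id} CVSS {f.cvss}: {f.product} uses {f.component} "
              f"{f.version}; fixed in {f.fix_version or 'n/a'}")
```

Run as a script, the block lists each affected product with the component, the vulnerable version and the first fixed release, sorted so the highest-scoring advisory is handled first; `affected_products` gives the per-advisory distribution list used to spread the information to the teams concerned. The version comparison deliberately ignores pre-release tags, which is acceptable for a first-pass screen but would need a full version scheme for release decisions.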
KONICA MINOLTA PSIRT
In December 2017, Konica Minolta established and began operating KONICA MINOLTA PSIRT*4 as a company-wide organization for cooperation with external public organizations. PSIRT centrally manages information on product and service vulnerabilities throughout the company and takes necessary measures. It also works with the CSIRT team, which handles security incidents for internal IT assets, to establish a system to roll out necessary responses globally. Furthermore, in May 2019, it joined FIRST*5, an international forum of approximately 500 CSIRT and PSIRT teams from 92 countries, and put in place a system that enables intra-company information coordination and contribution to security.
If PSIRT discovers vulnerability information that could affect Konica Minolta’s products and services, it follows internal rules governing how to handle vulnerability information to verify, triage, and address the vulnerabilities, and consider the disclosure of information as necessary. The internal rules are based on NIST’s Cyber Security Framework*6, FIRST’s PSIRT Services Framework*7, and other Japanese and international guidelines.
An important role of PSIRT is to receive and respond to vulnerability information from external stakeholders. If vulnerabilities in Konica Minolta’s products or services are discovered by security researchers, security vendors, or others, PSIRT acts as a direct or indirect point of contact to report vulnerability information. In the event a vulnerability report is received, PSIRT will take appropriate action in accordance with international vulnerability handling processes*8*9*10.
- PSIRT (Product Security Incident Response Team)
- FIRST (Forum of Incident Response and Security Teams): https://www.first.org/
- Cyber Security Framework: https://www.nist.gov/cyberframework
- PSIRT Services Framework
- ISO/IEC 29147: Information technology — Security techniques — Vulnerability disclosure
- ISO/IEC 30111: Information technology — Security techniques — Vulnerability handling processes
- Information Security Early Warning Partnership Guideline
Responding in the Event of a Product Security Incident
In the event of a product or service security incident in the market, Konica Minolta will strive to respond promptly.
Escalation system in the event of a product security incident
Konica Minolta works to prevent security incidents through secure development and operation processes and to gather and address vulnerability information after launch, but the possibility of problems caused by design bugs and operational oversights or errors is not zero. In addition, cyber-attack methods continue to become subtler and more sophisticated, making it nearly impossible to completely eliminate security incidents.
Konica Minolta responds to market quality issues based on its Market Quality Management Rules. In the event of a product or service security incident, it registers information in a Group-wide serious accident report database, the same as when product quality-related issues occur, and immediately sends the information to relevant persons within the company, including the executive officer in charge of quality. Information is also sent to the executive officer in charge of IT and to CSIRT, and a company-wide effort is made to quickly recover from security incidents, analyze their causes, and prevent recurrence. In the unlikely event of a leakage of a customer’s confidential information or personal information due to an incident caused by a product or service, Konica Minolta will apologize and explain the facts to the customer and promptly report the incident to the relevant authorities and organizations.