KONICA MINOLTA

About Konica Minolta

Giving Shape to Ideas

Customer Satisfaction and Product Safety

Enhancing the Security of Products and Services

Click to jump to the corresponding section in this page

Konica Minolta's Approach

Background and Issues

In line with its vision “Imaging to the People,” Konica Minolta is working to develop and provide products and services utilizing the latest digital technologies such as IoT and artificial intelligence (AI). Yet, simultaneously, cyber-attacks targeting individuals and companies continue to rise, their methods becoming subtler and more sophisticated. Products and services offered by Konica Minolta may also pose a risk of exposing customers to security threats. Therefore, efforts are required to ensure secure products and services, and to prevent product security incidents in the marketplace. In the event of a security breach, Konica Minolta is committed to pursuing a quick recovery and resolution to minimize customer damage.

Vision

Konica Minolta aims to raise each employee’s quality assurance awareness from the customer’s point of view, achieve quality of high-reliability in its products and services, and also provide products and services that, in terms of security, can be used safely and securely.

Key Measures and KPIs

Complete elimination of serious product security incidents
KPI Results Targets
FY2020 FY2021 FY2022 FY2022 FY2023 FY2024 FY2025
Number of serious product security incidents* 0 0 0 0 0
Major business losses related to product security (JPY)) 0 0 0 0 -
*
Serious security incidents refer to those product security incidents that cause serious and significant harm to the products and services user’s business

Promoting Secure Development and Operation Processes

Konica Minolta is committed to developing and operating secure products and services.

Konica Minolta is globally committed to preventing serious product security incidents by developing and providing secure products and services and taking initiatives to operate and maintain them securely.

Product Security Guidelines

Konica Minolta has established product security guidelines as internal regulations and procedures for assuring secure development and operation, and it carries out secure development and operation processes for products and services across the Group. Development and operation in conformity with the product security guidelines apply to all products and services of the Konica Minolta Group. This commitment lasts the entire life cycle, from the planning and proposal of products and services to their disposal and end of service, and includes the supply chain, such as development and operation contractors and suppliers.
In addition, Konica Minolta regularly holds company-wide product security promotion meetings to discuss product security issues, and strives to continuously enhance its security level by sharing information on the most effective practices from inside and outside the company.

Company-wide promotion system

Fiscal 2017 results of CSR assessment for suppliers

Konica Minolta, Inc. established a company-wide system for implementing product security, giving the Chief Quality Officer responsibility for it. Under the supervision of the Quality Management Headquarters, the company is expanding the product security promotion activities to all of business divisions.

Threat Analysis and Security Measures

When developing products and services, Konica Minolta conducts threat analyses in the upstream stage of development in order to eliminate system design vulnerabilities and prevent security incidents from occurring down the line. Envisioned security threats to assets that need to be protected are comprehensively identified, and security measures to counter those threats are studied and reflected in the requirements definition.
Moreover, Konica Minolta set up a Secure Development CoE consisting of internal security experts to assist the improvement of professional skills related to product security in each department.

Vulnerability Assessment

Software developed by Konica Minolta, and the Open Source Software (OSS) modules and applications incorporated into it, may have security flaws called vulnerabilities. Since releasing vulnerabilities can lead to security incidents caused by cyberattacks, vulnerability assessments must be performed during the development phase and any problems must be fixed before the launch of the product or service. Konica Minolta centrally manages OSS usage across the company and has made available multiple static analysis tools (SAST) and dynamic analysis tools (DAST) as company-wide vulnerability diagnostic tools to detect and correct software and system vulnerabilities. In addition, regarding products and services for which security risks are of particular concern, Konica Minolta takes even stronger security measures, such as outsourcing penetration testing.

Secure Operation and Maintenance

Konica Minolta has established and deployed within the company guidelines for secure operation and maintenance so that following market launch customers can continue to use products and services with peace of mind. The guidelines are used in an effort to prevent security incidents caused by oversights or errors in market support.

Product Security Education

Konica Minolta has prepared several educational programs for employees to ensure the implementation of secure development and operation processes with the aim of improving employee awareness and skills in product and service security. The company held programs new employee education, product security general education, and threat analysis workshops, executes product security education for all employees involved in products and services which are to be security considered. The company will continue to expand and enhance its educational programs, aiming for a higher level of understanding.

Gathering and Addressing Vulnerability Information

Konica Minolta will continue to gather and address vulnerability information after shipment and/or operation commencement of products and services, to continue providing safe and secure products and services.

Gathering and Addressing Disclosed Vulnerability Information

New vulnerability information for software is discovered and reported daily. More than 20,000 new vulnerabilities (actual result in fiscal 2021) were reported by NIST’s*2 NVD*3 in the United States in that one year alone. That is why it is necessary to gather vulnerability information and address the vulnerabilities even after the launch of products and services. Konica Minolta monitors this information on a daily basis, including open databases of vulnerability information other than NVD. This allows Konica Minolta to catch information that may affect its products and services at an early stage and spread it throughout the company while implementing countermeasures and mitigation steps as necessary to reduce risks for affected products and services.

*2
NIST: National Institute of Standards and Technology
*3
NVD: National Vulnerability Database, released by NIST

KONICA MINOLTA PSIRT

In December 2017, Konica Minolta established and began operating KONICA MINOLTA PSIRT*4 as a company-wide organization for cooperation with external public organizations. PSIRT manages information on product and service vulnerabilities throughout the company and takes necessary measures. It also works with the CSIRT team, which handles security incidents for internal IT assets, to establish a system to roll out necessary responses globally. Furthermore, in May 2019, it joined FIRST*5, an international forum of approximately 500 CSIRT and PSIRT teams from 92 countries, and put in place a system that enables intra-company information coordination and contribution to security.

If PSIRT discovers vulnerability information that could affect Konica Minolta’s products and services, it follows internal rules governing how to handle vulnerability information to verify, triage, and address the vulnerabilities, and consider the disclosure of information as necessary. The internal rules are based on NIST’s Cyber Security Framework*6, FIRST’s PSIRT Services Framework*7, and other Japanese and international guidelines.

An important role of PSIRT is to receive and respond to vulnerability information from external stakeholders. If vulnerabilities in Konica Minolta’s products or services are discovered by security researchers, security vendors, or others, PSIRT acts as a direct or indirect point of contact to report vulnerability information. In the event a vulnerability report is received, PSIRT will take appropriate action in accordance with international vulnerability handling processes*8*9*10.

*4
PSIRT: Product Security Incident Response Team
*5
FIRST: Forum of Incident Response and Security Teams: https://www.first.org/
*6
Cyber Security Framework: https://www.nist.gov/cyberframework
*7
PSIRT Services Framework:
https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1
*8
ISO/IEC 29147: Information technology — Security techniques — Vulnerability disclosure:
https://www.iso.org/standard/72311.html
*9
ISO/IEC 30111: Information technology — Security techniques — Vulnerability handling processes:
https://www.iso.org/standard/69725.html
*10
Information Security Early Warning Partnership Guideline:
https://www.ipa.go.jp/security/english/about_partnership.html

Responding in the Event of a Product Security Incident

In the event of a product or service security incident in the market, Konica Minolta will strive to respond promptly.

Escalation System in the Event of a Product Security Incident

Konica Minolta works to prevent security incidents through secure development and operation processes and to gather and address vulnerability information after launch, but the possibility of problems caused by design bugs and operational oversights or errors is not zero. In addition, cyber-attack methods continue to become subtler and more sophisticated, making it nearly impossible to completely eliminate security incidents.
Konica Minolta responds to market quality issues based on its Group Market Quality Control Rules. In the event of a product or service security incident, it registers information in a Group-wide serious accident report database, the same as when product quality-related issues occur, and immediately sends the information to relevant persons within the company, including the Chief Quality Officer. Information is also sent to the Chief IT Officer and to CSIRT, and a company-wide effort is made to quickly recover from security incidents, analyze their causes, and prevent recurrence. In the unlikely event of a leakage of a customer’s confidential information or personal information due to an incident caused by a product or service, Konica Minolta will apologize and explain the facts to the customer and promptly report the incident to the relevant authorities and organizations.