Information security of Konecranes products and services is achieved by implementing a relevant set of security controls. The list below describes security controls implemented by Konecranes to protect its information assets and ensure the confidentiality, integrity and availability of the Konecranes products and services. More details on the measures are available upon request.
Konecranes established the following technical and organizational security measures, under the ISO 27001 standard, to protect its information assets:
- Information security policies: Konecranes information security policy provides management direction and support for information security in accordance with business requirements, relevant laws and regulations. The policy covers information technology and operational technology.
- Organization of information security: Information security programs and processes are defined, implemented and developed by a dedicated staff, guided by the Information Security Steering group.
- Human resource security: Information security requirements are taken included into employee onboarding and exit processes.
- Asset management: Konecranes maintain an asset inventory for servers, databases, workstations and mobile devices. The disposal of assets is done in a secure and environmentally friendly way. Konecranes is implementing an information classification system and labelling to ensure that information assets are protected.
- Access control: Konecranes identity and access management processes and systems ensure that employees, suppliers and customers access to IT systems are authorized and restricted based on the business and security requirements. Internal employees account lifecycle is linked with HR system for real time entry – exit process. Supplier user accounts have defined ownership and lifecycle management.
- Cryptography: Cryptography controls ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. Konecranes equipment containing company information, such as workstations and mobile devices, are encrypted. Konecranes utilizes cryptographic protocols (TLS) to protect information in transit over public networks.
- Physical and environmental security: Konecranes prevents unauthorized physical access, damage and interference to the organization’s information by setting secure areas at our facilities and data centers. These physical security perimeters are controlled by electronic systems. All Konecranes employees, external workers and visitors have unique badges with access rights to the defined facilities.
- Operations security: Konecranes monitors devices and networks and uses security information and event management (SIEM) to identify abnormal behaviour or potential cyberattacks. Konecranes has processes in place for vulnerability management, malware protection and information system audits. Information Technology function and IT suppliers also follow incident, problem and change management processes to ensure the availability, stability and security of our IT environment.
- Communications security: Konecranes uses network security controls, such as enterprise firewalls, layered DMZ architectures, intrusion detection and managed security services. Konecranes network domains are segregated based on trust levels.
- System acquisition, development and maintenance: The information security requirements are included in the requirements for acquiring new information systems or enhancements to existing systems.
- Supplier relationships: Suppliers must comply with Konecranes information security policy, processes and practices. Konecranes conducts supplier background checks, uses NDAs and contractually requires all relevant IT suppliers to define their information security processes and controls.
- Information security incident management: Konecranes has a defined information security incident management process, working 24/7 across all countries where Konecranes is present.
- Information security aspects of business continuity management: Information security risks are evaluated as part of the Konecranes yearly risk management process.
- Compliance: Konecranes ensures its compliance with legal and contractual requirements by following legislation, keeping a register of information systems including personally identifiable information, and providing personal data privacy statements for such systems.