Kyocera Product Security

In recent years, cyberattacks have increased around the world. The various products connected to networks improve convenience while also exposing those products to the risks of the cyberattacks such as malicious unauthorized access and information leaks. To ensure that customers can use Kyocera Document Solutions Inc. (referred to as “Kyocera”, hereafter) products securely with ease, we commit to provide rigorous protection against these threats and minimize the risks with our security measures described in this document.

The security of products and services is always our top priority. Kyocera implements appropriate security measures in all phases of the product development life cycle. Especially given the “Security by Design” principle that security should be engineered into products at the earliest stage. Kyocera works hard not to create any vulnerabilities in the product from the outset. Also, after products are released to the markets, we continuously provide customers with secure products and services.

Kyocera takes strong security measures in product development lifecycle security, including planning, development, evaluation, production, and sales:

• In the planning phase, we continuously check for the newest security trends and vulnerability information. We learn from the vulnerability information to incorporate them into our new models and solve any security issues at an early stage.
• In the development phase, we actively utilize security design, secure programming, or static analysis tools for development. We also strictly check throughout the development process for potential vulnerabilities to ensure we do not embed any known issues.
• In the evaluation phase, we conduct testing not only within Kyocera but also conduct another security evaluation using an objective, independent third-party organization before releasing our products.
• In the production phase, we establish a secure environment and ensure secure production by strictly following procedures that enable us to perform precise operations.

Even if sufficient security measures are taken at the time of product release, they may become insufficient later because new vulnerabilities are discovered daily. We continuously work hard to identify a security vulnerability, mitigate its impact, and take appropriate security measures against them after product release and operation.

Kyocera conducts threat analysis to proactively eliminate any vulnerabilities at the upstream stages of development. More specifically, we consider what assets need to be protected, what potential threats to the assets are, what the risks caused by the threats are, and what security measures should be taken against the risks. These are all incorporated in security requirements before development.

To avoid embedding any vulnerabilities into our products during the early design and development phases, Kyocera conducts security training on an employee-level basis, such as from new recruit security training up to a relatively professional level of cybersecurity training. Through this education, improving employee’s security knowledge, skills, and awareness continuously enhances Kyocera products and services to provide customers with security and peace of mind.

When an incident occurs, an organization must take immediate action. Kyocera has established a team called PSIRT (Product Security Incident Response Team) internally. PSIRT is composed of representatives from development, quality assurance, risk management, public relations, and Kyocera Group sales companies to quickly respond to security issues (i.e., vulnerabilities and incidents). PSIRT is an organization focused on risk management related to security vulnerabilities that potentially threaten the confidentiality, integrity, or availability of Kyocera’s products and services.

PSIRT has roles such as early detection of critical vulnerabilities in our products, prompt response to vulnerabilities in our products, and communication management with stakeholders.

When a vulnerability is found in practical, PSIRT takes appropriate action in accordance with the following incident handling process.