Customer Privacy
As a technology-oriented company, we place great importance on safeguarding our customers’ right to privacy and security.
Customers and business partners place a great deal of trust in dormakaba as a premium partner for access and security solutions. The company is aware of the importance of the protection of data and information, given that abuse and misuse can lead to major tangible and intangible damage, for example, due to relevant information being unavailable, rendered unusable or incorrect, or – in the worst-case scenario – made available or accessible to a malicious third party.
dormakaba therefore has a responsibility to protect sensitive information – our own, and that of our customers, stakeholders and partners – against unauthorized access, loss or falsification. There is a strong focus on:
- customer data
- operating and business data
- IT systems
- financial data
- employee data
Considering all information and data available within dormakaba, we pursue the following security aims:
- Confidentiality: Assurance that access to information is limited to the persons entitled to see it.
- Availability: Entitled persons can access information during defined periods and from defined locations.
- Integrity: Assurance that information is correct and complete.
Information Security Management System at the core
To meet this challenge, senior management introduced an Information Security Management System (ISMS) in line with best practice in the industry. Andreas Häberli, Chief Technology Officer (CTO) of dormakaba, is also the Chief Information Security Officer (CISO) within the ISMS. This management system is based on the international ISO/IEC standard 27001:2013, the most recognized standard in the field. Certification to the standard is planned in the 2018/19 financial year.
As outlined in the Group Directive Information Security, the goal of the ISMS is to achieve and maintain an adequate security level leveraging risk management methods, continuous improvement and best practices, adjusted to dormakaba needs. The risk management included in the ISMS is used to identify, assess and treat risks adequately.
Reporting to the CISO, the Group Information Security Manager is responsible for anticipating and assessing new threats regarding information security risks and for implementing the necessary security levels for dormakaba, as defined by the Security Board in accordance with its Charter. In addition, Information Security Coordinators (ISC) are responsible for implementing the ISMS within an assigned Segment or Group function and for providing support during security audits.
Information is classified by confidentiality based on its content and on the protection required to maintain its integrity or availability, in line with the Group Directive Data and Information Classification. Each piece of information must carry a classification with its own security requirements. Employees are made aware of the proper means for destroying and disposing of information, as well as what to do in case of loss or misuse of information.
In the 2017/18 financial year, focus was placed on aligning internal processes for compliance with the new EU General Data Protection Regulation (GDPR). The GDPR aims primarily to give citizens and residents control over their personal data, bringing with it a new set of "digital rights" for EU citizens at a time when the digital economy places increasing economic value on personal data. dormakaba maintains records of data processing activities in accordance with the GDPR and has implemented the required procedures, such as amending the privacy policy and declaration and ensuring proper data processing by third parties (processors).
Grievance mechanism
dormakaba has a security incident management process in place as part of its ISMS to ensure quick and effective handling of any incidents. Possible security issues are tracked and solved with a ticket system. The process is reviewed once per year and the quality is measured by various performance indicators, such as the ratio of resolved security incidents within the target timeframe.
Evaluation of the management approach
The management approach is evaluated according to ISO/IEC 27001. In addition, security reports are provided to the Executive Committee, and management reviews take place regularly to gauge the suitability, adequacy and effectiveness of the management system.
The management reviews are documented and minuted. Observations, conclusions and recommendations for further necessary action arising from the review are recorded. If any corrective action is required, top management follows up to ensure that the action was effectively implemented.