Information Security

in Nokia
Uvais Momin
March 2016

1 © Nokia 2016
Nokia Internal Use
Information

“Information is an asset that, like other important business assets, is essential to

an organization’s business and consequently needs to be suitably protected.”
-BS ISO/IEC 17799:2005

Information life cycle

2 © Nokia 2016
Nokia Internal Use
Why Information security ?

• Internet connectivity is ubiquitous

• Businesses and government require network inter-connectivity
Business • Infrastructure has expanded as technology and business processes have become inseparable
Environment • Out-sourcing of critical business functions is common
• Migration of critical business functions offshore

• All regulatory compliance requirements that impact business either specify protection of information
Legal / assets or are dependent upon protected assets
Regulatory • Information regulation (any regulation that affects information assets) creates dependencies upon
Compliance effective privacy and security for most, if not all, critical business processes and functions

• Increased awareness amongst the end customers about their privacy rights.
• Increased demand for focus on information security practices.
Customer • Increased focus on audits to control flow of organizations information.
• Inclusion of penalty clauses in the contract agreements.

3 © Nokia 2016
Nokia Internal Use
Nokia Information security functions
Monitor industry practices

Strategy

Metrics, investigation, Policy, Procedure,

Compliance Policy
security escalation Standards, Risk Treatment

Testing, logs,
Metrics & incident Monitor Awareness Training &
management communication

Implement

4 © Nokia 2016 Security architecture

Nokia Internal Use and engineering
Information security concepts

5 © Nokia 2016
Nokia Internal Use
Nokia Information security policy
Nokia Group’s Information Security aims to:
Objective • Protect and Safeguard Nokia’s sensitive information and business processes
• Enable and Enhance the security features of our solutions provided to the customers

The Nokia Security Policy and its standards cover information, data, software, hardware and
Scope networks used globally by all Nokia Group businesses and all the subsidiaries and affiliates
of Nokia Corporation.

Confidentiality: Protection of information by ensuring that information is accessible only

to authorized persons.
Integrity: Assuring the accuracy and completeness of information and associated
information processing methods.
Availability: Ensuring that information and associated assets or systems are available to
Principles authorized users when required.
Accountability: This principle establishes ownership, acknowledgement and assumption
of responsibility of actions performed by an authorized user. This also refers to sufficient
defenses against claims of information forging, and being able to connect an individual to
a transaction beyond reasonable doubt.

Any exception to the above described Security Policy principles is evaluated as per case,
Exceptions using the organizational risk assessment methodology.
6 © Nokia 2016
Nokia Internal Use
Nokia Information classification
Strategy plans, financial information
Secret before release, Merger & Acquisition
(M&A) information etc. Controlled
For named recipients only Information:
• Intellectual
property
Confidential Product design & specifications, financial
data, project plan, budget plan etc.. • Regulated
Information
Limited distribution within a group • Customer
Information
• Competitor
Nokia Internal Use Organization chart, phone directory,
Internal policy documents, internal Collaboration
Within Nokia Group / Partners with communication etc.
NDA

Material owner is responsible for the

classification during the material
creation. Information user is responsible
for the correct storing, distribution,
copying and disposal of the material.

7 © Nokia 2016
Nokia Internal Use
 Nokia Information classification – Customer Information
Nokia Group processes or manages a lot of customer information in various forms, which could be
segregated into three sub-categories.
1. Customer operational data: infrastructural systems including elements, networks and platforms, as
well as benchmarks and performance data used by Nokia Group to assess, deliver, manage and
support Nokia Group solutions that are owned or contracted by the customer.
2. Customer business data: includes any customer’s business operations related information,
excluding the Customer operational data. Customer business data comprises protected customer
employee information that is related to the internal business operations of the customer. It also
includes any data that a customer might require to be separated from other Nokia Group customers.
3. Customer Subscriber data: includes all the information related to the customer’s mobile or other
service subscribers. This data is the “data of our customer’s customers” and therefore it is the most
sensitive data we may come into contact with. This type of data is extremely important and needs to
be protected due to the possible market, regulatory and punitive ramifications of breaches.
All categories of customer related data must be treated as “Confidential”.

8 © Nokia 2016
Nokia Internal Use
Privacy and information types
Example 1: Privacy sensitive
information types e.g. race and sexual
orientation are classified secret if they
are connected to information through
which an individual could be
identified.

Example 2: Some pseudonym

information can be treated as Nokia
Internal Use information. However,
as this often provides a competitive
advantage to Nokia Group, we may
want to label it as “Confidential”.

Example 3: By signing a Nokia Group

employment contract, an employee by
default agrees that certain parts of his
PII (Personal Identifiable Information)
data is treated as Nokia Internal Use
and can be sampled in internal people
search function engines.

9 © Nokia 2016
Nokia Internal Use
Intellectual property
• Intellectual property is any information that provides a competitive economic advantage to Nokia
Group. The term Intellectual property comprises business and professional secrets alike and any
other confidential information that Nokia Group wishes to protect.
• Revealing Intellectual property information without proper approval from the relevant authorities, could
cause financial loss to Nokia Group or to our business or cooperation partner.
• The value of Intellectual Property Rights (IPR) can be determined by using methodologies like
Business Impact Analysis (BIA), Risk Assessment (RA) etc.
• Examples of intellectual property:
• Trade secrets, patents, copyrights, trademark etc.
• Innovations and possible products before they are officially commercialized (up to local management to define
the limits, e.g. university collaboration).
• Strategies until they are communicated widely to all employees.
• Special security measures (e.g. additional access controls to files or premises) that are in place to protect
information or e.g. Fraud prevention methodologies and system configurations.
• Financial information that has not been published, including insider information.
• Software source code: source codes developed for Nokia Group products.
10 © Nokia 2016
Nokia Internal Use
Nokia Incident management

Incident Incidents can be reported by employees, third party, collaborators

All incidents are logged in ARCHER tool for tracking with an owner

An analysis / investigation is carried out as per case requirements.

Analysis Information provided to the relevant stakeholders – Legal / HR / HSS / Line
manager

Based on the inputs from all stakeholders relevant action is taken for the incident
Action This may also lead to initiation of HR / IT disciplinary process

Learning from all critical incidents are captured & published as a case study for
Learning relevant stakeholders to avoid future instances.

Report all information security incidents to security@nokia.com

11 © Nokia 2016
Nokia Internal Use
Nokia Information security violation disciplinary action policy
The objective of the policy is to define and provide guidelines for taking the necessary
disciplinary action by the company to protect Nokia confidentiality of information against
Objective illegal activities, human error, abuse, data leakage, non compliance to Information Security
policy and other forms of criminal activities.

The Policy is applicable to all regular employees of Nokia including full-time, fixed term and
Scope part-time employees, externals (accessing Nokia network and/or infrastructure) involved in
employment or other activities on behalf of the Nokia.

Minor: Unlicensed software installation for local use, unauthorized entry to information
processing facilities, virus incident(s).
Significant: Unauthorized disclosure of confidential information, Peer to peer client
installation with malicious intent, Non adherence to Nokia IT security policy, violation of
electronic communication policy, misappropriation of email services, non adherence to
Categories country specific regulations, multiple instance of Botnet connections, repeated virus
incidents
Major: Hacking or intrusion into Nokia IT systems/applications, unauthorized change
management of IT systems, disclosure of Nokia & customer sensitive information, more
than one incident of spam mail(s) and/or P2P client installation, sensitive personal
information disclosure, disclosure/misuse of IPR, unauthorized use of accounts or access
privileges.

Team Representation from HR, IT, HSS, Line manager, Legal & compliance.
12 © Nokia 2016
Nokia Internal Use
Information Security – Do’s & Don’ts

Critical system Use appropriate

Protect Nokia
access must be classification for
Intellectual
approved Nokia information
property (IPR)

Follow Nokia
Use Licensed USE ‘RME’ password policy.
Software solution for USB Use strong
encryption passwords

Check your Avoid using

Nokia ID’s in Avoid & Report
email recipients tailgating !!!
public domains

Use Encryption for Report Security Act responsibly

confidential data Incidents at when you connect
security@nokia.com your own device to
Nokia IT network!

13 © Nokia 2016
Nokia Internal Use