
Security and privacy
Security and privacy are the cornerstone of our product proposition. We work to ensure a common security baseline enforced for all products and services. We emphasize sustainable design and underscore the importance of end-to-end product security testing.
Highlights from our 2022 sustainability report, People & Planet, include:
- Our commitment to privacy spans every facet of our decision making and product design
- About 98% of our employees completed the Information Security Awareness training
- We opened the ASTaR 5G end-to-end testing lab, having a singular focus on cybersecurity
- In privacy matters, Nokia uses its ‘Three lines of defense’ risk model
- Our ‘Three lines of defense’ risk model consists of business groups and corporate functions forming the first line of defense, central privacy experts as the second line, and an independent audit team as the third

Security and privacy are part of everything we do. By design through delivery, and without compromise, we work to ensure your network is seamlessly secure.
- We protect your information as rigorously as we protect our own
- We are transparent in our security practices
- We embed security into all our products and services
- We will inform you promptly of any serious product or service vulnerabilities that affect you
- We independently validate our security practices
We are constantly working to improve our threat and attack prevention, detection and response capabilities.
Through the work of Nokia Bell Labs security research, as well as experts across the company, we offer an innovative portfolio as well as end-to-end product testing.

Security
Product Security
In the 5G era, the nature and scale of information networks are evolving, as are the nature and scale of security threats. 5G will interconnect countless new devices, empower new industries, and enable many new applications and use cases. This means that more avenues of attack are available for cyber criminals to compromise critical infrastructure, including the telecommunications infrastructure. Threats and vulnerabilities do not only show up in the individual network components but can also be exploited in the overall solution.
Nokia has taken a new step in safeguarding 5G against such threats by creating the Advanced Security Testing and Research (ASTaR) lab. Throughout 2022, product security and DFSEC requirements have been further enhanced to meet the latest industry standards. For further examples see below.
Customer and Service Security
Nokia has elevated its customers’ trust through the establishment of a security operations governance for services, and a security controls baseline, leading to ISO27001 certification for selected services demonstrating Nokia’s capability to keep up with the ever-increasing legal and regulatory demands of the market.
Information Security
Nokia relies on enforced security policies and standards, security training and programs to ensure the protection of our most precious assets.
Nokia’s cyber resilience refers to its ability to identify, respond, and recover swiftly from a security incident, ensuring Nokia and its customers can retain business continuity and recover to normality quickly in case of a security incident. We have a Nokia managed Cyber Defense Center covering the Nokia enterprise workloads in our data centers, public Cloud, R&D labs, as well as the Nokia Computer Emergency Response team to address critical security incidents.
Nokia developed and maintains an effective and actionable Cyber Resilience Plan, built on a solid assessment of the cyber risks the business is most likely to experience, leveraging the effectiveness of Nokia’s emergency policies, plans and procedures.
Third-Party Security
Nokia’s security ambition is also reflected in its supplier selection processes, contracts and supplier (re)assessments, ensuring effective security is in place in our supply chain and with our third parties.
Governance
As a trusted partner in security for our customers, Nokia aims to meet key regulatory and customer requirements. Nokia’s 2022 information security strategy, cyber risks and programs, which are periodically reported to the executive management level and Board of Directors, embed strong governance and compliance requirements.
Security & privacy examples
- End to end optimization Product life cycle
- Maintaining network security resilience
- Core Networks portfolio is in full compliance with all of the GSMA’s security requirements
- Nokia Threat Intelligence Report finds malicious IoT botnet activity has sharply increased
- Europe’s first live hybrid quantum encryption key trial
- Nokia ranked as a leader in fast-growing XDR security software market
End to end optimization Product life cycle
Security and privacy are an intrinsic part of the product life cycle and fully integrated into our design process. It is present and evident at every level and every stage. We have developed a Nokia Design for Security process that enables product security features and controls to identify, mitigate and manage security vulnerabilities.
Making 5G networks secure demands end-to-end optimization of security operations from devices to radio sites and network core.

In the 5G era, the nature and scale of information networks are evolving, as are the nature and scale of security threats. More avenues of attack are open to hackers, state actors and corporate espionage due to many types of interworking endpoints, extensive use of open-source software and large-scale use of 5G in a variety of industries. Network security resilience must be maintained as the attack scenarios are constantly changing. This is why we have opened the Advanced Security Testing and Research (ASTaR) lab, located in Dallas, Texas. It is the first end-to-end 5G testing lab in the U.S. focused solely on cybersecurity.
Nokia’s Core Networks portfolio is in full compliance with all security requirements defined by the GSMA’s bi-annual Network Equipment Security Assurance Scheme (NESAS) audit. NESAS audits and tests network equipment across the telecommunications industry to ensure it conforms to a security benchmark and the requirements of regulators, governments, and mobile operators.
The Threat Intelligence Report is compiled by experts at the Threat Intelligence Center in Canada; the Nokia Cyber Security Center in France; the Nokia Security Operations Center in India; and Nokia Deepfield, a part of Nokia focusing on software applications covering network analytics and DDoS security.
The trial with Proximus highlights how quantum cryptography can be implemented in a live network to help protect against malicious hacks or attacks from future quantum computers. Using Nokia’s Quantum-Safe Networks solution alongside hardware and software from ID Quantique and evolutionQ, which create, distribute and manage the quantum keys, Proximus was able to encrypt data running over its live optical network and use photonic properties to ensure the safety of the data transmitted. Adding an additional layer of security, Nokia’s SMS (Security Management Server), a quantum-safe key generator and orchestrator, provided classic quantum-safe encryption using symmetric key distribution in instances where the stability of data using QKD was compromised or altered.
Nokia is ranked as an industry leader in network security by analysts at GigaOm for the company’s extended detection and response (XDR) security platform, which provides communication service providers (CSPs) and enterprises with strong 5G network defenses through a variety of AI and machine learning capabilities.
GigaOm said it had positioned Nokia as a “fast moving leader” in the rapidly growing XDR security software market, citing the company’s technical capabilities and software expertise. “Nokia demonstrates clarity in its vision and features with its highly capable XDR platform. This solution includes the ability to collect data from a diverse set of sources, a power automation engine, and intuitive dashboards and reporting.”

Data privacy
With the growing complexities posed by today’s technology and business environment, enabling strategic and consistent management of privacy helps to ensure we can make the most of the opportunities ahead. With new technologies coming online every day and everyone and everything being increasingly connected, getting privacy right remains a necessity.
Privacy approach
Given the rapidly changing privacy regulatory landscape, we apply a comprehensive company-wide privacy program to ensure accountability for privacy at all levels of Nokia. We use a ‘Three lines of defense’ risk model with business groups and corporate functions forming the first line of defense. A multi-skilled central team of privacy experts forms the second line, and the third line is an independent audit team to provide assurance with oversight by the Audit Committee.
We have also created a privacy steering committee with relevant senior executives representing business groups and central functions, who all have privacy responsibilities and accountability as part of their role for the organization they represent.
The privacy program builds privacy into our processes, products, and services. We have established core principles based on relevant laws and best practices to enable us to exercise the highest standards of integrity in dealing with and protecting personal data. We assess new privacy laws to ensure that we implement the requirements into our program and related processes. We enhanced our central solution for documentation and reporting to catalogue how we use data and conduct privacy assessments that aim to mitigate privacy risk.
We are transparent about how we use personal data and how individuals can contact us with questions about their data that we hold in our systems or to share any concerns.
We observe the concept of data minimization, meaning we endeavor only to collect personal data that is necessary for the purposes for which it is collected and to retain such data for no longer than is necessary. We implement appropriate controls to ensure that only persons with a clear and justifiable need to know can access personal data. We have formal processes and procedures in place to manage and mitigate any related risk to data subjects in the event of a personal data breach. These processes also include mechanisms to communicate in a timely fashion with supervisory authorities, should that be required.
A continuous program of privacy awareness, training, and enablement ensures we effectively address areas of the highest privacy impact. This includes targeted role-based training, and we also have a network of certified privacy professionals who regularly provide coaching on privacy topics. In 2022, there were no substantiated complaints regarding breaches of customer data. For the latest information on our security and privacy, visit our website.


Standards and Principles
Contributing and driving security standards
We take an active role in security standards such as GSMA SECAG which defined NESAS (security assurance scheme for networks), GSMA Fraud and Security group, 3GPP SA3 (defining security standards for 5G), in ETSI and others. The development and maintenance of our products and services are sustained by a company-wide Information Security Framework to reduce business risks by protecting and managing information in a consistent way, protecting Nokia’s customer data, and enabling transparency and accountability with respect to the handling of all information:
- Our security controls and processes follow the ISO/IEC 27001 standard and NIST Cybersecurity Framework to ensure we identify and detect security threats and risks to our systems
- A critical information protection program protects Nokia’s and its customers’ information
- Our security awareness program drives cultural knowledge of security best practices and avoids potential threats to Nokia’s information
- A Third-party Security Risk Management process for Nokia suppliers ensures supply chain security and complies with legal and regulatory requirements
- Continuous internal and external auditing and external and internal simulated attack activities validate the security implementation
ISO/IEC 27001 certifications for selected sites assure security compliance is attained. The scope of the certification is continuously expanded.

For further information on the Nokia approach to Security and Privacy you can also visit the dedicated Nokia web page.