Security is embedded in all aspects of our innovation, in products, systems, and services—from secure system development, to device, network and cloud security, system monitoring, and secure device updates.
Our security processes are built on a strong foundation of industry standards, governance, and procedures. When selecting Signify as a partner, you can trust that we have dedicated abundant attention to security across the ecosystem of our offerings, and that Signify will support you throughout the entire lifecycle of a connected lighting system.
At Signify, the Corporate Security Office manages security governance and provides overarching guidance and assurance.
The Product Security Leadership Team, which includes members from the Corporate Product Security organization, the business divisions, and the Innovation team, coordinates our security efforts. A network of security architects and security champions embedded in the development teams supports security activities related to product development.
Signify policies and processes are aligned with global standards such as ISO/IEC 27001—Information Security Management Systems (ISMS), the ISA/IEC 62443 standards suite and ETSI EN 303 645 for product development.
Through our Standards and Regulation department, we collaborate with many worldwide standardization organizations, such as IEC, ANSI, and CENELEC, and with industry alliances such as the IoT Security Foundation. Signify business processes are internally and externally audited on a regular basis.
All Signify employees are required to attend regular cybersecurity and privacy awareness training. System architects and development engineers must also receive specific additional training and internal security certifications.
Signify security experts hold various industry certifications such as Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA).
The Signify SDL is certified to IEC 62443-4-1.
All of our internal and external development activities follow the Signify Security Development Lifecycle (SDL), which codifies industry accepted best practices. The major components of the SDL are security risk analysis and threat modeling, code analysis and review, and vulnerability management. We apply the SDL to all of our hardware products, systems, services, software, and cloud solutions.
In accordance with the SDL, Signify takes the following actions during design, development, and testing:
The Corporate Product Security and Innovation research team is responsible for evaluating the latest IoT security technologies, and supports the development teams in making the right choices when introducing new security algorithms, solutions, and technology partners.
Signify regularly audits its partners and supply chain to maintain the appropriate level of security in the manufacturing process.
Signify partners with leading global cloud service providers to deliver a resilient platform for our cloud-based systems. Deployment of those cloud-based services within data centers across various geographical areas, in accordance with data jurisdiction requirements, enables business continuity.
Our cloud-based systems are managed by a specialized team to ensure proper segregation of duties for system administration purposes. Responsibilities of the team include producing operational specifications and performing maintenance, security updates, vulnerability management, backup, logging, monitoring, and management of events and incidents. The team also performs periodic review of network and application security.
Signify has a strict protocol for deploying updates to cloud-based systems, which defines a formal test, development, and acceptance process prior to approving systems for production.
Signify addresses product security as an integral part of our quality process. Assigned responsibilities and established procedures ensure an adequate response to suspected security events and incidents. Each suspected security event is assessed against a set of criteria to determine whether it qualifies as a security incident. When security incidents occur, immediate and appropriate mitigation measures are taken.
Lessons-learned activities are conducted periodically, and additionally after major incidents, to improve security measures in general and the incident handling in particular.
Signify recognizes that the security of our products and services is an important part of our customers’ in-depth security strategy. In practice, however, security is a shared responsibility between manufacturers, providers of products and services, and their customers.
Appropriate evaluation of risks and proper care in installation, maintenance, and operations are essential to mitigate internal and external threats.
Selected best practices for ensuring the security of IoT connected lighting products, systems, and services include (but are not limited to) the following:
Governance, education and training
Design and development
Device and physical security
Wireless and wired interfaces
Device authentication and authorization
Encryption and key management
Mobile applications
Cloud services
Business continuity and resilience
Supply chain and manufacturing
Innovation and research
Device ownership