When typical non-disclosure agreements (NDAs) are insufficient and business partner audits are burdensome and costly every time they are repeated, the solution is to standardize information security management. By implementing and operating a system that complies with one of the recognized global standards, an organization can apply for a certificate confirming that it follows rules designed to minimize the risk of an information security incident.
The certificate greatly simplifies establishing and maintaining business relationships, and many customers require it as a condition of cooperation. For the organization itself and its employees, it means that the identified threats (cyber threats among them) have been treated with organizational and technical measures, in line with the principle of risk minimization.
TISAX, GDPR, zero audit
Since the beginning of 2019, Slideworx, a producer of innovative business software, has been part of mTab, a company providing data analysis and visualization platforms for the largest enterprises, including those in the automotive industry. One element of integrating Slideworx into the new structure was a review and update of the security solutions in use. Since Slideworx has one of the largest automotive companies among its clients, an important part of its Information Security Management System (ISMS) is compliance with VDA ISA/TISAX, the mutually recognized standard for information security assessments in that industry. Given the growing requirements for the protection of personal data, the review was also a good opportunity to check compliance with the GDPR.
The ISMS implementation project used the proprietary All for One Poland methodology, which had already been applied successfully in ISO 27001 implementations at companies from various industries.
The first step in an ISMS implementation is usually a zero audit, which verifies the organization's current level of compliance with a specific standard. In this case, it was conducted against the criteria of the VDA ISA questionnaire published by the Verband der Automobilindustrie, with the legal requirements arising from the GDPR taken into account in addition. The audit diagnosed all areas of non-compliance and identified possible synergies with the good practices and procedures already functioning in the company. The partial system and operational documentation previously implemented in the area of information security management formed a solid base and was incorporated into the system built in the subsequent stages of the project.
Remote work with a guarantee of business continuity
Before we started working on the documentation, our biggest concerns were that employees would resist following the changed procedures and that the changes could paralyze the work of teams.
The key to avoiding both risks turned out to be inviting the leaders of all teams to collaborate on the documentation. Regular meetings aimed at discussing the considered changes in the documentation were of significant importance in the creative process. This helped us raise awareness among employees of the existence of risks and the resulting need for changes (even those that were less convenient). We also gained confidence that the proposed changes would not conflict with existing processes.
From today's perspective, a big advantage of the diligent implementation of security policies and procedures (i.e. not only "on the shelf") is that, thanks to the existing documentation on remote work and secure file exchange protocols, we were able to quickly make the decision to switch the organization into remote work mode, without the risk of interrupting the continuity of production processes.
Przemysław Rejman, Finance Executive / Controller, mTab
Designing an ISMS
Slideworx is a young company that already has extensive experience working for clients from various industries. That experience includes meeting business partners' expectations of a high level of information security. For this reason, a major challenge of the project was to take into account not only the requirements contained in the VDA ISA checklist, but also the other obligations the organization had undertaken towards other partners.
The information security management system was designed on the basis of a risk assessment and a business impact analysis (BIA), addressing the identified threats and vulnerabilities. The requirements of the applicable VDA ISA assessment sheets and selected controls from Annex A of ISO 27001 were taken into account. Physical, personnel and environmental security were regulated. In particular, policies and procedures were developed for IT security, logical and physical access, backups, remote work, asset classification and the rules employees must follow when handling assets, change management in the organization (including equipment, purchasing and supervision of contractors), and many other areas, including the protection of personal data.
TISAX certification
The TISAX secure information exchange platform is a response to the need for information security management in the automotive industry. While at the beginning it seemed that the system based on meeting the requirements of VDA ISA was dedicated to car manufacturers and parts suppliers, over time it turned out that service companies make up a significant share of the beneficiaries of the implemented information security system. One such company is Slideworx from Poznań.
In the case of Slideworx, the requirements related to GDPR are not only the obvious necessity to meet legal requirements. In connection with the services provided by the company, the requirements related to the protection of personal data were particularly emphasized by their clients.
Fulfilment of the defined requirements translated into a quick and efficient audit, which ended with a positive assessment that resulted in Slideworx being granted the appropriate labels.
Mariusz Koszeluk, TISAX auditor, TUV Nord Polska
Adopting this approach enabled the successful completion of the TISAX audit. Moreover, the system documentation that was developed is a solid basis for a fast ISO 27001 certification, should the company pursue one.
Integrating the organization's external and internal context with policies and procedures that meet the TISAX criteria and customer expectations took a significant part of the implementation schedule. The result is a well-structured, fit-for-purpose set of documents that remains open to extension. In total, over 100 system documents were created. The body of documentation and methods developed in this way is a know-how base and a template of organizational solutions that can be adapted in other branches of the organization.
mTab (formerly Slideworx) is a software producer that offers web-based data analysis and visualization solutions for international organizations. It specializes in software for standardizing and integrating data and customer opinions obtained from various sources, and provides reporting and business analysis tools that allow customers to quickly present and visualize critical research results and better understand their implications. The company employs over 60 people in its development center in Poznań. Since 2019, it has been part of mTab, which provides database solutions for corporate clients from various markets, including automotive, consumer electronics, insurance, media, new technologies and consulting.