The German association Verband der Automobilindustrie (VDA) is responsible for information security in the automotive industry. Its leading goals are standardisation and the research and development of the industry. It also hosts the International Motor Show Germany in Frankfurt. It brings together car manufacturers and all participants in the supply chain. VDA members include brands such as BMW, Volkswagen, Mercedes-Benz, Daimler and more than 600 other automotive companies around the world.
To meet the market's need for assurance of the highest level of protection and information security, VDA has developed a detailed Information Security Assessment (VDA ISA). This questionnaire provides a comprehensive basis for the internal and external audit of an organisation.
It originates from the generic process model for information protection presented in ISO/IEC 27001; VDA ISA extends that scope to cover issues specific to the automotive industry. Within ten years of the VDA launching its first working group on information security, VDA ISA had become a new tool for assessing the maturity of Information Security Management Systems (ISMS).
In May 2016, the Trusted Information Security Assessment Exchange (TISAX) was established, and it has since recorded a significant increase in the number of participants, especially among companies of German origin. TISAX membership is aimed at car manufacturers, suppliers of automotive parts and raw materials, other supply chain participants and service providers, IT service providers in particular. The need for TISAX membership has also been recognised by other providers of customer-facing services, including large sales, leasing, warranty and post-warranty service networks. Research institutes and many other entities related to the automotive industry are members as well.
Companies point to several key benefits of joining TISAX. The most important of these are:
- the ability to demonstrate to a business partner a defined level of information security in accordance with VDA ISA requirements;
- the possibility of verifying a partner's assessed level of security;
- the reliability and objectivity of the standard.
Implementation of an information security management system
Before joining TISAX, each organisation must implement its own ISMS (or adjust an existing one, e.g. extend an implemented ISO/IEC 27001 system) using the documentation published by the VDA. Uniform and consistent requirements guarantee that the system functions and improves in every entity that decides to implement it. As with ISO/IEC 27001 implementations, it is worth consulting the preparation for certification with SNP (now All for One Poland) experts, who will help to design or extend the existing ISMS. What matters from the organisation's perspective is that a well-executed implementation guarantees both conformity with the ISA checklist and consideration of all the realities of the business. It follows that the system cannot be implemented properly by using ready-made documents alone or without training employees. A properly functioning ISMS directly affects the company's final assessment.
Once implemented, the ISMS must be monitored as part of continuous improvement: through regular audits, IT security reviews, penetration and social engineering tests, password management and other controls that minimise the risk of an incident.
The Information Security Management System, once implemented and rooted in the organisation, is then subject to an accredited external audit, at the end of which the company is given the opportunity to present the attained level of security to its business partners.
Membership in TISAX
The whole process consists of three stages:
- registration;
- assessment;
- exchange.
The duration of each stage depends on many factors (e.g. the size of the organisation and the maturity of its ISMS). It is therefore important to ensure, before formally starting the membership process, that the organisation has been aligned with the VDA ISA requirements, so that it passes through all stages without problems, the certification audit in particular.
Registration
Registration takes place entirely online, via the web form at www.enx.com. Accepting the TISAX Participation General Terms and Conditions concludes a contract. The main purpose of registration is to collect information about the company. The scope of the assessment must be defined for the audit provider; it covers all processes and resources involved, e.g. employees, IT systems, cloud services, data centres and work equipment. The assessment must cover all processes that involve the collection, storage and processing of information. When registering an organisation, the physical locations within the scope of the assessment must be indicated.
Assessment
The next step is to choose the purpose of the assessment from among those defined by TISAX. The assessment objective determines the requirements that the functioning ISMS must meet; currently 6 assessment objectives are defined (e.g. if the company handles prototypes of its partner requiring a very high level of protection, its objective will be no. 6 in the table, “Support for prototypes with a very high level of protection”). Information security objectives are always mandatory, while business needs or additional objectives may influence the required level of assessment.
In this phase it is also mandatory to provide the contact details of the Security Officer responsible for cooperation with TISAX.
Comprehensive security services from SNP (now All for One Poland)
The effect of “information security” in each organization consists of a number of related organizational and technical elements, and the key to success is both the effective implementation of the ISMS and its continuous improvement.
A security officer responsible for the system (e.g. as a proxy of the Management Board) is responsible for the following tasks: applying the regulations contained in the documentation of the ISMS in the organisation; conducting audits; organising training courses; co-ordinating the work of the Information Security Management Forum; and improving the system. We cooperate with security officers not only during the implementation project, but also in the subsequent maintenance process. We support them in those tasks which, for various reasons, cannot be carried out by the organization’s internal resources and which together create an entire ecosystem of information security, for example:
- content-related support in asset inventory and risk management,
- cooperation in the development of system documentation,
- personal data security,
- training for employees,
- penetration tests and IT audits,
- security of cloud computing (AWS, Azure),
- hardening of system configurations,
- implementation of network security solutions,
- monitoring of availability, efficiency and incidents,
- password and access management,
- high-availability architecture.
Rafał Grześkowiak, IT Project Team Leader, All for One Poland
The assessment is based on the ISA VDA checklist and is carried out in two phases. The first phase is a self-assessment by the company. Its outcome is interpreted in order to answer the question of how mature and effective the ISMS functioning within the organisation is, and to what extent it requires corrective action. If, as a result of the self-assessment, the organisation determines that it is ready for an external assessment, the second phase takes place: an assessment by an accredited TISAX auditor. During the audit, the level of conformity with the requirements specified in the ISA VDA questionnaire is checked. The result of the audit is a determination of conformity or non-conformity (minor or major) with the specified requirements.
In the case of a positive assessment, the audited entity receives the TISAX label; in the case of minor non-conformity it receives a conditional label; and in the case of major non-conformity no label is awarded. The auditor documents the assessment process in a report, the initial version of which the entity commissioning the audit receives for review and possible comments. Where the audit finds non-conformity, corrective actions must be implemented and a follow-up assessment carried out. The assessment distinguishes between so-called minor and major non-conformity. A minor non-conformity occurs when the auditor does not question the overall effectiveness of the ISMS and the non-conformity does not pose a significant risk to information security; in this case a temporary TISAX label can be obtained until all non-conformities have been resolved. If a major non-conformity is identified, one which raises doubts as to the overall effectiveness of the ISMS or poses a significant risk to information security, the problem must be resolved first. The audit of the implemented system against the criteria of the ISA VDA questionnaire is completed with a rating, and the result is made available on the TISAX platform in the form of a compliance assessment (label). TISAX members mutually recognise assessments carried out on the basis of the questionnaire, allowing each TISAX participant to prove the maturity of its ISMS as required.
Exchange
Once the final report has been issued, the auditor sends it to the exchange platform, which opens the last, third stage of joining TISAX. The result of the assessment is made available to TISAX participants only if the auditor has established full conformity. The system can publish general parts of the ratings for review by all TISAX members and make the full ratings, or selected parts of them, available to specific audiences.
TISAX labels remain valid for three years. The validity period starts from the date of the initial assessment, i.e. even before the report is received from the auditor. The validity period may be shortened if there are significant changes in the scope of the assessment (e.g. a change of location or business profile). Renewal of labels requires all three stages of the process to be completed again. Only the first stage, registration, is simplified: the organisation no longer needs to be presented, but the scope of the assessment must be defined again. TISAX recommends starting the process of obtaining the label again at least one year before the current assessment expires.
Benefits
Although the process of joining TISAX presented here may seem complicated, undergoing it and joining TISAX undoubtedly brings the company many benefits. Adapting the company to the standard defined by VDA ISA (and thus, to a large extent, to ISO/IEC 27001) results in active risk management in the organisation and reduces the potential for losses. TISAX members mutually accept each other’s assessments and operate within a standard that sets an equal level of data protection, which eliminates the need for mutual auditing. Where a partner demands that an assessment be presented, prior membership of TISAX accelerates the establishment of cooperation. Participation in TISAX is an unquestionable advantage over uncertified competitors. The TISAX assessment demonstrates the maturity of the organisation and the effectiveness of the ISMS it has implemented.
Differences of TISAX vs ISO 27001
VDA established its own information security team more than a decade ago. It was assigned a task to develop an industrial standard, taking into account the specificity of the automotive industry. Based on pragmatism, the existing, market-tested experience in the field of information security was used. It was decided to build on previous competencies and good practices, thus avoiding the risks associated with new, immature projects.
The ISO/IEC 27001 standard (Information Security Management System) was chosen as the foundation for the new original standard. The standard was extended to include issues of particular importance to the automotive industry, i.e. protection of prototypes, management of contacts with external entities and the problem of a uniform information classification policy. In this way, while preserving the core of ISO/IEC 27001 and 27002, the VDA ISA (Information Security Assessment) checklist was developed.
Building an information security management system, based on both ISO standards and ISA VDA recommendations, often requires a number of changes in the organization, focused on protecting assets qualified as sensitive.
However, due to their common roots, the implementation of an ISMS on the basis of criteria from either of these two dictionaries leads to the creation of highly convergent solutions. Thus, an ISO/IEC 27001 certified organisation, with a small additional adjustment, is able to achieve high scores within the goals defined by the VDA ISA. In addition, an organisation with a high VDA ISA rating (level 4-5) is able, with minimal effort, to achieve readiness for ISO/IEC 27001 certification. The ISA VDA survey on protection of information and supplier relations is directly related to Annex A1 to ISO/IEC 27001, and only the recommendations on prototype protection and common classification of information slightly exceed ISO expectations.
Bartosz Frankowski, IT Consultant in IT Project Team, All for One Poland