TISAX, Trusted Information Security Assessment Exchange, is the automotive industry standard certification that consists of three levels. In the following article you will learn what TISAX® is, why you should get the certification, who it applies to, the process and the levels, and how a data-centric security approach helps identify and minimize cybersecurity risks to information.
The automotive industry is a highly competitive and collaborative sector in which confidential information is continuously exchanged between customers and suppliers along the supply chain. The German Automobile Industry Association (VDA) set out to standardize the information security requirements between partners in the automotive environment through a security assessment questionnaire (ISA), which finally led to TISAX®. In the following sections, we describe how a data-centric approach to security can help increase security in the exchange of sensitive information in this sector and reach higher levels of TISAX® assessment.
TABLE OF CONTENTS
- 1. What is TISAX®?
- 2. Why TISAX®?
- 3. Who does it apply to?
- 4. Relationship with ISO 27001 and EU-GDPR
- 5. The TISAX® process
- 6. Scope of the TISAX® Assessment and Levels
- 7. A data-centric security approach to TISAX® Compliance
- 8. CAD Protection
- 9. How SealPath helps with TISAX® compliance
- 10. Conclusions
WHAT IS TISAX®?
The automotive sector is particularly active in Europe in creating partnerships whose aims include refining and defining standards tailored to its specific needs. One such association is the German Automobile Industry Association (VDA). TISAX® (Trusted Information Security Assessment Exchange) is an information security standard developed specifically for the automotive sector and the requirements of this industry.
TISAX® reduces the effort of establishing and controlling information security requirements for the exchange of sensitive information between customer and supplier companies in the automotive industry. TISAX® is a registered trademark of the ENX Association, made up of manufacturers and suppliers in the European automotive sector. ENX acts as the governance organization for TISAX®: it approves audit providers and oversees the quality of implementation as well as assessment results. TISAX® is based on the VDA’s Information Security Assessment (ISA) questionnaire.
Imagine two companies in the automotive sector that cooperate with each other as customer and supplier. These companies exchange confidential information and want to ensure that their information is adequately protected. How can they know that, apart from signing confidentiality agreements (NDAs: Non-Disclosure Agreements), their documentation is managed securely? Two questions arise: What is secure? How can it be demonstrated that the information is managed securely? To assess maturity in information security management, some companies required their suppliers to complete evaluation questionnaires; others carried out on-site audits.
Companies in the VDA applied different security standards and interpreted them differently. Instead of each company creating its own processes and solutions to this problem, ISA proposed a single standard that, although it involves an additional effort, pays off when it is reused by companies with the same problem. In this way, an auditor’s report can be reused for different business partners. TISAX® is the answer to what is secure and how to demonstrate that information is managed securely in the automotive sector.
WHO DOES TISAX® APPLY TO?
TISAX® applies to companies that want to operate successfully in the automotive industry as a partner or supplier of automotive manufacturers. TISAX® certification is not a legal requirement, but without demonstrating TISAX® compliance it is practically impossible to work with any of the main manufacturers. For example, a customer may determine that a supplier is “relevant to TISAX®” when it works with the customer’s sensitive data, has access to its information systems, receives drawings containing intellectual property, etc.
A supplier may also be deemed relevant to TISAX® by the customer if it works with prototypes or with the personal data of that customer. TISAX® can have a double aspect for a company: as a manufacturer, to require a TISAX® assessment from its suppliers; or as a supplier, to share its level of compliance with a customer it works for.
RELATIONSHIP WITH ISO 27001 AND EU-GDPR
ISO 27001 is an international standard issued by the International Organization for Standardization (ISO) that describes how to manage information security in a company. It can be implemented in any type of organization, private or public, large or small. TISAX® was created on the basis of ISO 27001 and, as far as information security requirements are concerned, the two are virtually identical.
Additionally, TISAX® covers other areas such as prototype protection and data protection, the latter derived from the requirements of the EU General Data Protection Regulation (EU-GDPR) in the field of personal data protection. TISAX® is an adaptation of ISO 27001 for the automotive sector, and its requirements largely coincide with those of ISO 27001.
However, depending on the TISAX® level to which you aspire, it may be necessary to meet additional requirements, for example in the field of prototype protection or data protection. Unlike an ISO 27001 audit, TISAX® is based on a self-assessment, although depending on the level to be achieved it will be necessary to involve an external auditor accredited by ENX.
THE TISAX® PROCESS
Typically, the process begins when a potential customer requests proof of a defined level of information security management according to the VDA-ISA. To complete the process, you need to take the following steps:
- 1. Registration in TISAX®: Provide the information about the company and the data needed for the assessment.
- 2. Assessment: Carry out the assessment or assessments, either autonomously or by one of the TISAX® audit providers validated by ENX.
- 3. Exchange: Share the result of the assessment with your business partners.
SCOPE OF THE TISAX® ASSESSMENT AND LEVELS
To perform the information security assessment, whether as a self-assessment or by an auditor, you need to define where it starts and where it ends: the scope. There are different types of scope: standard and tailor-made (tailor-expanded, tailor-reduced). The standard scope is predefined, so you do not need to write a definition of your own.
The standard scope covers all processes and resources at the locations involved (e.g., offices, production plants, development centers, data centers) that are subject to security requirements. The processes and resources involved (e.g., work teams, employees, IT systems, cloud services, platforms, physical sites, relevant contractors, etc.) include the collection, storage and processing of information.
There are eight TISAX® assessment objectives within the scope, and at least one needs to be selected:
- 1. Information in need of high protection
- 2. Information in need of very high protection
- 3. Protection of prototype parts and components
- 4. Prototype vehicle protection
- 5. Handling of test vehicles
- 6. Protection of prototypes during events and filming or photo shoots
- 7. Data protection
- 8. Data protection with special categories of personal data
Assessment objectives and “TISAX® labels” are essentially the same thing: if the assessment for an objective is passed, the corresponding TISAX® label is obtained. The greater the protection need, the more interest a partner will have in making sure it is safe to let you handle its information.
TISAX® distinguishes three “assessment levels” (AL). A higher assessment level means a more intensive assessment and more demanding audit methods. The levels correspond to three levels of protection need: Level 1 (normal), Level 2 (high) and Level 3 (very high):
- Level 1 (AL 1): Assessments at this level are primarily for internal purposes. No evidence is required. They have a low level of trust and are not used within TISAX®, but a partner may require this assessment outside of TISAX®.
- Level 2 (AL 2): The auditor asks for evidence supporting the self-assessment and conducts interviews by video conference.
- Level 3 (AL 3): Requires more extensive checks, with on-site inspection and interviews in person.
| TISAX® Objectives | Assessment Level |
|---|---|
| Information in need of high protection | AL 2 |
| Information in need of very high protection | AL 3 |
| Protection of prototype parts and components | AL 3 |
| Prototype vehicle protection | AL 3 |
| Handling of test vehicles | AL 3 |
| Protection of prototypes during events and filming or photo shoots | AL 3 |
| Data protection | AL 2 |
| Data protection with special categories of personal data | AL 3 |

TISAX® Objectives and Required Assessment Level
| Method | Level 1 (AL 1) | Level 2 (AL 2) | Level 3 (AL 3) |
|---|---|---|---|
| Evidence | No | Plausibility check | Thorough verification |
| Interviews | No | By teleconference | In person, on site |
| On-site inspection | No | If requested | Yes |

Assessment Methods for each TISAX® Assessment Level
TISAX® does not require that all requirements apply to all of your suppliers. For example, if your security policy forbids the use of conventional email for data in need of very high protection, your email provider does not need the TISAX® label for very high protection needs.
THE VDA-ISA BASED SELF-ASSESSMENT
The ISA self-assessment (ISA self-assessment document, v5.1) has three catalogs of criteria, with control questions grouped into 7 chapters:
- Information Security: 7 chapters. 42 questions.
- Prototype protection: 1 chapter. 12 questions.
- Data protection: 1 chapter. 4 questions.
For each control question, the objective to be achieved is stated, distinguishing mandatory objectives, optional ones, additions for high protection needs and additions for very high protection needs. The form is answered by indicating the maturity level of the company’s current ISMS in relation to the objective set. ISA distinguishes 6 levels of maturity:
| Level | Name | Description |
|---|---|---|
| 0 | Incomplete | There is no process, or the process does not achieve the objectives because it is not followed or is not adequate. |
| 1 | Performed | An undocumented or incompletely documented process is followed and there are indicators that the objectives have been achieved. |
| 2 | Managed | A process that achieves the objectives is followed. Documentation of the process and evidence of its implementation are available. |
| 3 | Established | A standard process integrated into the global system is followed. Dependencies on other processes are documented and the necessary interfaces have been created. There is evidence that the process has been used sustainably and actively for an extended period. |
| 4 | Predictable | An established process is followed. The effectiveness of the process is monitored continuously by collecting key figures (key performance indicators). Limit values have been defined below which the process is not effective enough and requires adjustments. |
| 5 | Optimized | A predictable process is followed with continuous improvement as the main objective. Improvement is actively driven by targeted resources. |
The following table shows the three criteria catalogs with the different chapters and sub-chapters. The amount of control questions is detailed in parentheses.
A DATA-CENTRIC SECURITY APPROACH TO TISAX®
Download our eBook about TISAX Certification with the full mapping between VDA-ISA control questions and SealPath Data-Centric Security Approach.
As mentioned, the objectives of TISAX® include managing security in the exchange of information with high and very high protection needs, and protecting personal data. Data-centric security controls emphasize the security of the data itself over the security of devices, applications, servers or networks. An effective data-centric security system has several key elements:
- Identification, discovery and classification of sensitive information: The goal is to determine which types of data to prioritize for protection. Not everything must be protected, only the data whose loss could pose a problem for the organization.
- Data-centric protection: These controls focus on securing valuable organizational content so that it remains protected regardless of where it is: on the company’s network, on a partner’s or vendor’s computers, and so on.
- Audit and monitoring of access to data: This shows who accesses the information, with what permissions, from where, whether someone tries to access it without permission, etc.
- Administration and management of data policies: Who should or should not have access to data is not something that is established statically and permanently. It must be possible to apply dynamic policies to the data so that access can be revoked if you stop collaborating with someone or if a given person is detected to be at risk.
SealPath is a data-centric security solution that allows critical and confidential documentation of the organization to be protected, monitored and under control:
- Documentation travels with persistent protection that accompanies it wherever it goes, both within your own network and in a partner’s infrastructure.
- It protects data in transit, at rest and in use. The sender of the documentation does not have to decrypt or unprotect it to work with it.
- Permissions on the documentation can be limited: view only, edit, copy and paste, print, add users or full control. For example, a user can view and edit a document but not extract its contents or print it.
- Monitoring of access to protected documentation: attempts to access a document without permission, removal of protection from files, etc.
- Access to the data can be revoked, so that when a project with a partner ends you can prevent them from accessing the protected documentation even if they still hold a copy of it.
- With SealPath, the protection process begins with the identification and prioritization of the documentation to be protected, establishing controls based on the documentation lifecycle.
- Protection can be automated based on the classification level of a document, applying protection automatically and without user intervention if, for example, the file is labeled as Confidential.
- You can also automate the protection of documentation stored in network folders, in a document library in SharePoint/OneDrive, Box, or other cloud applications.
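As an added illustration (not SealPath’s own code or API), the following Python models the dynamic, data-centric policy described in the key elements above and in the SealPath bullets: granular rights per user, least privilege, expiry dates, per-user and whole-document revocation, source-network restriction, label-driven automatic protection and an audit log of every decision. All names, the policy structure and the sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of a data-centric policy: the rules travel with the document,
# so every view/edit/print is decided by the policy wherever the file is stored.
# Class and function names are assumptions for illustration, not SealPath's API.
RIGHTS = {"view", "edit", "copy", "print", "add_users", "full_control"}

@dataclass
class Policy:
    document_id: str
    classification: str                       # label that triggered protection
    rights: dict                              # user -> set of granted rights
    allowed_networks: list = field(default_factory=list)  # empty = any source IP
    expires: Optional[datetime] = None        # end of the project or agreement
    revoked_users: set = field(default_factory=set)
    revoked: bool = False                     # whole document pulled back

AUDIT_LOG: list = []   # stand-in for the access events that would go to a SIEM

def at(iso: str) -> datetime:
    """Helper to build timezone-aware timestamps from ISO 8601 strings."""
    return datetime.fromisoformat(iso)

def evaluate(policy: Policy, user: str, action: str, source_ip: str,
             now: datetime) -> tuple:
    """Decide one access request and record it; returns (allowed, reason)."""
    def decide(allowed: bool, reason: str) -> tuple:
        AUDIT_LOG.append({"ts": now, "doc": policy.document_id, "user": user,
                          "action": action, "ip": source_ip,
                          "allowed": allowed, "reason": reason})
        return allowed, reason

    if action not in RIGHTS:
        return decide(False, "unknown action")
    if policy.revoked:
        return decide(False, "document protection revoked")
    if policy.expires is not None and now >= policy.expires:
        return decide(False, "policy expired")
    if user in policy.revoked_users:
        return decide(False, "user access revoked")
    granted = policy.rights.get(user, set())
    # least privilege: only explicitly granted rights; full_control implies all
    if action not in granted and "full_control" not in granted:
        return decide(False, "permission not granted")
    if policy.allowed_networks and not any(
            ip_address(source_ip) in ip_network(n) for n in policy.allowed_networks):
        return decide(False, "source network not allowed")
    return decide(True, "ok")

def revoke(policy: Policy, user: Optional[str] = None) -> None:
    """Revoke one partner's access, or the whole document when user is None."""
    if user is None:
        policy.revoked = True
    else:
        policy.revoked_users.add(user)

def protect_by_label(document_id: str, label: str, owner: str,
                     rules: dict) -> Optional[Policy]:
    """Automatic protection: a classification label maps to a default policy."""
    if label not in rules:
        return None          # not classified as sensitive: left unprotected
    return Policy(document_id, label, {owner: {"full_control"}, **rules[label]})

def denied_attempts(user: str) -> int:
    """Monitoring: blocked attempts per user, the input for an alert rule."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user and not e["allowed"])
```

The check order matters: revocation and expiry are evaluated before any granted right, so pulling back a document or letting an agreement lapse overrides every permission that was handed out earlier.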
These features allow the encryption and control of information with high or very high protection needs when it is exchanged with a partner, and facilitate TISAX® compliance when a customer entrusts us with its confidential or personal data.
THE CHALLENGE OF SECURING CAD FILES
The automotive industry is a complex sector: companies collaborate with a wide variety of suppliers and customers, and intellectual property has to travel outside the company. We can have visibility into what happens to data within the organization, but tracing access to our information, or protecting it, across the entire supply chain is much more complicated.
In this context, and as we have seen in the origin of the VDA ISA and the need behind TISAX®, it is critical to be able to protect intellectual property in digital form both inside and outside the organization. Sensitive information comes in different formats: documentation in Word, Excel or PDF format, images and, of course, CAD.
A good part of the intellectual property is found in 2D and 3D CAD designs that need to be shared both internally and with external collaborators. It is critical to keep this information protected to avoid the risk of leakage through internal or external threats. The documentation with confidential content that can be protected within the scope of TISAX® includes:
- Supporting documentation with details of parts and components, exchanged with customers, suppliers or manufacturing partners.
- Research results that can be patented, stored in all kinds of digital formats (Word, Excel, PDF, etc.).
- CAD files managed in tools such as AutoCAD, Siemens Solid Edge, Inventor, CATIA, SolidWorks, etc., which contain details of components that must be shared internally and externally.
- Price data that must be exchanged with distribution partners in different markets.
- Proposals made to clients, in competition with other companies, that contain sensitive information and the company’s competitive advantages.
- Internal quality guides related to the company’s production processes, where the know-how is captured at the process level.
- Information for auditors, keeping the shared data protected and under access control.
CAD files differ from Word or PDF documents in that they can integrate multiple parts, with references to third-party files (e.g., the design of an engine is made up of the designs of its many parts). These files are usually managed in PDM/PLM (Product Data Management/Product Lifecycle Management) applications that are not specially prepared to work with encrypted data or digital rights.
SealPath, in addition to applying the controls described in the previous section to documentation, allows you to protect CAD files regardless of their location, controlling who accesses them, when, and with what permissions (view the design or modify it, but not print it or save it unprotected).
With SealPath it is possible to restrict access to the designs based on address (e.g., IP) or to set expiration dates so that, once an agreement or deadline has passed, the partner no longer has access to the protected designs. All this makes the solution especially useful in the field of TISAX®, since in the automotive industry much of the intellectual property is stored in CAD drawings.
HOW SEALPATH HELPS WITH TISAX® COMPLIANCE
This section shows how SealPath’s data-centric security approach helps meet certain TISAX® requirements. The following table shows the chapters where SealPath can give a satisfactory answer to several control questions in the VDA ISA questionnaire.
A data-centric security approach like SealPath allows sensitive documentation to travel with a persistent layer of security that accompanies it wherever it goes, being able to maintain protection on data at rest, transit and use beyond the organization’s security perimeter. SealPath helps in TISAX® compliance to increase the level of maturity required by its partners in the automotive sector.
For complete details on how SealPath can help to comply with each one of the control questions of VDA-ISA get the eBook “TISAX® compliance with SealPath” here.
In the following table we include a mapping between VDA-ISA control questions and SealPath capabilities. For more details, download the ebook or contact SealPath.
SUMMARY TABLE OF VDA-ISA REQUIREMENTS AND SEALPATH FEATURES
- Granular permissions: Dynamic policies with granular permissions (view, edit, print, copy and paste, etc.) for users and groups.
- Advanced controls: Advanced controls on data access with watermarks, IP control, dates, etc.
- Least Privilege: Access by least privilege giving only the minimum necessary permissions to those who need them and not to others.
- Revocation: Revocation of permissions on documents, users, groups, or policies.
- Encryption: Protection of information through the possibility of key management through HSM (Hardware Security Module).
- Advanced policy management: Possibility to delegate policies to data managers, multi-organization (multiple tenants with different admins, policies, etc. for the same company), recoverability of deleted policies.
- Monitoring & auditing: Tracking of access to documentation, blocked access attempts, alerts on lack of protections, etc.
- Classified Data: Automatic protection of classified data based on administrator rules.
- File servers, SharePoint and Cloud: Automatic protection of information in network folders, SharePoint, or Cloud repositories.
- DLP: Automatic protection of information discovered or detected by a DLP or documentation identification system.
- SIEM: Possibility of sending logs to a SIEM (Security Information and Event Management system) so that security events for access to confidential information are available there.
- MDM: Integration with MDM (Mobile Device Management) for the distribution of the SealPath mobile application and for the control and protection of data on mobile devices.
- AD (SSO, MFA): Integration with systems such as AD (Active Directory), LDAP, multi-factor authentication and single sign-on.
As mentioned above, TISAX® reduces the effort of controlling information security between partners in the automotive sector when confidential information is transferred and shared. In this area, measures must be applied to ensure that information received from a customer is handled while maintaining its privacy and security.
From another point of view, these measures allow information security to be controlled when corporate data is in the network of another partner. Contact us to learn more about how SealPath can help you achieve a high level of maturity in the TISAX® field.
“SealPath is the perfect tool to ensure effective protection of sensitive data regardless of its location and allows you to comply with data protection regulations in our sector.” Chief Information Security Officer. Multinational Company.