
    Information security inside companies

    The German Association of the Automotive Industry (VDA) has drawn up measures for protecting data and prototypes. The current, fifth version of the ISA catalog is available in German and English


    Guidelines

    Business processes depend mainly on information and information systems as well as their secure processing. Information security is more than just securing the technical infrastructure – it also means securing the entire information flow. This is a central task for corporate management.

    The networking and globalization of the digital future within the automotive industry has numerous advantages, yet the internal and external risks for companies are also increasing. To counter these, suitable protective measures must be introduced. The digitalization of business processes across company boundaries therefore requires a comparable level of information security for all those involved, one which is guaranteed along the entire value chain.

    Experts from the automotive industry work together in the VDA's Information Security working group to develop common standards and appropriate protective measures. One major result of this cooperation is an industry standard for information security assessments, the VDA Information Security Assessment (ISA) catalog.

    The VDA recommends that companies involved in the automotive industry's value chain establish information security based on this VDA ISA.

    Further details of the recommendations regarding information security are available here:


    Information security – Recommendations of the 2nd law

    The first IT security law was published in 2015. At that time, only critical service areas were defined. With the IT Security Act 2.0, the legislature is taking a more holistic approach for the first time. On May 27, 2021, the German government published the "Second Act to Increase the Security of Information Technology Systems" (IT Security Act 2.0, IT-SIG 2.0). Newly covered are companies of significant economic importance, as well as suppliers to such companies that can also demonstrate a unique selling proposition.

    However, the exact audience has yet to be determined in the form of a separate legal ordinance. The VDA working group on information security has published a recommendation for the German automotive industry on how to deal with the IT-SIG 2.0, since the industry, as a provider of digital services and with its companies in the special public interest, is expected to fall under this regulation.

    VDA ISA catalog version 6.0

    VDA-ISA Catalog Version 6.0, valid as of April 1, 2024

    Information and cybersecurity are more important than ever. This is especially true for the automotive industry, particularly with regard to the significance of the supply chain.

    Suppliers and service providers are deeply involved in both the product development and production processes. As part of product development, suppliers and service providers receive sensitive and confidential information. Therefore, they must demonstrate compliance with information security requirements, particularly with regard to confidentiality.

    The smooth production of vehicles also depends on the suppliers of production materials and serialized parts. Such suppliers and service providers must possess an appropriate level of resilience against disruptions, both in cyber security and in physical security.

    Experts from vehicle manufacturers, as well as suppliers and service providers, have collaborated within VDA and ENX to jointly develop a standard with adequate protective measures. Two significant outcomes of this collaboration are the industry standard for information security assessments, the VDA Information Security Assessment (VDA-ISA) Catalog, and the ENX audit and exchange mechanism Trusted Information Security Assessment Exchange (ENX TISAX).

    VDA recommends that companies involved in the automotive industry's value chain establish information security based on the current VDA-ISA Catalog. To ensure a high security standard as the basis for the Information Security Management System (ISMS) in the automotive industry, the VDA catalog has been revised.

    In the future, suppliers and service providers in the automotive industry can demonstrate their compliance with cybersecurity and information security requirements in the area of availability, in addition to the confidentiality label. The "availability" label has been newly incorporated into the VDA-ISA Catalog 6.0, and this catalog will come into effect on April 1, 2024.

    With these two standards, VDA-ISA and ENX TISAX, the automotive industry already has recognized state-of-the-art standards. These two standards also serve as a significant foundation in the industry for compliance with legal regulations, such as the NIS 2 regulation of the European Union and other EU directives, as well as their national implementations in EU member states.

    Detailed and technical information on the changes in VDA-ISA 6 and the ENX TISAX labels, as well as the specific implications for TISAX audits, can be found at https://enx.com/de-DE/news/.

    Minimum requirements for prototype protection

    Additional requirements must be fulfilled when dealing with prototypes. Prototypes here are vehicles, components, and parts that are classified for non-disclosure and have not yet been presented to the public by an automobile manufacturer and/or published in a suitable form.

    The objective of prototype protection is to establish appropriate measures and to regularly review their effectiveness.

    The following document lists the minimum requirements for prototype protection. The requirements are also part of the VDA ISA catalog.

    A catalog of minimum requirements for prototype protection is available in both English and German.

    Risk management in information security

    A project group of the VDA working group on Information Security has created a white paper on "Information Security Risk Management".

    The aim of this white paper is to sensitize companies in the automotive industry to risk-oriented information security management and to enable them to establish effective risk management. Furthermore, the white paper is intended to support companies in the preparation or execution of a TISAX assessment to fulfill the requirements of the corresponding control of the VDA ISA in its current version 5.0.

    The essential process stages of information security risk management are presented in compact form, while the concrete steps of assessing, treating, and monitoring information security risks are described in detail.

    At the same time, all process steps are illustrated using two consistent examples, contributing to a better understanding of the topic.

    The VDA recommends its member companies to use the white paper as a guide.

    Harmonization of security levels

    One fundamental element in achieving a needs-oriented level of information security is the classification of information. A comparison within the automotive industry revealed differences between companies regarding both the number and the designation of the classification levels.

    The VDA's Information Security working group has developed a standardized scheme for classifying information, which is published as a white paper. In conjunction with the requirements of the VDA ISA, it helps to avoid misunderstandings and risks when exchanging information and thus allows the appropriate handling of such.

    The VDA recommends that its member companies use this white paper for orientation and implement the information classification scheme it describes within their companies.

    Coordination Unit for Security & Data

    Martin Lorenz

    Acting head of Department
