Information protection and risk management: Security requirements in the automotive industry/ ISO 2700x

Information security requirements

Protecting business processes and information, sometimes under difficult conditions, is a key task for corporate management. To date no standard requirements have been drawn up for protection measures.

Increasing corporate globalization brings additional demands. When business processes are networked beyond company borders, a similar level of protection is required for all those involved.

In the automotive industry in particular, such networking not only opens up a large number of opportunities; at the same time it makes the companies involved more vulnerable and more susceptible to both external and internal threats.

VDA Information Security Assessment: version 4.1.0 now available

In 2005 the VDA issued a recommendation for information security requirements at companies in the automotive industry. To support the member companies a catalog of questions was developed to guide those familiarizing themselves with the topics of ISO/IEC 27001 and ISO/IEC 27002.

Based on the previous version 4.0.4 from June 2018, the catalog has now been reworded and the requirements are described in more detail. The current version 4.1.0 of the document, dated December 13, 2018, is now available in German and English.

The “Prototype protection” module has been revised and now follows the same structure as the main catalog. The “Connections to third parties” module describes the specific requirements to be considered when space is rented by suppliers or service providers and a connection to the network of the other company is to be established on the premises. The “Data protection” module applies when service providers are mandated to process information within the meaning of Art. 28 of the European General Data Protection Regulation (GDPR).

The revised catalog will be valid from January 1, 2019. In justified exceptional cases the previous catalog may continue to be used for a transitional period up to June 30, 2019. The additional modules mentioned above supersede all company-specific “special catalogs” stipulating other requirements.

The VDA provides the documents “Information security recommendation” and the “Information Security Assessment” to support its member companies in this process of alignment (see “Further information”).

Based on the results of the Working Group “Information Security,” the VDA has recommended that its members bring their information protection into line with the international standard ISO 2700x.

The VDA supports its member companies in this process of alignment, with the documents “Communiqué on Information Protection” and the “Information Security Assessment” (see Further Information).

Harmonization of security levels

One key element in achieving a needs-oriented level of information security is the classification and labeling of information. A comparison within the automotive industry revealed differences between the companies regarding both the number and the designation of the classification levels. In recent months the VDA’s Information Security working group has developed a standard scheme for classifying information, which has now been published as a White Paper. In conjunction with the requirements of the VDA’s Information Security Assessment (VDA ISA), it helps to prevent misunderstandings and risks during the exchange of information and thus fosters appropriate information handling.

The VDA recommends that its members use this White Paper for orientation and implement the described scheme for information classification in their companies.