Professional Documents
Culture Documents
Welcome to
the Information Security Assessment (ISA) of the Verband der Automobilindustrie (Association of the German Automotive Industry,
VDA).
VDA ISA consists of several tabs; the content and function of which are explained below:
Maturity levels:
VDA ISA provides assessment of the implementation by means of a maturity model defined in this table sheet.
A simplified sequence of the maturity levels is as follows:
Level 0: The implementation of requirements is incomplete. A process does not exist or the existing process does not achieve the required results.
Level 1: The requirements necessary for the respective information protection needs are performed. A process is in place and shows signs of its working. It
is, however, not completely documented. Therefore, its working at all times cannot be ensured.
Level 2: The process for achieving the objective is managed. It is documented and proof (e.g. documentations) is available.
Level 3: The process for achieving the objective is established, the processes are linked in order to show existing dependencies. The documentation is up
to date and maintained.
Level 4: Requirements from Level 3 and, in addition, results are measured (e.g. KPI) making the process predictable.
Level 5: Requirements from Level 4 and, moreover, additional resources (e.g. personnel and finances) are being implemented in an optimizing manner.
The process is subject to continuous improvement.
Explanation:
The explanation includes the definition of the terms “must”, “should” and “may” to provide different grades within the requirements in the questionnaires
below.
Minimum requirements are listed under “shall”. Without their implementation, the objective cannot be achieved.
Generally, implementation of the requirements defined under “should” is necessary in order to achieve the objective. However, the selection of adequate
measures may also be acceptable if they allow the objective to be achieved.
Depending on the size of a company and the case of application, it may be necessary to implement the requirements listed under “can” in order to achieve
the control objective.
Another specific feature are the additional requirements depending on the protection needs of the information. This is due to the fact that information of
high/very high protection requires specific measures. The protection needs are related to the essential protection objectives of information security, namely
confidentiality, availability and integrity.
Cover:
The cover contains boxes for information on the respective organization, the scope of the review, the auditor and the contact person of the organization
under review.
Results:
Here, the results of the single tab (review catalogue pages) are summarized and presented in printing format.
The spider diagram provides an overview of all controls.
The list of all controls shows the target maturity levels to be achieved.
Depending on the significance of the controls, the target maturity levels vary from Level 2 to Level 4.
When calculating the overall result, the results of controls overachieving their target maturity level are shortened and averaged. This ensures that
requirements are comprehensively fulfilled and that there is no compensation of overachieved and underachieved controls.
Information Security:
The tab “information security” includes all basic controls based on the standard ISO/IEC 27001. The controls themselves are formulated as questions. The
answer can be documented in the additional box “Implementation description” (marked by table extension “+”). Further boxes (“Reference documentation”,
“Findings” and “Measures”) allow extended documentation and are usually used to support the auditor.
The objective of the respective control and the requirements for achieving it are listed in accordingly designated boxes. Here, each control shall always be
assessed according to the degree to which the objective is achieved.
The assessment of the maturity levels (see tab “maturity levels” for description) of each control is recorded in the box (column B) by means of a drop-down
and then automatically transferred to the tab “Results”.
KPIs:
This tab shows examples of Key Performance Indicators (KPI) for measuring process results both for controls for which VDA ISA has defined a target
maturity level of 4 and for controls where a measurement appears useful. The tab content provides support for identifying own suitable KPIs. It does not
present mandatory requirements for achieving maturity level 4. For controls having a target maturity level of 3 or less, definition of KPIs is not mandatory,
but may be helpful for a central management of information security at many locations.
400375344.xlsx /
Printed on: 10/26/2018 Page 1 of 98
Welcome
References:
This tab gives further information and definitions regarding the topics “Security zones”, “Optics”, “Personnel”, “Off-premises workplace” and “Protection
classes”. The topics listed on this tab may be considered examples of best practice.
Glossary:
The glossary describes abbreviations and other terms.
License:
License conditions under which the VDA ISA is published.
We recommend you to start with the table sheet “Information security” thereby gaining an overview of the state of your information security.
AG Audit of the Working Group Information Security of the VDA wishes you every success.
400375344.xlsx /
Printed on: 10/26/2018 Page 2 of 98
Welcome
Information Security Assessment -
Maturity level model
Explanation of the maturity level model
The maturity level assessment is carried out based on a generic process maturity level model. The maturity level model differentiates between six individual
levels:
- Level 0: Incomplete
- Level 1: Performed
- Level 2: Managed
- Level 3: Established
- Level 4: Predictable
- Level 5: Optimizing
Activities are assigned to the single levels which ensure that the results are systematically derived and will be available in the defined quality at the end of
the process.
During assessment, conformity with the requirements of the corresponding level shall be objectively demonstrated. This can be done, for example, by
means of work products resulting from the processes of the controls or by means of interview statements by persons carrying out the process.
Level 0: Incomplete
he process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the
process purpose.
Level 1: Performed
- The implemented process achieves its process purpose.
- There is evidence that the intent of the base practice is being performed.
- Work products are produced that provide evidence of process outcomes.
Level 2: Managed
Control of process implementation (PA 2.1):
- Objectives for the performance of the process are identified.
- Performance of the process is planned and monitored.
- Performance of the process is adjusted to meet plans.
- Responsibilities and authorities for performing the process are defined, assigned and communicated.
- Resources and information necessary for performing the process are identified, made available, allocated and used.
- Interfaces between the involved parties are managed to ensure effective communication and clear assignment
of responsibility.
Level 3: Established
Process definition (PA 3.1):
- A standard process, including appropriate tailoring guidelines, is defined that describes the fundamental elements that
must be incorporated into a defined process.
- The sequence and interaction of the standard process with other processes are determined.
- Required competencies and roles for performing a process are identified as part of the standard process.
- Required infrastructure and work environment for performing a process are identified as part of the standard process.
- Suitable methods for monitoring the effectiveness and suitability of the process are determined.
400375344.xlsx /
Printed on: 10/26/2018 Page 3 of 98
Maturity levels
Level 4: Predictable
Process measurement (PA 4.1):
- Process information needs in support of relevant defined business goals are established.
- Process measurement objectives are derived from process information needs.
- Quantitative objectives for process performance in support of relevant business goals are established.
- Measures and frequency of measurement are identified and defined in line with process measurement objectives and
quantitative objectives for process performance.
- Results of measurement are collected, analysed and reported in order to monitor the extent to which the quantitative
objectives for process performance are met.
- Measurement results are used to characterise process performance.
Level 5: Optimizing
- Process improvement objectives for the process are defined that support the relevant business goals.
- Appropriate data are analysed to identify common causes of variations in process performance.
- Appropriate data are analysed to identify opportunities for best practice and innovation.
- Improvement opportunities derived from new technologies and process concepts are identified.
- An implementation strategy is established to achieve the process improvement objectives.
400375344.xlsx /
Printed on: 10/26/2018 Page 4 of 98
Maturity levels
Information Security Assessment -
Explanation of requirements
Requirement level
Different levels of protection needs and special characteristics of organizations are reflected by different requirements. For the purpose of describing the
requirements for the respective control, differences are made between the following five requirement types:
400375344.xlsx /
Printed on: 10/26/2018 Page 5 of 98
Definitions
Information Security Assessment
Group:
Company:
Location:
Address:
Homepage:
Scope/TISAX Scope-ID
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:
400375344.xlsx /
Printed on: 10/26/2018 Page 6 of 98
Cover
Information Security Assessment
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target
maturity levels:
Maximum score: 3.00
1 ISMS
18 Compliance 5 5 Information Security Policies
4
17 Information Security Aspects of Business Continuity Management 6 Organization of Information Security
3
2
16 Information Security Incident Management 1 7 Human Resources Security
400375344.xlsx /
Printed on: 10/26/2018 Page 7 of 98
Results
Information Security Assessment
Results
Result with cutback to target
maturity level:
Maximum score: 3.00
Details:
400375344.xlsx /
Printed on: 10/26/2018 Page 8 of 98
Results
Information Security Assessment
Results -
Connection to third parties
Details:
Details:
400375344.xlsx /
Printed on: 10/26/2018 Page 9 of 98
Results
Information Security Assessment - Questions
Maturity level
In case a question does not apply, please insert na (not applicable).
Level 0-5; na
1
1.1
Objective:
Requirements:
1.2
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 10 of 98
Information security
Requirements:
1.3
Objective:
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 11 of 98
Information security
5.1
Objective:
Requirements:
6
6.1
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 12 of 98
Information security
Requirements:
6.2
Objective:
Requirements:
6.3
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 13 of 98
Information security
Requirements:
6.4
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 14 of 98
Information security
Requirements:
7
7.1
Objective:
Requirements:
7.2
400375344.xlsx /
Printed on: 10/26/2018 Page 15 of 98
Information security
Objective:
Requirements:
8
8.1
Objective:
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 16 of 98
Information security
8.2
Objective:
Requirements:
8.3
Objective:
Requirements:
8.4
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 17 of 98
Information security
Requirements:
9.1
Objective:
Requirements:
9.2
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 18 of 98
Information security
Requirements:
9.3
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 19 of 98
Information security
Requirements:
9.4
Objective:
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 20 of 98
Information security
9.5
Objective:
Requirements:
9.6
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 21 of 98
Information security
Requirements:
10
10.1
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 22 of 98
Information security
Requirements:
Requirements:
11
11.1
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 23 of 98
Information security
Requirements:
11.2
Objective:
Requirements:
11.3
400375344.xlsx /
Printed on: 10/26/2018 Page 24 of 98
Information security
Objective:
Requirements:
11.4
Objective:
Requirements:
12
12.1
400375344.xlsx /
Printed on: 10/26/2018 Page 25 of 98
Information security
Objective:
Requirements:
12.2
Objective:
Requirements:
12.3
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 26 of 98
Information security
Requirements:
12.4
Objective:
Requirements:
12.5
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 27 of 98
Information security
Requirements:
12.6
Objective:
Requirements:
12.7
400375344.xlsx /
Printed on: 10/26/2018 Page 28 of 98
Information security
Objective:
Requirements:
12.8
Objective:
Requirements:
12.9
400375344.xlsx /
Printed on: 10/26/2018 Page 29 of 98
Information security
Objective:
Requirements:
13
13.1
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 30 of 98
Information security
Requirements:
13.2
Objective:
Requirements:
13.3
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 31 of 98
Information security
Requirements:
13.4
Objective:
Requirements:
13.5
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 32 of 98
Information security
Requirements:
14
14.1
Objective:
Requirements:
14.2
400375344.xlsx /
Printed on: 10/26/2018 Page 33 of 98
Information security
Objective:
Requirements:
14.3
Objective:
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 34 of 98
Information security
14.4
Objective:
Requirements:
15
15.1
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 35 of 98
Information security
Requirements:
15.2
Objective:
Requirements:
16
400375344.xlsx /
Printed on: 10/26/2018 Page 36 of 98
Information security
16.1
Objective:
Requirements:
16.2
Objective:
Requirements:
17
400375344.xlsx /
Printed on: 10/26/2018 Page 37 of 98
Information security
17.1
Objective:
Requirements:
18
18.1
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 38 of 98
Information security
Requirements:
18.2
Objective:
Requirements:
18.3
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 39 of 98
Information security
Requirements:
18.4
Objective:
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 40 of 98
Information security
urity Assessment - Questions
SO 27001:2013
General aspects
To what extent is an Information Security Management System approved by the organization’s management and is its sco
Systematic control and review of information security within the specified scope is effected by means of the establishment, operatio
development of an Information Security Management System (ISMS) and the assignment of responsibilities. The ISMS must define
procedures in order to achieve the information security objectives with respect to adequate confidentiality, availability and integrity o
based on the security policy.
This must include:
+ The organization’s requirements for an ISMS are determined.
+ An ISMS approved by the organization’s management is established.
+ The scope of the ISMS is specified (e.g. organization in whole or in part).
+ A Statement of Applicability (SoA) is provided (e.g. filled-in VDA ISA catalogue).
To what extent is a process for identifying, assessing and handling information security risks defined, documented and im
The objective of an organization-specific ISMS is an adequate balance between information security efforts and the assets to be pr
achieve this, the assets, their protection needs and threats shall be identified, analysed, assessed and documented by means of ris
of an information security risk assessment rises the danger that information security risks remain undetected leading to potential ha
400375344.xlsx /
Printed on: 10/26/2018 Page 41 of 98
Information security
This must include:
+ Risk assessments are carried out both at regular intervals and in case of events.
+ Information security risks are divided into levels according to their protection needs, e.g. normal, high and very high.
+ In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is carried o
The ISMS must be reviewed at regular intervals (e.g. annually) with respect to its effectiveness. This includes verifying the achievem
the compliance with applicable requirements.
Only an ISMS adapted specifically to the organization’s requirements can fulfil its purpose. Since influencing factors such as organ
conditions may change, the effectiveness of the ISMS must be reviewed regularly.
400375344.xlsx /
Printed on: 10/26/2018 Page 42 of 98
Information security
To what extent is an information security policy created, published or distributed and is it reviewed at regular intervals?
An organization must define a policy reflecting the importance and significance of information security to the organization. This mus
business strategy, regulations, legislation and potential threat situations regarding information security. It must be evident to all of th
information security is supported by the management of the organization, that it is of relevance to everyone and that requirements a
be met.
This must include:
+ The information security requirements adapted to the company’s objectives with respect to information protection are documente
approved by the management of the organization.
+ The policy includes objectives and significance of information security within the organization.
Successful implementation of an ISMS requires adequate assignment of information security responsibilities. This requires the defi
the tasks for achieving the protection objectives. Qualified employees who are known to the organization’s staff and, if appropriate,
must be required to fulfil those tasks.
400375344.xlsx /
Printed on: 10/26/2018 Page 43 of 98
Information security
This must include:
+ Responsibilities for the information security within the organization are defined, documented and assigned.
+ The responsible employees are defined and are qualified for their task.
+ The contact persons are known within the organization and to relevant business partners.
To what extent are information security requirements taken into account in project work (irrespective of project type)?
(Reference to ISO 27001: Control A.6.1.5)
The information security requirements must be taken into account irrespective of the project type (this includes non-IT projects). Th
handling of information security and information security risks in the organization’s project management methods.
To what extent is a policy in place regarding the use of mobile devices and remote access to organization's data?
(Reference to ISO 27001: Control A.6.2.1 and A.6.2.2)
The handling of mobile devices, particularly in unprotected environments, is associated with increased risks (e.g. loss, theft, malwa
protect the information stored on the device, technical protective measures must be implemented. Additionally, employees must be
involved in the handling of mobile devices.
400375344.xlsx /
Printed on: 10/26/2018 Page 44 of 98
Information security
This must include:
+ The use of mobile devices (e.g. smartphones, notebooks) is subject to regulation.
To what extent are the roles and responsibilities defined which are shared between IT service providers (particularly cloud
own organization?
(Reference to ISO 27017: Control CLD.6.3.1)
When using IT services (particularly cloud services), the relationship between provider and the own organization is of particular sign
security due to the shared responsibilities for the implementation of requirements. The own organization must continue to independ
security requirements while other requirements are fulfilled in whole or in part by the provider. The exact allocation of responsibilitie
services used and cannot be generally answered.
If common understanding regarding the allocation of responsibilities is lacking among all parties involved, the security system may
rendered entirely ineffective. Therefore, the service user must ensure at all times that a mutual understanding regarding the allocat
given and that it is clarified for each requirement, that and by whom it is fulfilled.
400375344.xlsx /
Printed on: 10/26/2018 Page 45 of 98
Information security
This must include:
+ The security requirements relevant to the service are determined and documented:
- At least the applicability of the VDA ISA controls is verified and documented.
+ For each requirement, it is documented who is responsible to what extent for its implementation.
- For the applicable VDA ISA controls, it is documented who has the responsibility for implementation or how it is shared.
+ The own organization fulfils its responsibilities.
+ Proof is provided that the service provider fulfils his responsibility.
Organizations are subject to legislation, regulations and internal rules. Already at the hiring of staff, it must be ensured that both inte
employees commit to compliance with the policies and are aware of the consequences of misconduct.
This must include:
+ A non-disclosure obligation is in effect - even beyond the employment contract or assignment.
+ An obligation to comply with the information security policies is in effect (see 5.1)
To what extent is staff (internal and external) made aware of and trained about the risks arising from handling and process
400375344.xlsx /
Printed on: 10/26/2018 Page 46 of 98
Information security
Information security must be a natural and integral part of the work environment and must be adopted into the daily work of all emp
information security training, employees shall gain the necessary knowledge and competence for security-conscious behaviour. Th
aware of what is expected of them with respect to information security and how to react to security-critical situations.
Asset Management
To what extent are directories existent for objects (assets) that contain information in different versions?
(Reference to ISO 27001: Control A.8.1.1, A.8.1.2, A.8.1.3 and A.8.1.4)
Beside the conventional inventory of physical objects, it is essential to obtain an overview of the information processed within the o
purpose, information assets are elements of information-related character such as documents, illustrations/phtographs, files, progra
facilities, vehicle prototypes, tools and equipment. An information owner takes on the role of responsible person for the respective i
400375344.xlsx /
Printed on: 10/26/2018 Page 47 of 98
Information security
To what extent is information classified according to its protection needs and are there regulations in place regarding labe
transport, storage, retention, deletion and disposal?
(Reference to ISO 27001: Control A.8.2.1, A.8.2.2 and A.8.2.3)
Information must be classified according to its value to an organization. During this assessment, the value of information to the orga
evaluated based on factors such as confidentiality, integrity and availability. The handling of information according to its classificatio
implemented by all employees.
This must include:
+ A consistent scheme for the classification of documents/information is in place and implemented.
To what extent are appropriate procedures implemented for the management of information on mobile storage devices?
Information on mobile storage devices are generally exposed to increased risks. In order to prevent loss or theft of information in ca
device is lost, regulations to reduce these risks must be defined and measures must be taken.
This must include:
None.
To what extent is the secure removal of information assets from IT services (particularly cloud) ensured?
(Reference to ISO 27017: Control CLD.8.1.5)
It must be ensured that it is known how the use of a service can be terminated in a controlled way. Particular consideration must be
can be securely removed from external systems (e.g. cloud systems).
400375344.xlsx /
Printed on: 10/26/2018 Page 48 of 98
Information security
This must include:
+ A withdrawal strategy (termination process) including the deletion and removal of assets from the cloud service is defined.
+ It is ensured that the provider will fulfil his responsibilities.
Access Control
To what extent are policies and procedures regarding the access to IT systems in place?
(Reference to ISO 27001: Control A.9.1.2)
The identity of the user of a network service, an IT system or an IT application must be clearly verifiable to enable to a trace of actio
user. In order to ensure this, authentication (registration) procedures and mechanisms of IT systems or IT applications must be des
clearly identified and authenticated.
This must include:
+ The procedures applied for user authentication are deemed secure and comply with the current state of the art.
+ The procedures for user authentication have been selected based on a risk assessment. Possible attack scenarios have been ta
possibility of direct access from the internet).
+ Further interactions must only be possible after successful authentication.
To what extent are procedures for user registration, change and de-registration implemented with the associated access r
the authentication information handled confidentially?
(Reference to ISO 27001: Control A.9.2.1, A.9.2.2, A.9.2.4 and A.9.2.5)
The use of unique and personalized user IDs (user accounts) ensures clear traceability of actions. The authentication information (
known to the authorized user only. Defined processes for the lifecycle of user accounts are in place. It is regularly reviewed whethe
are needed.
400375344.xlsx /
Printed on: 10/26/2018 Page 49 of 98
Information security
This must include:
+ The process of user ID management is documented and established.
+ The use of unique and personalized user accounts is specified.
+ The use of collective accounts is regulated (e.g. restricted to cases where proof of actions is dispensable).
+ User accounts are disabled immediately after the user has left the company (e.g. upon termination of the employment contract).
+ The authentication information is provided securely to the user.
To what extent is the allocation and use of privileged user and technical accounts regulated and is it subject to reviews?
The use of unique and personalized administrative user accounts ensures clear traceability of administrative actions. Administrators
account provided with privileged rights for administrative tasks only and must use their standard user account for all other activities
Thus, it must be ensured that only activities requiring privileged rights are actually carried out in this context.
400375344.xlsx /
Printed on: 10/26/2018 Page 50 of 98
Information security
This must include:
+ The use of unique and personalized administrative user accounts is regulated and established.
+ Distinction between user accounts (privileged user account, “office user account”) is ensured, e.g. by having two or more user ac
+ The management process (allocation/change/deletion) for privileged user IDs is documented and established.
+ Privileged rights are allocated upon approval only.
+ Secure authentication procedures are in use for privileged user accounts.
+ User accounts with privileged rights are documented and reviewed regularly.
To what extent is the user subject to binding policies concerning creation and handling of secret authentication informatio
Where authentication information is used in an IT system or application, information security critically depends on the correct use o
passwords, PINs). Therefore,user awareness regarding the correct handling of this authentication information must be regularly rai
400375344.xlsx /
Printed on: 10/26/2018 Page 51 of 98
Information security
To what extent is access to information and applications restricted to authorized persons?
(Reference to ISO 27001: Control A.9.4.1 and A.9.4.2)
Authorization must ensure that only authorized users have access to information and IT applications. For this purpose, access righ
users. These access rights must be reviewed regularly.
This must include:
+ The requirements for access to information and applications are determined.
+ An authorization policy is created including at least the following aspects:
- procedures for request, review and approval
- application of authorization roles
- separation of functions
- application of the minimalistic (“need-to-know”) principle
+ The policy is binding to all users of information and applications.
+ The access rights allocated to users and technical accounts are reviewed regularly.
To what extent is the separation of data within an environment shared with other organizations ensured?
(Reference to ISO 27017: Control CLD.9.5.1 and CLD.9.5.2)
Cloud solutions are characterized by enhanced standardization and a high level of virtualization on infrastructure the use of which i
customers. Such a collaborative environment enables numerous cloud customers to work. In order to protect own information at all
separation of data must be ensured.
400375344.xlsx /
Printed on: 10/26/2018 Page 52 of 98
Information security
This must include:
+ Effective separation prevents access to own information by unauthorized users of other organizations.
Cryptography
To what extent are rules for encryption, including the management of cryptographic keys (complete lifecycle process) for
information during storage and transport existent and have they been implemented?
(Reference to ISO 27001: Control A.10.1.1)
Protection of the confidentiality of information during both storage and transfer (e.g. when gaining physical access to data storage d
infrastructure) must be ensured. This is generally achieved by means of encryption. For handling encryption, it is essential that it pr
security characteristics at all times without simultaneously creating inadequately high availability risks. For this purpose, reliable ide
necessity of encryption must be ensured. Whenever such a need is identified, procedures deemed secure according to the scientifi
the art must be selected. Additionally, it must be ensured that the secrets (key material) are adequately protected against technical
to confidentiality as well as integrity and availability throughout the lifecycle.
400375344.xlsx /
Printed on: 10/26/2018 Page 53 of 98
Information security
This must include:
+ Any productively used encryption technologies shall be according to the technical state of the art.
+ The legal conditions for the use of encryption technologies are taken into account.
Processing of information assets outside the area affected by the measures intended for the target information security level must b
generally not possible to implement corresponding measures for all areas of the location, a zone concept should be applied definin
type of information may be processed.
400375344.xlsx /
Printed on: 10/26/2018 Page 54 of 98
Information security
This must include:
+ Requirements for the protection of affected assets are determined (see Control 8.1).
+ Security zones are specified under consideration of terrains/buildings/rooms and documented.
+ The concept of security zones is established and known to all persons handling sensitive information.
+ The security zones are secured by adequate protective measures according to the assigned risk level. (See notes for examples).
To what extent has the company taken measures against the effects of natural disasters, deliberate attacks or accidents?
Natural disasters, deliberate attacks or accidents can critically impair the availability of IT systems. It must be ensured that effects o
identified and assessed according to their criticality and that adequate protective measures have been defined and implemented.
To what extent are protective measures taken to prevent access to delivery and shipping areas by unauthorized persons?
400375344.xlsx /
Printed on: 10/26/2018 Page 55 of 98
Information security
It must be ensured that all means of access to protected zones are protected against unauthorized access by means of adequate m
associated with specific requirements in delivery and shipping areas, particularly where those have to be designed for the delivery
objects (e.g. vehicles or large tools).
This must include:
+ The requirements for protecting the delivery and shipping areas are identified.
+ The shipping areas are integrated into the security concept.
+ Necessary protective measures are defined and implemented.
+ Access is permitted by identified and authorized personnel only.
To what extent are policies and procedures regarding the use of assets, including off-site use, disposal and re-use in plac
Where assets (e.g. IT equipment, information) are taken off the premises of an organization, they are exposed to increased risks. F
exposed to the risk of theft or unauthorized viewing. As an adequate reaction to those risks, the security requirements associated w
identified. This also applies to the disposal or re-use of assets (e.g. notebooks).
Operations Security
To what extent are changes to the organization, business processes, information processing facilities and systems contro
according to their security relevance?
(Reference to ISO 27001: Control A.12.1.2)
400375344.xlsx /
Printed on: 10/26/2018 Page 56 of 98
Information security
In case of changes to the organization, business processes, information processing facilities and systems, aspects of information s
considered. The objective is to ensure that all changes are made under consideration and adherence of the information security req
To what extent are development and testing environments kept separate from productive environments?
(Reference to ISO 27001: Control A.12.1.4)
The objective of separating development and testing environments from productive environments is to prevent faults during develo
productive environment. A testing environment serves for example as an intermediate step for testing software developments with t
variables of a productive environment and for verifying the availability, reliability and integrity of their functions.
To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans, spyware, ...) imp
combined with appropriate user awareness?
(Reference to ISO 27001: Control A.12.2.1)
Two aspects must be addressed since they are of particular importance for malware protection - The malware protection software o
awareness on the other. User training is particularly important since, despite all protective measures for hardware and software, ma
inadvertently by the actions of a user.
400375344.xlsx /
Printed on: 10/26/2018 Page 57 of 98
Information security
This must include:
+ Requirements for protection against malware are determined.
+ Technical and organizational measures for protection against malware are defined and implemented.
To what extent are backups created and tested regularly in accordance with an agreed backup policy?
(Reference to ISO 27001: Control A.12.3.1)
The objective of a working backup strategy is to allow recovery of the functionality or availability of information within the required ti
failure or another type of data loss (e.g. ransomware). For this purpose, data backups must be created in compliance with a corres
regularly.
This must include:
+ Backup requirements are determined and include: the systems to be secured, associated backup intervals and the storage and tr
media.
+ Adequate protective measures, e.g. by means of encryption, taken during storage.
+ Backup media are stored in separate locations (different fire protection zones).
+ A backup concept is created and implemented.
+ An adequate backup verification is carried out.
To what extent are event logs (which may contain e.g. user activities, exceptions, errors and security events) created, stor
protected against modification?
(Reference to ISO 27001: Control A.12.4.1 and A.12.4.2)
Event logs support the traceability of events in case of a security incident. This requires that events which are necessary for determ
be recorded and stored while being protected against modification.
400375344.xlsx /
Printed on: 10/26/2018 Page 58 of 98
Information security
This must include:
+ Information security requirements regarding the handling of event logs are determined.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are obtained
- e.g. attack detection and report options (incident response)
+ Legal requirements such as storage durations and protection of personal rights are observed.
+ Rules and procedures for fulfilling the determined requirements are defined and implemented.
To what extent are the activities of system administrators and system operators logged, the logs protected against modifi
reviewed?
(Reference to ISO 27001: Control A.12.4.3)
System administrators and operators can use their comprehensive access rights to modify IT systems significantly. Logging and an
accordance with valid legislation (such as Data Protection and Works Constitution Act) are required to enable determining who has
systems in case of information security events.
This must include:
+ Security-relevant requirements regarding the logging of activities of system administrators and operators are determined and imp
+ The IT systems used are assessed regarding the necessity of logging.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are obtained and ta
assessment.
- e.g. audit logs for configuration changes and use of/access to e-discovery functions or backup.
+ Procedures for handling violations of regulations are defined.
+ Logs are regularly reviewed for violation of rules in accordance with permissible legal and operational provisions.
+ The type of logging with respect to time, activity level and storage durations is defined and implemented.
To what extent is information regarding technical vulnerabilities of IT systems acquired at an early stage, evaluated and ar
measures taken (e.g. patch management)?
(Reference to ISO 27001: Control A.12.6.1 and A.12.6.2)
400375344.xlsx /
Printed on: 10/26/2018 Page 59 of 98
Information security
Known weaknesses increase the risk that IT systems can no longer fulfil the requirements for confidentiality, availability and integrit
access to the IT system or compromise the stability of the system.
This must include:
+ Information on technical weaknesses of the used assets are collected and assessed.
+ Potentially affected systems and software (assets) are identified. (e.g. manufacturer, version, installation site)
To what extent are audit requirements and activities for reviewing IT systems planned, coordinated, aligned and are those
subsequently subjected to technical review (system audit)?
(Reference to ISO 27001: Control A.12.7.1, A.18.2.3)
During audits (particularly technical audits), problems with the stability of the IT systems under review may occur. Audit activities inv
systems must be planned and agreed in order to avoid disturbances of the corresponding processes.
This must include:
+ Requirements for auditing IT systems are determined.
+ The scope of the audit is specified in a timely manner.
+ System audits are coordinated with the operator and users of IT systems.
+ The results of system audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results.
+ The derived measures are traced under the ISMS.
To what extent have effects due to critical administrative functions of external IT services (particularly cloud services) bee
400375344.xlsx /
Printed on: 10/26/2018 Page 60 of 98
Information security
Many cloud services provide functions which may lead to major changes to services in operative use. These functions may jeopard
information, be irreversible or reversible only with significant effort which then may impair availability or integrity. These functions ar
administrative users via an easy-to-use automated configuration interface. When an administrative user executes such functions, s
out without further human supervision.
It must be ensured that such functions can neither inadvertently nor by a wilful administrator be used without particular effort to cau
confidentiality, availability or integrity.
Communications Security
To what extent are networks managed and controlled to protect information in IT systems and applications?
(Reference to ISO 27001: Control A.13.1.1)
The protection of information in networks, IT systems and IT applications must be ensured. For this purpose, measures ensuring pr
unauthorized access must be implemented. This includes taking suitable control measures supported by means of monitoring the n
IT applications.
400375344.xlsx /
Printed on: 10/26/2018 Page 61 of 98
Information security
This must include:
+ Procedures for management and control of networks are defined.
To what extent are requirements for security mechanisms and service levels and also management requirements for netw
and documented in service level agreements?
(Reference to ISO 27001: Control A.13.1.2)
Security mechanisms, quality of service provision and requirements for the management of all network services must be determine
agreements (Service Level Agreements, SLAs) for both internal and external networks.
This must include:
+ Requirements regarding the information security of network services are determined and implemented.
To what extent are groups of information services, users and information systems segregated on networks?
(Reference to ISO 27001: Control A.13.1.3)
IT systems on the network usually have different protection needs. Thus, IT systems directly connected to the internet are generally
threats than IT systems on the office network. In order to detect and prevent undesired data exchange between IT systems of differ
corresponding groups must be formed on the network and then segregated from other groups.
400375344.xlsx /
Printed on: 10/26/2018 Page 62 of 98
Information security
This must include:
+ Requirements regarding network segmentation are determined.
- Where cloud services are used, the possibilities of (virtual) network separation is considered
During exchange and transfer of information, the information security requirements must be considered. For this purpose, it must b
within the organization may be used for which type of data and which protective measures are to be taken when using those servic
To what extent are non-disclosure agreements applied prior to an information exchange and are the requirements or need
information documented and regularly reviewed?
(Reference to ISO 27001: Control A.13.2.4)
Even where sensitive information is passed on outside the organization, it must be ensured that external organizations are obliged
security requirements and to implement the required measures. Non-disclosure agreements provide the necessary legal basis for t
it must be ensured that sensitive information is only passed on if a corresponding non-disclosure agreement has been entered and
400375344.xlsx /
Printed on: 10/26/2018 Page 63 of 98
Information security
This must include:
+ All service providers and employees working with sensitive information have entered valid non-disclosure agreements.
+ Rules and procedures for applying non-disclosure agreements are defined and made known to all persons passing on sensitive i
+ The requirements, rules and procedures for applying non-disclosure agreements are reviewed regularly.
Information security must be an integral part of the entire lifecycle of IT systems. This includes in particular that information security
into account in the development, acquisition and maintenance of IT systems.
This must include:
+ The information security requirements associated with the acquisition or extension of IT systems are determined.
To what extent are security-relevant aspects considered in the software development process (incl. change management)
400375344.xlsx /
Printed on: 10/26/2018 Page 64 of 98
Information security
Information security requirements must be taken into account in the development process of software and IT systems. They must b
requirements and milestones into the respective process model.
This must include:
None.
To what extent are test data created, protected and used in a careful and controlled manner?
(Reference to ISO 27001: Control A.14.3.1)
Test data is often required for testing purposes in the course of software development or change management. Testing is conducte
the access to which is often controlled less strictly and often allocated to persons (e.g. service providers or developers) who do not
productive data. It must be ensured that the test environment does not increase the risk of loss or disclosure of productive data.
400375344.xlsx /
Printed on: 10/26/2018 Page 65 of 98
Information security
To what extent is it ensured that only evaluated and approved external IT services (particularly cloud services) are used fo
data?
-
Particularly cloud services, whose use is often related to little or no cost, present an enhanced risk that established acquisition proc
also leading to acquisition and commissioning without adequate compliance with technical and contractual information security req
cannot be ensured in cases where external IT services are used without considering security requirements.
Therefore, it must be ensured that external IT services will not be commissioned unless the intended processes are completed and
security processes and provisions are met prior to commissioning.
Supplier Relationships
To what extent are information security requirements contractually agreed with suppliers to mitigate risks when suppliers
corporate assets (particularly information and communication services and in case such assets are used by subcontracto
In collaboration with external companies (e.g. subcontractors), the requirements regarding the protection needs of transferred infor
considered. Therefore, relevant risks and requirements regarding information security must be addressed in the contracts.
400375344.xlsx /
Printed on: 10/26/2018 Page 66 of 98
Information security
This must include:
+ External companies/third parties (e.g. subcontractors) shall be subjected to an information security assessment.
+ Contractual agreements with external companies regarding measures for protecting information (e.g. non-disclosure agreements
+ Requirements for other subcontractors of the supplier are taken into account in procurement.
To what extent are the services performed by a supplier or subcontractor monitored, reviewed and audited on a regular ba
The provision of services by service providers shall be monitored regularly by an organization. By means of monitoring and verifyin
must be ensured that the conditions of an agreement regarding information security are fulfilled.
400375344.xlsx /
Printed on: 10/26/2018 Page 67 of 98
Information security
To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an effective
information security incidents or weaknesses?
(Reference to ISO 27001: Control A.16.1.1 - A.16.1.3)
Detection of and defence against security events generally require an effective and consistent approach. For this purpose, the resp
procedures for handling information security events must be specified in order to ensure a prompt reaction to those events. Suitabl
awareness of all employees are essential elements of these procedures and must be considered.
Information security events must be assessed. There shall be an adequate reaction to information security events based on defined
aftermath of information security events, findings must be used to reduce the probability of future events occurring.
400375344.xlsx /
Printed on: 10/26/2018 Page 68 of 98
Information security
To what extent are information security requirements (including redundancy of corresponding facilities) and the continuity
event of a crisis defined, implemented, verified and evaluated?
(Reference to ISO 27001: Control A.17.1.1 - A.17.1.3 and A.17.2.1)
In events of crisis, information security is particularly at risk. Therefore, it must be ensured that even in those cases the defined ISM
provide effective protection or previously defined supplementary measures must be taken.
Compliance
To what extent is compliance to relevant legal (country-specific) regulations and contractual requirements ensured (e.g. p
property rights, use of encryption technology and protection of records)?
(Reference to ISO 27001: Control A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.5)
An essential aspect of compliance is the adherence of legal, regulatory, contractual and business-related requirements and specific
must know relevant requirements and specifications and meet them. This also includes consideration of intellectual property rights.
requirements for records regarding their protection against loss, destruction, forgery, unauthorized access and unauthorized disclos
additionally cryptographic measures shall be implemented while taking the relevant agreements, legislation and provisions into acc
400375344.xlsx /
Printed on: 10/26/2018 Page 69 of 98
Information security
This must include:
+ Legal, regulatory and contractual requirements and specifications of relevance to information security, such as e.g. in relation to c
regularly.
+ Regulations regarding the compliance with legal, regulatory and contractual requirements are defined, implemented and commun
persons.
To what extent is confidentiality and the protection of personally identifiable information ensured (according to national le
Privacy and protection of personally identifiable information must be ensured as required in relevant legislation and regulation wher
purpose, processes and procedures ensuring adequate protection of personally identifiable information shall be implemented.
To what extent is the ISMS reviewed by an independent third party at regular intervals or in case of significant changes?
Assessing the effectiveness of the ISMS only from an internal point of view is not sufficient to serve as an essential control tool. Ins
and therefore objective assessment must be obtained at regular intervals and in case of significant changes.
400375344.xlsx /
Printed on: 10/26/2018 Page 70 of 98
Information security
This must include:
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of significant
+ Measures for correcting potential deviations are initiated and pursued.
To what extent is the compliance of procedures and processes with policies, regulations and other relevant information se
ensured?
(Reference to ISO 27001: Control A.18.2.2, A.18.2.3)
The effectiveness of policies, regulations and relevant information security standards must be ensured continuously. For this purpo
applicable security policies and standards must be verified at regular intervals. This also includes verification of compliance with tec
the information security policies. The results of the conducted tests must be recorded and the records must be retained.
400375344.xlsx /
Printed on: 10/26/2018 Page 71 of 98
Information security
Information Security Assessment -
Additional requirements for connection to third parties
based on ISO 27002:2013
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
23
23.7
23.7.2
Objective:
Requirements:
23.9
23.9.2
Objective:
400375344.xlsx /
Printed on: 10/26/2018 Page 72 of 98
Connection to 3rd parties (23)
Requirements:
23.11
23.11.1
Objective:
Requirements:
23.13
23.13.3
400375344.xlsx /
Printed on: 10/26/2018 Page 73 of 98
Connection to 3rd parties (23)
Objective:
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 74 of 98
Connection to 3rd parties (23)
rity Assessment -
ements for connection to third parties
O 27002:2013
Information security must be a natural and integral part of the work environment and adopted in the daily work of all employees. By
security training, employees must gain the necessary knowledge and competence for security-conscious behaviour. They must be
is expected of them with respect to information security and how to react to security-critical situations.
Access Control
To what extent are procedures for the registration, modification and deletion of users with the corresponding access right
particular is the authentication information handled confidentially?
(Reference to ISO 27001: Control A.9.2.1, A.9.2.2, A.9.2.4 and A.9.2.5)
The identity of the user of an IT system or an IT application must be clearly verifiable to allow the assignment of actions. In order to
authentication (registration) procedures and mechanisms of IT systems or IT applications must be designed such that users are cle
authenticated.
400375344.xlsx /
Printed on: 10/26/2018 Page 75 of 98
Connection to 3rd parties (23)
This must include:
+ User related access to customer systems shall not be used by multiple users.
+ Changes to the employment contract or the authority of an employee shall be reported to the system operator immediately or use
adapted accordingly.
Processing of information assets outside the area affected by the measures intended for achieving the target information security le
Since it is generally not possible to implement corresponding measures for all areas of the location, a zone concept must be applie
which type of information may be processed.
This must include:
None.
Communications Security
To what extent are groups of information services, users and information systems segmented within the network?
(Reference to ISO 27001: Control A.13.1.3)
400375344.xlsx /
Printed on: 10/26/2018 Page 76 of 98
Connection to 3rd parties (23)
IT systems on the network have different protection needs. Thus, IT systems directly connected to the internet are generally expos
than IT systems on the office net. In order to detect and prevent undesired data exchange between IT systems of different protectio
groups must be designed on the network and these must be segregated from other groups.
400375344.xlsx /
Printed on: 10/26/2018 Page 77 of 98
Connection to 3rd parties (23)
400375344.xlsx /
Printed on: 10/26/2018 Page 78 of 98
Connection to 3rd parties (23)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
25
25.1
25.1.1
Requirements:
25.1.2
Requirements:
25.1.3
Requirements:
25.1.4
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 79 of 98
Prototype protection (25)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
25.1.5
Requirements:
25.1.6
Requirements:
25.1.7
Requirements:
25.1.8
Requirements:
25.2
25.2.1
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 80 of 98
Prototype protection (25)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
25.2.2
Requirements:
25.2.3
Requirements:
25.2.4
Requirements:
25.2.5
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 81 of 98
Prototype protection (25)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
25.2.6
Requirements:
25.2.7
Requirements:
25.3
25.3.1
Requirements:
25.3.2
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 82 of 98
Prototype protection (25)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
25.3.3
Requirements:
25.3.4
Requirements:
25.3.5
Requirements:
25.3.6
Requirements:
25.3.7
Requirements:
400375344.xlsx /
Printed on: 10/26/2018 Page 83 of 98
Prototype protection (25)
urity Assessment -
ngen Prototypenschutz
Prototype Protection
To what extent is perimeter security existent preventing unauthorized access to protected objects of the properties?
(Reference to ISO 27001: Control A.11.1.1)
To what extent is the outer skin of protected buildings constructed such as to prevent removal or opening of outer-skin co
standard tools?
(PT module; no reference to ISO 27001)
To what extent is a view and sight protection ensured in defined protection areas?
(PT module; no reference to ISO 27001)
400375344.xlsx /
Printed on: 10/26/2018 Page 84 of 98
Prototype protection (25)
urity Assessment -
ngen Prototypenschutz
To what extent is the protection against unauthorized entry regulated in the form of an access control?
(Reference to ISO 27001: Control A.11.1.1, A.11.1.2 and A.11.1.3)
To what extent is a functioning intrusion detection system implemented on the premises to be secured?
(Reference to ISO 27001: Control A.11.1.2)
Organizational Requirements
To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?
(Reference to ISO 27001: Control A.13.2.4)
400375344.xlsx /
Printed on: 10/26/2018 Page 85 of 98
Prototype protection (25)
urity Assessment -
ngen Prototypenschutz
To what extent are requirements for commissioning subcontractors known and fulfilled?
(Reference to ISO 27001: Control A.13.2.4, A.15.1.1, A.15.1.2 and A.15.1.3)
To what extent are the employees and project members evidently trained for and made aware of risks associated with han
To what extent are security classifications of the project and the resulting measures for protection known?
(Reference to ISO 27001: Control A.8.2.2)
To what extent is a process defined for allocation of access to defined security areas?
(Reference to ISO 27001: Control A.11.1.2)
400375344.xlsx /
Printed on: 10/26/2018 Page 86 of 98
Prototype protection (25)
urity Assessment -
ngen Prototypenschutz
To what extent are regulations for image recording and handling of created image material existent?
(Reference to ISO 27001: Control A.11.1.5)
To what extent is a process for carrying along and using mobile video and photography devices in(to) defined security are
Handling Prototypes
To what extent are the predefined regulations for camouflage implemented by the project members?
(PT module; no reference to ISO 27001)
To what extent are transports in need of protection arranged according to the specifications of the customer?
(PT module; no reference to ISO 27001)
400375344.xlsx /
Printed on: 10/26/2018 Page 87 of 98
Prototype protection (25)
urity Assessment -
ngen Prototypenschutz
To what extent is it ensured that vehicles, components or parts which require confidentiality are parked/stored in accorda
requirements?
(PT module; no reference to ISO 27001)
To what extent are security requirements of approved test and trial grounds observed/implemented?
(PT module; no reference to ISO 27001)
To what extent are security requirements for approved test and trial drives in public observed/implemented?
(PT module; no reference to ISO 27001)
To what extent are security requirements for presentations and events with scope/contents subject to confidentiality impl
To what extent are security requirements for film and photo shootings with scope/contents subject to confidentiality imple
400375344.xlsx /
Printed on: 10/26/2018 Page 88 of 98
Prototype protection (25)
Control 7.2 Awareness and training of employees 9.2 User registration 12.1 Change management
Coverage degree of Effectiveness of awareness Coverage degree review “user Coverage degree review Coverage degree Change
ID Collective accounts Change - error rate
awareness measures measures accounts” “authorizations” Management
Employees with raised awareness The contents of awareness Regular reviews of user accounts Collective accounts should
Regular reviews of systems for
represent an important pillar for the measures should consider for unnecessary authorizations is a principally not be used or used only A comprehensive and consistently A high quality of the change
unnecessary accounts is a
information security in a company. outcomes of information security prerequisite for a consistent and in exceptional cases since an adhered change management management process leads to
prerequisite for a consistent and
Awareness measures should reach incidents. The KPI measures the current authorization basis explicit allocation of user activities process is the basis for secure lower error rates of the performed
Description all employees, as far as possible. effectiveness of awareness
current user basis according to the
according to the need-to-know is impeded. The KPI measures the operation. The KPI measures the changes and contributes to secure
need-to-know principle. The KPI
The KPI measures the coverage measures by collection (number or principle. The KPI measures the number of used collection accounts coverage degree of changes that operation. The KPI measures the
measures the coverage degree of
degree of trainings such as e- cost based) of security incidents coverage degree of the measure in consideration of approved are compliant with the guidelines. error rate of changes.
the measure “regular user review”
learnings, classroom trainings. with human errors as a cause. “regular authorization review”. exceptions.
All employees are trained with No information security incidents All systems have valid user All authorizations comply with All collective accounts are reviewed Guidelines-compliant performance
Objective (Vision) respect to information security with human error as a cause accounts only current needs for their need of all changes
Error-free performance of changes
Recipient Information Security; supervisors Information Security Information Security Information Security Information Security Information Security Information Security
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Frequency (reporting) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Frequency (measurement) annually) annually) annually) annually) annually) annually) annually)
HR - Training Department - IKS - Data Owner, User Management, Data Owner, User Management, IT Operations, Change IT Operations, Change
Interfaces Internal Audit Department
Incident Management
supervisors supervisors
User Management
Management Management
400375344.xlsx /
Printed on: 10/26/2018 Page 89 of 98
KPIs
12.7 Detection of vulnerabilities
12.3 Protection against malware 12.4 Backup 16.2 Processing of information security incidents
(Patch management)
4 4 4 4
Coverage degree Endpoint Effectiveness of updating Degree of restoration test Coverage degree Patch Effectiveness of patch Detection rate of information
Degree of backup coverage Backup effectiveness
Security Endpoint Security coverage Management installation security incidents
Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security,
Local IT, Information Security Local IT, Information Security Local IT, Information Security Local IT, Information Security
service owner service owner service owner Compliance
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually)
Quotient: number of protected Quotient: number of systems Quotient: number of currently Quotient: number of information
time comparison Quotient: number of systems with Quotient: number of restorations time comparison
systems/total number of systems covered with backups/total number patched systems/total number of security incidents reported in the
average actual rollout state vs. tested restoration from backup/total with errors/total number of all average actual rollout state vs.
(adjusted for authorized of systems (adjusted for authorized systems (adjusted for authorized incident management/number of all
target state number of all systems with backup restoration tests target state
exceptions) exceptions) exceptions) incidents (of the surveying unit)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
monthly) annually) annually) monthly) annually) monthly) monthly) annually)
400375344.xlsx /
Printed on: 10/26/2018 Page 90 of 98
KPIs
.2 Processing of information security incidents 5.1 Information security policy 6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones
4 3 3 3 3
Local IT, Information Security, Information Security, Corporate Information Security, Corporate Information Security, Corporate Information Security, Corporate IT Security, Information Security, Information Security, Corporate
IT Security, Information Security
Compliance Security, IT Security, HR, Business Security, IT Security, HR, Business Security, IT Security Security, IT Security Corporate Security Security
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Initial creation
annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) monthly) monthly) annually)
IT, CERT, Incident Management, Information Security, Corporate Information Security, Corporate Project customer, project Project customer, project Plant security, local security
IT operation, IT Security IT operation, IT Security
Helpdesk, Service Management Security, IT Security, HR, Business Security, IT Security, HR, Business management office (PMO) management office (PMO) functions, specialized departments
400375344.xlsx /
Printed on: 10/26/2018 Page 91 of 98
KPIs
11.3 Protection measures in the
11.1 Security zones 12.5 Event logging 12.6 Logging administrative activities 12.8 System audits
delivery and shipping area
3 2 3 2 2
Information Security, Corporate Corporate Security, Logistics, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security,
Local IT, Information Security Local IT, Information Security
Security authorities Compliance Compliance Compliance Compliance
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
quarterly) annually) annually) quarterly) annually) quarterly) monthly) monthly)
Plant security, local security IT, System Owner, Data Owner, IT, System Owner, Data Owner, IT, System Owner, Data Owner, IT, System Owner, Data Owner, Audit Management, IT Operation, Audit Management, IT Operation,
Logistics, Access Management
functions, specialized departments Risk Owner Risk Owner Risk Owner, User Management Risk Owner, User Management System Owner System Owner
to be defined individually (if to be defined individually (if to be defined individually (if to be defined individually (if
5 years 10 years 5 years 5 years
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
400375344.xlsx /
Printed on: 10/26/2018 Page 92 of 98
KPIs
14.1 Requirements for the
13.2 Network services 13.5 Non-disclosure agreements 14.2 Security during the software development process 18.4 Effectiveness review
acquisition of information systems
3 3 3 3 3
Coverage degree review Effectiveness of risk handling Coverage degree of risk Coverage degree of activities Timely elimination of
Effectiveness of observing Coverage degree non- Effectiveness of risk handling
service level agreements in information service assessment in software to eliminate vulnerabilities vulnerabilities determined
SLAs disclosure agreements in development process
(SLA) acquisition processes development process determined during audits during audits
Acquisition, Information Security, Information Security, Local IT, Information Security, Local IT, Risk Information Security, Local IT, Risk Information Security, Corporate Information Security, Corporate
Local IT, Information Security Local IT, Information Security
specialized department Procurement Management Management Security, Local IT, Internal Audit Security, Local IT, Internal Audit
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
monthly) monthly) monthly) quarterly) quarterly) quarterly) quarterly) quarterly)
Internal Auditors, Information Internal Auditors, Information
Acquisition, Information Security, Procurement, specialized Procurement, specialized Procurement, specialized
Local IT, Information Security Local IT, Information Security Security, IT, specialized Security, IT, specialized
specialized department departments (requisitioner), IT departments (requisitioner), IT departments (requisitioner), IT
departments (Auditees) departments (Auditees)
Acquisition register, ordering Development system, development Development system, development Audit data base, follow-up data Audit data base, follow-up data
CMDB CMDB Acquisition system
system project data base project data base base base
400375344.xlsx /
Printed on: 10/26/2018 Page 93 of 98
KPIs
Security zones
Zone White (public) Green (controlled zone) Yellow (restricted zone) Red (high risk zone)
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk Area with technical or organizationally controlled safety measures, not freely accessible, Area with additional safety measures, restrictive, protection of special scopes, limited Area with the highest security requirements, protection of sensitive values strictly
without particularly sensitive values. None or only preventive safety requirements. Domestic authority exists. usually internal scopes number of persons, usually confidential scopes as well. regulated access rights, usually secret scopes.
(e.g. visitors' parking space, connecting routes)
Aspect
Accessibility No special requirements Values cannot be viewed freely, Clean Desk Temporary measures (according to the risk analysis) for sight protection/noise reduction Permanent sight protection/noise reduction
Visitor requirements Appropriate signs Only registered visitors, explicit reference to confidentiality/non-disclosure Restricted group of visitors, written confirmation of the non-disclosure, in permanent Only in exceptional cases: additionally to “Yellow” four-eyes principle, householder’s
personal escort by own staff consent
Driving on/parking Permitted Vehicles are allowed to drive on/park only after registration. Special restrictions Special restrictions
Access control and protection None Area must be protected against unauthorized access (personnel or technical measures) Monitoring the entering/exiting of the zones via online access reader, compensating Monitoring the entering/exiting of the zones via online access reader
locking system with limited circle
Monitorings If required, camera surveillance (prevention of damage to property) Camera surveillance and/or patrolling (prevention of unauthorized penetration) Camera surveillance, motion detection at least in the access areas or easily accessible Camera surveillance, glass breakage detector, windows with sight protection, double
areas (e.g., ground floor windows) illumination with motion detectors, central circuit, intrusion detection system installed by
professionals
Resistance values . Fences 2.2m with anti-climbing protection and undermine protection/building shell At least RC 2 or compensating measures At least RC 2 (resistance time 5 minutes) with additional measures
consisting of windows, doors, walls, roofs
Response time (alarm to visual . 30 minutes 10 minutes 5 minutes
inspection and acknowledgment)
Photography/use of optics . No internal information, otherwise only using business devices No use of private devices, business devices only in case of professional assignment No private devices, business devices in exceptional cases only Four-eyes principle,
approval by company management
Optics
Zone Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk Area with technical or organizationally controlled security measures, not freely Area with additional security measures, restrictive, protection of special scopes, limited Area with the highest security requirements, protection of sensitive values strictly
without particularly sensitive values. None or only preventive safety requirements. Subject to householders accessible, usually internal scopes number of persons, usually confidential scopes as well. regulated access rights, usually secret scopes.
rights (e.g. visitors' parking space, connecting routes)
Aspect “carrying along” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Company owned devices No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
(independent from Mobile Device Carrying along unsealed devices forbidden
Management (MDM))
Private devices of company No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
employees (wearables with Carrying along unsealed devices forbidden
optics as well)
Devices of contractors and No special requirements Carrying along unsealed devices allowed Carrying along sealed devices allowed Carrying along even sealed devices forbidden
visitors (wearables with optics as Carrying along unsealed devices forbidden
well)
Aspect “use” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Video telephony/video No special requirements Allowed in all areas Allowed in office workplaces and meeting rooms, otherwise upon approval In defined meeting rooms with permanently installed equipment, otherwise upon approval
conferencing (without recording)
Photography/video recordings No special requirements - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors
- Allowed with company owned devices allowed with company owned devices upon approval - Allowed in exceptional cases upon approval (e.g. four-eyes principles, consent of the
management)
Recording of persons and sound Declaration of consent required Declaration of consent required Declaration of consent required - Allowed only in exceptional cases upon approval
recording with company owned - Declaration of consent required
devices
Personnel
Type of employment
Standard validation Certificate of good conduct/criminal record certificate Intensive verifications of the CV, references Validation of certificates, diplomas and vocational training
relationship
X
Ordinary employee/worker
Head of department X X
IT department employees
with special access rights
Department Manager X X X
Off-Premises workplace
400375344.xlsx /
Printed on: 10/26/2018 Page 94 of 98
References
temporary working environment (e.g. hotel) regular alternative working environment (in particular home office)
Confidentiality of the
information
Highest protection class Paper: principally not Paper: principally not
“secret”
Local data storage: principally not Local data storage: principally not
Remote Access: principally not Remote Access: principally not
Medium protection class Paper: continuously under personal control Paper: principally only temporarily
“confidential”
Local data storage: strongly encrypted or Mobile Device Management (MDM) active (remote deletion Local data storage: strongly encrypted or Mobile Device Management (MDM)
on demand) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity of the access device Remote Access: strongly authenticated & strongly transport encrypted, integrity
ensured, data “non-permanent” of the access device ensured, data “non-permanent”
Lowest protection class Paper: under personal control Paper: in office furniture with special closing
“internal”
Local data storage: encrypted or Mobile Device Management (MDM) active (remote deletion on Local data storage: encrypted or Mobile Device Management (MDM) active
demand) (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity of the access device Remote Access: strongly authenticated & strongly transport encrypted, integrity
ensured, data “non-permanent” of the access device ensured, data “non-permanent”
Protection classes
Description
Normal The potential damage is marginal, short-term nature, and limited to a single entity.
High The potential damage is significant or medium-term nature or is not limited to a single entity.
Very high The potential damage threatens the existence of the company or long-term nature or is not limited to
a single entity.
400375344.xlsx /
Printed on: 10/26/2018 Page 95 of 98
References
Information Security Assessment -
Glossary
GWP = Generic Work Product = a general result that arises from the execution of the process
PA = Process Attributes = a measurable characteristic to a process capability that is applicable for each process.
Evaluation basis:
Cutback result
In the “Result with cutback to target level”, the cutback of achieved results to the target maturity level ensures that
“overachieved” controls do not compensate underachieved controls in the overall result.
Maximum score:
The variations in the maximum score arise when individual controls are marked with “n.a.” (not applicable) and
therefore the average value of the target maturity levels changes.
Spider diagram:
All results are shown without cutback. The line for the target maturity level considers controls that were marked as n.a.
400375344.xlsx /
Gedruckt am: 10/26/2018 Seite 96 von 98
Glossar
Author:
Study group Information Security of the
German Association of the Automotive Industry
License:
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
400375344.xlsx /
Gedruckt am: 10/26/2018 Seite 97 von 98
License
1.0 First release (Initial build)
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 13.5 revised
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
400375344.xlsx /
Gedruckt am: 10/26/2018 Seite 98 von 98
Change history