TISAX®, an information security mechanism in the automotive industry

Based on the ISO 27001 standard and adapted to the requirements of the automotive field, the TISAX® (Trusted Information Security Assessment Exchange) mechanism was developed by the VDA (Verband der Automobilindustrie, the German automotive industry association) in partnership with an association of European automotive manufacturers called the European Network Exchange (ENX). The TISAX® security audit mechanism allows the mutual acceptance of information security assessments (carried out by trusted and certified third parties) in the automotive industry and provides a common evaluation mechanism for professional exchanges.

The TISAX® mechanism is deployed by manufacturers such as Volkswagen, BMW, Audi, Porsche, Mercedes, Daimler. It is also used by equipment suppliers such as Continental, Bertrand, Bosch, Magna Steyr, to check their IT security. The idea is to add value to data exchanges between manufacturers and suppliers in order to reduce costs and save time. For instance, to what extent can a partner (a manufacturer) "trust" a supplier or another partner? And how will confidential information be properly handled and protected? To answer these questions, the TISAX® assessment certifies, on the basis of objective criteria, that security measures have been implemented in relation to objectives. Thus, a "community" of TISAX®-certified users can work together in a network and, most importantly, with complete trust.

The four main themes of the TISAX® assessment are information security, connections to third parties, prototype manipulation and data protection. In particular, the TISAX® assessment ensures that an ISMS (Information Security Management System) is deployed and controlled (without the need to be ISO 27001 certified). The implementation of a thoughtful and structured ISMS already provides a guarantee of trust and quality.

As a software publisher, Systancia offers solutions that meet the security needs of any organization. Systancia provides the new generation of application delivery infrastructure, focused on security and users. It is a known European player in the virtualization, cybersecurity and digital trust markets, and its product portfolio includes:

- Systancia Workplace, formerly AppliDis Fusion, for application and desktop virtualization (VDI);
- Systancia Gate, formerly IPdiva Secure, for identification, authentication and access control;
- Systancia Cleanroom, formerly IPdiva Safe, for the monitoring of privileged users (PAM);
- Systancia Cleanroom, formerly IPdiva Cleanroom, for the separation between the administration environment and the usual environment;
- Systancia Access, formerly Avencis SSOX, for unified authentication (SSO) and more secure connections to IS resources;
- Systancia Identity, formerly Avencis Hpliance, for identity and access management (IAM), to allow the organization modeling and the definition of automatic permission assignment rules.

Application and desktop virtualization (VDI): an access window to a remote desktop or applications. The virtualization of desktops or applications consists of displaying on the user's computer applications or a desktop that are installed or run on a group of machines remote from and independent of the user's computer. The user's workstation is thus transformed into a simple access window. This group of machines (virtual or not) can be located in an internal corporate network or in the cloud. In the case of application virtualization, the user sees the virtualized applications on their own desktop like other applications. Virtualized applications are independent of the operating system on the user's desktop. In the case of desktop virtualization (VDI, Virtual Desktop Infrastructure), it is the user's desktop with its applications that is virtualized. The virtualized desktop or virtualized applications are independent of the user's operating system. The advantages of desktop virtualization include speed of execution (the user benefits from the power of remote machines), ease of use for the administrator, who centrally manages as many machines as they wish, enhanced security, excellent overall cost, ease of managing updates, etc. ...

Authentication: primary or secondary authentication. Authentication allows a user to guarantee his or her identity before accessing a resource or service. Primary authentication gives the user access to the workstation (Windows login). Several authentication modes can be made available to users: login and password, smart or contactless cards, biometrics, mobile ... To classify an authentication mode, it is enough to rely on the principle of the 3 factors: "What do I have?", "What do I know?", "Who am I?". The answers to these questions make it possible to say whether a given authentication method is "single" or "double" factor. Secondary authentication is the access of a user to an application from an open session on a workstation. The application can be of any type: web, client-server, local to the workstation or external ...

PAM: Privileged Access Management. PAM is a technology for managing access and authentication of authorized users, usually information system administrators, to administrative resources or applications. The main objective is to secure the information system by removing unauthorized access to sensitive resources. This protection is based on two main axes: management of the injection and life cycle of the passwords used in administered resources and administration applications, and the traceability, in the form of audit or video traces, of all the actions carried out during the connections of users who have the capacity to harm the information system. The users concerned by PAM may be internal users of the information system, such as system administrators or users handling sensitive data, as well as external users such as outsourced IT service providers or remote maintenance personnel ...

IAM: Identity and Access Management (IAM) is the set of processes that manage a user's identity on the network. It includes the following segments: access management (AM), authentication, privileged account management (PAM), and identity governance and administration (IGA). The term is generally misused to refer to IGA. The functional scope of IAM is very broad. It includes functionalities that make it possible:
- to authenticate a user on the network (primary authentication),
- to manage the user's authorizations, the life cycle of the user's identity and the accounts associated with it,
- to guarantee the traceability of the user's rights, as well as of the actions carried out by or on the user.
To illustrate, IAM makes it possible to simply assign a collaborator's rights and to make them evolve according to the collaborator's current situation. The fact that they belong to the company, and the function that determines their access authorization to certain applications, are taken into account in real time and integrated into the information system ...

Since 2018, all companies wishing to work for customers in the German automotive industry need a TISAX® certificate. Systancia is able to provide the technological components to meet the technical needs required for the TISAX® certification process.

Systancia is not a TISAX® certification organisation. Its solutions can only help you to obtain it. TISAX® is a registered trademark.