In 2017, German automotive group Verband der Automobilindustrie (VDA) set up the Trusted Information Security Assessment Exchange (TISAX), a mechanism through which organizations can submit to audits in compliance with VDA’s Information Security Assessment (ISA).
Governed by the ENX Association, whose members include automobile manufacturers, suppliers, and four national automotive associations, TISAX is meant to ensure a unified level of information security and to bring standardization, quality assurance, and mutual recognition of audits to VDA ISA compliance. TISAX applies to auto manufacturers and original equipment manufacturers (OEMs), but also to partners and companies that are part of the automotive supply chain, whether they are based in Germany or not.
The need for a TISAX assessment report is triggered by a request from a partner to prove VDA ISA compliance. TISAX has eight assessment objectives, each corresponding to a different label that a partner may require a company to obtain. Organizations must choose the objectives corresponding to their desired label. Each TISAX assessment objective maps to a criteria catalog of the VDA ISA.
Data Protection in TISAX assessments
As expected, data protection plays a key role in TISAX assessments and accounts for half of its objectives, while some of the remaining objectives, such as “Protection of prototype parts and components”, automatically require organizations to also meet additional data protection requirements.
The first two objectives that include data protection refer to the security of information with high protection needs and information with very high protection needs. The level of security needed (i.e. high or very high) has to be inferred from the document classification of the entity requesting an organization to undergo TISAX auditing. These objectives cover categories of data deemed sensitive in the context of the automotive industry such as intellectual property assets, auto vehicle statistics, and prototype testing data.
The last two objectives are tied to regulatory compliance with the EU’s General Data Protection Regulation and address the protection of personally identifiable information (PII), special categories of sensitive data as defined under GDPR’s Article 9, the handling of data subject rights, and ensuring that subcontractors meet the same criteria.
The VDA ISA criteria catalog includes two separate sections, one addressing the requirements for information security and one for data protection. Information security requirements are split into seven categories comprising 41 control questions that cover, among others, asset management, operations security, identity and access management, incident management and encryption.
The data protection section meanwhile has only four control questions relating to the appointment of a data protection officer, the processing of PII, ensuring that processes and data flows are compliant with legal data protection obligations and that documentation of processing procedures can be used to prove compliance.
Data Loss Prevention’s role in TISAX assessments
Data Loss Prevention (DLP) solutions help support compliance with a number of data protection regulations, including GDPR, and with international standards such as ISO/IEC 27001 and 27002, on which VDA ISA is largely based. Depending on the product, DLP tools can also help protect intellectual property and data deemed sensitive in the automotive industry. In this way, DLP can help support a successful TISAX audit in all four objectives relating to data protection and information security.
DLP technology protects data using definitions of sensitive information. These can be predefined based on GDPR requirements, PII or intellectual property, or custom definitions according to a company’s needs. Policies that control and monitor data can then be applied to all files and information that meet the criteria. This is an essential step towards achieving the VDA ISA requirement of securing data during transfer and limiting the transfer of data only to known and approved channels.
Using powerful contextual scanning and content inspection tools, DLP solutions like Endpoint Protector can identify sensitive data in over a hundred file types, blocking its transfer through insecure channels such as messaging apps, personal emails, cloud, and file-sharing services as well as the use of features such as copy-paste or print screen.
Companies can also search for personal information and intellectual property on employees’ computers, identifying sensitive data stored locally and allowing admins to delete or encrypt it remotely when it is found in unauthorized locations. These features are also useful when enforcing requests for information deletion from EU data subjects: using them, organizations can ensure that no copy of a data subject’s information remains on company computers.
Extensive documentation of data protection is a requirement for VDA ISA compliance and thus essential for a successful TISAX assessment. DLP tools do not only monitor and control the transfer of sensitive data but also log any attempted violation of policies and generate reports for them.
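As an added illustration (not code from the original article or from any DLP product), the following Python sketch shows the mechanics described above: sensitive-data definitions, a policy that allows transfers of matching content only over approved channels, and a violation log that can be summarized for assessment documentation. The definitions, channel names and sample transfers are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical sensitive-data definitions (constructed): a GDPR/PII pattern
# and a custom classification marker for prototype documents.
DEFINITIONS = {
    "pii_email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "prototype_marker": re.compile(r"\bCLASSIFICATION:\s*PROTOTYPE\b"),
}

# Known and approved transfer channels (assumed names); anything else is blocked.
APPROVED_CHANNELS = {"corporate_sftp", "managed_email"}


@dataclass
class DlpEngine:
    audit_log: list = field(default_factory=list)

    def classify(self, content: str) -> set:
        """Return the names of all sensitive-data definitions the content matches."""
        return {name for name, rx in DEFINITIONS.items() if rx.search(content)}

    def evaluate_transfer(self, user: str, filename: str, content: str, channel: str) -> str:
        """Decide ALLOW or BLOCK for one transfer and record every blocked attempt."""
        matched = self.classify(content)
        if not matched or channel in APPROVED_CHANNELS:
            return "ALLOW"          # no protected data, or an approved channel
        self.audit_log.append({"user": user, "file": filename,
                               "channel": channel, "matched": sorted(matched)})
        return "BLOCK"

    def report(self) -> dict:
        """Count blocked attempts per channel for the compliance report."""
        summary = {}
        for entry in self.audit_log:
            summary[entry["channel"]] = summary.get(entry["channel"], 0) + 1
        return summary


# Constructed sample transfers: (user, filename, content, channel).
SAMPLE_EVENTS = [
    ("alice", "crash_test_results.csv", "CLASSIFICATION: PROTOTYPE\nrun,peak_g\n1,42.7", "personal_webmail"),
    ("bob", "supplier_contacts.txt", "contact: j.mueller@example.org", "managed_email"),
    ("carol", "notes.txt", "meeting moved to 14:00", "messaging_app"),
    ("dave", "customer_export.csv", "id,email\n7,anna@example.com", "messaging_app"),
]


def run_demo() -> tuple:
    """Run the sample transfers through the engine; returns (decisions, report)."""
    engine = DlpEngine()
    decisions = [engine.evaluate_transfer(*event) for event in SAMPLE_EVENTS]
    return decisions, engine.report()
```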
DLP solutions offer a high degree of flexibility in the definition of sensitive data and policies and allow companies to customize and mix and match features according to their needs. As essential tools for the monitoring, control, and documentation of protected information on work computers, DLP tools thus support companies that need to obtain a TISAX label.