TISAX Compliance
What is TISAX
TISAX (Trusted Information Security Assessment Exchange) is a standardized assessment and exchange mechanism designed specifically for the automotive industry. Developed by the prestigious German Association of the Automotive Industry (VDA), TISAX is built upon the VDA ISA (Information Security Assessment) catalogue, which draws its foundation from the internationally recognized ISO/IEC 27001 standard.
At its core, TISAX aims to foster a trusted environment for information security within the automotive sector. By facilitating mutual acceptance of information security assessments, TISAX eliminates the need for redundant assessments and audits. This streamlines the process and allows automotive industry participants to focus on their core operations with the confidence that robust security measures are in place.
TISAX places paramount importance on safeguarding sensitive information, protecting intellectual property, and establishing secure collaboration channels among manufacturers, suppliers, and service providers within the automotive ecosystem. It sets a high bar for information security standards, promoting a culture of trust, reliability, and secure practices throughout the industry.
What specific principles does it relate to?
Soliton’s solutions are fully aligned with the security framework of TISAX (Trusted Information Security Assessment Exchange). TISAX is a standardized mechanism established by the German Association of the Automotive Industry (VDA) to ensure information security within the automotive industry. It promotes the mutual acceptance of security assessments and audits, reducing redundancies and streamlining security practices.
Our solutions embrace the core principles of TISAX, focusing on safeguarding sensitive information, protecting intellectual property, and facilitating secure collaboration among automotive industry stakeholders. By adhering to the specific requirements of TISAX, our solutions provide a robust security foundation that meets the industry’s highest standards.
Some of the key areas covered by TISAX include access controls, incident management, risk assessment, business continuity, network security, data protection, encryption, vulnerability management, and secure software development. Through comprehensive security measures, we ensure that our solutions address these areas effectively, providing a secure environment for the automotive sector.
While Soliton’s solutions may not encompass all aspects such as awareness and training, incident response, physical protection, risk assessment, and security assessment, they comprehensively cover the remaining requirements of TISAX. Our commitment to information security and adherence to TISAX principles enable us to create a secure ecosystem for the automotive industry, safeguarding critical information and facilitating secure collaboration.
IS Policies and Organization - Information Security Policies
ISA 1.1.1: To what extent are information security policies available?
The organization needs at least one information security policy. This reflects the importance and significance of information security and is adapted to the organization. Additional policies may be appropriate depending on the size and structure of the organization.
How does MailZen support?
With MailZen, administrators are granted the ability to gain a comprehensive overview of all enrolled devices, thereby enabling them to effectively monitor and manage device authorization. By providing this level of visibility, MailZen facilitates the implementation of robust security measures, allowing organizations to ensure that only authorized devices have access to sensitive data and resources.
How does G/On support?
Upon establishing a connection using G/On, the device’s specific parameters are recorded and utilized for future connections. These parameters are securely stored within the G/On database, ensuring that they can be readily accessed for auditing and compliance purposes.
IS Policies and Organization - Asset Management
ISA 1.3.1: To what extent are information assets identified and recorded?
It is important for each organization to know the information constituting its essential assets (e.g. business secrets, critical business processes, know-how, patents).
They are referred to as information assets. An inventory ensures that the organization obtains an overview of its information assets. Moreover, it is important to know the supporting assets (e.g. IT systems, services/IT services, employees) processing these information assets.
How does MailZen support?
With MailZen, administrators are granted the ability to gain a comprehensive overview of all enrolled devices, thereby enabling them to effectively monitor and manage device authorization.
By providing this level of visibility, MailZen facilitates the implementation of robust security measures, allowing organizations to ensure that only authorized devices have access to sensitive data and resources.
How does G/On support?
Upon establishing a connection using G/On, the device’s specific parameters are recorded and utilized for future connections. These parameters are securely stored within the G/On database, ensuring that they can be readily accessed for auditing and compliance purposes.
ISA 1.3.3: To what extent is it ensured that only evaluated and approved external IT services are used for processing the organization’s information assets?
Particularly in the case of external IT services that can be used at relatively low cost or free of charge, there is an increased risk that procurement and commissioning will be carried out without appropriate consideration of the information security requirements and that security therefore is not ensured.
How does MailZen support?
Policies can be based on device-specific parameters such as OS, OS version, hostname, etc.
How does G/On support?
Policies can be based on device-specific parameters such as OS, OS version, hostname, etc.
IS Policies and Organization - IS Risk Management
ISA 1.4.1: To what extent are information security risks managed?
Information security risk management aims at the timely detection, assessment and addressing of risks in order to achieve the protection goals of information security. It thus enables the organization to establish adequate measures for protecting its information assets under consideration of the associated prospects and risks. It is recommended to keep the information security risk management of an organization as simple as possible, so as to enable its effective and efficient operation.
How does G/On support?
G/On enables remote working based on Zero Trust Application Access.
Human Resources
ISA 2.1.4: To what extent is teleworking regulated?
Working outside the specifically defined security zones (tele-working) creates particular risks requiring corresponding protective measures.
How does MailZen support?
How does G/On support?
Physical Security and Business Continuity
ISA 3.1.1: To what extent are security zones managed to protect information assets?
Security zones provide physical protection of information assets. The more sensitive the information assets to be processed are, the more protective measures are required.
How does G/On support?
ISA 3.1.2: To what extent is information security ensured in exceptional situations?
Exceptional situations (e.g. natural disasters, physical attacks, cyber attacks, exceptional social situations, incidents or infrastructure failures of significant impact) present a great challenge to the organization. Good preparation helps to ensure that information security risks are adequately considered even in exceptional situations.
How does G/On support?
ISA 3.1.4: To what extent is the handling of mobile IT devices and mobile data storage devices managed?
Mobile IT devices (e.g. notebooks, tablets, smartphones) and mobile data storage devices (e.g. SD cards, hard drives) are generally used not only on the premises of an organization, but also in mobile applications. This presents an increased risk with respect to e.g. loss or theft.
How does MailZen support?
Identity and Access Management - Identity Management
ISA 4.1.1: To what extent is the use of identification means managed?
To check the authorization for both physical access and electronic access, means of identification such as keys, visual IDs or cryptographic tokens are often used. The security features are only reliable if the use of such identification means is handled adequately.
How does NetAttest EPS support?
How does MailZen support?
How does G/On support?
ISA 4.1.2: To what extent is the user access to network services, IT systems and IT applications secured?
Only securely identified (authenticated) users are to gain access to IT systems. For this purpose, the identity of a user is securely determined by suitable procedures.
How does NetAttest EPS support?
How does MailZen support?
How does G/On support?
ISA 4.1.3: To what extent are user accounts and login information securely managed and applied?
Access to information and IT systems is provided via validated user accounts assigned to a person. It is important to protect login information and to ensure the traceability of transactions and accesses.
How does MailZen support?
MailZen uses the standard IdP within the organisation’s Exchange environment. In addition, within MailZen a user needs to be enabled by the administrator.
How does G/On support?
G/On is able to use multiple IdPs simultaneously.
Identity and Access Management - Access Management
ISA 4.2.1: To what extent are access rights assigned and managed?
The management of access rights ensures that only authorized users have access to information and IT applications. For this purpose, access rights are assigned to user accounts.
How does NetAttest EPS support?
How does MailZen support?
How does G/On support?
IT Security / Cyber Security - Cryptography
ISA 5.1.1: To what extent is the use of cryptographic procedures managed?
When using cryptographic procedures, it is important to consider risks in the field of availability (lost key material) as well as risks due to incorrectly applied procedures in the fields of integrity and confidentiality (poor algorithms/protocols or insufficient key strengths).
How does NetAttest EPS support?
How does MailZen support?
How does G/On support?
ISA 5.1.2: To what extent is information protected during transfer?
When being transferred via public or private networks, information can in some circumstances be read or manipulated by unauthorized third parties. Therefore, requirements regarding the protection needs of the information must be determined and implemented by taking suitable measures during such transfer.
How does MailZen support?
MailZen leverages industry-standard encryption techniques to ensure that all data communication is securely transmitted, effectively mitigating any potential security risks or threats posed by unauthorized access to sensitive data.
By implementing this robust encryption process, MailZen provides a highly secure digital environment that ensures that all data is securely transmitted through encrypted channels, thereby minimizing the risk of data breaches or unauthorized access. This approach to data communication enables MailZen to provide a comprehensive and effective security framework that is optimized to protect sensitive data and resources.
How does G/On support?
IT Security / Cyber Security - Operations Security
ISA 5.2.2: To what extent are development and testing environments separated from operational environments?
The objective of separating the development, testing and operational environments is to ensure that the availability, confidentiality and integrity of productive data are maintained.
How does NetAttest EPS support?
ISA 5.2.3: To what extent are IT systems protected against malware?
The aim is to both technically and organizationally ensure the protection of IT systems against malware.
How does NetAttest EPS support?
ISA 5.2.4: To what extent are event logs recorded and analyzed?
Event logs support the traceability of events in case of a security incident. This requires that events necessary to determine the causes are recorded and stored. In addition, the logging and analysis of activities in accordance with applicable legislation (e.g. Data Protection or Works Constitution Act) is required to determine which user account has made changes to IT systems.
How does NetAttest EPS support?
How does MailZen support?
MailZen securely stores a comprehensive audit trail by logging all operational activities. This enables a detailed record of all actions taken.
How does G/On support?
In G/On, every action is monitored and recorded in a specific database. Only administrators have permission to access the contents of this database.
ISA 5.2.5: To what extent are vulnerabilities identified and addressed?
Vulnerabilities increase the risk of IT systems being unable to meet the requirements for confidentiality, availability and integrity. Exploitation of vulnerabilities is among the possible ways for attackers to gain access to the IT system or to threaten its operating stability.
How does NetAttest EPS support?
By purchasing ongoing support for your NetAttest EPS, you ensure that you always have available a version of the software that is patched against the latest known vulnerabilities.
Because NetAttest EPS is the core authenticator on your network, upgrading it should not lead to an interruption of service. NetAttest EPS complies with this requirement and allows you to implement upgrades quickly while users can still authenticate using certificates.
ISA 5.2.7: To what extent is the network of the organization managed?
IT systems in a network are exposed to different risks or have different protection needs. In order to detect or prevent unintended data exchange or access between these IT systems, they are subdivided into suitable segments and access is controlled and monitored by means of security technologies.
How does NetAttest EPS support?
How does G/On support?
G/On employs a micro-segmentation-like model that grants users access to individual applications instead of relying on network-based access.
IT Security / Cyber Security - System acquisitions, requirement management and development
ISA 5.3.3: To what extent is the return and secure removal of information assets from external IT services regulated?
In order to ensure control over the information assets as the information owner, it is necessary that the information assets can be safely removed or are returned, if required, when terminating the IT service.
How does MailZen support?
MailZen uses enhanced encryption technology to ensure that all data is securely stored and protected from unauthorized access. By implementing this encryption process, MailZen provides a highly secure digital environment that effectively mitigates any potential security risks or data leakage.
Additionally, the removal of encryption keys renders the remaining data completely inaccessible, thereby ensuring that any data that falls into the wrong hands remains effectively protected from exploitation.
How does G/On support?
Through the implementation of advanced data security protocols, G/On prioritizes the secure management and handling of sensitive data. In order to mitigate potential security risks or threats, G/On avoids storing any data locally on the end-user device, thereby providing a highly secure digital environment that ensures that sensitive data is only accessible through secure channels and within authorized contexts.
This approach to data management enables G/On to provide a robust and comprehensive security framework, effectively mitigating any potential risks or threats to data integrity.
ISA 5.3.4: To what extent is information protected in shared external IT services?
Clear segregation between individual clients must be ensured so as to protect the organization’s own information in external IT services at all times and to prevent it from being accessed by other organizations (clients).
How does NetAttest EPS support?
Supplier Relationships
ISA 6.1.1: To what extent is information security ensured among contractors and cooperation partners?
An appropriate level of information security is also maintained while collaborating with cooperation partners and contractors.
How does NetAttest EPS support?
How does MailZen support?
MailZen facilitates secure email access for external contractors.
How does G/On support?
G/On facilitates secure application access, also for external contractors.