Information security is becoming a priority for auto parts manufacturers. Suppliers to global automotive brands are among the first to learn about new models due for release in a year or two, and their customers protect themselves with very restrictive contractual provisions. In addition to contracts, so-called client audits are used to verify information security.
To meet the requirements of global automotive brands, companies working with them are increasingly choosing to implement the most widely used standard in this area: ISO/IEC 27001, Information Security Management System. Certification to ISO/IEC 27001 is a great help during customer audits, because the requirements of that standard are precisely what such audits check against. The checklist developed by the VDA (Verband der Automobilindustrie), for example, includes points taken directly from ISO/IEC 27001.
Aware of the importance of information security in its industry, Plastic Omnium Auto Sp. z o.o. decided to implement an Information Security Management System compliant with ISO 27001, with support from BCC (now All for One Poland). The project ran from March to December 2011.
What do an ISO/IEC 27001 project and certification give the company? First and foremost, they put the company's processes in order and build awareness among employees. Implementing the appropriate procedures also protects the company against information leakage, and in the event of sabotage or another critical incident it defines clear procedures to follow.
An ISO/IEC 27001 project is not a cost for a company but an investment. A company with a working information security management system (ISMS) monitors its security status on an ongoing basis and makes decisions appropriate to the situation. The risk treatment plan is one of the tools that allows investments and activities aimed at reducing risk to be planned. The planned activities do not have to be IT security projects; they can also be periodic employee training, since building awareness is one of the most important pillars of an effective ISMS.
Where to start?
Audit. This is the first step to verify where the company’s security management stands.
The initial audit verified, among other areas, IT processes, the HR department and the procedures of the existing ISO management systems. During such an audit it is a good idea to check the entire scope that the ISMS is to cover. Attention should also be paid to external service providers (e.g., the security guard company, the server room air conditioning service or the cleaning company) and to customer requirements for information security. The audit report sets the direction for the remaining work.
Risk analysis
In the next phase of the project, a risk analysis was conducted. Information was collected, then the information itself, the business processes and the information systems were identified and classified. A risk management process was carried out, and the organization's potential and capabilities were identified in a risk treatment plan. The classified information and assets provided the input to the risk estimation process. The project team formalized the risk management procedure in a document covering the following areas:
- risk management methodology,
- main risk factors,
- risk identification and assessment,
- risk assessment criteria,
- risk mitigation activities,
- acceptance of new products, services and processes and of modifications to existing ones,
- risk incidents,
- ensuring business continuity for the company,
- emergency and crisis management,
- handling the detection of crimes or suspected crimes.
The methodology follows the so-called Deming circle, also known as the PDCA (Plan-Do-Check-Act) cycle, the internationally recognized continual improvement model on which the ISO/IEC 27001 management system is built. Risk management should be understood as a consistent, ongoing practice that includes the following elements:
- risk identification and assessment,
- risk treatment through controls,
- monitoring of the risk level,
- re-evaluation and corrective actions.
Tests, tests
The next phase of the project involved testing the processes through audits, corrective and remedial actions in the individual units of the organization where the ISMS was implemented, and presentation of and training on the ISMS for all members of the organization (training on the implemented system). The products of this third phase of the project are:
- the Statement of Applicability,
- domain-specific operating procedures, policies and instructions for the Annex A control areas:
- A.5 Security policy,
- A.6 Organization of information security,
- A.7 Asset management,
- A.8 Human resources security,
- A.9 Physical and environmental security,
- A.10 Communications and operations management,
- A.11 Access control,
- A.12 Information systems acquisition, development and maintenance.
It is worth noting that every domain element is important from the point of view of the ISMS. Take A.9, physical and environmental security, as an example. This covers access to office space and to lockers. If the company does not own its office space, then when renting it is important to check whether and how the building is protected and whether it is equipped with an access control system. If you use your own premises, bear in mind that installing an access control system is not a high cost these days.
Work culture matters a great deal here. It is important to make sure that rooms and lockers are locked when employees leave the workplace, and that confidential information is not left in easily accessible places. And the security staff? It is worth verifying the access control process for guests and how visitors are identified. Is ID checked? Can a visitor bring a laptop, tablet or smartphone onto the premises? Can a visitor move around the company's premises unescorted?
At the end of the project, a lecture/workshop training course was conducted to present the ISO/IEC 27001 information security management system in operation at the company. The applicable procedures, instructions and other organizational solutions were presented, and the participants were also introduced to the principles of external auditing. The topics covered during the training were:
- ISO/IEC 27001 implementation: the project goals achieved,
- Plastic Omnium's information security organization,
- the information security policy,
- the Statement of Applicability,
- risk management,
- the clean desk and clear screen policy,
- IT operational documents,
- Plastic Omnium's IT regulations,
- the incident management process,
- business continuity management at Plastic Omnium,
- internal audits and corrective/preventive actions,
- the certification audit process: what questions and example scenarios may arise.
The introduction of the ISO 27001-compliant Information Security Management System at Plastic Omnium was verified by a certification audit conducted by the certification body TÜV Nord. The audit took place on December 16, 2011, and concluded with a positive recommendation regarding the system's compliance with the requirements of the standard, with Plastic Omnium Auto Sp. z o.o.'s information security policy, and with internal regulations and good practice in ICT security.
Information – our most valuable resource
Michal Latocha, IT Manager for Poland and project manager of ISO 27001 implementation at Plastic Omnium Auto Sp. z o.o., talks about the rationale for implementing an ISO 27001-compliant Information Security Management System at the company.
What prompted Plastic Omnium to implement a management system based on ISO 27001 requirements?
The reason for looking for the right IT department management system for us was the need to optimize expenses while increasing the competitiveness of our company's offerings. The need became very apparent during the first wave of the global crisis in the automotive industry. The requirements of the ISO/TS 16949 system, present in the automotive industry, do not fully cover the issue of quality assurance for the services provided by IT departments. In order not to reinvent the wheel, we decided to use an existing solution on the market. ISO 27001 seemed to more than cover all our requirements.
Why exactly did ISO 27001 seem like the best choice?
In addition to cost optimization, which we achieved through intensive work in the risk analysis process, we achieved an additional goal that every company should set for itself these days: minimizing the risk of a loss of information security.
We live in an information society, where information has become a commodity, sometimes with a very high price. Our customers, i.e. car manufacturers, are outdoing one another, proposing ever newer solutions that are unique on the market. All this is done to stay ahead of the competition in acquiring customers. The situation is similar for suppliers to the automotive industry.
We all use the same commonly available equipment on the market. What sets us apart from our competitors is the way we produce a given product or service. In other words, knowledge, or information, is the greatest asset of any company, and it should be protected in the best possible way.
Nowadays, moving production from one factory to another is a matter of days. Given that all of us (who specialize in a particular type of production) use similar or sometimes the same tools, having knowledge of the production parameters becomes the key to success.
What Plastic Omnium's IT department has been able to offer our internal (business) customer and our external customers who entrust us with their classified production plans is the security of information processing in our IT systems.
What other benefits come from implementing an information security management system?
The safeguards provided for in ISO 27001 and the requirement to measure the effectiveness of the implemented safeguards fit perfectly with the ISO/TS 16949 requirement to measure the process implemented by the IT department. The analysis of indicators of the effectiveness of the implemented safeguards gives the business an accurate picture of the health of the IT process.
However, this is not the last of the advantages of implementing the system in question. There is also a noticeable increase in the motivation of those who took part in the implementation work and then became participants in the system themselves. Awareness of the fact that we are able to meet the challenge of implementing a system seemingly reserved for entities with special information security needs makes us proud of our achievement.
What are the plans for the future?
It is extremely important when implementing an information security management system to have the full approval and support of management, which is aware that operating the system will require additional work and sometimes additional resources. By treating the product of such a project as an investment, one will quickly find that the return on this investment exceeds the input.
To date, only Plastic Omnium's Gliwice plant has implemented an information security management system that complies with the requirements of ISO 27001. As it turns out, the direction we proposed two years ago is the one the corporation wants to follow, keeping in mind the paradoxical words of William Edwards Deming: "It is not necessary to change. Survival is not mandatory."
Information security and the requirements of the automotive industry
No one needs to be convinced that information today is of enormous value. We are producing more and more of it, so securing it properly is becoming increasingly difficult, but also increasingly important. From the beginning of civilization until 2003, humanity produced 5 exabytes (5,000,000,000 gigabytes) of information. In 2010, the world produced that amount of data in two days, and the pace continues to accelerate.
Concern for information security is no longer merely a sign of an organization's high level of awareness; it is slowly becoming the standard. Large companies are responsible for this state of affairs, as they are beginning to demand that their suppliers properly secure the information transmitted to them. Legislation in this area is also finally emerging. ISO 27001 itself is designed to minimize the risk of compromising any of the three attributes of information: confidentiality, integrity and availability.
Przemysław Szczurek, Product Manager for Information Security, TÜV Nord Polska Sp. z o.o.
Efforts to secure critical information do not bypass the automotive industry. In the media we come across leaked photos of a new car model, or details of new drive units, comfort features or safety solutions. Of course, some of this is only meant to look like a leak in order to generate interest, but certainly not all of it.
This is evidenced by the actions of VW and the VDA (Verband der Automobilindustrie, the German Association of the Automotive Industry), but also of Fiat, Toyota and BMW. The specific nature of the automotive industry makes it necessary to take care of the security of information entrusted to cooperating companies. According to ISO 27001, it is not enough to secure information within the organization; it must also be secured when it is sent outside the company walls.
Imagine a situation where, in a plant producing components for several automakers, the designs of specific components were not properly secured and were available to competitors. Or a case where, on entering the production floor, we come across information about who the recipients of those components are. From the competition's point of view, this would be quite a treat. Automotive corporations have long-term strategic plans for development and for the appearance of new vehicles or solutions on the market. This is critical information, so automotive companies secure it in-house. Sometimes, however, they need to send a new engine or the designs for parts and components to cooperating companies. In that case they need to be sure that this information will still be properly secured.
How can this be checked? The easiest way is to ask the contractor for an ISO 27001 certificate. If the contractor does not have one, the customer has to check the level of security itself. VDA and VW send their partners a form to complete, the Information Security Assessment, which contains questions about the security measures in place. The form is based on ISO/IEC 27002 (the code of practice that elaborates on the controls of ISO/IEC 27001) and contains 51 security controls. Each control is given a value between 1 and 5, depending on the degree to which it has been implemented; the clarifying questions included in the form help with this. Of all the controls, the 10 most important are singled out and must be met at least at level 3.
As an indication of how important it is to auto manufacturers that the transmitted data be secured, it is enough to say that the result of this assessment affects the possibility of further cooperation.
I believe that information security in the automotive industry is not just a matter for car corporations. Every organization has information (know-how, contracts, plans, designs, personal data) that absolutely must be protected, and whose leakage outside the company carries serious consequences. It is good that there are companies that expect their suppliers to keep their information secure. It helps to take a moment to reflect: is the information processed in my company properly secured?