Framework Requirements for Product Security in the German Automotive Industry (Prototype Protection)


Version: 1.0
As at: 13 Dec. 2005
Status: Released

Authors:
Audi: Mr. Jablonowski
BMW: Mr. Ackermann, Mr. Driftmann, Mr. Himpsl
DaimlerChrysler: Mr. Amend, Mr. Wittmann
Opel: Mr. Mannel
VW: Mr. Maretzke
TGA: Mr. Goertz

1/14

Table of Contents

1 General Information ... 3
2 Requirements for handling prototypes ... 4
2.1 The management process for product security ... 4
2.1.1 General requirements ... 4
2.1.2 Strategy ... 4
2.1.3 Responsibility ... 4
2.1.4 Process / organization ... 4
2.1.5 Resources ... 5
2.2 Camouflage ... 6
2.2.1 General requirements ... 6
2.2.2 Strategy ... 6
2.2.3 Responsibility ... 6
2.2.4 Process / organization ... 6
2.2.5 Resources ... 6
2.2.6 Notes ... 7
2.3 Testing grounds, test stations / simulations ... 8
2.3.1 General requirements ... 8
2.3.2 Strategy ... 8
2.3.3 Responsibility ... 8
2.3.4 Process / organization ... 8
2.3.5 Resources ... 9
2.4 Testing and experimental operations ... 10
2.4.1 General requirements ... 10
2.4.2 Strategy ... 10
2.4.3 Responsibility ... 10
2.4.4 Process / organization ... 10
2.4.5 Resources ... 10
2.4.6 Notes ... 11
2.5 Photography / photographic equipment ... 12
2.5.1 General requirements ... 12
2.5.2 Strategy ... 12
2.5.3 Responsibility ... 12
2.5.4 Process / organization ... 12
2.5.5 Resources ... 12
2.6 Transport ... 13
2.6.1 Strategy ... 13
2.6.2 Responsibility ... 13
2.6.3 Process / organization ... 13
2.6.4 Resources ... 13
2.6.5 Notes ... 14

1 General Information

The framework requirements for product security were drawn up on behalf of the VDA Working Group Integral Information Protection with IT Security, Prototype Protection and Risk Management. These requirements are intended to act as a basis for product protection in the German automotive industry and to complement the requirements set down in ISO 27001.

The development and testing of prototypes and automotive components require special protection for the design and the innovations, as does the construction of design models. In these processes special attention must be paid to analyzing the risks, putting effective protection measures in place and monitoring the efficacy of those measures. Suitable procedures have to be applied to ensure that all this is carried out.

These framework requirements do not apply to car clinics, photoshoots and media events (marketing / presentations). Such events are regulated by the OEMs individually.

2 Requirements for handling prototypes

Prototypes are subject to confidentiality, but they have to be moved and tested in various environments (e.g. testing on test tracks and public roads, transportation by agencies, experiments at partner companies, etc.). These situations necessitate appropriate technical, organizational and awareness-building measures.

2.1 The management process for product security

2.1.1 General requirements

To ensure that prototypes are protected, appropriate management processes must be in place at the OEMs and the development partners.

2.1.2 Strategy

The departments involved in development and the users of prototypes must be made aware of how to deal with confidential prototypes and enabled to comply with the requirements. Technical and organizational protection measures must be defined and implemented.

2.1.3 Responsibility

a) The company must have a central office or department that organizes and implements the security process for prototype protection.
b) There must be a specific body at the OEMs (representatives from development, security office, sales) that decides on the technical and organizational protection measures (camouflage and handling regulations) for each project.
c) The organization of the vehicle project must include a person responsible for prototype protection.

2.1.4 Process / organization

a) A vehicle's development process must include a description of the milestones used for defining and imposing protection measures, dependent upon the degree of maturity and the purpose of the prototypes.
b) All persons involved in the project and all vehicle users must be familiar with the regulations on how to handle prototypes currently in force in their area of work.
c) When prototypes are entrusted to external co-developers and / or other partners, the security process must be extended to include them (confidentiality, voluntary personal information, security certificate, on-site check by the security organization responsible).

2.1.5 Resources

a) There must be sufficient personnel available (both centrally and in the project itself).
b) There must be sufficient funding available (awareness-building and training, compiling and communicating the handling regulations, etc.).

2.2 Camouflage

2.2.1 General requirements

The scope of the camouflage and the amount of work / resources involved must be based on an assessment of the protection requirements for the object in question (vehicle). The camouflage must be determined. Typical design features must be either altered or hidden. The camouflage on the prototype must not be altered or removed without consultation with the person responsible for the project.

2.2.2 Strategy

a) The company's camouflage philosophy and camouflage strategy must be described (as a guiding framework for project-specific camouflage).
b) The camouflage concept must be drawn up and implemented for each product on a case-by-case basis. It must be adapted to the development status of the vehicle.

2.2.3 Responsibility

There must be a specific body (representatives of the departments involved in development, project managers, etc.) with responsibility for decisions concerning the camouflage concept specific to the project and its development status; if such a body does not exist already, one must be set up.

2.2.4 Process / organization

a) The camouflage required for the prototypes at the various stages must be determined.
b) A document for decision must be drawn up (virtual / graphic or hardware-related).
c) Acquisition of the items used for camouflage must be organized.
d) The camouflage must be accepted and passed by representatives of the body responsible (e.g. for the first vehicle to be built).
e) The responsible technical departments must accept each case individually.
f) If applicable, comparative wind tunnel measurements must be carried out (with and without camouflage).

2.2.5 Resources

a) The camouflage materials for the interior and the exterior (hard shell or plastic film camouflage) must be available.
b) Lockable protective tarpaulins and interior coverings must be available.
c) The necessary costs must be planned.

2.2.6 Notes

The following additional requirements must also be met by the individual company:

a) A non-local registration must be used as camouflage if required.
b) If required, a coding / indicator must be applied to allow prototypes appearing in publications to be identified.
c) During the period of confidentiality, recycling / disposal must be secure.

2.3 Testing grounds, test stations / simulations

2.3.1 General requirements

The experimental requirements for new products make it essential to drive the vehicles on testing grounds. When protection is being considered, a distinction must be made between the company's own testing grounds and those that are hired.

2.3.2 Strategy

a) Testing grounds must offer special protection (e.g. from unauthorized photography) against both internal and external attacks (unauthorized persons / spy photographers), and allow screened-off / undisturbed testing.
b) In the case of mixed operations with other vehicle projects (the company's own products together with the competition) or at hired testing grounds, special protection measures must be put into effect.

2.3.3 Responsibility

a) For each location, the security organization responsible must draw up a security concept in consultation with the operator.
b) The relevant operator must ensure compliance on site with the measures in the protection concept.
c) The project manager / test manager is responsible for compliance on site with the protection measures for each vehicle.

2.3.4 Process / organization

a) Testing by the operator on the testing grounds must be centrally recorded, documented and coordinated.
b) Protection measures must be defined in writing and communicated to the relevant persons.
c) Additional measures may be required for individual products:
   1. Use of camouflaged or uncamouflaged prototypes according to the need for protection.
   2. Night drives according to the need for protection.
   3. Security patrols if required.
d) Access checks (general) together with control and documentation are essential each time a prototype is used.
e) Alarm and emergency planning measures (radio link, protective tarpaulins, bunker-type garages concealing the prototype, etc.) must be in place.

2.3.5 Resources

a) Fenced-off grounds / buildings must have physical perimeter protection (protection against visibility and climbing, secure parking spaces for prototypes, etc.).
b) Surveillance measures must be in operation (CCTV, infrared cameras or patrols, etc.).
c) Signs indicating that photography is prohibited must be attached to the perimeter fence if required.
d) All persons involved must agree to abide by the security regulations (e.g. prohibition of photography); the regulations must be posted at the entrance.

2.4 Testing and experimental operations

2.4.1 General requirements

It may also be necessary to move and test prototypes on public roads, under customer-like conditions.

2.4.2 Strategy

The proving grounds / tracks must be analyzed and assessed for risk. The scope of the protection measures (camouflage, screening personnel, night-time drives, etc.) depends on this assessment.

2.4.3 Responsibility

The following responsibilities must be allocated:

a) The test manager is responsible for prototype protection on site.
b) The driver of a prototype is personally responsible for compliance with the defined protection measures during experimental operations.
c) Risk analyses of the proving grounds / tracks must be carried out by the departments responsible (security, test manager, etc.).

2.4.4 Process / organization

a) Experimental drives must comply with the current protection measures / handling regulations (see 2.1 above).
b) Test runs on public roads must be approved by the departments responsible (project management, security, etc.).
c) The testing team must be made aware of the following aspects:
   1. The current security situation and the risks associated with travel.
   2. Confidentiality concerning the destination and scope of testing when dealing with unauthorized persons.
   3. Regulations concerning the handling of new developments (interior covers, etc.).
   4. Appropriate behavior in specific situations (e.g. photographers, accidents, breakdowns) and at critical points / weaknesses in the routes.
   5. Information to be given to people who are curious must be coordinated (cover story, e.g. driver training by automobile clubs, etc.).
d) Changes to the camouflage must be coordinated with the persons responsible (security, project manager) on a case-by-case basis.
e) Individual corporate regulations for prohibiting photography of prototypes must be observed.
f) For PCs / laptops, etc. the relevant IT security guidelines (virus check, data security, encryption, theft protection, etc.) must be observed.

2.4.5 Resources

Testing grounds and workshops at the proving grounds must be made secure against visibility and unauthorized access, using constructional, technical and / or personnel measures.

2.4.6 Notes

a) Any emblems / signs indicating company facilities must be avoided. The same also applies to personnel (e.g. clothing, hotel registration, etc.).
b) Transfer of confidential data must conform to the requirements of ISO 27001.

2.5 Photography / photographic equipment

2.5.1 General requirements

Unauthorized persons must be prevented from photographing confidential objects.

2.5.2 Strategy

If any devices for recording or transmitting images (camera phones, PDAs, compact cameras, video cameras, etc.) are brought on site, this must be regulated appropriately, especially in zones requiring a special level of protection. When picture documentation is essential, a photography permit issued by the owner of the property / client (OEM) is required, and evidence of it must be produced on request.

2.5.3 Responsibility

a) The management is responsible for regulation. Every member of staff (of the company and of partners) and every visitor must be familiarized with the procedure.
b) The series development partner must comply with the requirements of the client OEM.
c) Every member of staff is responsible for compliance with the regulations on photography / photographic equipment.

2.5.4 Process / organization

a) The procedure for issuing permits for photography (applications for the purposes of documentation during development, testing, events, etc.) must be defined and regulated.
b) Any authorized picture documentation must be kept securely and protected from viewing by unauthorized persons.
c) Secure disposal of the picture / data material must be arranged.
d) To protect against unauthorized copying, the client must, if required, demand technical / optical source protection measures from the development partner as needed.
e) Zones requiring a special level of protection must be marked as such (signs, posters, etc.).
f) Compliance with the procedure must be monitored.

2.5.5 Resources

The following relevant resources (including costs) must appear in the planning:

a) Deposit box / safe,
b) Secure, access-protected data storage devices and systems,
c) Shredder, secure deletion tool.

2.6 Transport

2.6.1 Strategy

During transport (by air, water, overland) prototypes must be protected from unauthorized viewing, unauthorized photography and unauthorized access.

2.6.2 Responsibility

a) The coordination office / logistics department of the relevant company is responsible for engaging suitable transport companies that have been approved by the OEM's security organization.
b) The department of the OEM awarding the contract must define the need for protection.
c) If the contract for transport is not awarded by the coordination office / logistics department but instead directly by the technical department, the OEM's responsible security office must approve the transport company.
d) The department awarding the contract must ensure that the management of the transport company obliges its staff and subcontractors to maintain confidentiality, and that it informs them regularly (at least once a year), or when changes are made to the protection measures, of the correct way to handle prototypes. Upon request from the security department of the OEM, evidence of this must be provided.

2.6.3 Process / organization

a) The transport company must be aware of the confidentiality status and comply with the defined protection goals.
b) Confidential transports must be carried out in accordance with the OEM's requirements.
c) The transport company must report all risk situations and incidents to the appropriate office or person.

2.6.4 Resources

The following resources (including costs) must appear in the planning:

a) Suitable means of transport that are secure in traffic (e.g. enclosed / locked, under seal, air-conditioned, alarmed).
b) Suitable means of communication (e.g. cell phone without photo function, radio).

2.6.5 Notes

a) When the contract is awarded by the coordination office / logistics department, attention must be paid to restrictions on approval imposed by the security organization.
b) Image-recording devices brought onto the premises (e.g. to document damage involving the transport company) must be declared without being asked upon entry to the plant / proving ground / testing ground.