Cybersecurity Supply Chain Risk Management in the Automotive Industry

TISAX (Trusted Information Security Assessment Exchange) is an information security standard developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. Since its 2017 introduction, automotive manufacturers, parts manufacturers and suppliers across Europe—and increasingly globally—have widely adopted TISAX to ensure a uniform level of information security within the industry.

Currently on version 6.0.2, the TISAX Information Security Assessment (ISA) evaluates nearly 80 information security, prototype protection, and data protection controls across nine (9) control families.

Because TISAX requires a comprehensive examination of information security controls, automotive manufacturers and parts suppliers should develop a risk assessment and ongoing monitoring strategy that aligns with its requirements to enable greater cyber resilience in global supply chains.

Relevant Requirements

  • Define the scope of the TISAX assessment, identifying which parts of the organization and processes need to be evaluated

  • Implement necessary controls to address gaps and meet the required standards

  • Conduct remediation if the audit identifies any areas of non-compliance

  • Perform a self-assessment using the TISAX ISA questionnaire, evaluating current practices and policies against TISAX standards

  • Engage an ENX-accredited auditor to perform the official audit and an onsite visit

  • Regularly review and update security practices and undergo re-assessment every three years

How to Simplify TISAX Compliance

Evaluate Suppliers Against TISAX Requirements

The Prevalent Platform includes a risk assessment that maps to TISAX and ISO 27001 requirements and leverages workflow automations, task management, and automated evidence review capabilities to evaluate supplier maturity scores. In addition, the Prevalent solution presents assessment results in a central risk register that enables you to quickly visualize, sort, and pinpoint the most important risks.

Define Organizational Risk Management Processes

Partner with Prevalent experts to build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management, and compliance programs.

Score Inherent Risks

Prevalent quantifies inherent risks for all suppliers to effectively tier suppliers, set appropriate levels of further diligence, and determine the scope of ongoing assessments.

Build a Central Supplier Inventory

Prevalent helps teams build a centralized supplier inventory by importing suppliers via a spreadsheet template or through an API connection to an existing procurement or supply chain solution.

As all suppliers are reviewed, the Platform creates comprehensive supplier profiles that contain all documentary evidence related to the TISAX assessment, plus insights into a supplier’s demographics, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

Identify Fourth and Nth-Party Suppliers

With Prevalent, you can identify fourth-party and Nth-party suppliers in your supplier ecosystem with a questionnaire-based assessment of your suppliers or by passively scanning the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies that could expose your organization to risk.

Remediate Findings

The Prevalent Platform includes built-in remediation recommendations based on risk assessment results to ensure that your suppliers address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

Continuously Monitor Suppliers for Threats

Prevalent continuously tracks and analyzes external threats to suppliers. The solution monitors the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources include:

– Criminal forums, onion pages, dark web special-access forums, threat feeds, and paste sites for leaked credentials, as well as several security communities, code repositories, and vulnerability databases

– Databases containing several years of data breach history for thousands of companies around the world

All monitoring data is correlated with assessment results and centralized in a unified risk register for each supplier, streamlining risk review, reporting, remediation, and response initiatives.

Score and Prioritize Risks

Once all assessment and monitoring data is correlated into a central risk register, Prevalent applies risk scoring and prioritization according to a likelihood and impact model. This model places each risk on a likelihood-by-impact matrix, so you can easily see the highest-impact risks and prioritize remediation efforts on those. Assign owners and track risks and remediations until they are reduced to a level acceptable to the business.

Discover Mitratech's comprehensive GRC platform portfolio

Best-in-class, scalable solutions that improve your risk management, responsiveness, resilience, and reputation.
