MAN Truck & Bus AG

Appendix 17-D - Information Security Assessment

INFORMATION SECURITY ASSESSMENT VDA

Confidential …

MAN Truck & Bus AG Contractor

November 2017, Version 1.0, Page 1 of 39
INTERNAL
Information Security Assessment

Group of companies:
Company:
Location:
Address:
Homepage:
Short description of the group / company:
Scope:
D&B D-U-N-S® No.:
Date of the assessment:
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:

Version: 3.0.4 / 2017-09-12

402300245.xlsx / Printed on: 11/18/2018, Page 2 of 39
Information Security Assessment
Results

Company:
Location:
Date:
Result with cutback to target maturity levels: 0.00
Maximum Score: 3.00
[Figure: radar chart of the assessment result per topic area, scale 0 to 5. Axes: 1 ISMS, 5 Information Security Policies, 6 Organization of Information Security, 7 Human Resources Security, 8 Asset Management, 9 Access Control, 10 Cryptography, 11 Physical and Environmental Security, 12 Operations Security, 13 Communications Security, 14 System acquisition, development and maintenance, 15 Supplier Relationships, 16 Information Security Incident Management, 17 Information Security Aspects of Business Continuity Management, 18 Compliance. Legend: Target maturity level; Results.]

Information Security Assessment
Results

Details:
No.  Topic  Target maturity level  Result
1.1 Release of an Information Security Management System (ISMS) 3 0
1.2 IS Risk Management 3 0
1.3 Effectiveness of the ISMS 3 0
5.1 Information Security Policy 3 0
6.1 Assigning responsibility for information security 3 0
6.2 Information Security in projects 3 0
6.3 Mobile devices 3 0
7.1 Contractual commitment to information security of employees 3 0
7.2 Awareness and training of employees 4 0
8.1 Inventory of assets 3 0
8.2 Classification of information 2 0
8.3 Handling of information (especially mobile storage) 3 0
9.1 Access to networks and network services 3 0
9.2 User registration 4 0
9.3 Privileged user accounts 3 0
9.4 Confidentiality of authentication data 3 0
9.5 Access to information and applications 3 0
10.1 Cryptography 3 0
11.1 Security zones 3 0
11.2 Protection against external influences and external threats 3 0
11.3 Protection measures in the delivery and shipping area 2 0
11.4 Use of equipment 2 0
12.1 Change Management 4 0
12.2 Separation of development, test and operational environment 2 0
12.3 Protection from malware 4 0
12.4 Back-up procedures 4 0
12.5 Event Logging 3 0
12.6 Logging administrational activities 2 0
12.7 Prosecution of vulnerability (patch management) 4 0
12.8 Review of information systems 2 0
13.1 Management of networks 3 0
13.2 Security requirements for networks / services 3 0
13.3 Separation of networks (network segmentation) 3 0
13.4 Electronic exchange of information 3 0
13.5 Confidentiality agreements with third parties 3 0
14.1 Requirements for the procurement of information systems 3 0
14.2 Security along the software development process 3 0
14.3 Management of test data 2 0
15.1 Risk Management in collaboration with suppliers 3 0
15.2 Services check of supplier performance 3 0
16.1 Reporting system for information security incidents (Incident Management) 3 0
16.2 Processing of information security incidents 4 0
17.1 Information Security Aspects of Business Continuity Management 3 0
18.1 Legal and contractual provisions 3 0
18.2 Protection of personal data 3 0
18.3 Audit of the ISMS by independent bodies 3 0
18.4 Efficiency tests, including technical tests 3 0
Total (47 topics): target 3.00, result 0.00
Method: comparison of the top 47 security topics based on ISO 27002 controls, evaluated with SPICE (ISO 15504).

Information Security Assessment
Results - Connection to third parties

Result with cutback to target maturity level: 0.00
Maximum score: 3.00

Details:
No.  Topic  Target maturity level  Result
23.7.2 Training and raising the awareness of employees 3 0
23.9.2 User registration 3 0
23.11.1 Security zones 3 0
23.13.3 Separation of networks (network segmentation) 3 0
Total 3 0

Information Security Assessment
Results - Prototype Protection

Result with cutback to target maturity level: 0.00
Maximum score: 3.00

Details:
No.  Topic  Target maturity level  Result
25.1.1 Safety concept 3 0
25.1.2 Perimeter safety 3 0
25.1.3 Outer skin protection 3 0
25.1.4 View and sight protection 3 0
25.1.5 Access control 3 0
25.1.6 Intrusion detection system 3 0
25.1.7 Documented visitor management 3 0
25.1.8 On-site client separation 3 0
25.2.1 Non-disclosure agreement 3 0
25.2.2 Relationships with subcontractors 3 0
25.2.3 Training and raising the awareness of employees 3 0
25.2.4 Security classification of the project 3 0
25.2.5 Process of allocation of access 3 0
25.2.6 Filming and photography 3 0
25.2.7 Bringing along image recording devices 3 0
25.3.1 Camouflage of prototypes 3 0
25.3.2 Transport of prototypes 3 0
25.3.3 Storage / parking of prototypes 3 0
25.3.4 Own test and trial ground 3 0
25.3.5 Test and trial ground in public area 3 0
25.3.6 Safety requirements for presentations and events 3 0
25.3.7 Safety requirements for film and photo shootings 3 0
Total 3 0

Information Security Assessment - Questions (Version 3.0.4)

Company:
Location:
Date:

Maturity Level: 0-5; na. In case a question does not apply, please insert na (not applicable).
Each question is followed by its version, the KPI assigned to it (where applicable), reference notes and the relevant ISO 27001 / ISO 27002 controls.

1 General Aspects (3.0.3)

1.1 To what extent is an ISMS approved by the Top Management and is the scope documented? (3.0.3)
(Reference to ISO 27001: 4 and 5.1)

1.2 To what extent is an Information Security risk management as well as risk treatment defined, documented and implemented? (3.0.4)
(Reference to ISO 27001: 8.2 and 6.1.2)

1.3 To what extent is the effectiveness of the ISMS ensured? (3.0.3)
(Reference to ISO 27001: 8.1, 9.1, 10.1, and 10.2)

5 Information Security Policies (3.0.3)

5.1 To what extent are information security guidelines created, published (internally and to external partners), communicated and are they checked in regular time intervals? (3.0.4)
(Reference to ISO 27002: Control 5.1.1 and 5.1.2)

6 Organization of Information Security (3.0.3)

6.1 To what extent are responsibilities for information security defined and allocated? (3.0.3)
(Reference to ISO 27002: Control 6.1.1)

6.2 To what extent are information security requirements taken into account in project work (irrespective of project type)? (3.0.3)
(Reference to ISO 27002: Control 6.1.5)

6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to company data? (3.0.3; reference note: Off-Premises)
(Reference to ISO 27002: Control 6.2.1 and 6.2.2)

7 Human Resources Security (3.0.3)

7.1 To what extent is staff (internal and external) contractually bound to comply with information security policies? (3.0.4; reference note: Personnel)
(Reference to ISO 27002: Control 7.1.2 and 7.3.1)

7.2 To what extent is staff (internal and external) made aware of and trained about the risks that arise when handling and processing information? (3.0.3; KPI 7.2)
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)

8 Asset Management (3.0.3)

8.1 To what extent are directories existent for objects (assets) that contain information in different versions? (3.0.3; reference note: Protection classes)
(Reference to ISO 27002: Control 8.1.1, 8.1.2, 8.1.3, and 8.1.4)

8.2 To what extent is information classified regarding the corresponding protection level and are there regulations regarding labelling, handling, transport, storage, retention, deletion and disposal in place? (3.0.4)
(Reference to ISO 27002: Control 8.2.1, 8.2.2, and 8.2.3)

8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage devices? (3.0.3)
(Reference to ISO 27002: Control 8.3.1, 8.3.2, and 8.3.3)

9 Access Control (3.0.3)

9.1 To what extent are policies and procedures existent regarding access to networks and network services? (3.0.3)
(Reference to ISO 27002: Control 9.1.2)

9.2 To what extent are procedures for a formal user registration, change and de-registration implemented to enable assignment of access rights and is the allocation of secret authentication information controlled? (3.0.3; KPI 9.2)
(Reference to ISO 27002: Control 9.2.1, 9.2.2, 9.2.4, and 9.2.5)

9.3 To what extent is the allocation and use of privileged user and technical access rights restricted and controlled? (3.0.3)
(Reference to ISO 27002: Control 9.2.3)

9.4 To what extent have binding policies been defined concerning creation and handling of secret authentication information? (3.0.3)
(Reference to ISO 27002: Control 9.3.1 and 9.4.3)

9.5 To what extent is access to information and applications restricted to authorized personnel? (3.0.4)
(Reference to ISO 27002: Control 9.4.1 and 9.4.2)

10 Cryptography (3.0.3)

10.1 To what extent are regulations for encryption, including the management of cryptographic keys (entire lifecycle process) for the protection of information during storage and transport, developed and implemented? (3.0.3)
(Reference to ISO 27002: Control 10.1.1)

11 Physical and Environmental Security (3.0.3)

11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing facilities defined, protected and monitored (entrance control)? (3.0.4; reference note: Safety zones)
(Reference to ISO 27002: Control 11.1.1, and 11.1.2)

11.2 To what extent has the company established measures to protect itself against the effects of natural disasters, malicious attacks and accidents? (3.0.3)
(Reference to ISO 27002: Control 11.1.4)

11.3 To what extent are protective measures established to protect delivery and loading areas from being accessed by unauthorized persons? (3.0.3)
(Reference to ISO 27002: Control 11.1.6)

11.4 To what extent are policies and procedures defined and implemented regarding the use of company equipment, including off-site use, disposal and re-use? (3.0.4)
(Reference to ISO 27002: Control 11.2.5, 11.2.6, and 11.2.7)

12 Operations Security (3.0.3)

12.1 To what extent are changes to the organization, business processes, information processing facilities and systems in accordance with their relevance to Information Security controlled? (KPI 12.1)
(Reference to ISO 27002: Control 12.1.2)

12.2 To what extent are development and testing environments kept separate from productive environments? (3.0.4)
(Reference to ISO 27002: Control 12.1.4)

12.3 To what extent are protection controls (e.g. endpoint security) against malware (Viruses, Worms, Trojans, Spyware, ...) implemented and combined with appropriate user awareness? (3.0.3; KPI 12.3)
(Reference to ISO 27002: Control 12.2.1)

12.4 To what extent are backups created and tested regularly in accordance with an agreed backup policy? (3.0.3; KPI 12.4)
(Reference to ISO 27002: Control 12.3.1)

12.5 To what extent are event-logs (containing e.g. user activities, exceptions, errors and security events) created, stored, reviewed and protected against modification? (3.0.3)
(Reference to ISO 27002: Control 12.4.1, and 12.4.2)

12.6 To what extent are system administrator and system operator activities logged, the logs protected against modification and regularly reviewed? (3.0.3)
(Reference to ISO 27002: Control 12.4.3)

12.7 To what extent is information regarding technical vulnerabilities of information processing systems acquired at an early stage, assessed and appropriate measures taken (e.g. patch management)? (3.0.3; KPI 12.7)
(Reference to ISO 27002: Control 12.6.1, and 12.6.2)

12.8 To what extent are audit requirements defined and activities that are used to check information processing systems planned, coordinated and executed? (3.0.3)
(Reference to ISO 27002: Control 12.7.1, 18.2.3)

13 Communications Security (3.0.3)

13.1 To what extent are networks managed and controlled to protect information in systems and applications? (3.0.4)
(Reference to ISO 27002: Control 13.1.1)

13.2 To what extent are requirements related to security mechanisms and service levels and also management requirements related to network services identified and documented in service level agreements? (3.0.4)
(Reference to ISO 27002: Control 13.1.2)

13.3 To what extent are groups of information services, users and information systems segregated on networks? (3.0.3)
(Reference to ISO 27002: Control 13.1.3)

13.4 To what extent are protective measures taken when information is exchanged or transmitted? (3.0.3)
(Reference to ISO 27002: Control 13.2.1, and 13.2.3)

13.5 To what extent are non-disclosure agreements applied before an exchange of information and are the requirements or needs for the protection of information documented and regularly reviewed? (3.0.3)
(Reference to ISO 27002: Control 13.2.4)

14 System acquisition, development and maintenance (3.0.3)

14.1 To what extent are security-relevant requirements taken into account for new information systems (incl. systems that are accessible from the public) and for extensions to existing systems? (3.0.3)
(Reference to ISO 27002: Control 14.1.1, 14.1.2, and 14.1.3)

14.2 To what extent are security-relevant aspects taken into account within the software development process (incl. change management)? (3.0.3)
(Reference to ISO 27002: Control 14.2.1 - 14.2.9)

14.3 To what extent are test data created, protected and used in a careful and controlled manner? (3.0.3)
(Reference to ISO 27002: Control 14.3.1)

15 Supplier Relationships (3.0.3)

15.1 To what extent are information security requirements agreed with suppliers to mitigate risks contractually when suppliers have access to corporate assets (particularly information and communication services and in case such assets are used by sub-contractors)? (3.0.3)
(Reference to ISO 27002: Control 15.1.1 - 15.1.3)

15.2 To what extent are the services performed by suppliers/sub-contractors monitored, reviewed and audited on a regular basis? (3.0.3)
(Reference to ISO 27002: Control 15.2.1)

16 Information Security Incident Management (3.0.3)

16.1 To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an effective response to information security incidents or vulnerabilities? (3.0.3)
(Reference to ISO 27002: Control 16.1.1 - 16.1.3)

16.2 To what extent is the handling of security events performed? (3.0.3; KPI 16.2)
(Reference to ISO 27002: Control 16.1.4 - 16.1.7)

17 Information Security Aspects of Business Continuity Management (3.0.3)

17.1 To what extent are information security requirements (including the redundancy of corresponding facilities) and the continuation of the ISMS in the event of a crisis defined, implemented, checked and evaluated? (3.0.3)
(Reference to ISO 27002: Control 17.1.1 - 17.1.3, and 17.2.1)

18 Compliance (3.0.3)

18.1 To what extent are relevant legal (country-specific), statutory, regulatory and contractual requirements ensured (e.g. protection of intellectual property rights, use of encryption technology and protection of records)? (3.0.3)
(Reference to ISO 27002: Control 18.1.1, 18.1.2, 18.1.3, 18.1.5)

18.2 To what extent is confidentiality and the protection of personal data ensured (taking national legislation into account)? (3.0.3)
Note: In case of commissioned data processing according to §11 BDSG, the module "Data Protection (24)" must be mandatorily included and evaluated.
(Reference to ISO 27002: Control 18.1.4)

18.3 To what extent is the ISMS reviewed independently on a regular basis or in the course of significant changes? (3.0.3)
(Reference to ISO 27002: Control 18.2.1)

18.4 To what extent is the effectiveness of policies, guidelines and other relevant information security standards reviewed and documented? (3.0.3)
(Reference to ISO 27002: Control 18.2.2, 18.2.3)

Information Security Assessment -
Additional requirements for connection to third parties, based on ISO 27002:2013 (Version 3.0.3)

Company:
Location:
Date:

Maturity Level: 0-5; na. In case a question does not apply, please insert na (not applicable).

23 Additional requirements for connection to third parties (3.0.3)

23.7 Human Resources Security (3.0.3)

23.7.2 To what extent are the employees (internally and externally) trained and made aware about the risks in dealing with information and its processing? (3.0.3)
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)

23.9 Access Control (3.0.3)

23.9.2 To what extent are procedures for the registration, modification and deletion of users with the corresponding access rights implemented, and in particular is a confidential handling of the registration information ensured? (3.0.3)
(Reference to ISO 27002: Control 9.2.1, 9.2.2, 9.2.4 and 9.2.5)

23.11 Physical and Environmental Security (3.0.3)

23.11.1 To what extent are security zones defined for the protection of sensitive or critical information as well as information processing facilities, protected and monitored (access control)? (3.0.3)
(Reference to ISO 27002: Control 11.1.1 and 11.1.2)

23.13 Communications Security (3.0.3)

23.13.3 To what extent are groups of information services, users and information systems segmented within the network? (3.0.3)
(Reference to ISO 27002: Control 13.1.3)

Information Security Assessment -
Additional Requirements Prototype Protection (Version 3.0.3)

Company:
Location:
Date:

Maturity Level: 0-5; na. In case a question does not apply, please insert na (not applicable).
Each question is followed by its version, reference notes and the relevant ISO 27002 controls.

25 Prototype Protection (3.0.3)

25.1 Physical and Environmental (3.0.3)

25.1.1 To what extent is a safety concept available that describes minimum requirements regarding object safety for prototype protection? (3.0.3)
(PT-module; no reference to ISO 27002)

25.1.2 To what extent is perimeter security existent that prevents unauthorized access to protected objects of the properties? (3.0.3)
(Reference to ISO 27002: Control 11.1.1)

25.1.3 To what extent is the outer skin of the buildings to be protected constructed in a form that does not allow the removal or opening of outer skin components using standard tools? (3.0.3)
(PT-module; no reference to ISO 27002)

25.1.4 To what extent is a view and sight protection ensured in defined protection areas? (3.0.3)
(PT-module; no reference to ISO 27002)

25.1.5 To what extent is the protection against unauthorized entry regulated in the form of an access control? (3.0.3)
(Reference to ISO 27002: Control 11.1.1, 11.1.2 and 11.1.3)

25.1.6 To what extent is there a functioning intrusion detection system implemented in the premises to be secured? (3.0.3)
(Reference to ISO 27002: Control 11.1.2)

25.1.7 To what extent is a documented visitor management available? (3.0.3)
(Reference to ISO 27002: Control 11.1.1)

25.1.8 To what extent is on-site client separation existent? (3.0.3)
(PT-module; no reference to ISO 27002)

25.2 Organisational Requirements (3.0.3)

25.2.1 To what extent are non-disclosure agreements / obligations existent according to the valid contractual law? (3.0.3)
(Reference to ISO 27002: Control 13.2.4)

25.2.2 To what extent are requirements for commissioning subcontractors known and fulfilled? (3.0.3)
(Reference to ISO 27002: Control 13.2.4, 15.1.1, 15.1.2 and 15.1.3)

25.2.3 To what extent are the employees and project members evidently trained and made aware regarding risks when handling prototypes? (3.0.3)
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)

25.2.4 To what extent are security classifications of the project and the resulting measures for protection known? (3.0.3)
(Reference to ISO 27002: Control 8.2.2)

25.2.5 To what extent is a process for allocation of access to specified security areas defined? (3.0.3)
(Reference to ISO 27002: Control 11.1.2)

25.2.6 To what extent are regulations for image recording and handling of created graphical material existent? (3.0.3; reference note: Optics)
(Reference to ISO 27002: Control 11.1.5)

25.2.7 To what extent is a process for carrying along and use of film- and photograph-enabled devices into defined security areas established? (3.0.3)
(Reference to ISO 27002: Control 11.1.5)

25.3 Handling Prototypes (3.0.3)

25.3.1 To what extent are the predefined regulations for camouflage implemented by the project participants? (3.0.3)
(PT-module; no reference to ISO 27002)

25.3.2 To what extent are transports in need of protection arranged according to the specifications of the customer? (3.0.3)
(PT-module; no reference to ISO 27002)

25.3.3 To what extent is it ensured that vehicles, components or parts which are in need of confidentiality are parked / stored in accordance with the requirements of the customer? (3.0.3)
(PT-module; no reference to ISO 27002)

25.3.4 To what extent are safety requirements of approved test and trial grounds observed / implemented? (3.0.3)
(PT-module; no reference to ISO 27002)

25.3.5 To what extent are safety requirements for approved test and trial drives respected / implemented in public? (3.0.3)
(PT-module; no reference to ISO 27002)

25.3.6 To what extent are safety requirements for presentations and events implemented with scope / contents subject to confidentiality? (3.0.3)
(PT-module; no reference to ISO 27002)

25.3.7 To what extent are safety requirements for film and photo shootings with scope / contents subject to confidentiality implemented? (3.0.3)
(Reference to ISO 27002: Control 11.1.5)


Information Security Assessment -
Additional questions for Data Protection in case of commissioned data processing according to §11 BDSG

Company:
Location:
Date:

Each question is answered with fulfilled [yes / no].

24 Data Protection

24.1 To what extent is the implementation of Data Protection organised?


Comments:

Reference assessment file:

Findings:

Measures:

References
+ Appointment of the data protection officer
+ organisational implementation of the data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department "data protection") depending on the company size
- Supporting data protection officer by data protection coordinators in the company areas depending on the size of the company (e.g., marketing, sales, personnel, logistics, development, etc.)

24.2 To what extent are organisational measures taken so that the processing of personal data is made according to the law?

Comments:

Reference assessment file:

Findings:

Measures:

References
+ Establishment of principles for data protection (collection, processing or use of personal data) in a company-internal policy.
+ Implementation of company-internal steering committees - with the cooperation of the data protection officer - in which data protection relevant topics are addressed.
+ Implementation of a process which ensures the involvement of the data protection officer in the case of data protection relevant topics (e.g. in the context of a preliminary check or a subsequent assessment).
+ Documentation of work processes during the collection, processing or use of personal data.
+ Documentation of statements and comments from the data protection officer regarding data protection law assessments.
+ Implementation of a process by means of which the implementation of necessary measures (e.g. contractual regulation) is ensured in order to ensure the collection, processing or use of personal data by the employees entrusted with it (including subcontractors) of the customer.
+ Company-internal work instructions or manuals in specific areas of activity concerning the collection, processing or use of personal data.
+ Employees' commitment to data and telecommunication confidentiality.

24.3 To what extent is it ensured that the internal processes or workflows are carried out according to the currently valid data protection regulations and that this is regularly subjected to a quality check?

Comments:

Reference assessment file:

Findings:

Measures:

References
+ Certification of the data protection management system depending on its company size
+ Ensuring the integrity when transmitting personal data.
+ Implementation of a control system that reveals unauthorized access to personal data.
+ Training of employees (e.g. classroom training, WBT, voluntary / obligatory).
+ Internal audits of the processes and regular optimizations.

24.4 To what extent are the relevant processing procedures documented with regard to the admissibility of data protection law (e.g. prior checks)?

Comments:

Reference assessment file:

Findings:

Measures:

References
+ Implementation of prior checks and / or data protection impact assessments and documentation of the arising results.
+ Management of an external procedure directory
+ Management of an internal processing overview
+ Implementation of privacy / data protection by design and by default principles.
+ Verifying admissibility of data processing, taking into account different national legislations, if necessary
Control 7.2 Awareness and training of the employees

KPI 7.2 (1)
scope: COVERAGE
ID: coverage degree of awareness measures
description: Employees that were made aware represent an important pillar for the information security in the company. Awareness measures should, as far as possible, reach all employees. The KPI measures the coverage degree of trainings such as e-learnings and classroom trainings.
objective: regular trainings of all employees
recipient: Information Security; supervisors
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%)
evaluation: training management; quotient: number of participants / total number of employees
frequency (measurement): to be determined individually (e.g. annually)
interfaces: HR - training department
components: e-learnings, classroom training, training plan, training register
data archiving: 5 years

KPI 7.2 (2)
scope: EFFECTIVENESS
ID: effectiveness of awareness measures
description: The contents of awareness measures should consider outcomes from information security incidents. The KPI measures the effectiveness of awareness measures by collecting (number or cost based) the security incidents with human error as a cause.
objective: minimization of information security incidents with human error as a cause
recipient: Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (0-20 low, 20-50 medium, 50+ high); possible characteristic for comparability of business units: in relation to the number of employees, e.g. unit: incidents / 100 employees
evaluation: collecting the number of security incidents with human error as a cause
frequency (measurement): to be determined individually (e.g. annually)
interfaces: IKS - internal Audit department; Incident Management
components: Incident Mgt. tool, ticket system, ISMS tool
data archiving: 5 years

9.2 User registration

KPI 9.2 (1)
scope: COVERAGE
ID: coverage degree review "user accounts"
description: Regular reviews of systems for not necessary accounts are a prerequisite for a consistent and current user basis according to the need-to-know principle. The KPI measures the coverage degree of the measure "regular user review".
objective: regular review of user accounts on all systems
recipient: Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%; special case, accounting relevant systems: target coverage = 100 %)
evaluation: quotient: number of performed reviews / total number of systems in scope
frequency (measurement): to be determined individually (e.g. annually)
interfaces: Data Owner, User Management, supervisor
components: user directory, authorization management tool, IAM platform, CMDB
data archiving: 10 years

KPI 9.2 (2)
scope: COVERAGE
ID: coverage degree review "authorizations"
description: Regular reviews of user accounts for not necessary authorizations are a prerequisite for a consistent and current authorization basis according to the need-to-know principle. The KPI measures the coverage degree of the measure "regular authorization review".
objective: regular review of all authorizations of all users
recipient: Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%; special case, accounting relevant systems: target coverage = 100 %)
evaluation: quotient: number of performed reviews / total number of users in scope
frequency (measurement): to be determined individually (e.g. annually)
interfaces: Data Owner, User Management, supervisor
components: user directory, authorization management tool, IAM platform
data archiving: 10 years

KPI 9.2 (3)
scope: EFFECTIVENESS
ID: collection accounts
description: Collection accounts should basically not be used, or only in exceptional cases, since they impede the explicit allocation of user activities. The KPI measures the number of used collection accounts in consideration of approved exceptions.
objective: minimization of group identities by allocating personal accounts to all employees on all systems
recipient: Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: number of collection accounts: red: > 0, green: = 0
evaluation: collecting the number of collection accounts (adjusted for authorized exceptions)
frequency (measurement): to be determined individually (e.g. annually)
interfaces: User Management
components: user directory, authorization management tool, IAM platform
data archiving: 5 years

12.1 Change Management

KPI 12.1 (1)
scope: COVERAGE
ID: coverage degree Change Management
description: A comprehensive and consistently adhered-to Change Management process is a basis for a secure operation. The KPI measures the coverage degree of changes that are compliant with the guidelines.
objective: guidelines-compliant performance of all changes
recipient: Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%; special case, accounting relevant systems: target coverage = 100 %)
evaluation: quotient: number of approved and requested changes (RFC) / total number of performed changes
frequency (measurement): to be determined individually (e.g. annually)
interfaces: IT Operations, Change Management
components: Project Management, Change Management
data archiving: 10 years

KPI 12.1 (2)
scope: EFFECTIVENESS
ID: Change - error rate
description: A high quality of the change management process leads to lower error rates of the performed changes and contributes to secure operations. The KPI measures the error rate of changes.
objective: error-free performance of changes
recipient: Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: < 10%, yellow: 10-30%, red: > 30%)
evaluation: quotient: number of reversed changes / total number of performed changes
frequency (measurement): to be determined individually (e.g. annually)
interfaces: IT Operations, Change Management
components: Project Management, Change Management
data archiving: 5 years

12.3 Protection against malware

KPI 12.3 (1)
scope: COVERAGE
ID: coverage degree Endpoint Security
description: The essential protection against malware for the company is a comprehensive Endpoint Security. The KPI measures the share of protected systems, having regard to the approved exceptions.
objective: comprehensive protection of all systems threatened by malware
recipient: Local IT, Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%)
evaluation: quotient: number of protected systems / total number of systems (adjusted for authorized exceptions)
frequency (measurement): to be determined individually (e.g. monthly)
interfaces: AV Management, IT Operations
components: AV console, CMDB
data archiving: 5 years

12.3 Protection against malware (continued)

KPI 12.3 (2)
scope: EFFECTIVENESS
ID: effectiveness of updating the Endpoint Security
description: Current virus signatures are the prerequisite for an effective Endpoint Security. The KPI measures the target and the actual state of virus definitions on the reporting deadline.
objective: prompt installation of AV updates
recipient: Local IT, Information Security
frequency (reporting): to be determined individually (e.g. annually)
threshold level: individually defined (e.g. objective: 100% after max. 30 minutes; green: > 90%, yellow: 70-90%, red: < 70%)
evaluation: time comparison: the average of the actual rollout state vs. target state
frequency (measurement): to be determined individually (e.g. annually)
interfaces: AV Management, IT Operations
components: AV console, CMDB
data archiving: 5 years

12.4 Backup

KPI 12.4 (1)
scope: COVERAGE
ID: degree of backup coverage
description: A regular and complete backup protects against the loss of data, e.g. in case of a system failure or malware infection. The KPI measures the degree of backup coverage.
objective: regular backups of information
recipient: Local IT, Information Security, service owner
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: = 100% (of systems to be protected), yellow: 70-99%, red: < 70%)
evaluation: quotient: number of systems covered with backups / total number of systems (adjusted for authorized exceptions)
frequency (measurement): to be determined individually (e.g. annually)
interfaces: backup process, IT Operations
components: backup software, CMDB
data archiving: 10 years

KPI 12.4 (2)
scope: COVERAGE
ID: degree of restoration test coverage
description: A regular review of backup functionality (e.g. by restoring data or systems) is essential for the availability of business information. The KPI measures the degree of the restore test coverage.
objective: regular restoration tests for all backed-up systems
recipient: Local IT, Information Security, service owner
frequency (reporting): to be determined individually (e.g. annually)
threshold level: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%)
evaluation: quotient: number of systems with tested restoration from backup / total number of all systems with backup
frequency (measurement): to be determined individually (e.g. monthly)
interfaces: backup process, IT Operations
components: backup software, CMDB
data archiving: 10 years

KPI type: EFFECTIVENESS
KPI: backup effectiveness
Description: Backup quality must be ensured by correlating controls. Measures are e.g. data restore, system restoration. The KPI measures the number of incorrect data restores.
Objective: correct backups
Addressee: Local IT, Information Security, service owner
Review interval: to be determined individually (e.g. annually)
Threshold values: number of incorrect restores: red: > 0, green: = 0
Calculation: quotient: number of incorrect restores / total number of restore tests
Measurement interval: to be determined individually (e.g. annually)
Data owner: backup process, IT Operations
Data source: backup software, CMDB
Retention period: 10 years

12.7 Detection of vulnerabilities (Patch Management)

KPI type: COVERAGE
KPI: coverage degree of Patch Management
Description: A comprehensive Patch Management protects the company against the impacts of malware and exploits. The KPI measures the inclusion of systems and applications in the Patch Management process.
Objective: ensuring a comprehensive update of systems and applications
Addressee: Local IT, Information Security
Review interval: to be determined individually (e.g. annually)
Threshold values: to be determined individually (e.g. green: > 90%, yellow: 70-90%, red: < 70%)
Calculation: quotient: number of currently patched systems / total number of systems (adjusted for authorized exceptions)
Measurement interval: to be determined individually (e.g. monthly)
Data owner: Patch/Change Management, IT Operations
Data source: Change Management console, Software Distribution Platform, CMDB, WSUS
Retention period: 5 years

KPI type: EFFECTIVENESS
KPI: effectiveness of installing patches
Description: The timely installation of patches ensures the security of systems and applications and therefore reduces the window of vulnerability for the company. The KPI measures the target and actual state of patches.
Objective: prompt installation of patches
Addressee: Local IT, Information Security
Review interval: to be determined individually (e.g. annually)
Threshold values: to be determined individually (e.g. objective: 100% after max. 10 days, green: > 90%, yellow: 70-90%, red: < 70%)
Calculation: time comparison: the average of the actual rollout state vs. target state
Measurement interval: to be determined individually (e.g. monthly)
Data owner: Patch/Change Management, IT Operations
Data source: Change Management console, Software Distribution Platform, CMDB, WSUS
Retention period: 5 years


16.2 Processing of information security incidents

KPI type: COVERAGE
KPI: coverage rate of information security incidents
Description: Information security incidents have to be detected and handled in a timely manner in order to protect the company from damages. The KPI measures the compliance of incident reporting processes with the involved interfaces.
Objective: All information security incidents will be detected, reported and handled within the framework of the incident management process.
Addressee: Local IT, Information Security, Compliance
Review interval: to be determined individually (e.g. annually)
Threshold values: number of unreported incidents: red: > 0, green: = 0
Calculation: quotient: number of information security incidents that are reported in the incident management / number of all incidents (of the surveyed unit)
Measurement interval: to be determined individually (e.g. annually)
Data owner: IT, CERT, Incident Management, Helpdesk, Service Management
Data source: Incident Management System / Workflow
Retention period: 10 years

KPI type: EFFECTIVENESS
KPI: timely processing of information security incidents
Description: Information security incidents have to be prioritized and handled according to their criticality. The KPI measures the appropriate, timely handling of information security incidents.
Objective: All information security incidents will be handled in appropriate time frames.
Addressee: Local IT, Information Security, Compliance
Review interval: to be determined individually (e.g. annually)
Threshold values: to be determined individually (e.g. maximum solution period depending on the category: PRIO 1: days, PRIO 2: weeks, PRIO 3: months; open incidents within a time period, e.g. green: < 2%, yellow: 2-5%, red: > 5%)
Calculation: separately for every individual criticality level: all open incidents in a defined time period / all incidents
Measurement interval: to be determined individually (e.g. annually)
Data owner: IT, CERT, Incident Management, Helpdesk, Service Management
Data source: Incident Management System / Workflow
Retention period: 10 years
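The coverage quotients "adjusted for authorized exceptions", the green/yellow/red threshold examples and the per-criticality timing rule of 16.2 can be computed from a CMDB extract and an incident list. The following Python is an added example and not part of the VDA ISA sheet; the five systems, the six incidents and the concrete maximum solution periods (3 days, 2 weeks and 60 days for PRIO 1, 2 and 3) are constructed assumptions, since the sheet only says "days", "weeks", "months" and leaves the exact values to be determined individually. It covers the patch and AV coverage KPIs, the backup coverage KPI with its stricter "green = 100%" example, and the 16.2 timeliness KPI; the threshold boundaries (e.g. exactly 90%) are treated as belonging to the better rating, which is also an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed CMDB extract (assumed sample data, not from the VDA ISA sheet).
# "exception" marks a system with an authorized exception; the KPI formulas say
# "adjusted for authorized exceptions", so such systems leave both the
# numerator and the denominator of the quotient.
@dataclass
class System:
    name: str
    patched: bool        # patch level matches the target state at the reporting date
    av_protected: bool   # endpoint protection installed and reporting to the AV console
    backed_up: bool      # covered by the backup process
    exception: bool = False

SYSTEMS: List[System] = [
    System("web-01",  patched=True,  av_protected=True,  backed_up=True),
    System("web-02",  patched=False, av_protected=True,  backed_up=True),
    System("db-01",   patched=True,  av_protected=True,  backed_up=True),
    System("file-01", patched=True,  av_protected=True,  backed_up=False),
    # OT controller with a documented exception: excluded from all three quotients
    System("plc-01",  patched=False, av_protected=False, backed_up=False, exception=True),
]

def coverage(systems: Iterable[System], attr: str) -> Optional[float]:
    """Coverage quotient: number of covered systems / total number of systems,
    adjusted for authorized exceptions. Returns None when nothing is in scope."""
    in_scope = [s for s in systems if not s.exception]
    if not in_scope:
        return None
    return sum(1 for s in in_scope if getattr(s, attr)) / len(in_scope)

def rate_higher_is_better(value: float, green_min: float = 0.90, yellow_min: float = 0.70) -> str:
    """Traffic-light rating for coverage KPIs. Defaults follow the sheet's example
    (green > 90%, yellow 70-90%, red < 70%); the backup KPI passes green_min=1.0
    for its 'green = 100%' example. Boundaries count towards the better rating."""
    if value >= green_min:
        return "green"
    if value >= yellow_min:
        return "yellow"
    return "red"

def rate_lower_is_better(value: float, green_max: float, yellow_max: float) -> str:
    """Traffic-light rating for error-type KPIs (change error rate, overdue
    incidents), e.g. green < 2%, yellow 2-5%, red > 5% for 16.2."""
    if value < green_max:
        return "green"
    if value <= yellow_max:
        return "yellow"
    return "red"

# Constructed incident records (assumed sample data).
@dataclass
class Incident:
    ident: str
    prio: int
    opened: date
    closed: Optional[date] = None

REPORTING_DATE = date(2017, 11, 30)

# Assumed maximum solution periods; the sheet only says PRIO 1: days,
# PRIO 2: weeks, PRIO 3: months and leaves the exact values to each company.
MAX_SOLUTION_PERIOD: Dict[int, timedelta] = {
    1: timedelta(days=3),
    2: timedelta(weeks=2),
    3: timedelta(days=60),
}

INCIDENTS: List[Incident] = [
    Incident("INC-001", 1, date(2017, 11, 20), closed=date(2017, 11, 21)),
    Incident("INC-002", 1, date(2017, 11, 25)),                  # open for 5 days > 3 days: overdue
    Incident("INC-003", 2, date(2017, 11, 1)),                   # open for 29 days > 2 weeks: overdue
    Incident("INC-004", 2, date(2017, 11, 28)),                  # open for 2 days: within period
    Incident("INC-005", 3, date(2017, 10, 15), closed=date(2017, 11, 10)),
    Incident("INC-006", 3, date(2017, 11, 29)),                  # open for 1 day: within period
]

def overdue_share(incidents: Iterable[Incident], reporting_date: date,
                  max_period: Dict[int, timedelta] = MAX_SOLUTION_PERIOD) -> Dict[int, float]:
    """16.2 timeliness KPI, computed separately per criticality level: incidents
    still open beyond their maximum solution period / all incidents of that level."""
    incidents = list(incidents)
    shares: Dict[int, float] = {}
    for prio, limit in max_period.items():
        group = [i for i in incidents if i.prio == prio]
        if not group:
            continue
        overdue = [i for i in group if i.closed is None and reporting_date - i.opened > limit]
        shares[prio] = len(overdue) / len(group)
    return shares

def kpi_report(systems=SYSTEMS, incidents=INCIDENTS, reporting_date=REPORTING_DATE) -> dict:
    """Collect the KPI values together with their rating, as a reporting sheet would."""
    report = {}
    for key, attr, green_min in (("patch_coverage", "patched", 0.90),
                                 ("av_coverage", "av_protected", 0.90),
                                 ("backup_coverage", "backed_up", 1.00)):
        value = coverage(systems, attr)
        report[key] = (value, "n/a" if value is None else rate_higher_is_better(value, green_min))
    for prio, share in overdue_share(incidents, reporting_date).items():
        report[f"incident_prio{prio}_overdue"] = (share, rate_lower_is_better(share, 0.02, 0.05))
    return report

if __name__ == "__main__":
    for name, (value, rating) in kpi_report().items():
        shown = "   n/a" if value is None else f"{value:6.1%}"
        print(f"{name:28s} {shown}  {rating}")
```

The exception handling is the point worth checking in a real report: an exception must be documented and approved before it drops out of the denominator, otherwise the coverage figure improves simply by declaring hard cases out of scope, and the CMDB and the AV console or patch platform must agree on which systems exist at all.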
Safety zones

Zone: white (public)
Explanation / notes: Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk without particularly sensitive values. None or only preventive safety requirements. Domestic authority exists. (e.g. visitors' parking space, connecting routes)
Accessibility: no special requirements
Visitor requirements: appropriate signs
Driving on / parking: permitted
Access control and protection: none
Monitoring: if required, camera surveillance (prevention of damage to property)

Zone: green (controlled zone)
Explanation / notes: Area with technical or organizationally controlled safety measures, not freely accessible, usually internal scopes
Accessibility: values cannot be viewed freely, Clear Desk
Visitor requirements: only registered visitors, explicit reference to confidentiality / non-disclosure
Driving on / parking: vehicles are allowed to park only after registration
Access control and protection: area must be protected against unauthorized access (personnel or technical measures)
Monitoring: camera surveillance and / or patrolling (prevention of unauthorized penetration)
Resistance values: fences 2.2 m with anti-climbing protection and undermining protection / building shell consisting of windows, doors, walls, roofs
Response time (alarm to visual inspection and acknowledgment): 30 minutes
Photography / use of optics: no internal information, otherwise only using business devices

Zone: yellow (restricted zone)
Explanation / notes: Area with additional safety measures, restrictive, protection of special scopes, limited number of persons, usually confidential scopes as well
Accessibility: temporary measures (according to the risk analysis) for visual protection / noise reduction
Visitor requirements: restricted group of visitors, written confirmation of non-disclosure, permanent personal accompaniment by own staff
Driving on / parking: special restrictions
Access control and protection: monitoring the entering / exiting of the zones via online access reader, compensating locking system with limited circle of key holders
Monitoring: camera surveillance, motion detection at least in the access areas or easily accessible areas (e.g. ground floor windows)
Resistance values: at least RC 2 or compensating measures
Response time (alarm to visual inspection and acknowledgment): 10 minutes
Photography / use of optics: no use of private devices, business devices only in case of professional assignment

Zone: red (high risk zone)
Explanation / notes: Area with the highest safety requirements, protection of sensitive values, strictly regulated access rights, usually secret scopes
Accessibility: permanent visual protection / noise reduction
Visitor requirements: only in exceptional cases; additionally to "yellow": four-eyes principle, consent of the holder of domestic authority
Driving on / parking: special restrictions
Access control and protection: monitoring the entering / exiting of the zones via online access reader
Monitoring: camera surveillance, glass breakage detector, windows with sight protection, double illumination with motion detectors, central circuit, intrusion detection system installed by professionals
Resistance values: at least RC 2 (resistance time 5 minutes) with additional measures
Response time (alarm to visual inspection and acknowledgment): 5 minutes
Photography / use of optics: no private devices, business devices only in exceptional cases: four-eyes principle, consent of the management

Optics: carrying along and use of devices per zone

Zone: public area
Explanation / notes: as for the white (public) zone above
Aspect "carrying along":
- Company owned devices (independent from Mobile Device Management (MDM)): no special requirements
- Private devices of company employees (wearables with optics as well): no special requirements
- Devices of contractors and visitors (wearables with optics as well): no special requirements
Aspect "use":
- Video telephony / video conferencing (without recording): no special requirements
- Photography / video recordings: no special requirements
- Recording of persons and sound recording with company owned devices: declaration of consent required

Zone: green (photo-security area 1)
Explanation / notes: as for the green (controlled zone) above
Aspect "carrying along":
- Company owned devices (independent from MDM): carrying along unsealed devices allowed
- Private devices of company employees (wearables with optics as well): carrying along unsealed devices allowed
- Devices of contractors and visitors (wearables with optics as well): carrying along unsealed devices allowed
Aspect "use":
- Video telephony / video conferencing (without recording): allowed in all areas
- Photography / video recordings: no use of private devices or devices of contractors / visitors; allowed with company owned devices
- Recording of persons and sound recording with company owned devices: declaration of consent required

Zone: yellow (photo-security area 2)
Explanation / notes: as for the yellow (restricted zone) above
Aspect "carrying along":
- Company owned devices (independent from MDM): carrying along unsealed devices allowed
- Private devices of company employees (wearables with optics as well): carrying along unsealed devices allowed
- Devices of contractors and visitors (wearables with optics as well): carrying along sealed devices allowed; carrying along unsealed devices is forbidden
Aspect "use":
- Video telephony / video conferencing (without recording): allowed in office workplaces and meeting rooms, otherwise after an approval
- Photography / video recordings: no use of private devices or devices of contractors / visitors; allowed with company owned devices after an approval
- Recording of persons and sound recording with company owned devices: declaration of consent required

Zone: red (photo-security area 3)
Explanation / notes: as for the red (high risk zone) above
Aspect "carrying along":
- Company owned devices (independent from MDM): carrying along sealed devices allowed; carrying along unsealed devices is forbidden
- Private devices of company employees (wearables with optics as well): carrying along sealed devices allowed; carrying along unsealed devices is forbidden
- Devices of contractors and visitors (wearables with optics as well): carrying along even sealed devices is forbidden
Aspect "use":
- Video telephony / video conferencing (without recording): in defined meeting rooms with permanently installed equipment, otherwise after an approval
- Photography / video recordings: no use of private devices or devices of contractors / visitors; allowed in exceptional cases after an approval (e.g. four-eyes principle, consent of the management)
- Recording of persons and sound recording with company owned devices: allowed only in exceptional cases after an approval; declaration of consent required

Personnel

Screening measures per zone:
- public area: standard validation
- green (controlled zone): certificate of good conduct / criminal record certificate
- yellow (restricted zone): intensive verification of the CV, references
- red (high risk zone): validation of certificates, diplomas and vocational training

Types of employment relationship considered:
- ordinary employee / worker
- head of department
- employee in the IT department with special access rights
- department manager
- general manager, directors, executive assistants, security manager
- contractors & suppliers
- contractors & suppliers for critical infrastructure components

Off-premises workplace

Requirements depend on the confidentiality of the information (highest protection class "secret", medium protection class "confidential", lowest protection class "internal") and on the kind of workplace.

Temporary working environment (e.g. hotel):
- "secret": paper: basically not; local data storage: basically not; remote access: basically not
- "confidential": paper: continuously under personal control; local data storage: strongly encrypted or Mobile Device Management (MDM) active (remote deletion on demand); remote access: strongly authenticated & strongly transport encrypted, integrity of the access device ensured, data "non-permanent"
- "internal": paper: under personal control; local data storage: encrypted or Mobile Device Management (MDM) active (remote deletion on demand); remote access: strongly authenticated & strongly transport encrypted, integrity of the access device ensured, data "non-permanent"

Regular alternative working environment (in particular home office):
- "secret": paper: basically not; local data storage: basically not; remote access: basically not
- "confidential": paper: basically only temporary; local data storage: strongly encrypted or Mobile Device Management (MDM) active (remote deletion on demand); remote access: strongly authenticated & strongly transport encrypted, integrity of the access device ensured, data "non-permanent"
- "internal": paper: in lockable office furniture; local data storage: encrypted or Mobile Device Management (MDM) active (remote deletion on demand); remote access: strongly authenticated & strongly transport encrypted, integrity of the access device ensured, data "non-permanent"

Protection classes

- normal: The potential damage is marginal, of short-term nature, and limited to a single entity.
- high: The potential damage is significant, or of medium-term nature, or is not limited to a single entity.
- very high: The potential damage threatens the existence of the company, or is of long-term nature, or is not limited to a single entity.
Information Security Assessment - Glossary

GWP = Generic Work Product = a general result that arises from the execution of the process

PA = Process Attributes = a measurable characteristic of process capability that is applicable to each process.

Basis for the evaluation:

Result, reduced:
In the "result with cutback to the target maturity level", the achieved results are reduced to the target level. This ensures that "overloaded" controls (those exceeding their target maturity level) do not compensate for unfulfilled controls in the overall result.
Result, maximum achievable:
The variations in the maximum achievable result arise when individual controls are marked as n.a. (not applicable) and therefore the average value of the target maturity levels changes.
Spider diagram:
All results are shown without cutback. The line for the target maturity level takes controls marked as n.a. into account.

Author:
Study group Information Security of the
German Association of the Automotive Industry

License:
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en

Change History

1.0 First Release (Initial build)

1.1 Change open questions to closed questions
More precise level descriptions
Inserting examples from practice
Spelling errors corrected

1.2 8.2 and 10.1 reference adjustment
10.2 change from production to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 change of the translation
11.3 and 11.4 restructuring of controls

1.3 11.4 add "IT systems"
9.4 revise Maturity Level 2

2.0 Revision due to the new edition of ISO 27002:2013
Adjustment of the maturity levels

2.01 Fix for error in calculation and spider diagram

2.1.0 Revision of the maturity levels, corrections of some controls

2.1.1 Release version 2.1

2.1.2 Print area adjusted

2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
Control 13.5 revised
All other controls with version 2.1.3 translation revised

2.1.4 Maturity Control changed from 12.4 into 4
Maturity Control changed from 16.3 into 3
Addition of KPIs

3.0.0 Revision for TISAX
Module Connection of third parties included
Module Prototype protection (25) included, derived from the Whitepaper from 6.10.2016
Module Data Protection (24) included, reference to 18.2 removed, maturity levels removed from the module, references from Level 1 generated instead. Reference included (ISMS, 18.2) showing that the Data Protection module will be used only in the case of commissioned data processing according to §11 BDSG; implementation of questions "fulfilled [yes/no]"
