Trancy - YouTube AI Bilingual Subtitles & Language Reactor Pro (2024)

Hello folks again, let's continue the talk about automotive cybersecurity.

In my last video, you learned why a cybersecurity management system matters.

Now let's take the next step.

How can you design a CSMS to benefit your company?

My name is Thomas Leake.

I am a Cybersecurity Expert at Kuglermark & Company.

I trained practitioners on cybersecurity in the automotive sector and otherwise with topics since over a decade.

As you know from last time, you must be aware that your products are designed to be secure over a lifetime.

New information on vulnerabilities is constantly being evaluated and is acted upon accordingly.

These tasks require ongoing efforts at both the enterprise and operation levels.

To formally coordinate these activities, regulators expect a cybersecurity management system.

I can hear you scream: "What, another management system? Paperwork eats creativity for breakfast!"

If you are considering deploying an isolated management system, your fear will indeed come true.

But you can try to avoid a snipe mirror: incorporate the CSMS into your leading management system.

That way, you orchestrate cybersecurity concerns along with other life cycle requirements.

Carefully define when your staff needs to refer to the appropriate subsystem.

Then they will take care of the right concern at the right time.

Sounds better, right?

Let's look at how you can integrate your concerns into a higher-level management system.

By definition of UNECE regulation, a CSMS means a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with security threats to vehicles and protection.

Your employees can concentrate on the various tasks at hand.

With the management system, they bring them together and operate the interfaces.

Aspects of a management system include the cybersecurity culture, the organizational structure, the documentation of required development processes and procedures, monitoring whether the work actually performed is in accordance with your processes and procedures, monitoring whether the work results in appropriately secure products, the necessary infrastructure, the required skills and competencies.

The latter are how to maintain the security of a product over its lifetime.

How to interact with customers and suppliers while ensuring cybersecurity in the supply chain.

Don't forget, a management system needs to follow a PDCA process.

Plan, do, check, act.

The processes should be regularly evaluated for effectiveness. This includes audits by independent inspection bodies.

So, to summarize, a management system is about structures, processes, measures and competences.

Let's have a first look at a blueprint of an integrated management system.

Be awesome.

three lines for the different levels of concerns from a corporate level to a business unit to the projects.

From a corporate perspective, the risks are different from those of a shop floor level, for example.

The enterprise is interested in business continuity, while the projects have to deal with the of engineering solutions.

The level of detail in a management system relates to the types of risks.

The subsystem governs the appropriate way to deal with the latter.

The dashed line in the middle also serves as a distinction.

It separates the business risk from the risk in your projects.

Now we have implemented the leading management system on the corporate level.

In our sample company, a car manufacturer, imagine a development of electronic systems and car production.

So the management has to integrate, recreate, requirements from a set of international standards.

If you work for a company with multiple product lines, there may be additional requirements such as off-highway vehicles or the like.

Let's now switch to the business unit level.

Here you need a mediation function.

The here, first, should on the one hand meet the requirements of the higher level system.

And secondly, on the other hand, enable the downstream systems at the project level.

If this business unit is a research and development unit, you can focus on the requirements of functional safety and cyber security.

The industrial network requirements in the plan are the responsibility of a management system in another system.

On the left, you see the feedback loop. Measures that ensure learning and improvement are an integral part of the management systems.

When we now move to the project level, we also cross the threshold from company-related to project-related risk.

Derive specific processes to guide the implementation of cybersecurity measures for you.

For example, when must a project lead conduct risk assessments?

As a project lead, you are also confronted with requirements from third parties, especially from your customers.

Therefore, you also need to know how you can cope with additional customer specifications, some of which go beyond those of the standards.

As you can see, an integrated management system addresses cybersecurity concerns at the appropriate levels.

There, you should derive corresponding subsystems with structures, processes, measures and, not to be forgotten, competencies.

There is one more concern.

Continuous of a cybersecurity posture.

You have learned more about this in my previous video.

The function of a cybersecurity operation center is also linked to your management.

A security operations center performs continuous field monitoring.

To do this, they scan external sources for information and see if they can find evidence of potential vulnerabilities.

They even hold bug bounty parties to get hints about possible vulnerabilities.

Analytical and forensic teams operate in VSOC.

They use penetration tests to check whether their own system is vulnerable.

They make a triage decision and assess events on whether a potential vulnerability is available in in-house systems.

The vulnerability management team works with development teams on affected projects.

If the system is already compromised, cybersecurity emergency response teams investigate what kind of measure is appropriate.

You can also design this unit as a center of excellence for cybersecurity.

Then the unit acts as a powerhouse, supporting developers in the field with training and in-depth expertise.

With the inclusion of a CSMS in your integrated management system, you ensure all necessary cybersecurity services, security and complementary activities are synchronized.

This starts at the enterprise level in terms of business risk and continues throughout the product life cycle from the beginning and the concept phase through the development to production and the end of operations.

Implement the management system carefully to foster and establish a cybersecurity culture in your corporation.

Cybersecurity concerns will become second nature to you and your colleagues.

We have prepared a more detailed white paper for free.

You will find the link in the video description below.

If you learned something, please give the video a thumbs up.

Just subscribe to our channel so you won't miss any thorough video.

Click on the displayed video and keep on learning.

See you soon!

Article information

Author: Terence Hammes MD
