Suggestion for Summarizing Process of the Principles

Slides:



Advertisements
Similar presentations
IS Audit Function Knowledge
Advertisements

ISO 9000 Certification ISO 9001 and ISO
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.
ITU CoE/ARB 11 th Annual Meeting of the Arab Network for Human Resources 16 – 18 December 2003; Khartoum - Sudan 1 The content is based on New OECD Guidelines.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Information Security tools for records managers Frank Rankin.
T.Russell Shields, Co-Chair, Collaboration on ITS Communication Standards Martin Adolph, Programme Coordinator, ITU ITU activities on secure vehicle software.
FIA MOBILITY & TOURISM Gerd Preuss, FIA Representative at UNECE, WP 29 Protection Against Mileage Fraud Current Status in ITS-AD 110 th GRSG Meeting Geneva,
Status report on the activities of TF-CS/OTA
Principles Identified - UK DfT -
Law Firm Data Security: What In-house Counsel Need to Know
HIPSSA Project PRESENTATION ON SADC DATA PROTECTION MODEL LAW
Roadmap For An Effective Compliance And Ethics Program
Making the Connection ISO Master Class An Overview.
The Ethics of Telepsychology
Chapter 6 Negotiating access and research ethics
Outcome TFCS-05 // May OICA, Paris
and Security Management: ISO 28000
Status report on the activities of TF-CS/OTA
Issues of personal data protection in scientific research
Common Understanding on Major Horizontal Issues and Legal Obstacles
30-31, August 2017 Den Hague, Netherlands)
Main problems of NL proposal for UN Software Regulation
ASSET - Automotive Software cyber SEcuriTy
General Data Protection Regulation
UNIT V QUALITY SYSTEMS.
Suggestion on software update
Outcome TFCS-11// February Washington DC
Research Ethics Matthew Billington
GDPR Security: How to do IT? IT reediness for competitive advantage
Radar Watchkeeping: Have you monitored your Communication department’s radar to avoid collisions with the new Regulation? 43rd EDPS-DPO meeting, 31 May.
Bob Siegel President Privacy Ref, Inc.
6 Principles of the GDPR and SQL Provision
Outcome TFCS-11// February Washington DC
NRC Cyber Security Regulatory Overview
Chapter 6 Negotiating access and research ethics
Proposal for Next Actions - Based on Threats Table Approach -
Internal control - the IA perspective
HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Meeting with the Namibia ICT Ministry and Data Protection Stakeholders.
Japan’s proposal for security regulation
Cryptography and Network Security
Status report on the activities of TF-CS/OTA
How to Mitigate the Consequences What are the Countermeasures?
HIPAA Security Standards Final Rule
Data Management Ethical considerations for educational research
The General Data Protection Regulation: Are You Ready?
IAPP TRUSTe SYMPOSIUM 9-11 JUNE 2004
Task Force – Cyber Security, Data Protection and Over-the-Air issues
Status report of TF-CS/OTA
Discussion points for Interpretation Document on Cybersecurity
Privacy and Cyber Security for Payroll Pros: A Global Perspective
Dr Elizabeth Lomas The General Data Protection Regulation (GDPR): Changing the data protection landscape Dr Elizabeth Lomas
International Telecommunication Union CITS meeting 8 March 2019 Geneva Status report of the GRVA activities Context, current activities and impact François.
Chapter 6 Negotiating access and research ethics
Security in SDR & cognitive radio
Informal document GRSG Rev.1
Software Update - Type approval related issues -
Data Protection What can I do? GDPR Principles General Data Protection
Overview of the recommendations on software updates
Status report on the activities of TF-CS/OTA
Cryptography and Network Security
Report of Japanese Test Phase <Cyber Security>
A proposal for approach to proceed work in Cybersecurity TF
Operational Risk Management
CR-GR-HSE-414 HSE Requirements for Pipeline Operations
Access to data requirementS
HSE Requirements for Pipeline Operations GROUP HSE GROUPE (CR-GR-HSE-414) EXECUTIVE SUMMARY This rule defines the minimum HSE requirements related to the.
1) Application of Cybersecurity Regulation for new registrations
A. Šidlauskas Mykolas Romeris University (LITHUANIA)
Presentation transcript:

Suggestion for Summarizing Process of the Principles TFCS-05-07 Suggestion for Summarizing Process of the Principles Japan (Security TF of ITS/AD 10-11. May 2017 @OICA / Paris)

Background The security TF has worked on threats analysis on the threats table approach which is based on the reference vehicle model. ITU and OICA/CLEPA kindly support the approach. Thanks of dedication of many experts, the security TF has obtained technical elements to support the principles(described in TFSC-01-03e from UK DfT, The security guide line by ITS/AD ). Also, the TF has to manage the time for work considering the time line on the ToR.

Suggestion The security TF is ready to start to unite such technical elements with the principles. This uniting process should be started soon and be proceeded respecting views of road vehicle regulations which WP29 is in charge of. Concerns Describing detailed security measures as open documents of WP29 will give hints to evil hackers to attack vehicles…

HEADLINE PRINCIPLES: (TFSC-01-03e from UK DfT) Organisational security is owned, governed and promoted at board level. Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain. Organisations need product aftercare and incident response to ensure systems are secure over their lifetime All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system. Systems are designed using a defence-in-depth approach. The security of all software is managed throughout its lifetime. The storage and transmission of data is secure and can be controlled. The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Security guideline: (TFSC-01-07e by ITS/AD) 2.1 General Everyone’s right to his or her privacy and communications has to be respected. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Automotive manufacturer, component/system supplier and service providers shall respect the principles of data protection by design and data protection by default (see Definitions 1.6 and 1.7). Automotive manufacturers, component/system suppliers and service providers must ensure that there is adequate protection against manipulation and misuse both of the technical structure and of the data and processes. To prevent non-authorized access to vehicles via the “cyberspace” automotive manufacturers, component/system suppliers and service providers shall ensure the secure encryption of data and communications. The system shall be accessible for verifying the measures implemented by automotive manufacturers, component/system suppliers and service providers to ensure cybersecurity and data protection by independent authorised audit.

Security guideline: (TFSC-01-07e by ITS/AD) 2.2 Data protection The principle of lawful, fair and transparent processing of personal data means in particular respecting the identity and privacy of the data subject, not discriminating against data subjects based on their personal data, paying attention to the reasonable expectations of the data subjects with regard to the transparency and context of the data processing, maintaining the integrity and trustworthiness of information technology systems and in particular not secretly manipulating data processing, taking into account the benefit of data processing depending on free flow of data, communication and innovation, as far as data subjects have to respect the processing of personal data with regard to the overriding general public interest. ensuring the preservation of individual mobility data according to necessity and purpose. The means of anonymization and pseudonymization techniques shall be used. Data subjects shall be provided with comprehensive information as to what data are collected and processed in the deployment of connected vehicles and vehicles with ADT, for what purposes and by whom. Data subjects shall give their consent to the collection and processing of their data on an informed and voluntary basis. The collection and processing of personal data shall be limited to data that is relevant in the context of collection. If applicable, the data subject shall have the right to withdraw his or her consent if it involves functions that are not necessary for the operation of their vehicle or for road safety. In addition, appropriate technical and organizational measures and procedures to ensure that the data subject’s privacy is respected shall be implemented both at the time of the determination of the means for processing and at the time of the processing. The design of data processing systems installed in vehicles such shall be data protection friendly, i.e. taking data protection and cybersecurity aspects into account when planning the components ("privacy by design") as well as designing the basic factory settings accordingly ("privacy by default").

Security guideline: (TFSC-01-07e by ITS/AD) 2.3 Safety Standards for the functional safety of critical electric and electronic components or systems in vehicles such as ISO 26262 shall be applied in the light of security-related requirements for connected vehicles and vehicles with ADT. The connection and communication of connected vehicles and vehicles with ADT shall not influence on internal devices and systems generating internal information necessary for the control of the vehicle without appropriate measures. shall be designed to avoid fraudulent manipulation to the software of connected vehicles and vehicles with ADT as well as fraudulent access of the board information caused by cyber-attacks through; wireless connection wired connection via the diagnosis port, etc. shall be equipped with measures to ensure a safe mode in case of system malfunction, e.g. by redundancy in the system. When connected vehicles and vehicles with ADT detect fraudulent manipulation by a cyber-attack, the system shall warn the driver and, if appropriate, control the vehicle safely according to the above requirements.

Security guideline: (TFSC-01-07e by ITS/AD) The protection of connected vehicles and vehicles with ADT requires verifiable security measures according security standards (e.g. ISO 27000 series, ISO/IEC 15408). SEC2) Connected vehicles and vehicles with ADT shall be equipped with integrity protection measures assuring e.g. secure software updates appropriate measures to manage cryptographic keys SEC3) The integrity of internal communications between controllers within connected vehicles and vehicles with ADT should be protected e.g. by authentication. SEC4) Online Services for remote access into connected vehicles and vehicles with ADT should have a strong mutual authentication and assure secure communication (confidential and integrity protected) between the involved entities.

Example of uniting a case of threat and principles

Activities for post-attacks. Present approach: Threats analysis Mitigation Principles To consider defense against threats(attacks) To review the existing principles and modify them To create new principles The principles include activities(warning, (emergency )stopping) for post-attacks. Such activities are not direct countermeasures against the threats(attacks). Such principles could be discussed in a different approach.