Principles Identified - UK DfT -


1 Principles Identified - UK DfT -
Submitted by the co-chair (UK), TFCS-05-15

2 Organisational security is owned, governed and promoted at board level.
Principle 1.1: There is a security program.
Principle 1.2: Personal accountability is held at the board level and delegated appropriately and clearly throughout the organisation.
Principle 1.3: Awareness and training.
Principle 1.4: All new designs embrace Security by Design.

Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
Principle 2.1: Knowledge and understanding of current and relevant threats in engineering roles.
Principle 2.2: Organisations collaborate.
Principle 2.3: Security risk assessment and management procedures.
Principle 2.4: Security risks from supply chains, sub-contractors and service providers are identified and managed.

Organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
Principle 3.1: Organisations plan for how to maintain security over the lifetime of their systems.
Principle 3.2: Incident response plans are in place.
Principle 3.3: A programme is in place to identify critical vulnerabilities and to mitigate them.
Principle 3.4: Organisations ensure their systems are able to support data forensics.

3 All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system.
Principle 4.1: Organisations, including suppliers and 3rd parties, must be able to provide assurance of their security processes and products.
Principle 4.2: Validate the authenticity and origin of all supplies.
Principle 4.3: Organisations jointly plan for how systems will safely and securely interact.
Principle 4.4: Organisations identify and manage external dependencies.

Systems are designed using a defence-in-depth approach.
Principle 5.1: The system does not rely on single points of failure, security by obscuration or anything which cannot be readily changed, should it be compromised.
Principle 5.2: The security architecture applies defence-in-depth and segmentation techniques, seeking to mitigate risks with complementary controls such as monitoring, alerting, segregation, reducing attack surfaces (such as open internet ports), trust layers/boundaries and other security protocols.
Principle 5.3: Design controls to mediate transactions across trust boundaries must be in place throughout the system. These include the least access principle, one-way data controls, full disk encryption and minimising shared data storage.
Principle 5.4: Remote and back-end systems, including cloud-based servers, which might provide access to a system have appropriate levels of protection and monitoring in place to prevent unauthorised access.

4 The security of all software is managed throughout its lifetime.
Principle 6.1: Organisations adopt secure coding practices. Systems to manage, audit and test code are in place.
Principle 6.2: The status of all software, firmware and their configuration can be ascertained.
Principle 6.3: It is possible to safely and securely update software and return it to a known good state if it becomes corrupt.
Principle 6.4: Software adopts open design practices and peer-reviewed code is used where possible.

The storage and transmission of data is secure and can be controlled.
Principle 7.1: Data must be secure (confidentiality and integrity) when stored and transmitted. Incoming communications are treated as unsecure until validated.
Principle 7.2: Personally identifiable data must be managed appropriately. This includes storage, transmission, use and control. Where possible, data is sanitised.
Principle 7.3: Users are able to delete sensitive data held.

The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.
Principle 8.1: The system must be able to withstand receiving corrupt, invalid or malicious data or commands via its external and internal interfaces. This includes sensor jamming or spoofing.
Principle 8.2: Systems are resilient and fail-safe.

5 Connected vehicles and vehicles with ADT are intended to be fitted with measures ensuring cybersecurity and data protection.
Data protection. The principle of lawful, fair and transparent processing of personal data means in particular:
Anonymization and pseudonymization techniques shall be used.
Data subjects shall be provided with comprehensive information as to what data are collected and processed.
Data subjects shall give their consent to the collection and processing of their data on an informed and voluntary basis.
The collection and processing of personal data shall be limited to data that is relevant in the context of collection.
If applicable, the data subject shall have the right to withdraw his or her consent if it involves functions that are not necessary for the operation of their vehicle or for road safety.
In addition, appropriate technical and organizational measures and procedures shall be in place to ensure that the data subject's privacy is respected.
The design of data processing systems installed in vehicles shall be data protection friendly, taking data protection and cybersecurity aspects into account when planning ("privacy by design") as well as designing the basic factory settings accordingly ("privacy by default").

6 Safety
The connection and communication of connected vehicles and vehicles with ADT:
(a) shall not influence internal devices and systems generating internal information necessary for the control of the vehicle without appropriate measures;
(b) shall be designed to avoid fraudulent manipulation of the software of connected vehicles and vehicles with ADT, as well as fraudulent access to on-board information caused by cyber-attacks through: (i) wireless connection; (ii) wired connection via the diagnosis port, etc.;
(c) shall be equipped with measures to ensure a safe mode in case of system malfunction, e.g. by redundancy in the system.
When connected vehicles and vehicles with ADT detect fraudulent manipulation by a cyber-attack, the system shall warn the driver and, if appropriate, control the vehicle safely according to the above requirements.

7 Security
The protection of connected vehicles and vehicles with ADT requires verifiable security measures according to security standards (e.g. ISO series, ISO/IEC 15408). Connected vehicles and vehicles with ADT shall be equipped with:
(a) integrity protection measures assuring e.g. secure software updates;
(b) appropriate measures to manage cryptographic keys.
The integrity of internal communications between controllers within connected vehicles and vehicles with ADT should be protected, e.g. by authentication. Online services for remote access into connected vehicles and vehicles with ADT should have strong mutual authentication and assure secure communication (confidentiality and integrity protected) between the involved entities.
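As an added illustration of the requirement above that internal controller-to-controller communications be integrity protected by authentication, and of Principle 7.1 (incoming communications treated as unsecure until validated), the following Python sketch is not the DfT's, TFCS's or any vehicle manufacturer's code: the key, message id and frame layout are constructed for the example. Each frame carries a message id, a monotonic freshness counter and a truncated HMAC, so the receiver rejects tampered, forged and replayed frames and records the reason for monitoring.

```python
import hashlib
import hmac
import struct

# Constructed demo key: a real controller would hold a per-ECU key in protected storage.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
HEADER_LEN = 6   # 2-byte message id + 4-byte freshness counter
MAC_LEN = 8      # truncated tag; bus payload limits usually force truncation,
                 # and the length must be chosen against the forgery risk accepted

def build_frame(msg_id: int, payload: bytes, counter: int, key: bytes = KEY) -> bytes:
    """Sender side: id || counter || payload || HMAC-SHA256(key, id||counter||payload)[:MAC_LEN]."""
    header = struct.pack(">HI", msg_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag

class Receiver:
    """Treats every incoming frame as untrusted until the MAC and freshness checks pass."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = {}   # msg_id -> highest counter accepted so far
        self.rejected = []       # (reason, msg_id) entries for alerting/forensics

    def accept(self, frame: bytes):
        """Return (msg_id, payload) for a valid, fresh frame; None otherwise."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            self.rejected.append(("malformed", None))
            return None
        header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-MAC_LEN], frame[-MAC_LEN:]
        msg_id, counter = struct.unpack(">HI", header)
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison: MAC check before anything else is trusted.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append(("bad_mac", msg_id))
            return None
        # Freshness: a counter at or below the last accepted one is a replay.
        if counter <= self.last_counter.get(msg_id, -1):
            self.rejected.append(("replay", msg_id))
            return None
        self.last_counter[msg_id] = counter
        return msg_id, body

if __name__ == "__main__":
    rx = Receiver()
    frame = build_frame(0x1A0, b"\x00\x42", counter=1)
    print(rx.accept(frame))         # (416, b'\x00B')
    print(rx.accept(frame))         # None: replayed frame
    print(rx.rejected)
```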
