How IS Decisions supports TISAX compliance

Started in 2017, TISAX® (Trusted Information Security Assessment Exchange) has quickly become a key information security standard for European auto manufacturers.

TISAX® is a standardized assessment framework designed specifically for the automotive industry. Its requirements are based on the Information Security Assessment (ISA) questionnaire catalogue of the German Association of the Automotive Industry (VDA), and largely follow the international ISO/IEC 27001 standard.

The TISAX® framework enables auto manufacturers to assess and demonstrate their adherence to strict data protection and information security requirements.

By achieving TISAX® compliance, companies can share a standardized assessment of their information security status to establish trust with their partners, customers, and regulatory bodies throughout the automotive industry.

How information is managed and organized, access control, monitoring, and lines of responsibility are all key elements of the TISAX requirements that IS Decisions’ software, UserLock and FileAudit, supports.

Here is a helpful checklist of the ways UserLock and FileAudit protect the network, and the sensitive information within it, against unwanted access, to support you on your way to becoming TISAX compliant. Each item below gives the TISAX control question, its requirement level (Must, Should, High protection needs, or Very high protection needs), and how each product addresses it.

Section 2: Human Resources

2.1.4 – To what extent is teleworking regulated?

"Working outside the specifically defined security zones (teleworking) creates particular risks requiring corresponding protective measures."


Do your users access the corporate network via a secured connection (e.g. VPN) with strong authentication?

Requirement level: Must

UserLock: Ensures strong 2FA to secure remote user access to the network, including VPN, Remote Desktop, offline and off-domain connections.


Section 4: Identity and Access Management

4.1.2 – To what extent is the user access to network services, IT systems and IT applications secured?

"Only securely identified (authenticated) users are to gain access to IT systems. For this purpose, the identity of a user is securely determined by suitable procedures."


Do you apply state of the art user authentication procedures?

Requirement level: Must

UserLock: Offers secure TOTP and HOTP two-factor authentication (2FA) to verify each user’s identity.


Do you use superior procedures to authenticate privileged user accounts (e.g. Privileged Access Management, two-factor authentication)?

Requirement level: Should

UserLock: Enables the administrator to set granular access rights for different types of employees, including privileged users, by individual user, group of users, or organizational unit. Strong 2FA makes these access controls more robust and enhances the ability to authenticate privileged user accounts.


Depending on the risk assessment, do you enhance authentication procedures and access control with supplementary measures (e.g. permanent access monitoring with respect to irregularities, use of strong authentication, automatic logout or disabling in case of inactivity)?

Requirement level: High protection needs

UserLock: Monitors all logon and logoff activity in real time to ensure that the only people who can access vital data are the people who need to. UserLock alerts administrators to any suspicious, disruptive or unusual logins based on time, location and device. It automatically logs off a session after a specific length of idle time, to prevent unauthorised users accessing information from unattended workstations. What’s more, UserLock can set authorised timeframes for certain users’ access and force workstations to log off outside these hours.


Before gaining access to data of very high protection needs, do you authenticate users with state-of-the-art strong authentication (e.g. two-factor authentication)?

Requirement level: Very high protection needs

UserLock: Applies strong authentication (2FA) at login, before users can access any data of very high protection needs that you may store on your network.


4.1.3 – To what extent are user accounts and login information securely managed and applied?

"Access to information and IT systems is provided via validated user accounts assigned to a person. It is important to protect login information and to ensure the traceability of transactions and accesses."


Do you use unique and personalized user accounts?

Requirement level: Must

UserLock: Ensures that nobody can log on to the system without uniquely identifiable credentials, and prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.


Do you immediately ensure login information is changed if potential compromise is suspected?

Requirement level: Must

UserLock: Alerts admins in real time of suspicious activity, and can automatically end sessions after idle time or after a refused logon.

FileAudit: Allows admins to set up potential ransomware alerts, and to run scripts to disable a user when alerts are set off.

Do you ensure the use of the medium (e.g. ownership factor) is secure where you apply strong authentication?

Requirement level: Should

UserLock: Provides 2FA via the secure medium of a device the user owns (a mobile phone or hardware token).


4.2.1 – To what extent are access rights assigned and managed?

"The management of access rights ensures that only authorized users have access to information and IT applications. For this purpose, access rights are assigned to user accounts."


Do you apply the minimum (“need-to-know”) principle?

Requirement level: Must

UserLock: Enables admins to set granular access rights for different types of employees, to ensure they can only access the information they need to do their job.


Do you allocate rights on a need-to-use basis and according to the role and/or area of responsibility?

Requirement level: Should

UserLock: Gives admins the ability to create temporary policies for users that need access on a need-to-use basis.


Do you ensure that normal user accounts are not granted privileged access rights?

Requirement level: Should

UserLock: Ensures normal user accounts can be blocked from accessing resources, such as servers, that are reserved for privileged accounts.


Do you adapt user access rights after the user has changed (e.g. to another field of responsibility)?

Requirement level: Should

UserLock: Enables administrators to apply security policies by AD group or OU, which are updated automatically when a user moves from one group or OU to another.


Section 5: IT Security / Cyber Security

5.2.4 – To what extent are event logs recorded and analyzed?

"Event logs support the traceability of events in case of a security incident. This requires that events necessary to determine the causes are recorded and stored. In addition, the logging and analysis of activities in accordance with applicable legislation (e.g. Data Protection or Works Constitution Act) is required to determine which user account has made changes to IT systems."


Do you determine and fulfill security-relevant requirements regarding the logging of activities of system administrators and users?

Requirement level: Must

UserLock: Records, audits and archives all network logon events, across all session types, from a central system.

FileAudit: Audits all access and changes to files and folders, and immediately alerts administrators to suspicious behaviour.

Do you have a defined, established procedure for escalating relevant events to the responsible body (e.g. security incident report, data protection, corporate security, IT security)?

Requirement level: Should

UserLock: Allows admins to automatically send alerts and reports based on user access events.

FileAudit: Allows admins to automatically send alerts and reports based on Windows file, folder or server access events.

Do you have adequate monitoring and recording of any actions on the network that are relevant to information security?

Requirement level: Should

UserLock: Monitors all logon and logoff activity in real time to ensure that the only people who can access vital data are the people who need to. Administrators can also set up customized alerts on suspicious access based on user risk level.

FileAudit: Monitors all files and folders and alerts in real time on any suspicious file access activity on your network. FileAudit also records all file access events per user.

Do you log cases of access during connection and disconnection of external networks (e.g. remote maintenance)?

Requirement level: High protection needs

UserLock: Enforces MFA on, monitors, and protects user access from VPN, IIS and Remote Desktop connections, even without internet access or access to the domain.


Do you log any access to data of very high protection needs as far as technically feasible and as permissible according to legal and organizational provisions?

Requirement level: Very high protection needs

UserLock: Monitors and logs all user access to, and changes to, files and folders, allowing administrators to tie each access event to a specific user.

