In a nutshell: Our guidelines for information security.
- We protect any kind of information.
- We are aware of the problems and importance of security and the protection of information.
- We respect our customers who entrust us with valuable information.
- We treat the protection of information not as an 'annoying must' but with an understanding of the consequences that inadequate protection may have.
- We scrutinize and check our information security regularly and whenever events require it, and we continually try to improve it.
What does Information Security mean to us?
Information security aims to protect information of any kind. The more commonly used term IT security, following the definition of information technology, aims to protect only information that exists in digitized form. It is therefore a rather narrow definition that does not meet the demand for comprehensive security of all kinds of information. Consequently, we use the term information security, because we want to protect any kind of information.
What is ISO/IEC 27002?
The title of ISO/IEC 27002 is 'Information technology - Security techniques - Code of practice for information security management'. It gives recommendations for the secure handling of information and, in particular, for protecting information against unauthorized access. It thus addresses the legitimate need to protect your information.
Certification against this standard itself is not possible; certification is done against the related standard ISO/IEC 27001.
The standards emerged from the guidelines and procedures developed by the BSI (Bundesamt für Sicherheit in der Informationstechnik). These methods, with detailed explanations and background information, can be found on the BSI's website.
ISO/IEC 27002 includes the following topics:
- Instructions and guidelines for information security
- Organizational security measures and management process
- Responsibility for and classification of information assets
- Personnel security
- Physical security and public utility services
- Network and operational security (data and telephony)
- Access control
- System development and maintenance
- Handling of security incidents
- Emergency precaution planning
- Compliance with legal requirements, security guidelines and reviews by audits
How we were assessed by an external company
Volkswagen requested an evaluation of information security at C&S because, during our cooperation, we receive information about secret and confidential processes, products and data.
The assessment is based on the following standards and guidelines:
- Requirements of VDA: Information Security Assessment VDA (based on ISO/IEC 27001)
- VW guideline: IT security guidelines for partner companies
- VW guideline: Prototype security (basic security standards for co-developers for the protection of prototypes, components and their data)
The company operational services was commissioned to carry out the assessment.
The assessment is done in several steps:
- Analysis of the current situation (structures, processes, interfaces).
- Comparison of the determined actual state with the 'ideal' situation as the target; the ideal situation is described in the standards and guidelines mentioned above. The comparison is done by document analysis, interviews and on-site investigation.
- Definition of measures as the key to improvement: forward-looking improvement of processes and security.
At the end of the assessment and, where necessary, after the implementation of the defined measures, the release for secret data is granted.
This release is valid for a maximum of 3 years; a 're-assessment' takes place no later than the expiration date.
On September 29, 2014, we were granted the release for secret data.