VDA White Paper Harmonization Classification Levels Final

The white paper proposes a standardized 4-level scheme for classifying information across the automotive industry based on potential damage: Public, Internal, Confidential, and Strictly Confidential. It recommends labeling all information with its classification level to ensure proper secure handling. A standardized color-coding system for digital documents would also provide a clear visual indication of the information's sensitivity to recipients in all countries and languages. The proposed classification scheme aims to harmonize practices for effective information security while allowing reasonable protection efforts.


White Paper “Harmonization of Classification Levels”
Protection objective: confidentiality

Version: 1.0
Date: April 19, 2018
Classification: public
VDA WHITE PAPER – SECURITY LEVELS

Content

Introduction/motivation (page 3)
Classification of information (page 4)
Labeling of information (page 7)
Conclusion and recommendation (page 8)
List of authors (page 9)
Document version history (page 9)

VERSION 1.0 _ PAGE 2


Introduction/motivation

Information security is a crucially important issue for companies. Due to increasing connectivity and information exchange within the value chain it will continue to grow.
The Information Security working group of the German Association of the Automotive Industry (VDA [1]) has described the fundamental requirements for information security in the VDA ISA [2] (Information Security Assessment) catalog that is used for security assessments within the automotive supply chain. As the working group we would like to provide advice on the implementation of the requirements.

One key element in achieving a needs-oriented level of information security is the classification and labeling of information. Information classification designates the categorization of information in various levels according to its value for a company.
The VDA ISA catalog defines organizational and technical requirements for the different classification levels, which are intended to achieve effective information security with a reasonable and expedient effort.
Most companies have already implemented classification levels, for example by establishing a system for the classification and protection of information by introducing appropriate regulations.
A comparison within the automotive industry reveals differences between the companies regarding both the number and the designation of the classification levels. Especially in the case of information exchange, such differences can lead to confusion that in turn results in uncertainties.
The Information Security working group therefore considers the creation of a standard scheme for classifying information, as well as the recommendation of implementation strategies, both useful and supportive for the business.
This White Paper describes the working group’s proposal for determining such a scheme focusing on the protection objective of confidentiality; this means that information is not made accessible to unauthorized persons, organizations or processes. Other protection objectives such as availability, integrity and reliability are not the focus of this White Paper.

[1] https://www.vda.de/en
[2] https://www.vda.de/en/services/Publications /information-security-assessment.html

Classification of information

Both the information security standard ISO/IEC 27001 and the VDA ISA catalog state classification of information as an essential requirement for effective information security.

“Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”
“An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.”
[ISO/IEC 27001:2013]

“To what extent is information classified according to its protection needs and are there regulations in place regarding labeling […]?”
“A consistent scheme for the classification of documents/information is in place and implemented.”
“Classification of information is done according to defined criteria, e.g. value, legal requirements, confidentiality, integrity and availability.”
[VDA-ISA 4.0]

During classification of information (in terms of confidentiality), the possible effects (potential damage) for companies are assessed in case of unintentional disclosure of information to an unauthorized group of recipients.


Inappropriate classification of information and the resulting handling can lead to risks like the loss of information if the chosen classification level was too low, or unprofitable additional effort if the chosen classification level was too high.

The VDA ISA catalog defines the following general protection classes for companies, depending on the potential damage:

Protection class   Description
Normal             The potential for damage is low, of a short-term nature and limited to a single company.
High               The potential for damage is considerable, or of a medium-term nature, or not limited to a single company.
Very high          The potential for damage threatens the company’s existence, or is of long-term nature, or is not limited to a single company.

Table 1: Protection classes as in the VDA ISA

For the protection objective of confidentiality, in practice these protection classes are allocated to the company’s own scheme for classifying information.
Until now the automotive industry did not possess a unified classification scheme, with the consequence that when information is exchanged between companies, it is assigned to the company-individual classification levels differently and, subsequently, also labeled and interpreted differently. This situation can lead to an unintended different handling of information requiring protection.
As of November 16, 2017, VDA’s Information Security working group agreed on a four-level scheme for classifying information.


Based on that decision the following recommended levels for classifying information and their allocation to the protection classes have been defined and specified in the VDA ISA:

Protection class in VDA ISA   Classification level (German name)   Classification level (English name)
-                             Öffentlich                           Public
Normal                        Intern                               Internal
High                          Vertraulich                          Confidential
Very high                     Streng vertraulich                   Strictly confidential

Table 2: Standard scheme for classifying information

The classification level “public” is not allocated to any protection class in the VDA ISA. However, it is included in the White Paper because many companies use this classification level. Most of them have specific persons or offices authorized for classifying and processing “public” information (e.g. corporate communication or marketing departments).

The respective requirements for the secure handling of information (e.g. encryption) for the three other classification levels / protection classes listed in Table 2 are defined and described in the VDA ISA catalog.


Labeling of information

Proper labeling is a prerequisite for the secure handling of information. Information should therefore be labeled in accordance with its confidentiality classification.
In addition to the document owner, both the recipient and the processor of the information have to be familiar with the classification levels and therefore be aware of and apply the associated requirements for handling the information.
Correct labeling is absolutely essential, particularly when confidential or strictly confidential information is transferred between companies (e.g. to partner companies and suppliers). The form [3] of the information and its classification level have to be taken into account when labeling information.

Alongside a standardized classification scheme and the corresponding labeling in the document, the Information Security working group regards a standardized labeling system, e.g. color-coding shown when the digital information is opened (e.g. e-mail, presentation file), as an important feature for raising awareness. This is especially important for IT applications.
In this way the recipient would have a clear visual indication of the classification level of the digital information. Furthermore, a colored signal (e.g. a colored bar) would bring about a unified understanding of the classification levels that would be the same in all countries and languages (see Table 3).

[3] E.g. digital, physical or oral


Protection class in VDA ISA   Classification level    Colored signal (for IT applications)
-                             Public                  -
Normal                        Internal                Green
High                          Confidential            Yellow
Very high                     Strictly confidential   Red

Table 3: Allocation of colored signals to the classification levels

Conclusion and recommendation

This White Paper provides orientation for harmonized and standardized classification levels in relation to confidentiality. In addition, and in conjunction with the requirements of the VDA ISA, it helps to prevent misunderstandings and risks during the exchange of information and thus fosters appropriate information handling.

The VDA recommends its members to use this White Paper for orientation and for the implementation of the scheme described for the classification of information in companies.


List of authors

Name                Company
Jens Frölich        AUDI AG
Thomas Donner       BMW AG
Oliver Schmitt      Robert Bosch GmbH
Jürgen Rilling      Daimler AG
Thomas Harich       MAHLE GmbH
Matthias Teuscher   Rheinmetall AG
Burkhard Kesting    ZF Friedrichshafen AG

Document version history

Version   Date             Status, remarks
1.0       April 19, 2018   Final
