How Access Rights Manager Can Help You Become TISAX Compliant

What is TISAX^®?

TISAX® is a European automotive industry-standard information security assessment (ISA) catalog based on key aspects of information security such as data protection, integrity, and connection to third parties. It was developed by the German Association of the Automotive Industry (VDA) for the specific needs of the automotive industry.

Why should you care about TISAX^®?

If you’re in the automotive sector, it certainly can’t harm your business since the TISAX label is recognized by all VDA members and vehicle manufacturers such as Audi, BMW, Mercedes Benz, and Volkswagen.

Key elements of TISAX and how SolarWinds^® Security can help

Individual products aren’t certified to be TISAX compliant but the environment and processes used by entities are. This is where our products can help, as there are many requirements that we can help you fulfill in a certification process or audit.

If we look at the actual requirements outlined by TISAX, there are three main areas:

• Information Security
• Prototype Protection
• Data Protection

Our products help meet the requirements of TISAX in the same way they help with other regulations. Depending on the product, we can help by monitoring activities, events, and configurations—which can then be stored in a database for alerts, rules definition, future analyses and reporting.

Installing our products may be the first step towards achieving compliance. However, further customization is needed since it depends on the customer’s chosen protection level and environment.

The following are questions referenced from the Information Security tab in the ‘VDA Information Security Assessment (ISA), catalogue version 5.0.4’and are designed to help you asses the state of information security within your organization in accordance with TISAX regulations.

Throughout this blog we highlight ways that SolarWinds Security, in this case, SolarWinds Access Rights Manager (ARM), can help keep you secure and compliant. 

‘To what extent are information security responsibilities organized?’ (1.2.2)

With Role & Process Optimization, access rights management becomes an optimized business process with clear responsibilities. Data owners (managers) assign access rights to their employees. In contrast to the administrator, they know which information is worth protecting in the department and who should have access to it.

Learn more about how to assign the administration of access rights to a Data Owner

‘To what extent are user accounts and login information securely managed and applied?’ (4.1.3)

It's key to protect login information and ensure visibility into user access and who has access where. Access Rights Manager controls the entire user account lifecycle (joiner, mover, leaver process). A user account is created using a template. A department profile assigns a base set of permissions. In cross-departmental collaboration, permissions are granted temporarily. When leaving the company, all rights are revoked in a controlled manner, and the user account is deactivated.

Learn how to do the following with Access Rights Manager

• Create a user account
• Customize ARM templates
• Create a new department profile
• Edit temporary group memberships
• Deactivate user accounts in bulk
• Deactivate users

‘To what extent are access rights assigned and managed?’ (4.2.1)

An access rights management solution is designed to ensure only users authorized receive permissions to information and applications in their organization. Access Rights Manager works strictly according to the need-to-know principle. After that, only as many access rights should be assigned as are necessary to perform the task of the role.

For additional resources on permission analysis, understanding who has access where, and user provisioning with Access Rights Manager, please reference the following:

Permission Analysis

• Identify overprivileged users based on Kerberos token size
• Identify access rights on a resource
• Where do users and groups have access?
• Identify multiple access paths

Documentation & Reporting

• Who has access where?
• Where do employees of a manager have access?
• Who has access through which permission groups?

User Provisioning

• Manage group memberships
• Remove a user and their permissions
• "Soft" delete a user

‘To what extent are event logs recorded and analyzed?’ (5.2.4)

With ARM security monitoring, you increase the level of security and record activities carried out outside of ARM. If an employee gains insight into protected directories, ARM immediately triggers an alarm. File access to file servers, AD manipulations, and interventions in selected mailboxes are fully documented. If you own SolarWinds Security Event Manager (SEM), ARM also enables you to forward user-based alerts and events via syslog to SEM, so you can view your events in one place.​

See below further reading on setting alerts within Access Rights Manager, for effective user account analysis.

• AD Logga (solarwinds.com)
• Set alerts for user accounts (solarwinds.com)
• Set alerts for groups (solarwinds.com)
• Set alerts for OUs/domains (solarwinds.com)
• Monitor access to sensitive file server data (solarwinds.com)
• Enable alerts for suspected cases on ransomware on file servers (solarwinds.com)
• Enable alerts for data deletion (solarwinds.com)
• Enable alerts for file server directories (solarwinds.com)

In this blog we have covered only a subset of the functionalities available in Access Rights Manager (ARM), but as you can see, you have the tools to tackle TISAX with ease with the SolarWinds Security products.