January 31, 2023

Reading Time: 22 minute(s)

Ep #110 – Understanding TISAX (Trusted Information Security Assessment Exchange)

January 31, 2023

Trusted Information Security Assessment Exchange (TISAX) is a vendor due diligence standard used in the automotive industry to verify that third-party suppliers’ cybersecurity programs provide adequate protection for the information the automotive supplier shares.

In this episode, your host John Verry, CISO and Managing Partner at Pivot Point Security, sits down with Ed Chandler, Account Executive and Cybersecurity lead for TÜV SÜD America, who provides answers and explanations to what TISAX is, how it operates, and helps you better understand the implications surrounding it.

Join us as we discuss:

Where did TISAX come from, why does it exist, and why is it increasingly important worldwide?
Why so many North American firms are now facing TISAX requirements
How the TISAX assessment/audit process works
TISAX assessment objectives and assessment levels
How aligning your org with comprehensive cybersecurity standards like ISO 27001 can also help with TISAX

To hear this episode, and many more like it, we would encourage you to subscribe to the Virtual CISO Podcast on our YouTube here.

To Stay up to date with the newest podcast releases, follow us on LinkedIn here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

See Below for the full transcription of this Episode!

Intro Speaker (00:05):

Listening to the virtual CISO podcast, providing the best insight on information security and security it advice to business leaders everywhere.

John Verry (00:19):

Uh, hey there, and welcome to yet another episode of the virtual CISO podcast, uh, with you as always, John Ver your host, and with me today, ed Chandler. Hey, ed.

Ed Chandler (00:28):

Hey. Hi John.

John Verry (00:32):

How are we doing this fine. Monday post Thanksgiving afternoon.

Ed Chandler (00:37):

Well, I’m still working off a little bit of that Turkey

John Verry (00:40):

<laugh>. Well, hopefully you’re not tired from all the trip to F cuz I’m expecting you to be up and about on this, right. Because we got some fun stuff to talk about. Um, before we begin that conversation, I always like to start easy. Uh, tell us a little bit about who you are and what is it that you do every day?

Ed Chandler (00:56):

Yeah, so, um, I am, uh, I’m currently on the National Sales Manager for Tiffs of America. And, uh, my role is specific, specifically helping organizations meet different types of, um, standards and requirements around certification. Um, you know, cybersecurity is a, is a deep passion of mine. It’s something that I’ve done for quite a while. I’ve been in the cybersecurity industry in one form or another since 2010. Um, it’s, you know, all different types of things. Anything from different types of assessments to technologies, managed services. And then I came back to assessments, which is where I feel the most at home.

John Verry (01:37):

Um, always ask, what’s your drink of choice?

Ed Chandler (01:41):

Oh, boy. Um, if it’s a cocktail, I think I’d have to go with an old fashioned, but if I’m, uh, if I’m gonna be drinking it on the rocks or, or neat, I would say I’m a big fan of SCOs from East le

John Verry (01:52):

Ooh. Yeah. I’m not a peak guy. I think that’s a, a whiskey spoiled <laugh>. But, uh, but I, but I do enjoy, I’m a more of a men if I’m gonna, I, I like bourbon a lot, but if I’m gonna drink a bourbon drink, it tends to be a Boulevardier or Manhattan over a old fashioned, although my sister-in-law on Thanksgiving made old fashions and she did a fantastic job. So I gotta be honest with you, I, I had a couple. All right. So, um, thank you for coming on today. Uh, and really what I wanted to chat with you about is, is a information security standard that a lot of people have not been traditionally familiar with. Uh, and although most recently it seems a lot more people are getting familiar with it because we’ve seen an absolute surge of interest over the last three or four months. Uh, you know, that standard is Tacs, T I S A X. So I’ll ask you to start easy. Um, what is Tex?

Ed Chandler (02:48):

Sure. It’s a great question. Um, you know, it’s, it’s a standard that was created by, um, many of the automakers, specifically a group in Germany, uh, called, uh, vda, which is Verband or Automobile Industry, which is a consortium of basically different OEMs as well as tier suppliers. And the intent of t sacks was when they were building it was instead of having one set of subset of requirements under Volkswagen, another under bmw, and another under Daimler, was to be able to create a standard that these different OEMs would accept. And as of today, they’re currently accepted by the three major German OEMs.

John Verry (03:32):

Yeah. Now, uh, I’m curious, are you seeing the same surge interest? Uh, if so, what would you attribute it to? You know, is it just a matter of our, are we seeing other non-German manufacturers being to use it? Is it just that the German manufacturers are getting a little bit more serious about managing supply chain risk? Is it flow down, you know, from major parts providers? Wh what, why do we, why am I hearing so much about it in the last, uh, three or four months?

Ed Chandler (03:59):

Yeah, it’s, uh, so it’s, it’s not a new standard. It’s been around for about four or five years. Um, it was initially rolled out in Europe. And the reason why we’re starting to see a significant impact today is that, you know, over time this has slowly been, you know, brought out into the Americas. Um, the initial rollout was in Europe and after, you know, the, after the last, you know, three or four years of talking about it, they finally, you know, set the sand, set the line in the sand stating that, you know, organizations do need to follow it. Um, you know, European organizations in general are, um, are, you know, much more ahead in regards to tacs. Um, there’s a much, much larger subset, um, when it comes to the OEMs that are following it. As I mentioned earlier, Volkswagen, Daimler and BMW are the ones that are pushing it down from an OEM perspective.

(04:50):

There’s been talks about other organizations joining in cuz the other, for instance, American, some American OEMs will use, um, different types of standards that they’ve built together with A I A G. But, you know, overall as a whole, this is the first time that any of the OEMs have come together to, you know, build that same standard and have that same subset. With that being said, um, as well, you know, we are starting to see not only OEMs pushing it down, but as you read through the participant handbook and you look at different types of things and how they explain it, some of tier one s are also starting to talk about this as well. In particular, people that are supplying under ZF or Bosch are also organizations that are starting to reach out, you know, for, for t sacks because they like the standard so much within that business segment that they wanted their, their suppliers to follow it as well.

John Verry (05:42):

Yeah. That specific instance is one that I was on the phone just a couple days ago with somebody and I asked them, I said, oh, I’m, I’m assuming this is a slowdown from, you know, one of your, one of the German OEMs. And they were like, Nope, this is from one of their primary, you know, subcontractors. Right. And we’re getting flow down through them. So, so I I I’m guessing that that is part of the reason why we’re seeing a lot more focus on it. And do you know offhand whether or not these OEMs focus in increased focus is at the behest of, or at the direction of the OEMs? Cuz they want, you know, it’s really at that point it’s full supply chain, right? It’s third party? Third party. Third party’s third party.

Ed Chandler (06:25):

Yeah. So I, I think a lot of it comes down to when they’re, when they’re looking at the requirements of t sacks themselves as being a tier one supplier, one of the requirements is how do you manage the security of your suppliers downstream? And you can do that a few different ways. And then not to say one way is right or one way is wrong. It just depends on how your organization wants to handle this. The, um, the security challenges of your supply chain. Um, one way that an organization will handle it is they’ll do it through the use of questionnaires, which is typically most common. We see that, you know, quite frequently here in the United States. Uh, another way that organizations will do it, and we see this a lot in Europe, is around organizations will actually go out and do a lot of supplier audits.

(07:07):

So they’ll have cybersecurity professionals go out on behalf of the organization and actually audit the company. The third way is they do it through the path of certification. And I think that’s kind of that happy medium. We’re starting to see a lot of organizations take through because, you know, they have more, more trust in it know, knowing that a third party has taken a look at the organization’s cybersecurity footprint at, you know, what, what, uh, things that they’re doing in place and they’re not just necessarily taking, um, their word for it from a questionnaire any longer.

John Verry (07:37):

Um, yeah, you, you just touched on an interesting question that I I I did want to ask you as well. So when you think about information security frameworks, you know, you can either have an attestation associated with them or you can have, quote unquote a certification associated with them Now, you know, so as an example, SOC two is a, an attestation, ISO 27,001 is a certification, TACS is indeed a certification.

Ed Chandler (08:03):

So it’s more of a, and I, and I use the word a little bit, you know, vaguely, it’s not necessarily a certification in that sense. It’s more of an attestation in the sense of there’s different types of levels. There’s not an actual certificate that comes along with it. Okay. It’s a third party assessment if, if I were to use the correct terminology

John Verry (08:19):

Though. Okay, good. Yeah, I never, I, I wasn’t quite sure about that. And I, and I’m always hesitant to use the, use those terms because we all do use them interchangeably, but technically there is a slight, uh, uh, delta between them. Um, so, so you know, perhaps the most critical element, you know, so if, if you are a, a provider to an OEM or, uh, work through their supply chain, uh, and somebody says, Hey, you know, we want you to attest to Tex. Um, I think perhaps the most critical element of, of understanding what your TEX requirements are, are something referred to as assessment objectives. Uh, can you explain the assessment objectives?

Ed Chandler (09:04):

Yeah. So if I were to take them and put them into three bundles, there’s, there’s three main objectives and there’s some sub objectives behind it. There’s the information security objectives, there’s the prototype objectives, and then there’s the data protection objectives. When you look at information security, um, the first one, there’s, there’s two ones that you can choose from. You can either choose high protection needs or very high protection needs. And that question is an, is a, um, or question. So you want to, you have to choose one or the other in regards to prototype protection and data protection. Prototype has another four, um, subset requirements for, based off of the different types of, um, prototypes that you’re dealing with, whether they’re parts or the actual full vehicles, um, or data protection depends on the type of data that you’re doing. And there’s, there’s another six requirements between those two. Um, between prototype protection and data

John Verry (10:00):

Protection. Right. And, and to be specific, right, the data protection requirements are around personal information. And largely, I would argue it’s a validation that you’ve got a GDPR compliant or GDPR aligned, uh, privacy program. Fair to say

Ed Chandler (10:18):

That, that’s fair to say. Uh, most organizations that are going down the, the realm of data protection are usually service providers mm-hmm. <affirmative> that we see. Um, and that can be in the realm of like HR type providers mm-hmm. <affirmative> like, um, you know, different types of, you know, dependent on, you know, how your information your’re you’re handling that type of information if they’re sharing that with

John Verry (10:39):

You. Yeah. We’re actually working with a company that does, does just that HR consultative work, uh, uh, and they’ve been asked to pro, uh, provide tacs, uh, attestation, uh, also, um, speaking with someone that does marketing on behalf of one of the companies. So, you know, more B2C marketing. So they’re, you know, they’re kind of promoting, uh, you know, when, when someone’s, uh, lease expires as an example. Um, so yeah, they’re being asked for the, for the same, same type of thing. And now, uh, in a, in a alignment where in concert with assessment objectives, I think another important component is, um, what they refer as assessment levels. Can you talk a little bit about the assessment levels please?

Ed Chandler (11:18):

Yeah. So there’s, there’s three assessment levels. Um, there’s assessment level one, assessment level two, and assessment level three. If you think about assessment level one, it’s a, it’s a self attestation means that you’ve completed what they call as your ISA or internal security assessment. Um, it’s not, you’ll never find that you’ll have an OEM requirement that requests a level one assessment, though the level one assessment is really for organizations that are, that find t ssac Cs to be helpful as a cybersecurity standard for themselves, and something that they can, you know, they can put forward as, you know, that first step into the, the realm of cybersecurity. Um, assessment level two is what they call as a, um, a validity check. And basically an organization such as mine would come in and take a look at the validity of what you’ve done within your isa. It’s not what you would think of as a traditional audit. We would rely heavily in regards to your internal security assessment that you’ve done, and we want to ensure that, you know, that we’re spot checking specific areas to ensure that it was done correctly. When you get into assessment level three, that’s what you think of as more of your traditional, um, cyber security assessment. And that’s gonna be more in depth, there’s more time that comes associated with it, there’s gonna be more documentation that’s gonna be reviewed, et cetera.

John Verry (12:37):

And there is, if I recall correctly, a link between them. Right. So by definition, if you’re going to be, let’s say the very high, your AO is very high, then that would mean that they’re going to be, it’s going to be an assessment level three, correct? Isn’t there a, there’s a, the AOS and ALS kind of, they, there’s a chart in the, in there, if I recall correctly, that kind of a align those two and specify typically, which type of an assessment goes with which types of, uh, assessment objectives.

Ed Chandler (13:07):

That That’s correct. So rule of thumb is that if you have, you know, high, typically you’ll, you’ll find that it’s an AL two. Um, I use the rule as lowest common or the highest common denominator. So meaning that if you have all these different assessment levels and you have one that’s three, and you have two that’s, you know, that re requires assessment level two, then you’re gonna automatically go to a level three, um, you know, with very high, it automatically requires that you have an assessment level three, anytime you have prototypes in, you’re touching prototype vehicles, prototype part parts that also requires assessment level three. And then finally, you know, if you have special categories under data protection, that does require level three

John Verry (13:48):

As well. Right. So the, so the, you know, for most providers, anyone that’s pro touching prototypes, anyone who’s touching, uh, personal information or highly sensitive information, the, the level three is what we’re gonna mostly see, correct?

Ed Chandler (14:02):

That’s correct. And a lot of that has to do with the physical security requirements. Mm-hmm. <affirmative>, especially under prototypes. So they want to ensure that, you know, you’re not, you’re not putting in the same garage or BMW next to a, you know, prototype BMW next or prototype Volkswagen next to a prototype Mercedes

John Verry (14:18):

<laugh>. Right. Or your testing techs are not, are not taking un disguised vehicle out for a into town to have to have lunch so that the, um, MotorTrend paparazzi can take pictures of it and post it in their magazine.

Ed Chandler (14:31):

Exactly. Exactly. <laugh>,

John Verry (14:34):

Uh, that’s funny. Um, so one of the things that I, I like as an ISO 27,001 guy so to speak, is that, uh, tacs, uh, the information security component of the, of the three components of it, uh, is aligned, uh, very well with 27,001. And I would argue that the GDPR aligns well with ISO 27 7 0 1. So, you know, if you’re, and we’re seeing this with a lot of our clients, uh, some of them are already certified in, uh, in, in one or both. Um, so for those, we’re seeing that that t ssac certification, I would call it a relatively light lift, um, what do you see regarding either companies which are previously certified or companies that are considering pursuing both concurrently?

Ed Chandler (15:19):

Yeah, no, you, you bring up a good point. You know, when you look at the, the internal security assessment, there’s actually a, a great column in there. If you’ve been certified ISO 27,001 or 27 7 0 1 in the past, that shows the actual requirements of tacs, um, in regards to ISO 27,001 annex a requirements. Um, and you’ll see it, it aligns very closely what we, what we see as an organization. Um, there’s really twofold. Number one, it’s, it’s a, you’re right, it’s a lighter lift for an organization because they’ve taken into account a lot of these factors already. Um, but also when you look at like, larger organizations or, you know, large to mid-size organizations that have multiple sites that need to go through this type of certification, there’s something called a simplified group assessment. And usually organizations that are gonna be going through a simplified group assessment are gonna want to have a mature management system. And that management system usually comes into the form of a, of a multiple site ISO 27,001 or 27 7 0 1 certification.

John Verry (16:24):

Yeah. So that’s, you know, like all frameworks, you know, the concept of scoping is arguably the most important, you know, getting the project off on the right foot. So you talked about this multiple locations. Um, now my understanding is if the assessment objectives are the same, you can do a single assessment that applies across multiple locations, or you could still do a per location assessment. But if you had multiple sites, let’s say one site was doing, um, prototype protection, they, that that requirement was there, while another site didn’t have prototype protection, but did have, let’s say GDPR req, uh, protection, privacy protection, um, that you would then have to actually have separate assessments for each site. Can you talk about what the advantages and disadvantage, what’s best practice there, I guess?

Ed Chandler (17:13):

Yeah, so there’s, there’s a couple things. So the answer is absolutely you want to ensure that, you know, you have the same set, you know, the same thing is happening, which allows for sampling. The one caveat to that is prototypes and they want to ensure that prototype sites are being reviewed on, on, on an every certification basis. But with that being said, the heavy lifting of the information security and other things are, are also being considered, um, from that centralized location. Um, when it comes to, you know, if you have multiple things or multiple standards, or you have an organization that has, um, you know, they’re doing prototypes at this location for some reason, they’ve got, you know, GDPR information or PII at, or personally identifiable information at another, you know, location, then obviously the best path forward will most likely be single site certifications or multiple, multiple site certifications.

John Verry (18:09):

So, so question for you, and I don’t know if you’re, if you know, uh, if you’re an ISO 27,001 person as well, but in ISO 27,001, we have this differentiation, I’ll call it, between the scope of the management system, scope of the is isms versus the scope of the audit. So, you know, it’s very common with ISO that the scope of the management system is, let’s say, global to an organization. But if on the certificate we just list a single location that is the only location that the auditor is attesting, they have validated the operation of that management system. Does that same concept exist? So as an example, if I’ve got three loca, let’s say three locations that all have the, uh, very high information security, uh, assessment objective, but no other assessment objectives, if I’ve got three locations and all of them have that same objective, am I able to have a information security program that manages those requirements across all three locations? But have you only assess one location, or, or by default, do you have to go to each location?

Ed Chandler (19:15):

Yeah, that, that, that’s actually up to the, the eyes of the holder and how they want to go about it. So absolutely, you know, we have the ability to go in and only certify one or, or assess one organization. Okay. And, um, there’s no need for us to hit all three now, you know, there’s gonna be times for that location as we do the audit, they’re gonna be considered a central function of that isms. So when you go into it, there’s gonna be a good chance that global will be called into the audit quite frequently to be able to help, um, help, help with the, uh, um, to help with the, you know, evidence of the audit itself.

John Verry (19:54):

Gotcha. And then one thing we probably should have pointed out, so while assessment objective one and two, you’ll have one or the other. You would, it is possible, and you know, not unlikely for some organizations that they will have multiple assessment objectives apply to them, right? So you could have very high number two, and then you could have one of the prototype, one of the prototype requirements and the, uh, privacy requirement, right? That’s a seven and eight, I think, or six and seven. Uh, you could have up to three assessment objectives or could it e technically it might even be more, right? Cuz you could have multiple prototype assessment objectives apply to you.

Ed Chandler (20:37):

Yeah, I mean technically you, you could have, I’ll say all seven because the first question is an or whether you have high or very high information security needs, but the, the rest of them, you, you, you could add into it. And a lot of the times that makes sense if you have, you know, for instance, you’re typing prototype, you’re touching prototype parts, prototype vehicles, test vehicles, because it’s gonna have the same types of physical security requirements between

John Verry (21:01):

Those, right? And, and assessment objective, the very high assessment objective is just a, a superset of the very, of the high, right? So by definition, if you get to the very high, you already have the high, which is why you’re saying effectively all seven objectives can apply to you.

Ed Chandler (21:16):

That that’s correct. So if you, it’s, it’s an aura question of what, what the label shows up as, but effectively because of the, you know, very high or high, you know, you’re, if you’re gonna have high protection these, you’re automatically gonna get that with very high.

John Verry (21:30):

Gotcha. And one of the other questions that I had for you was, um, you know, I know you see, and actually there’s even a reference reference to it in the participant’s handbook now, um, is there’s, and I know it was more commonly used during the pandemic, uh, a assessment level 2.5.

Ed Chandler (21:48):

Yeah. Um, so 2.5 is something that, um, that was used during the pandemic in particular. Um, it no longer is in full, full fledged, but there are ways that you can do this as a offsite assessment. However, there’s some caveats that come along with it. But the 2.5 assessment was with assessment level three, you’re required to actually be on site to perform that assessment. If we weren’t able to show up on that site due to, um, due to, for instance, you know, covid concerns or something like that, the, the, the organization was able to do a 2.5, which gave them essentially their temporary labels where they had nine months to close that out. Today there’s not necessarily that same 2.5 requirement. The 2.5 is, um, is now really it’s an assessment level three, we’re able to complete the assessment, not do it on site, but then you’ll be issued a non-conformity for not being able to do it on site, which then we have to close. So essentially it’s still there, it’s just a, it’s a different

John Verry (22:48):

One. It’s just, it’s been effectively been denigrated. It was largely something that helped us get through the pandemic. And now that we’re, knock on wood, my desk isn’t real wood, I don’t think, but could try anyway. Right? <laugh>, we’re outta the pandemic, right? Well now we’re just into the endemic, which, which, hey, it’s, it’s still an emmic. Um, what, uh, oh, that was one thing I wanted to ask you as well, cuz you just used the term and I, and I’ve heard people get confused by this. Um, the, you know, you hear that TAC label, uh, explain what a TAC label is.

Ed Chandler (23:22):

Yeah. So the labels are based off of your objectives and it’s basically a label states that you have been assessed towards that objective, for lack of a better term. You could, you could say that it’d be kind of like a certification minus the, um, the background of what a certification means. So it’s basically means that you’ve, you’ve been through the assessment, you’ve received those labels, those labels are based off of the objectives you’ve chosen and been audited against.

John Verry (23:48):

Gotcha. And, um, just to be clear to everyone, uh, E N X administers the program and E N X has established a group of, I, I think the right term is authorized assessment or authorized audit providers. Do they refer as an assessment as an audit formally,

Ed Chandler (24:06):

Uh, correct. So they’re called audit providers. Okay. If you will, if you look at the website.

John Verry (24:10):

Okay. Yeah, yeah, yeah. So, so if, so in, in terms of like taking someone through the process, you know, an organization determines that they have a ts a requirement. They, they first should make sure that they fully understand assessment objectives that apply and the assessment level that goes along with that. Or is the expectation of the, of the entity requesting the certification. Um, they may or may not work with a firm like Pivot Point, uh, helping them get prep for and be prepared for that certification, uh, or attestation, excuse me. Then they would, uh, they would engage somebody who is an authorized audit provider, uh, to have SUD being, I think, is it, is there also a T Nord? Like, aren’t you guys, isn’t tiv like the original, um, the original entity that was authorized to provide these types of certifications?

Ed Chandler (25:02):

Yeah, so there, there’s, there’s the, the history of TUF goes back quite a while. Um, it’s 160 year old history. I won’t get into the details of it, but essentially we, we were founded as the, uh, testing and inspection organization for anything. You know, if you go into an elevator, you get an emissions test, you get your car tiffed at that point. So TV technically stands for Technical Inspection Agency in German. It’s a very long and, uh, German word <laugh>. Um, with that being said, you know, there are, there are a few of us. What, what, initially what happened was that we were, each state had its own tuf, um, and over time, you know, that did be showed to be very inefficient. So there was a lot of period of m and a and now there’s really, there’s four Tufts. There’s really three. One is a subsidiary of Tuf Sud. Tuf SUD is the largest one and SUD stands for South.

John Verry (25:54):

Ah, gotcha. Gotcha. So, uh, so you know, that would be the next thing that they would do, right? Is, is, is pick an authorized, uh, audit provider, uh, and then be subject to this audit. Uh, how long, uh, would a typical audit take place give someone an idea of what they can expect from an audit?

Ed Chandler (26:10):

Yeah, so there’s, there’s three stages to the audit. The first is there’s gonna be a kickoff meeting for the audit usually held, you know, at least a week or two weeks before the audit occurs. As, so you can get to know your auditor a little bit, what the expectations of the audit, and they’ll go through that at that point so that you’re not left in the dark. Um, at that point, you know, there’s an audit that’ll take place the longest that an audit will ever take place for, you know, a specific location will be a week long. It’ll never sur it’ll never go past that week, that week timeline for a specific location. Um, it could be three days. It probably is a minimal just to give it, give the audience an idea, and then there’s a closing meeting that will happen. Usually, you know, it can happen a week or two weeks after, but usually right after the audit, dependent on, you know, what’s found.

John Verry (26:57):

Gotcha. And I’m assuming that there, you know, in the event that there’s a non-conforming identified that there’s a, a corrective action process and, you know, some type of period of, uh, time to cure, said, uh, said, uh, non-conformity and then some validation process that you guys would go through to validate that they have indeed closed said non-conformity.

Ed Chandler (27:18):

Correct. So you have nine months to close your nonconformities after the last day of the assessment. If you have a mi, if you have minor nonconformities, it’s okay. What’s what’ll happen is you’ll receive what they call as temporary labels. And those temporary labels are good for nine months after that last day of the assessment. If there’s a major non-conformity, what’ll happen is, is that you have the ability to implement a corrective action. That corrective action will then be downgraded to a minor non-conformity, potentially based off of what that is. And once that’s then closed out, then you’ll, you’ll be able to receive temporary labels. Um, and then once you’re able to prove the implementation that this is taking place and you can show that, that this is in place and currently working, then we do be able to close out, you know, as a corrective action Gotcha. Those permanent labels

John Verry (28:06):

Will be given. And then, um, does E N X act, um, as a, you know, an entity that maintains the records associated with someone’s, uh, TAC labeling? So in other words, if, if I go through this process, would IB then be listed somewhere, you know, on like the t on the ENEX website so that way if, um, you know, VW wanted to validate my standing, they’re able to do that.

Ed Chandler (28:31):

Yeah, so there’s, there’s actually, and, and, and you mentioned it earlier, the participant handbook. There’s a lot of great information in there, and that’s one area in particular that kind of walks you through what it looks like. But you absolutely, you’ll, you’ll go on to the Enex website, the OEM or whoever, your, um, your passive, there’s a passive and an active participant and you can be both, but your passive participant, which would be your customer, would be able to go in and they’d be able to see, okay, uh, ABC Company has labels for this. They’ve gone through this type of assessment. You have the ability as an organization to show how much information you actually want to share. One, one key note though is that as you go through it and as you look at what information you want to share, once you give access to that information, you can’t revoke that same access.

John Verry (29:16):

Gotcha. And um, it’s a three year certification cycle.

Ed Chandler (29:20):

Uh, correct. It’s not, I would, I

John Verry (29:22):

Three year attestation cycle, I, I keep using the same terms we’re going back and forth.

Ed Chandler (29:27):

Yeah. I wanna be careful just because so many people are so used to like ISO 27,001 where we talk about it being a three year cycle where you have a certification or a re-certification and then you have two surveillance audits for those prior years. Mm-hmm. <affirmative> for tacs, we don’t have those same surveillance audits. So once you go through it, your label is good for three years after the last day of that audit.

John Verry (29:48):

Gotcha. Um, we beat this up pretty good. Uh, anything we missed from your perspective?

Ed Chandler (29:56):

Um, one, one thing that I, you know, I I do want to add in that I think, you know, will be helpful for, um, anybody in the audience that’s going through this today is we do hear quite frequently organizations coming in and they struggle with understanding what those obse, uh, objectives are. And there’s many ways to go about it. I do always, you know, suggest to our, our customers or anybody that we talk to throughout this process that they truly understand from the OEM what their expectations are. Um, because I, I like to think that if I assume I’m usually wrong, um, doesn’t mean that, you know, doesn’t mean that you all or everybody will be wrong with those assumptions, but, um, in, in, in that sense, it’s always good to get direct information whenever possible from your customer what their expectations are.

John Verry (30:40):

Yeah. Cuz it would, it would be painful, you know, to go through the process at either a high and not hit very high and find out you were very high or not realize that, you know, they expected prototypes or they expected the privacy.

Ed Chandler (30:54):

Exactly.

John Verry (30:55):

Yeah. Gotcha. Uh, alright, uh, give me a fictional character or a real world person you think would make an amazing or a horrible ciso and why

Ed Chandler (31:06):

<laugh>? Um, <laugh>, I, I’ll, uh, I’ll, I’ll say Michael, Michael Scott from the office. Um, <laugh>, I, I, uh, I I think that while he would not be a very good ciso, cuz his mind is all over the place and he is not setting his strategies up in a correct manner, you know, I think, you know, he also depicts what CISOs go through every day because there’s so much stuff going on and there’s so many different topics that people want to talk about and things that you need to be concerned about that it’s almost the real life of a, of, you know, when you look at Michael Scott and you look at the way he thinks, it’s almost the real life of what we see today. But I do think you would not be a very good ciso cuz he doesn’t have the best ability to prioritize

John Verry (31:48):

<laugh>. Yeah. What about, what about Dwight Trou? Do you think Dwight Troupe would be a good ciso <laugh>? I mean, he’s got that experience running the beat farm, right?

Ed Chandler (31:56):

He does have the experience running the beat farm. Um, I I I think that anybody who worked for Dwight might might not want to work for Dwight very long. <laugh>.

John Verry (32:06):

I know Jim, Jim wouldn’t want to <laugh> not that I’ve ever seen this show that you’re referring to

Ed Chandler (32:12):

<laugh>. No, no. <laugh> I think, I think Jim and Pam definitely would have some challenges working for Dwight. Yeah. <laugh>. Yeah,

John Verry (32:19):

Abso absolutely one of my favorite shows. And I always smile when somebody, when somebody makes a reference it to it. I almost was gonna say that’s what she said, but I couldn’t find a way to work it in there that may actually was contextual. Uh, so if, uh, if folks wanted to get in touch with you or Tiff Sud head, what’s the best way to do that?

Ed Chandler (32:36):

Yeah, you can reach out to us via our website. Um, you can reach out to me directly. I’m always available, you know, I’m on, on LinkedIn or, um, you know, uh, you can reach out to us via contact us form, you know, we’re happy to help and, you know, provide any information, um, you know, as questions come up.

John Verry (32:53):

Awesome. Thanks man. Appreciate you coming on to chat about Tex. Uh, this was helpful.

Ed Chandler (32:57):

Absolutely. Thank you John.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Ep #110 – Understanding TISAX (Trusted Information Security Assessment Exchange)

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security