The classification and labelling of information are key elements in achieving a needs-oriented level of information protection. These measures belong to what is known as ‘information protection’ and designate the categorization of information into various levels according to its value to a company.
Most companies have already implemented classification levels by defining a system for classifying information and then implementing it through the use of appropriate policies in daily business. A comparison within the automotive industry reveals differences among companies regarding both the number and the designation of the classification levels. In the case of information exchange, in particular, such differences can lead to ambiguity that in turn results in uncertainties.
Therefore, the VDA Information Security working group has created a standard scheme for classifying information and has recently published its work in a whitepaper. In conjunction with the requirements of the VDA’s Information Security Assessment (VDA ISA), the scheme helps to prevent misunderstandings and minimize risks when information is exchanged, thus fostering appropriate information handling.
Key questions in information protection
As business data is distributed more broadly and quickly, companies must ensure that information is protected continuously and at all levels, regardless of where it moves. Therefore, companies must be able to answer the following questions: Do you have a strategy in place that protects and classifies sensitive information? Do you have control over your data while it is being transferred either within or outside of your organization? Examples include the exchange of information with customers or business partners via email, SharePoint websites, or other online services.
Information protection at a glance
The VDA Information Security working group recommends that companies find ways to reliably identify and uniquely classify sensitive or confidential information. By using integrated solutions for information protection, companies can effectively address typical challenges in day-to-day data management:
- Ensure data governance and control of business information
- Prevent unauthorized sharing of data
- Encrypt data and files that have been downloaded via an internal SharePoint application, a network share, or other business resources
- Monitor network and data access, as well as data sharing for external applications and mobile apps
- Prevent data leaks and other loss of business data from any type of device
- Minimize user frustration since restrictive data management policies are not needed
With Azure Information Protection, Microsoft provides a platform that companies in the automotive industry can use to implement the VDA recommendations. Documents can be classified automatically or by the user and labelled accordingly. Downstream systems can evaluate the label and respond to it. Azure Information Protection can also encrypt the documents itself.
This solution allows you to share, reliably manage, and protect emails, documents, and confidential data that is sent outside of your company. From simple classification to integrated labels and authorizations, Azure Information Protection broadens the definition of continuous data protection, irrespective of where the data is saved and for whom it is released.
The VDA recommends that its members become familiar with the information in this whitepaper and implement the described scheme for information classification. Incidentally, Microsoft has implemented this system internally as well, and has nearly completed all steps recommended by the VDA.
Automotive User Group
The Microsoft Automotive Sector in Germany organizes an “Enterprise Rights Management User Group”, in which the technical deployment of the VDA recommendation is discussed. Currently, the German car manufacturers and numerous suppliers are taking part in this user group. The group is open to other participants and has already been complemented and expanded by companies from the manufacturing and chemical industries.
If you are also interested in a close dialogue about secure document and information exchange and want to participate in the User Group, please contact Uwe Falkenberg directly.