Section 4 of the VDA ISA security assessment deals with access control. It defines standards for policies and procedures related to user registration, permission management, data access, and other aspects of access management.
PKWARE’s data-centric security technology can help organizations meet TISAX requirements and demonstrate compliance to assessors, customers, and partners.
Here’s a closer look at two of the subsections that make up the TISAX access control standard.
Subsection 4.1.2 asks: “To what extent are policies and procedures regarding the access to IT systems in place?”
In addition to standards for creating and documenting policies, 9.1 also dictates a few specific approaches for controlling access to sensitive information. Data requiring “high protection” should be protected by passwords at a minimum, whereas data requiring “very high protection” must be protected with measures that include multi-factor authentication.
Subsection 4.2.1 goes into more detail on limiting access to sensitive information.
This subsection focuses on internal processes for granting and reviewing access permissions. It also contains one specific requirement for data requiring very high protection: It must be secured using “encrypted data storage in order to prevent access and viewing by unauthorized persons/roles (e.g., administrators) at least on file level.”
Where Does PKWARE Fit in?
PKWARE’s approach to policy management and encryption key management allows organizations to maintain strict control over the protection applied to sensitive data and the access different users and groups have to that data.
PK Protect integrates with Active Directory and associates encryption keys, classification schemes, and other security features with user identities. This means that administrators can create granular policies that allow each user or group to access only the data they are authorized to use.
Automated Encryption with Support for Multi-Factor Authentication (MFA)
PKWARE automatically applies persistent strong encryption to sensitive data based on organizational policy. This protection travels with data wherever it moves, ensuring that only authorized users can decrypt and access the data, even when it’s stored outside the company network.
Because PKWARE integrates with Active Directory, the encryption keys used to secure sensitive data are associated with user identities. Thus, if an employee who holds an encryption key leaves the company, the employee record can be removed from Active Directory and that individual will no longer have access to the file.
It’s as simple as that: No re-encryption is necessary, and there’s no second user database to synchronize or update.
PKWARE supports multi-factor authentication (MFA) for use cases requiring very high protection as described in section 4.1.2 of the TISAX assessment. When a user attempts to access a file that requires MFA, PK Protect will prompt the user to enter a token code (or other MFA credential) and validate the code through an integration with the organization’s MFA technology. If—and only if—the user has entered the correct code, PK Protect will decrypt the file.
Integration with Active Directory—and the enforcement of information access because of it—isn’t available in many data security products, but it’s a standard feature of PKWARE’s data security platform.