How we helped the SKODA AUTO subsidiary navigate their strict group IT security requirements whilst still maintaining their agility.

  • What were the risks to the parent business of having an IT security policy operating in their creative hub that did not fully capture all the necessary elements?
  • How do you design rules to keep a company agile but still adhere to the strict rules of ISO 27001?
  • What systems do you need to set up in your business to ensure that everyone knows what to do should they lose a laptop that holds sensitive data?

What is DigiLab (DL)?

Digitization is one of the main strategic pillars which the long-standing, pioneering Czech car brand ŠKODA AUTO is focused on for the future. Autonomous driving, car sharing, courier delivery direct to your car boot - all of this should (or could) soon become a reality.

But, as the Volkswagen Group’s complex processes could well slow down some of the innovation, the parent company decided some time ago to set up the DigiLab hub and to give it the freedom and backing to run a proof of concept.

After two very successful years, during which the startup launched a number of projects such as HoppyGo and CareDriver, the moment arrived when the parent company realised that they needed to turn the creative hub into a standalone, self-sufficient company able to drive itself forward.

What could possibly go wrong?

From the beginning, IT security was a pressing concern. Although DigiLab placed and still places great emphasis upon intensive collaboration with external startups and other supporting companies, some security issues still needed to be addressed. And with the ever-increasing bank of knowledge, there was a growing risk that potential problems, such as the leak or loss of sensitive data, could seriously damage the entire group.

Just imagine losing a laptop that holds a lot of sensitive company data on the device itself and, worse still, has access to even more sensitive company data. If the device is unprotected and the company doesn't have a properly set up data management system, you may lose not just a few pictures from your holiday, but an entire project if your data is not backed up elsewhere. What's more, maybe no-one has been appointed to handle such situations because no-one foresaw this problem and the need for processes to prevent it happening. The only sure thing is that the subsequent damage could have enormous consequences.

Do you know what would happen in your company?

  • Are you sure that your developers have up-to-date Git code and that there is no chance that they could lose an entire week's work?
  • Do your employees take corporate laptops to LAN parties? Could their equipment be attacked and serve as an entry point for an attacker?
  • Could there be a bugging device somewhere in the building?
  • Are you sure that one of your employees couldn't leave the company, perhaps feeling disgruntled, in possession of secret information or even a blueprint for a product in development?

Do you think such things are impossible?

If yes, then please read the article about the recent Tesla Autopilot code leak to China.

DigiLab's Case

ŠKODA AUTO was well aware of the potential IT dangers and therefore ordered an IT audit at DigiLab to identify any potential problems. But the challenge was much greater than envisaged.

The main task that CEO Jarmila Plachá gave us was not only to comply with the conditions of the security audit but also, whilst doing so, to ensure that her organization could still think freely and maintain its creativity.

If DigiLab, for whatever reason, did not pass the internal audit, it would subsequently have to follow the often very rigid and strict internal guidelines of the parent company. It would not be the first time that, due to strict rules, certain business processes stopped working that otherwise would have continued to work perfectly.

All involved agreed that they did not want this to happen at DigiLab.

Strict ISO rules

ŠKODA AUTO decided that they needed to adhere to ISO 27001, a standard used to certify an organisation's ability to create and maintain a comprehensive information security system. But the problem was that the standard is very rigid and is normally used for really large businesses.

From the outset it was clear that setting up the critical evaluation process itself correctly, and following the right steps in building such a system, would contribute more to a successful outcome than any subsequent follow-up actions.

The Cliff Face

To get that critical process set up properly, we immediately contacted an authorised auditor. He used the scorecard below to rate SKODA AUTO's existing IT security position.

0. IT security issues are not being addressed at all.
1. Everything is done as an FYI, i.e. the processes are set up on a goodwill basis, with no obligation to actually follow the rules.
2. Basic processes work, but neither the process demands nor process actions are documented anywhere.
3. Everything is defined in detail - standard processes, responsibilities, skills and authorisations needed to perform individual tasks, ensuring that the responsible employees have sufficient expertise (e.g. appointing a certified security officer).

Time to roll up our sleeves

Our first job was to correctly define all tasks, specifically in connection with the methodology we had to follow. To do this we had to observe the flow of information, understand the existing information security policy and find out whether, and how, crisis management at the site worked.

Specific questions that we asked:

  • Is antivirus software used and, if so, which software?
  • Do we have any idea whether people are using illegal software or their own applications?
  • Does anyone connect their own (potentially dangerous) devices?
  • How do employees work with documents? Where are they stored, who has access to them?
  • How do people in the company handle passwords? Are they visible to others?
  • Can anyone access internal databases from their applications?
  • Does everyone know what to do if hardware is lost?
  • Do we have any knowledge of the warranty periods and licenses?

Finding the Right Balance

Once we got to grips with all of the information, our next task was to cast the rules in stone in the DigiLab organization - set real goals and processes, and define how to control them. To attain our score of 3 we also had to identify the people who would own these processes and determine to what extent, and how frequently, top management would be kept up to date.

In a nutshell, we established security rules on how to handle information to avoid losing it, and described what to do if something unexpected occurs. Losing a laptop is just one of those scenarios, but what would you do if your office burned down? The resulting document turned out to be 60 pages and was backed up by an employee training exercise.

And the main insight? The biggest problem is to avoid having to solve the problem.

The final score

Needless to say, we are over the moon that we were able to help DigiLab attain that score of 3 and help set them on the road to delivering other great projects. And we are even more pleased that everything was realized in less than five months - that was down to good teamwork.

In a situation that required a great deal of creativity, we were able to capitalize on our many years of experience in securing and managing portable devices and deploying Office 365 with maximum focus on classifying and securing data.

We frequently carry out security monitoring for our customers. If a client suspects that they may have some disgruntled employees who are on the verge of leaving, we can trace their IT activities to ascertain whether they have downloaded sensitive data and, on the back of that, proactively strengthen the company's IT security and help to mitigate the risks associated with data leaks.

So what about that lost notebook?

So what happens today if a DigiLab employee loses their laptop? They just follow the process: report the loss to the appointed number as soon as possible. The responsible person locks the disks remotely, and the next day the user has a new pre-configured laptop on their desk, ready for them to start working.

Compared to the damage that such a data leak could cause, replacing the lost equipment is a trifle - we guarantee your employer will agree :)

The danger is real!

Former Tesla employee admits uploading Autopilot source code to his iCloud

Guangzhi Cao, a former engineer at Tesla, admitted in a court filing this week that he uploaded zip files containing Autopilot source code to his personal iCloud account in late 2018 while still working for the company. Tesla sued Cao earlier this year for allegedly stealing trade secrets related to Autopilot and bringing them to Chinese EV startup Xiaopeng Motors, also known as Xmotors or XPeng.

Source: The Verge

Martin KRIVY
CEO and Founder at Dworkin

To get 100% confidence means to have the most motivated team ever

We got 100% confidence from the director, Mrs. Plachá. Management support was also great. This is important for the success of any such action.

Mgr. Jarmila Plachá
Head of ŠKODA AUTO DigiLab

This lesson was useful and informative for us. But I hope that we will not ever have to go through that exercise again.

I would like to thank you all once again for successfully completing your IT audit, which we have managed to do with the best possible result thanks to your work over the last months and your commitment. Big thanks for the preparation of documents, careful checking of all details and training for the whole team and last but not least for the creation of new internal rules to increase IT information security.
