On 6 August 2017, in advance of proposed legislation, the UK government published 8 ‘Key Principles’ regarding the cyber security of connected and autonomous vehicles. This is the third of a series of 4 blogs regarding those principles.
As well as requiring security by design, ongoing monitoring and collaboration between the various auto-industry organisations (see blogs 1 and 2 in this series), the government expects organisational security to be “owned, governed and promoted at board level” (Key Principle 1). The requirement is not just that vehicles should be secure, but that the processes and practices of manufacturers, sub-contractors and suppliers should be equally rigorous.
Organisations are expected to “embed a ‘culture of security’” (Key Principle 1.3) via awareness and training, and (under Key Principle 1.2) organisations are expected to be able to identify one or more directors with “personal accountability” for product and system security. Oddly, Key Principle 1.2 also suggests, wrongly, that accountability is delegable: it is thought that the guidelines are instead intended to refer to delegation of responsibilities. Clarification from the Department for Transport would be welcome.
Although the 8 Key Principles are non-binding guidelines, the outcomes they seek are closely aligned with the responsibilities and requirements of an organisation under the General Data Protection Regulation (GDPR). It is likely appropriate for a director charged with implementing and monitoring compliance with data protection law to also have “accountability” for organisational security under these guidelines. It is important to remember, however, that the information security expectations under this guidance are broader than under the GDPR and its predecessor. Data protection will be considered further in the next blog.