Request to assess business partner's information security level

Partner companies of ŠKODA AUTO a.s., a subsidiary company of Volkswagen Group, receive information on secret and confidential products, processes and strategies of ŠKODA AUTO. Leaks of this information can cause repercussions for ŠKODA AUTO, e.g. the compromising of competitiveness or security, or the violation of laws of the Czech Republic (in particular Act No. 40/2009 Coll., Criminal Code or Act No. 89/2012 Coll., Civil Code, especially as regards the violation of trade secrecy, intellectual property rights or competition law). For further information please refer to ŠKODA AUTO internal directive ON.1.022 Confidentiality.

This can involve data on planning, development, human resources, finance, purchasing, logistics, marketing, sales and product data as well as components, test mules and prototypes. This also affects the development and/or production of immobilizer-related components from which technical information and data can be obtained (keys and locking systems, master immobilizer, e.g. in a dash panel insert or a convenience control unit, engine control units and control units for electronic steering lock mechanisms etc.).

The aim is to collaborate exclusively with partner companies which can, on the basis of an evaluation, establish proof of adequate security. Under this condition, collaboration as well as technical access to ŠKODA AUTO or Volkswagen Group, e.g. via CAx Supplier Network (CSN) link, will be approved.

The company 'Deutsche Cyber-Sicherheitsorganisation GmbH' (DCSO) has been commissioned by the Volkswagen Group to carry out evaluations of the partner companies. The aim is to issue approval of the partner company for collaboration with the Volkswagen Group in the respective area for a maximum of 3 years. A new evaluation will then be necessary.

The evaluation is arranged using the attached application. Please complete the application form and send it via email for processing to

The Volkswagen Group's security organisations specify the particular obligatory methods of evaluation suitable for determining the level of data security at a partner company.

Regardless of the method of evaluation used, the evaluation always comprises the following components:

›  Preparation: registration, contact with the partner company and the specialist department, provision of the necessary documentation, evaluation of the data from the partner company and coordination of the evaluation’s scheduling and logistics.

›  Execution of the evaluation on site or on the basis of documentation from auditors in accordance with Volkswagen Group guidelines.

›  Follow-up: creation of an audit report, definition of measures and monitoring, examination of documentation, creation of a final report including a recommendation for approval and archiving.

Schedules and deadlines are generally agreed on individually with all parties concerned.

At least 8 weeks should be planned for the completion of an evaluation.

The partner company bears the costs of the evaluation.

If you have any questions, please contact the information security team through the service support centre of Deutsche Cyber-Sicherheitsorganisation GmbH:

Telephone: +49 30209 664 112

Email:

Please send by email to:

Partner company (location to be assessed)
Full name of partner company / DUNS
Address / Country code/Postcode / Location
Name of contact person / Telephone / Email
Customer at ŠKODA AUTO (e.g. department or Procurement)
Surname, first name, department
Telephone / Email
Collaboration
Field of collaboration within ŠKODA AUTO / Project title
A technical link of the above-named partner company to the partner company network of Volkswagen and/or ŠKODA AUTO for the purpose of data exchange or system use exists/has been applied for.

The following criteria are to be considered in accordance with the classification and applicable regulations in the evaluation:

Classification and desired approval(s)
Information exchange according to document type/ information type catalogue
SECRET information (provision, transfer or independent processing of data)
CONFIDENTIAL information (provision, transfer or independent processing of data)
INTERNAL or PUBLIC information
PROTOTYPES (vehicles and parts relevant to design subject to non-disclosure in accordance with classification by the Development and/or Design departments)
COMPONENTS AND ENGINES subject to non-disclosure, fitted in production vehicles or not relevant to design
IMMOBILIZER COMPONENTS (e.g. development and production sites for keys, locking systems, engine control units, immobilizer master control units, electrical steering lock mechanisms etc.)
Desired period of validity for approval(s)
3 years (normal) restricted from until (limited-time project)


The client hereby confirms the accuracy of the information and the existence of a valid confidentiality and non-disclosure agreement between ŠKODA AUTO and the partner company. This is legally valid until (date).

Name of ŠKODA AUTO client / Organisational Unit / Date / Signature
Name of Head of Department ŠKODA AUTO
(not required if the customer is with Procurement) / Date / Signature

The Company

(legal entity, complete address)

– hereinafter called Partner –

confirms to Volkswagen AG and ŠKODA AUTO a.s., as part of Volkswagen AG, the following

Security Requirements

A written legally binding secrecy agreement is a precondition for the cooperation with Volkswagen AG.

Especially confidential and secret information, prototypes or parts of prototypes of Volkswagen AG (Confidential Values) are subject to secrecy. The Partner has to maintain secrecy. In order to ensure secrecy the Partner has to implement suitable technical and organisational security measures.

In order to enable inspection of whether such security measures are implemented, the Partner agrees to first submit a legally binding security self-assessment to Volkswagen AG (see vwgroupsupply.com > Information > Sustainability Compliance Security > Security Standards > "Questionnaire for Physical Security" and "Information Security Assessment"). The security requirements are based on ISO/VDA standards and Volkswagen AG specific standards (see vwgroupsupply.com > Information > Sustainability Compliance Security > IT Security Guidelines and … > Security Standards).

Depending on the risk and the submitted security self-assessment Volkswagen AG reserves the right to inspect the implementation of the security measures at the Partner. The inspection results relate to the involved sites, i.e. the infrastructure which the Partner uses. Volkswagen AG or an external third party authorized by Volkswagen AG performs the security inspection. In agreement with Volkswagen AG also another inspection company proposed by the Partner may carry out the inspection and its documentation according to the requirements of Volkswagen AG.

The Partner carries the costs for the security inspection and for any essential security measures which may arise. Basically, achieving a positive inspection result is a precondition for dealing with Confidential Values by the Partner.

A positive inspection result is valid for three years. After expiration of the validity a security inspection has to be performed again by request of Volkswagen AG, based on an up-to-date security self-assessment and following the procedure described above. There is a right to perform a premature security inspection before the validity expires due to occurrences influencing directly or indirectly the security of Confidential Values (e.g. security breaches).

Changes affecting the inspection results at a later date must be reported immediately (e.g. change of company address, subcontractors, change of location etc.), as well as major security relevant events affecting the Partner.

Place, date: / Supplier-No.:

and/or

SUPPLIER/TRUSTEE / DUNS-No.:

______

(please print name in block capitals, legally binding signature)

SUPPLIER / TRUSTEE

Reg. No. 1751 / S4 / ŠKODA AUTO a.s., tř. Václava Klementa 869, Mladá Boleslav II, 293 01 Mladá Boleslav, Czech Republic
Valid from: 01. 07. 2017