Vendor Information Security Requirements

Scout Motors is committed to maintaining the highest standards of information security to protect its assets, including confidential and proprietary information, as well as data entrusted to it by customers, partners, and regulatory bodies. As such, Scout Motors requires that all employees, vendors, third party providers, representatives, contractors, external service providers, and potential customers comply with established security standards and practices to safeguard the confidentiality, availability, and integrity of all information. This Vendor Security Requirement Contract outlines the security standards and obligations that Vendor agrees to adhere to in providing services to Scout Motors and/or accessing any Scout system or data. By entering this Contract, Vendor acknowledges its responsibility to implement and maintain appropriate security measures in accordance with the terms outlined herein.

  • Information Security Program - Scout Motors (“Scout”) requires all its vendors, service providers and other business partners to maintain a comprehensive written Information Security Management System (ISMS) that includes technical, physical and organizational measures to ensure the confidentiality, security, integrity, and availability of information provided by Scout Motors and its employees, representatives, contractors, customers, and Vendors (collectively, “Scout Motors”), in alignment with an industry-recognized standard (e.g., ISO 27001, SOC 2 Type II, TISAX), and to protect against unauthorized access, use, disclosure, alteration, or destruction of Data. A successful ISMS must be in place with a common understanding of the division of responsibilities, and the implementation of all security requirements must be ensured. Therefore, when using external IT service providers and IT services, the responsibilities regarding the implementation of information security measures are to be defined and verifiably documented. Vendor must also appropriately establish an information security process in the project management procedures of the organization. (TISAX 1.2)

  • Information Security Policy - Vendor must document and maintain an Information Security Policy, periodically reviewed, and accessible to all employees. The policy must articulate the organization's objectives and the importance of information security, while also clearly outlining the consequences of non-conformance for all employees and contractors. (TISAX 1.1)

  • Assigned Security Responsibility – Vendor must define, document, and assign responsibilities for information security within the organization, and must designate an individual as the primary security manager under this Agreement. The security manager must be responsible for managing and coordinating the performance of Vendor’s obligations set forth in this Agreement.

  • Asset Management - Vendor shall identify and record all information assets and other assets where security is relevant to the organization and where Scout’s systems, data and information are stored, transmitted, or destroyed. Vendor must maintain a consistent scheme for the classification of information assets based on the protection goals of confidentiality, availability and integrity. Vendor shall implement specifications for the handling of supporting assets based on the classification of information assets; these specifications must be documented and applied to Scout data to ensure correct labeling and handling. (TISAX 1.3)

  • Identity and Access Management – Policies, procedures, and controls must be in place to:

    1. limit physical access to information systems and the facility or facilities in which data is processed/stored only to authorized persons. (TISAX 4.1)

    2. ensure that all employees who require access to Scout Data have appropriately controlled access, and prevent those employees and others who should not have access from obtaining access, following a “need-to-know” model.

    3. assign a unique ID to each person with computer access to Scout Information. Users must be informed of the consequences of disclosing or sharing credentials.

    4. regularly review the list of people and services with access to Scout Information and remove accounts (or advise Scout to remove accounts) that no longer require access. This review must be performed at least once every 90 days.

    5. implement the six-eyes principle for privileged account approval and review.

    6. disable any manufacturer-supplied defaults for system passwords and other security parameters on any operating systems, software or other systems. Vendor will mandate and ensure the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to, Scout Information and will require that all passwords and access credentials are kept confidential and not shared among personnel. Passwords must meet the following criteria: contain at least 12 characters; not match previous passwords, the user’s login, or common name; be changed whenever an account compromise is suspected or assumed; and be regularly replaced after no more than 90 days.

    7. maintain and enforce “account lockout” by disabling accounts with access to Scout Information when an account exceeds more than 10 consecutive incorrect password attempts.

    8. remove access from terminated employees within 24 hours.

  • Security Awareness and Training – A security awareness and training program must be in place for all employees (including management) on a regular basis, which includes training on how to implement and comply with the Information Security Policy. Vendor shall prepare a concept for awareness and training of employees, management, sub-contractors, and contractors, covering various aspects such as information security policy, incident reporting, malware response, password policy, compliance issues, and use of external IT services. The program must be reviewed on an annual basis and the identification of target groups for training and awareness measures based on specific risk environments and roles within the organization must be in place. (TISAX 2.0)

  • Personnel Security – Vendor may not subcontract or delegate any of its obligations under this Security Policy to any subcontractor without Scout’s prior written consent. Notwithstanding the existence or terms of any subcontract or delegation, Vendor will remain responsible for the full performance of its obligations under this Addendum. Vendor must ensure that subcontractors and personnel comply with this Security Policy, and is responsible for all acts, omissions, negligence and misconduct of its subcontractors and personnel, including (as applicable) violation of any law, rule or regulation. (TISAX 6.0)

  • Security Incident Procedures – Policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Scout Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. Vendor shall define, document, and assign responsibilities and authority for crisis management within the organization, ensuring the qualification of responsible employees. (TISAX 1.6)

    1. Vendor must inform Scout without undue delay (no longer than 24 hours) of any security breach, as defined by applicable law(s), affecting systems (i) containing Scout Information, or (ii) managed by Vendor with controls substantially similar to those protecting Scout Information (each, a “Security Breach”). Vendor must mitigate Security Breaches in a timely manner and provide Scout written details regarding Vendor’s internal investigation of each Security Incident. Vendor agrees not to notify any regulatory authority, nor any customer, on behalf of Scout unless Scout specifically requests in writing that Vendor do so, and Scout reserves the right to review and approve the form and content of any notification before it is provided to any party. Vendor will reasonably cooperate and work together with Scout to formulate and execute a plan to rectify all confirmed Security Incidents.

    2. A definition of a reportable security event or observation must exist and must be known by employees and relevant stakeholders. During processing, reported events are categorized (e.g. by responsibility into personnel, physical and cyber), qualified (e.g. not security relevant, observation, suggested security improvement, security vulnerability, security incident) and prioritized (e.g. low, moderate, severe, critical). Responsibilities for handling events based on their category must be defined and assigned.

    3. Vendor must maintain active third-party insurance that covers cyber security events and includes, at a minimum, forensics and crisis management.

  • Device and Media Controls – Policies and procedures governing the receipt and removal of hardware and electronic media that contain Scout Data into and out of Vendor’s facilities, and the movement of these items, including policies and procedures to address the final disposal of Scout Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Scout Data from electronic media. (TISAX 3.0)

    1. Technical controls must be in place to ensure that no Scout Data is downloaded or otherwise stored on laptops or other portable devices unless they are subject to all of the protections required herein. Such protective measures shall include, but not be limited to, encryption of all devices accessing Scout data and the use of up-to-date anti-malware detection and prevention software.

    2. Vendor shall determine and fulfill requirements for teleworking, considering secure handling of information, behavior in private and public surroundings, and measures for protection from theft. It must ensure that the organization's network is accessed via a secured connection with strong authentication, such as VPN.

    3. Vendor shall consider measures for traveling, including inspection by authorities and travel to security-critical countries.

  • Operational Security (TISAX 5.2)

  • Change Management – The vendor shall promptly notify the organization in writing of any proposed changes that may impact information security. Such changes include, but are not limited to:

    1. Modifications to systems, software, or infrastructure that could affect the confidentiality, integrity, or availability of sensitive data.

    2. Alterations to access controls, user permissions, or authentication mechanisms.

    3. Adjustments to network configurations, firewalls, or security protocols.

    4. Updates to third-party components or libraries used in the vendor’s solutions.

  • Storage and Transmission Security – Technical security measures to guard against unauthorized access to Scout Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Scout Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access. (TISAX 5.0)

    1. Data must be encrypted at rest with a minimum strength of AES-256 and in transit using TLS 1.2 or higher.

    2. Data Leak Prevention controls must be in place to monitor and block sensitive data exfiltration attempts.

    3. Networks must be secured and include the use of state-of-the-art firewalls and IDS. Secure network protocols must also be in place, including IPsec VPNs, SSL/TLS for web traffic and SSH for external access.

    4. Data being transmitted must be protected from unauthorized access or disclosure.

    5. Vendor must have a key management mechanism in place that governs its cryptographic procedures, including an emergency process for restoring keys.

    6. Data Classification - Data classification and handling matrix must be documented and applied to Scout data to ensure correct labeling and handling.

  • Logging and Monitoring - A comprehensive logging and monitoring program must be in place. (TISAX 5.2)

    1. SIEM must be deployed.

    2. Security logs must be defined.

    3. Log notification for security events must be automated.

    4. Logs must be reviewed at planned intervals and protected against modification.

    5. Logs must be retained for 30 days online and 90 days archived.

  • Vulnerability Management – A vulnerability management program must be in place with defined mitigation times for critical, high, medium, and low vulnerabilities. The program must include a regular patching cadence to ensure all software is up to date, and state-of-the-art scanning tools must be in place and run on a regular basis. Penetration tests or similar must be conducted on a regular basis, and Vendor shall regularly test its systems. Scout data must not be used in test or development environments. If there is a loss of operational efficiency or data, Vendor will mitigate losses and restore data from the last clean backup. (TISAX 5.2.5)

  • System & Service Audits – Vendor must have auditing requirements for systems & services and coordinate regular audits of identified systems. Audits must be conducted by qualified personnel with suitable tools. (TISAX 1.5.2)

  • Business Continuity – Vendor must identify critical IT applications and implement policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, cyber attacks, system failure, and natural disaster) that damages Scout Data, systems that contain Scout Data, or their critical supporting teams or personnel. (TISAX 5.2.8)

    1. Business continuity and Disaster recovery plans must be in place and tested annually.

    2. Redundant systems must be in place to restore Scout data in the event of a disaster or disruption.

    3. Regular backups must be taken and secured from corruption.

  • Supplier Relationship – Vendor shall have a comprehensive Supplier Management Program in place with documented procedures to assess its suppliers’ (sub-processors’) information security posture before onboarding and at planned intervals. All contractual requirements must be passed on to sub-processors. (TISAX 6.0)

  • Physical Security – Vendor must secure its physical facilities as well as its network using a security concept that protects against unauthorized access and is communicated to all employees. Security controls used to protect against and detect compromise must include, but are not limited to, ID badges, biometrics, CCTV, and alarm systems throughout the facility. Access to facilities must adhere to least privilege, and all visitors must be checked in/out and escorted while on premises. Mobile devices must be secured through the use of baseline security controls including encryption, access protection, antivirus software with regular signature updates, etc. All devices must be secured through a program similar to Mobile Device Management (MDM) to protect against exfiltration of data. A security zone concept, including the associated protective measures based on the requirements for the handling of information assets, must be in place. (TISAX 3.0)

  • Compliance and Continuous Monitoring – Vendor shall monitor and identify legal, regulatory, and contractual requirements at regular intervals, must demonstrate adherence to an industry standard (including, but not limited to, ISO 27001, TISAX, SOC 2, NIST CSF, etc.), and must demonstrate regular third-party audits to ensure compliance. Vendor shall maintain all necessary documentation to show compliance with the minimum information security requirements set forth herein. Upon request, Vendor shall permit Scout or an independent third party to audit Vendor’s compliance with the minimum information security requirements. (TISAX 7.0)