Siemens Industry Software Inc. and its affiliated companies (SISW) abide by an efficient risk-mitigating governance framework, guidelines, and guidance.
Cybersecurity is one of the most important issues impacting the future – for companies and society. It is the key prerequisite for organizations to safeguard critical infrastructure, protect sensitive information, and assure business continuity. As one of Siemens' strategic goals, the digital transformation will succeed only if we can rely on data security and connected systems. Cybersecurity has a tremendous impact on our customers and is required by many international and national laws and regulations. This makes cybersecurity a top priority for Siemens.
Siemens Industry Software Inc. and its affiliated companies (SISW)’s Cybersecurity organization endeavors to protect our customers’ information that resides in or is processed by SISW products, solutions, and services. We accomplish this by ensuring such products, solutions, and services meet generally accepted engineering practices for product and solution security, including cyber defense best practices such as threat detection operations and attack surface reduction.
Given the importance of cybersecurity, the SISW Chief Information Security Officer (CISO) reports directly to the SISW CEO and through the Siemens Global Chief Cybersecurity Officer.
Siemens’ Corporate Cybersecurity organization and the SISW Cybersecurity organization collaborate closely as trusted partners for the benefit of our customers and other Siemens businesses. The security experts throughout Siemens develop and adopt technologies, leverage the internal network, and consult with peer companies to routinely improve Siemens’ resilience through clear, holistic accountability. We rely on a culture of ownership for all aspects of cybersecurity. All of this gives Siemens a broad foundation for protecting itself, its customers, and society at large.
These are the Certifications, Attestations, Labels, and Reports held by DI SW.
ISO 27001/17/18 Certification
ISO 27001 is the international standard that describes best practices for an Information Security Management System (ISMS).
Achieving ISO 27001 certification and accreditation demonstrates that our organization follows information security (IS) best practices. It also provides an independent expert verification that IS is managed in line with international practice and business objectives.
The commitment of SISW to information security is evidenced by the ISO 27001 certificates listed below and addendums 27017 and 27018.
Siemens supports the CSA, a leading global organization dedicated to best practices for secure cloud computing. Siemens has been labeled as a “Trusted Cloud Provider” by CSA, and SISW offerings have achieved CSA Security, Trust, Assurance, and Risk (STAR) Level One, which affirms our alignment with CSA security practices.
SOC 2® is a Service Organization Control Assessment relevant to security, availability, processing integrity, confidentiality, or privacy.
SISW’s SOC 2® Reports are certified attestations intended to provide detailed information and assurance to our customers. This information refers to controls within SISW related to the security, availability, and processing integrity of all systems involved in service delivery and processing customer data. It also affirms the confidentiality and privacy of the information processed by SISW systems.
SOC 2® Reports can be requested via your SISW Sales contact and will be made available after a proper confidentiality/non-disclosure agreement has been put in place.
SOC 3® Trust Services Report for Services Organizations provides criteria for general use reporting.
These reports can be freely distributed and have been designed to meet the knowledge gap in users who require assurance about security, availability, and privacy but cannot effectively apply the information contained in a SOC 2® Report. SOC 3® Reports are also sufficient for users and use cases when the in-depth information of a SOC 2® Report is not required.
TISAX is an information security assessment for the data exchange mechanisms between companies in the automotive industry.
The TISAX Label confirms that an approved third party has assessed a company’s information security management system as compliant with defined security objectives. In our efforts to facilitate the work of our automotive industry customers, SISW has pursued TISAX labels for certain systems and facilities necessary for such data exchanges.
Further instructions on how to access relevant SISW TISAX certifications are available here.
SISW has established an Information Security Management System (ISMS) that fits within the vision of the Siemens Cybersecurity Policy Framework and prescribes the policies, controls, and assignment of responsibilities that enable SISW to meet customer expectations for cybersecurity and to satisfy the requirements of the certifications and attestations listed above.
Core to the ISMS is the SISW Information Security Program Manual, which provides our management approach to SISW’s information security program for offerings and related activities. The manual describes SISW’s approach to establishing and maintaining an information security governance program that provides for the confidentiality, integrity, availability, and privacy of information resources.
The ISMS also establishes a set of policies, under the governance of the SISW Information Security Council (ISC), to ensure the commitment to the information security program, program objectives, and program enforcement.
SISW's products, solutions, and services contain significant software and IT-related components, which may be subject to rapidly developing regulatory security requirements.
The Siemens-wide PSS Initiative was established to help ensure that the products, solutions, and services we sell enable our customers to run their processes in a secure environment. SISW assigns a Product and Solutions Security Officer (PSSO) to each product line to see that this initiative is implemented and monitored throughout the development cycle.
For this purpose, binding requirements for PSS and recommendations for implementation are in place within Siemens. Continuous improvement and learning are fundamental prerequisites for successful realization of PSS.
Creating common awareness amongst employees is crucial for ensuring adherence to cybersecurity initiatives and maintaining high levels of security and safety. This means creating a risk-aware culture and providing ongoing training and education opportunities for individuals throughout the organization.
Siemens SISW offers employees several activities and avenues for learning and development, including:
• A mandatory global awareness campaign to provide employees with information regarding cybersecurity topics. These training sessions are web-based, barrier-free, and multi-language. In addition, we have “Driver’s License” training for role-specific groups. This mandatory training enables the group to apply Siemens security guidelines.
• Additional SISW-mandatory security training for PSSOs and cloud security-specific training for developers involved in creating content is offered.
• Siemens offers numerous, regularly updated training courses and learning opportunities for employees on a voluntary basis. These training modules range from basic knowledge to specific and specialized areas like PSS.
SISW has implemented a platform that provides an overview of our cybersecurity posture, including insights into potential vulnerabilities, threats, and security logs.
Monitoring of the relevant environments and logs enables:
• Notification of security-related events;
• Centralized overview of account information (resources and assets);
• Validation of designated cloud security postures, alerts, and practices; and
• Execution of informed and targeted security-based business decisions.
SISW maintains an ISO 9001-certified Quality Management System (QMS) designed to embed security controls in the Secure Development Lifecycle (SDLC) of SISW products and the integration of third-party suppliers to control the quality of deliverables. The QMS executes gates at major checkpoints to validate that security controls and quality KPIs have been properly executed.
Cybersecurity risk management processes are part of Siemens’ Enterprise Risk Management strategy (ERM). ERM’s primary goal is to enable Siemens to identify and minimize potential security risks based on international standards.
Siemens' Cybersecurity Risk Management process focuses on reporting and managing risks within the following:
• Asset Classification and Protection for IT, documents, and information;
• Threat and Risk Analysis for products, solutions, and services;
• Exception handling for temporary deviations from the requirements; and
• Cybersecurity Supplier Risk Management, as described below.
Cybersecurity risks need to be managed along the entire supply chain. Siemens considers this topic holistically, including IT, OT, and PSS, for procuring horizontal and vertical components, products, and services.
The main activities for improving the cybersecurity level along the supply chain include:
• Transparency regarding cybersecurity risk exposure along the supply chain;
• Systematic risk management practices supported by third-party supplier assessment methodology and respective tools and templates for contractual cybersecurity requirements to suppliers;
• Active participation in various expert communities; and
• Regular training and awareness campaigns for various target groups and use cases.