TIAA Released IOV Cyber Guidelines

On February 18, the Telematics Industry Application Alliance (TIAA) released a notice on the Draft Internet of Vehicles (IOV) Cybersecurity Protection Guideline Rules, open for public comment until March 30. The guidelines were developed under the guidance of the Ministry of Industry and Information Technology (MIIT) and the Office of State Commercial Cryptography Administration (OSCCA).
 
The rules build on the Industry Control System Information Security Protection Guideline and set out detailed requirements in light of the actual needs of the IOV sector. They govern IOV system operators and the enterprises and public institutions engaged in the planning, design, manufacturing, operation and maintenance, and assessment of IOV system-related products. It is not clear how this IOV cybersecurity protection guideline relates to the TC260 cybersecurity standards, or whether it will be integrated into the TC260 series of standards.
 
The notice outlines 35 detailed articles. Highlights include the following:
 
IV. Physical and Environmental Security Protection
(1) The computer rooms for service platforms shall be located within China. The siting and design of computer rooms, and the power supply, fire protection, and temperature and humidity control for such rooms, shall comply with the requirements of national standards. Physical security measures shall be in place for computer rooms, such as access control, camera surveillance, and a 24-hour on-duty system. For service platforms adopting a public cloud service model, the selection of cloud service providers shall comply with the requirements of national standards.
 
IX. Data Security
(1) Risk assessments shall be conducted regularly for the data collected, transferred and stored in IOV systems. Critical business data and user information must be protected by security mechanisms (e.g. encryption and anti-tampering) during storage and transmission, and an access control policy shall be applied during use.
 
X. Supply Chain Management
(1) When choosing providers for the planning, design, construction, operation and maintenance, or evaluation of IOV systems, and for the supply of products or services, priority shall be given to products accredited through security assessment and to enterprises and public institutions with security service experience. Providers shall be required to keep relevant matters confidential to prevent the disclosure of sensitive information.