The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors

Christian Schlager; Georg Macher

doi:10.1007/978-3-030-85521-5_27

The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors

Christian Schlager^*, Georg Macher

^*Corresponding author for this work

Institute of Technical Informatics (4480)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

ASPICE has been introduced to development of embedded systems at automotive suppliers to assess the capability of processes. ASPICE covers processes for software, system, quality assurance, configuration management, problem resolution, change management, project management and supplier monitoring. It defines a scheme for determining the capability of the process based on the underlying PAM. HW Spice is also taken into consideration, because it is also necessary for Cybersecurity, but not mechanical Spice. Based on ASPICE VDA defined processes for Cybersecurity Engineering, Cybersecurity Risk Management and Supplier Request and Selection. This means additional effort for the assessors and also the engineering team when the ASPICE assessment is extended by processes of Cybersecurity to satisfy the requirements of standard ISO/SAE 21434. This paper investigates for the method of mapping the base practices (BP) of cybersecurity process defined by VDA to BP of ASPICE process(es) to reduce the time of an assessment by merging the Base Practices of Processes from Cybersecurity with the Base Practices of Processes from ASPICE.

Original language	English
Title of host publication	Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings
Editors	Murat Yilmaz, Paul Clarke, Richard Messnarz, Michael Reiner
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	409-422
Number of pages	14
ISBN (Print)	9783030855208
DOIs	https://doi.org/10.1007/978-3-030-85521-5_27
Publication status	Published - 2021
Event	28th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2021 - Krems, Austria Duration: 1 Sep 2021 → 3 Sep 2021

Publication series

Name	Communications in Computer and Information Science
Volume	1442
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	28th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2021
Country/Territory	Austria
City	Krems
Period	1/09/21 → 3/09/21

Keywords

ASPICE
Assessment
Cybersecurity

ASJC Scopus subject areas

Computer Science(all)
Mathematics(all)

Access to Document

10.1007/978-3-030-85521-5_27

Cite this

Schlager, C., & Macher, G. (2021). The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors. In M. Yilmaz, P. Clarke, R. Messnarz, & M. Reiner (Eds.), Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings (pp. 409-422). (Communications in Computer and Information Science; Vol. 1442). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-85521-5_27

The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors. / Schlager, Christian; Macher, Georg.

Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings. ed. / Murat Yilmaz; Paul Clarke; Richard Messnarz; Michael Reiner. Springer Science and Business Media Deutschland GmbH, 2021. p. 409-422 (Communications in Computer and Information Science; Vol. 1442).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Schlager, C & Macher, G 2021, The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors. in M Yilmaz, P Clarke, R Messnarz & M Reiner (eds), Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings. Communications in Computer and Information Science, vol. 1442, Springer Science and Business Media Deutschland GmbH, pp. 409-422, 28th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2021, Krems, Austria, 1/09/21. https://doi.org/10.1007/978-3-030-85521-5_27

Schlager C, Macher G. The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors. In Yilmaz M, Clarke P, Messnarz R, Reiner M, editors, Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 409-422. (Communications in Computer and Information Science). https://doi.org/10.1007/978-3-030-85521-5_27

Schlager, Christian ; Macher, Georg. / The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors. Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings. editor / Murat Yilmaz ; Paul Clarke ; Richard Messnarz ; Michael Reiner. Springer Science and Business Media Deutschland GmbH, 2021. pp. 409-422 (Communications in Computer and Information Science).

@inproceedings{64f6fcee418b4e4e90f6fd45cfeccfb1,

title = "The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors",

abstract = "ASPICE has been introduced to development of embedded systems at automotive suppliers to assess the capability of processes. ASPICE covers processes for software, system, quality assurance, configuration management, problem resolution, change management, project management and supplier monitoring. It defines a scheme for determining the capability of the process based on the underlying PAM. HW Spice is also taken into consideration, because it is also necessary for Cybersecurity, but not mechanical Spice. Based on ASPICE VDA defined processes for Cybersecurity Engineering, Cybersecurity Risk Management and Supplier Request and Selection. This means additional effort for the assessors and also the engineering team when the ASPICE assessment is extended by processes of Cybersecurity to satisfy the requirements of standard ISO/SAE 21434. This paper investigates for the method of mapping the base practices (BP) of cybersecurity process defined by VDA to BP of ASPICE process(es) to reduce the time of an assessment by merging the Base Practices of Processes from Cybersecurity with the Base Practices of Processes from ASPICE.",

keywords = "ASPICE, Assessment, Cybersecurity",

author = "Christian Schlager and Georg Macher",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 28th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2021 ; Conference date: 01-09-2021 Through 03-09-2021",

year = "2021",

doi = "10.1007/978-3-030-85521-5_27",

language = "English",

isbn = "9783030855208",

series = "Communications in Computer and Information Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "409--422",

editor = "Murat Yilmaz and Paul Clarke and Richard Messnarz and Michael Reiner",

booktitle = "Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings",

address = "Germany",

}

TY - GEN

T1 - The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors

AU - Schlager, Christian

AU - Macher, Georg

PY - 2021

Y1 - 2021

N2 - ASPICE has been introduced to development of embedded systems at automotive suppliers to assess the capability of processes. ASPICE covers processes for software, system, quality assurance, configuration management, problem resolution, change management, project management and supplier monitoring. It defines a scheme for determining the capability of the process based on the underlying PAM. HW Spice is also taken into consideration, because it is also necessary for Cybersecurity, but not mechanical Spice. Based on ASPICE VDA defined processes for Cybersecurity Engineering, Cybersecurity Risk Management and Supplier Request and Selection. This means additional effort for the assessors and also the engineering team when the ASPICE assessment is extended by processes of Cybersecurity to satisfy the requirements of standard ISO/SAE 21434. This paper investigates for the method of mapping the base practices (BP) of cybersecurity process defined by VDA to BP of ASPICE process(es) to reduce the time of an assessment by merging the Base Practices of Processes from Cybersecurity with the Base Practices of Processes from ASPICE.

AB - ASPICE has been introduced to development of embedded systems at automotive suppliers to assess the capability of processes. ASPICE covers processes for software, system, quality assurance, configuration management, problem resolution, change management, project management and supplier monitoring. It defines a scheme for determining the capability of the process based on the underlying PAM. HW Spice is also taken into consideration, because it is also necessary for Cybersecurity, but not mechanical Spice. Based on ASPICE VDA defined processes for Cybersecurity Engineering, Cybersecurity Risk Management and Supplier Request and Selection. This means additional effort for the assessors and also the engineering team when the ASPICE assessment is extended by processes of Cybersecurity to satisfy the requirements of standard ISO/SAE 21434. This paper investigates for the method of mapping the base practices (BP) of cybersecurity process defined by VDA to BP of ASPICE process(es) to reduce the time of an assessment by merging the Base Practices of Processes from Cybersecurity with the Base Practices of Processes from ASPICE.

KW - ASPICE

KW - Assessment

KW - Cybersecurity

UR - http://www.scopus.com/inward/record.url?scp=85115048495&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-85521-5_27

DO - 10.1007/978-3-030-85521-5_27

M3 - Conference paper

AN - SCOPUS:85115048495

SN - 9783030855208

T3 - Communications in Computer and Information Science

SP - 409

EP - 422

BT - Systems, Software and Services Process Improvement - 28th European Conference, EuroSPI 2021, Proceedings

A2 - Yilmaz, Murat

A2 - Clarke, Paul

A2 - Messnarz, Richard

A2 - Reiner, Michael

PB - Springer Science and Business Media Deutschland GmbH

T2 - 28th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2021

Y2 - 1 September 2021 through 3 September 2021

ER -

The Cybersecurity Extension for ASPICE - A View from ASPICE Assessors

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this