
Governance for Cybersecurity & Software Updates

Effective governance is the foundation for aligning with GB/T 44495 (cybersecurity) and GB/T 44496 (software updates). This page outlines a practical, non-normative governance model that integrates organizational roles, policies, competence, process control, supplier oversight, and continuous improvement in the China market context.

1) Policy & Objectives

  • Cybersecurity & Updates Policy: scope (China market), objectives, risk appetite, decision authority, and links to corporate policies.
  • Applicability: vehicle types/variants, ECUs, software items, and backend interfaces that affect vehicle risk or update delivery in China.
  • Commitments: secure development, vulnerability handling/PSIRT, signing/eligibility, records/retention, and privacy-by-design for telemetry.

2) Organization, Roles & Accountability

  • Leadership: appointed owner(s) for GB/T alignment with authority to approve risk, budgets, and exceptions.
  • RACI: Responsibility matrices for item security, TARA, verification/validation, PSIRT, SUMS, supplier security, data protection, and records.
  • Segregation of duties: distinct authors/reviewers/approvers; dual control for keys and signing operations.
  • Local presence: identified CN contacts for regulator queries, incident comms, and audit coordination.

3) Competence & Training

  • Role profiles: skills and qualification criteria for engineering, testing, PSIRT, SUMS, dealer operations, and supplier managers.
  • Curriculum: ISO/SAE 21434 basics, R155/156 fundamentals, GB/T expectations, secure update chain-of-trust, privacy, and evidence hygiene.
  • Records: training completion, refresh cadence, and competence reviews tied to audits.

4) Process Framework & Control

  • Cybersecurity lifecycle (GB/T 44495-aligned): concept → development → production → operation → decommissioning with TARA, requirements, and V&V gates.
  • Software updates (GB/T 44496-aligned): plan → package/sign → approve → deliver → install → validate → record → improve; rollback criteria defined upfront.
  • Change/config management: version control for artifacts, templates, eligibility rules, manifests, and keys/certificates.
  • Document control: stable IDs, owners, approvals, applicability to CN variants, bilingual (EN/中文) where needed.

5) Key, PKI & Toolchain Governance

  • Key management policy: hierarchy, HSM usage, roles, rotation/revocation, emergency procedures; supplier delegation rules.
  • Signing policy: algorithms/parameters, timestamping, provenance recording, and audit logs.
  • Approved toolchains: build/packaging/signing, diagnostics/service tools; access control, qualification/approval records, and change approvals.
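The update chain in section 4 (package/sign → approve → deliver with eligibility rules) and the key and signing governance in section 5 (dual control, provenance recording, audit logs) come together in the release tooling. The following Go program is an added example, not code from the original page or from any GB/T 44496 reference implementation. It shows the three mechanical checks those sections imply: a release manifest that is accepted only with valid signatures from two distinct keys held by two distinct roles (dual control), an eligibility rule evaluated per vehicle variant and current build, and a hash-chained append-only campaign log of the kind section 7 calls "immutable or signed logs". The manifest field set, the role names "packager" and "approver", the build-number versioning and all sample identifiers are assumptions made for this example; Ed25519 keys generated in memory stand in for keys that would in practice live in an HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Manifest states what a package is and which vehicles may receive it.
// The field set is an assumption for this example, not a GB/T 44496 schema.
type Manifest struct {
	PackageID    string   `json:"package_id"`
	Version      string   `json:"version"`
	PayloadSHA   string   `json:"payload_sha256"`
	Variants     []string `json:"eligible_variants"`
	MinFromBuild int      `json:"min_from_build"`
}

// Canonical is the byte string that is signed and logged; encoding/json writes
// struct fields in declaration order, so the encoding is stable across runs.
func (m Manifest) Canonical() []byte { b, _ := json.Marshal(m); return b }

// Signer is one entry in the trusted-key list; Role is "packager" or "approver".
type Signer struct {
	KeyID, Role string
	Pub         ed25519.PublicKey
}
type Approval struct {
	KeyID string
	Sig   []byte
}

// NewSigner makes a key pair; in production the private half stays in an HSM.
func NewSigner(keyID, role string) (Signer, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Signer{KeyID: keyID, Role: role, Pub: pub}, priv
}
func Sign(m Manifest, keyID string, priv ed25519.PrivateKey) Approval {
	return Approval{KeyID: keyID, Sig: ed25519.Sign(priv, m.Canonical())}
}

// VerifyDualControl accepts a manifest only with valid signatures from two
// distinct trusted keys covering both roles; the same key twice is refused.
func VerifyDualControl(m Manifest, approvals []Approval, trusted map[string]Signer) error {
	msg := m.Canonical()
	seenKey, seenRole := map[string]bool{}, map[string]bool{}
	for _, a := range approvals {
		s, ok := trusted[a.KeyID]
		if !ok || !ed25519.Verify(s.Pub, msg, a.Sig) {
			return fmt.Errorf("rejected signature from key %q", a.KeyID)
		}
		if seenKey[a.KeyID] {
			return fmt.Errorf("key %q used twice", a.KeyID)
		}
		seenKey[a.KeyID], seenRole[s.Role] = true, true
	}
	if !seenRole["packager"] || !seenRole["approver"] {
		return fmt.Errorf("dual control not met: need packager and approver")
	}
	return nil
}

// Eligible applies the manifest's eligibility rules to one vehicle.
func Eligible(m Manifest, variant string, currentBuild int) bool {
	if currentBuild < m.MinFromBuild {
		return false
	}
	for _, v := range m.Variants {
		if v == variant {
			return true
		}
	}
	return false
}

// LogEntry is one record of a hash-chained campaign log; Subject is the
// sha256 of the canonical manifest the event refers to.
type LogEntry struct {
	Seq                                int
	At, Event, Subject, PrevHash, Hash string
}

func entryHash(e LogEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AppendLog links each entry to its predecessor, so altering an earlier entry
// invalidates every later hash and VerifyChain reports it.
func AppendLog(log []LogEntry, at time.Time, event string, m Manifest) []LogEntry {
	prev := ""
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	subj := sha256.Sum256(m.Canonical())
	e := LogEntry{Seq: len(log), At: at.UTC().Format(time.RFC3339), Event: event,
		Subject: hex.EncodeToString(subj[:]), PrevHash: prev}
	e.Hash = entryHash(e)
	return append(log, e)
}

func VerifyChain(log []LogEntry) bool {
	prev := ""
	for i, e := range log {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	// Constructed sample values; identifiers are placeholders, not real data.
	m := Manifest{PackageID: "PKG-EXAMPLE-001", Version: "2.4.0", PayloadSHA: "<sha256 of payload>",
		Variants: []string{"CN-VAR-A"}, MinFromBuild: 230}
	pk, pkPriv := NewSigner("packager-01", "packager")
	ap, apPriv := NewSigner("approver-01", "approver")
	trusted := map[string]Signer{pk.KeyID: pk, ap.KeyID: ap}
	err := VerifyDualControl(m, []Approval{Sign(m, pk.KeyID, pkPriv), Sign(m, ap.KeyID, apPriv)}, trusted)
	log := AppendLog(nil, time.Now(), "manifest.approved", m)
	fmt.Println("dual control:", err == nil, "eligible:", Eligible(m, "CN-VAR-A", 231), "chain:", VerifyChain(log))
}
```

Two design points carry over to real tooling: the signature covers the canonical manifest bytes, so any change to eligibility rules after approval (the mid-campaign change the Don't list warns about) invalidates both signatures and forces re-approval; and the log's timestamps are only as trustworthy as the clock that produced them, which is why section 7 pairs signed logs with clock-sync evidence.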

6) Supplier & Third-Party Governance

  • Contracts/SOWs: flow-down cybersecurity/update requirements, SLAs for vulnerability fixes, SBOM deliverables, evidence packages, and audit rights.
  • Assessment & monitoring: risk-based supplier audits, corrective actions, and re-assessment triggers tied to incidents or changes.
  • Interface security: keys/credentials custody, update procedures, service tool controls, and coordination for incidents and campaigns.

7) Records, Retention & Privacy (China Context)

  • Evidence index: single catalog of artifacts with stable IDs, owners, versions, CN applicability, and translation pointers.
  • Retention: per-VIN/per-campaign records with defined retention periods suitable for China markets; immutable or signed logs, clock-sync evidence.
  • Data minimization: telemetry PII reduction, access controls, export logging, and clear lawful basis documentation.

8) Monitoring, PSIRT & Incident Governance

  • Vulnerability intake: public page, security mailbox, supplier portals; triage SLAs.
  • PSIRT playbook: severity classes, escalation, communications (incl. CN authorities), linkage to SUMS for corrective updates.
  • Lessons learned: update TARA, requirements, tests, training, and supplier criteria.

9) KPIs, Audits & Management Review

  • KPIs: TARA aging, control coverage, defect discovery pre/post, update success/abort, time-to-patch, incident MTTR, training coverage.
  • Internal audits: periodic checks on CSMS/SUMS, keys/toolchains, suppliers, and records.
  • Management review: cadence, inputs (KPIs/audits/incidents), decisions and assigned CAPA.

Practical Do / Don’t

Do

  • Publish a clear RACI and keep it versioned.
  • Localize critical documents (EN/中文) for audits and suppliers.
  • Bind security/update SLAs into contracts with measurable acceptance criteria.
  • Operate dual-control for signing keys; retain key lifecycle logs.
  • Maintain a single evidence index with stable IDs and CN applicability tags.

Don’t

  • Rely on ad-hoc emails for supplier evidence—use a controlled portal.
  • Let eligibility rules change mid-campaign without re-approval.
  • Store excessive PII in telemetry when technical IDs suffice.
  • Mix development artifacts with production evidence repositories.

Typical Outputs

  • Cybersecurity & Updates Policy (CN scope), org chart, and RACI.
  • Competence matrix, training plan, and completion records.
  • Process set: TARA/requirements/V&V, PSIRT, SUMS procedures, change/config control.
  • Key/PKI policy, signing policy, toolchain approvals, access logs.
  • Supplier clauses, assessment results, CAPA, evidence exchange packages.
  • Evidence index, retention policy, privacy notes, and access audit logs.
  • KPI dashboards, internal audit reports, management review minutes/CAPA.

Disclaimer: This page summarizes governance practices relevant to GB/T 44495 & 44496. For authoritative requirements, consult the official standards and applicable guidance from Chinese authorities or accredited bodies.