PDF Risk Assessment and Management Auto Isac Ebook Full Chapter

Risk assessment and management
Auto-Isac
Visit to download the full and correct content document:
https://textbookfull.com/product/risk-assessment-and-management-auto-isac/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Awareness and Training Auto-Isac
https://textbookfull.com/product/awareness-and-training-auto-
isac/
Security development lifecycle Auto-Isac
https://textbookfull.com/product/security-development-lifecycle-
auto-isac/
Nanotoxicology : Toxicity Evaluation, Risk Assessment

and Management First Edition Dasgupta
https://textbookfull.com/product/nanotoxicology-toxicity-
evaluation-risk-assessment-and-management-first-edition-dasgupta/
Natech Risk Assessment and Management. Reducing the

Risk of Natural-Hazard Impact on Hazardous
Installations Elisabeth Krausmann
https://textbookfull.com/product/natech-risk-assessment-and-
management-reducing-the-risk-of-natural-hazard-impact-on-
hazardous-installations-elisabeth-krausmann/
A Clinician s Guide to Suicide Risk Assessment and
Management 1st Edition Joseph Sadek
https://textbookfull.com/product/a-clinician-s-guide-to-suicide-
risk-assessment-and-management-1st-edition-joseph-sadek/
The Gower Handbook of Extreme Risk Assessment

Perception and Management of Extreme Events Vicki Bier
https://textbookfull.com/product/the-gower-handbook-of-extreme-
risk-assessment-perception-and-management-of-extreme-events-
vicki-bier/
Strategic Security Management: A Risk Assessment Guide

for Decision Makers 2nd Edition Karim Vellani
https://textbookfull.com/product/strategic-security-management-a-
risk-assessment-guide-for-decision-makers-2nd-edition-karim-
vellani/
Winning with Risk Management Financial Engineering and

Risk Management Volume 2 1st Edition Russell Walker
https://textbookfull.com/product/winning-with-risk-management-
financial-engineering-and-risk-management-volume-2-1st-edition-
russell-walker/
Fundamentals of Risk Management Understanding

evaluating and implementing effective risk management
4th Edition Paul Hopkin
https://textbookfull.com/product/fundamentals-of-risk-management-
understanding-evaluating-and-implementing-effective-risk-
management-4th-edition-paul-hopkin/
RISK ASSESSMENT AND MANAGEMENT
AUTO-ISAC
AUTOMOTIVE CYBERSECURITY BEST PRACTICES
RISK ASSESSMENT
AND MANAGEMENT
Best Practice Guide
Version 2.3
Traffic Light Protocol: WHITE.
This information may be shared in public forums.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
Traffic Light Protocol: White (May be shared in public forums)

partners)
Version History
This is a living document, which will be periodically updated under the direction of the Auto-ISAC
Best Practices Working Group. We will track any updates in the table below.
Version Notes:
Version Revision Date Notes

v1.0 18 January 2018
v2.0 19 July 2018 Updated by the Best Practice Working Group Task Force
Changed from TLP Amber to TLP Green for release to
v2.1 30 November 2018
industry stakeholders via request on Auto-ISAC website
Performed periodic continuity and consistency refresh
v2.2 01 July 2019
across all Best Practice documents
Changed from TLP Green to TLP White for release to the
v2.3 19 August 2019
public via request on Auto-ISAC website
i These are voluntary and aspirational practices, which may evolve over time.
Contents
Version History ............................................................................................................................... i
1.0 Introduction ............................................................................................................................. 1
1.1 Best Practices Overview ................................................................................................... 1
1.2 Purpose ............................................................................................................................. 1
1.3 Scope ................................................................................................................................ 1
1.4 Audience ........................................................................................................................... 2
1.5 Authority and Guide Development .................................................................................... 2
1.6 Governance and Maintenance .......................................................................................... 2
2.0 Best Practices ......................................................................................................................... 3
2.1 Scope and Requirements.................................................................................................. 3
2.2 Coverage........................................................................................................................... 4
2.2.1 Design ...................................................................................................................... 4
2.2.2 Implementation and Integration ................................................................................ 5
2.2.3 Testing ..................................................................................................................... 5
2.2.4 Production ................................................................................................................ 5
2.2.5 Aftersales ................................................................................................................. 6
2.3 Roles and Responsibilities ................................................................................................ 6
2.4 Risk Lifecycle .................................................................................................................. 12
2.5 Risk Tolerance ................................................................................................................ 13
2.6 Evaluation of Results and Risk Treatment ...................................................................... 15
2.7 Communicating Risk to Leadership and Stakeholders ................................................... 17
2.8 Governance and Compliance.......................................................................................... 18
Appendix A: Glossary of Terms .................................................................................................... 1
Appendix B: Additional References and Resources ..................................................................... 3
Appendix C: Sample Risk Scoring Frameworks ........................................................................... 4
Appendix D: Acronyms ................................................................................................................. 5
ii Please see Section 1.2 for more information.
)
1.0 Introduction
1.1 BEST PRACTICES OVERVIEW
This Best Practice Guide is one in a series of seven Guides intended to provide the automotive
industry with guidance on the Key Cybersecurity Functions defined in the Automotive
Cybersecurity Best Practices Executive Summary:
1. Incident Response
2. Collaboration and Engagement with Appropriate Third Parties
3. Governance
4. Risk Assessment and Management
5. Awareness and Training
6. Threat Detection, Monitoring and Analysis
7. Security Development Lifecycle
Guides offer greater detail to complement the high-level Executive Summary. This Guide aligns
with the “Risk Assessment and Management” function and is made available for use by
companies, as appropriate for their unique systems, processes, and risks.
1.2 PURPOSE
The purpose of this Guide is to assist automotive industry stakeholders in integrating vehicle
cybersecurity risk management into their overall corporate risk management structure (e.g. based
on ISO 31000:2009 family or COSO 2017 Enterprise Risk Management Framework). This Guide
assumes that organizations already have a risk management strategy in place.
This Guide provides forward-looking guidance without being prescriptive or restrictive. These best
practices are:
• Not Required. Companies have autonomy and can decide which of these practices to
select and can adopt these practices based on their respective risk landscapes and
organizational structures.
• Aspirational. These practices are forward-looking and voluntarily implemented over time,
as appropriate.
• Living. Auto-ISAC plans to periodically update this Guide to adapt to the evolving
automotive cybersecurity landscape.
1.3 SCOPE
This Guide describes key considerations for companies around vehicle cybersecurity risk
management efforts. It contains best practices and implementation guidance for companies to
integrate, evaluate and remediate cyber risk assessments throughout the product development
lifecycle. These are voluntary, non-prescriptive, aspirational practices, which companies may use
to determine an appropriate approach for their unique risk landscape.
1 Please see Section 1.2 for more information.
The scope of the guide covers all phases of the vehicle lifecycle, including design, development,
and post-production. These phases are described in Figure 1 below.
FIGURE 1: VEHICLE LIFECYCLE PHASES
1.4 AUDIENCE
This Guide was written for use by light-duty and heavy-duty vehicle OEMs, light-duty and heavy-
duty vehicle suppliers, and commercial vehicle companies (e.g. fleets, carriers). It may also
provide insights for other stakeholders across the connected vehicle ecosystem.
Within these organizations, the primary audience is vehicle cybersecurity managers, leaders, and
senior executives who are responsible for managing vehicle cybersecurity risk.
1.5 AUTHORITY AND GUIDE DEVELOPMENT

The Auto-ISAC Best Practices Working Group wrote this Guide, with support from Booz Allen
Hamilton vehicle cybersecurity SMEs who facilitated the Guide’s development. The Working
Group is comprised of over 130 representatives from Auto-ISAC Members, including:
AT&T
FCA Infineon Nissan
Bosch
Ford Kia NXP
BMW
General Motors Lear Corporation Panasonic
Continental
Geotab Magna Subaru
Cooper Standard
Harman Mazda Toyota
Cummins
Honda Mercedes-Benz Volkswagen
Delphi
Honeywell Mitsubishi Motors Volvo
DENSO
Hyundai Mobis ZF
EHI
The Working Group also coordinated with several external stakeholders while developing this
Guide, including Auto Alliance, Global Automakers, National Highway Traffic Safety
Administration (NHTSA), National Institute of Standards and Technology (NIST), International
Organization for Standardization (ISO), and SAE International (SAE).
1.6 GOVERNANCE AND MAINTENANCE

The Auto-ISAC Best Practices Standing Committee is responsible for the maintenance of the
Guide, which will undergo periodic refresh to incorporate, as appropriate, lessons learned, new
policies, updated or new engineering standards, and the like.
This Guide will be rolled out in phases and marked accordingly with the appropriate Traffic Light
Protocol (TLP) classification:
• First 3 months after publication: TLP Amber - available exclusively to Auto-ISAC Members
• 3 to 9 months after publication: TLP Green - released by request to industry stakeholders
• 9 months after publication: TLP White - released to the public via the Auto-ISAC website
(www.automotiveisac.com), subject to Board of Directors confirmation
This Guide was developed while the ISO and SAE were in the process of jointly developing the
ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering Standard. After ISO/SAE 21434 is
published, the Standing Committee plans to review and update this Guide, if required.
2.0 Best Practices

The objective of this document is to provide guidance for handling cyber risk management
associated with the vehicle ecosystem. This document assumes that a risk methodology is
already in place for the organization and addresses the application of that methodology
throughout the product lifecycle, and the possible actions associated with an objective risk score.
Furthermore, it discusses how corporate risk management practices, for instance risk treatment,
can be adapted by a company to the vehicle product cybersecurity domain.
Many risk management methodologies exist, and each is likely to be individually tailored to each
organization to accommodate for application-specific details or unique organizational attributes,
which may consider culture, process or experience. Possible risk methodologies to consider for
implementation are available in Appendix B: Additional References and Resources of this
document.
2.1 SCOPE AND REQUIREMENTS

It is important to define the overall scope and requirements associated with implementing a cyber
risk assessment methodology. Defining the boundaries of the program will allow for better control
and governance of the activities and manage the potential cost impact.
The same cyber risk assessment methodology typically is used throughout the organization, and
through the product or vehicle lifecycle, including the following organizational departments or
phases of development:
• Product Development Engineering

• Service
• Operations
• Procurement
• Aftermarket
3 These are voluntary and aspirational practices, which may evolve over time.
The cyber risk management process may be tailored throughout the development cycle (see
Section 2.2 Coverage), and the levels of acceptable risk may change throughout the lifecycle as
well (see Section
2.4 Risk LIFECYCLE).
Products, components or systems that may be considered for a cyber risk assessment include all
products that may impact vehicle cybersecurity, which may include the following:
• Electrical or electronic parts or systems installed in road vehicles

• Connected components or access to the outside world (e.g. USB, OBD II)
• Storage of personal data
• Fully connected ecosystem
The complete vehicle ecosystem may include networked systems and connected electronic
components that control or otherwise interact with the connected vehicle ecosystem. These
systems and components enable the collection, processing, storage, and transportation of data,
as well as taking action based on data.
2.2 COVERAGE
An effective cyber risk management process can be based on various types of assessments
performed during certain states of a vehicle or product’s entire lifecycle and will support the
identification of cybersecurity risks.
The vehicle or product lifecycle may consist of several milestones and phases involving different
stakeholders within an automotive company. If the company uses the well-known waterfall or V
model for its development lifecycles, significant milestones may include the follow phases:
• Design
• Implementation and Integration
• Testing
• Production
• Aftersales
During these different phases, different types of security assessments can be performed along
the waterfall model, as well as after product deployment, as shown in the following figure:
FIGURE 2. SAMPLE SECURITY ASSESSMENTS DURING PRODUCT DEVELOPMENT CYCLE

2.2.1 Design
In an early stage, it will be useful to perform a security risk analysis (paper analysis) of a vehicle
or product’s overall functional concept to consider assets, threat vectors and actors, as well as
the resulting protection goals. Based on the outcome of a paper analysis, new risks for cyber risk
management can be identified, and design decisions about new requirements for the overall
architecture can be made and agreed upon. In addition, a company may consider performing
further paper analysis on planned products, which might be derived in the future and which might
consist of both new technology as well as legacy technology (e.g. to reuse existing component
designs in new products).
A risk analysis in the design phase should consider:
• The relevant threats, threat actors and threat vectors identified during the Threat Detection
phase (see the Auto-ISAC’s Threat Detection, Monitoring and Analysis Best Practice
Guide for more information)
• Anticipated risks in the subsequent phases of the vehicle lifecycle (Implementation,
Testing, Production, Aftersales)
• Risks associated with the entire vehicle ecosystem: vehicle electronics, connectivity
interfaces (e.g. OBD II, cellular, WiFi) manufacturing facilities and their IT systems, supply
chain and logistics risks, risks with vendor software, connectivity infrastructure services
(e.g. software update management), security services (e.g. Public Key Infrastructure,
certificate or credential management)
• Risks related to supplier and vendor products (hardware and software)
2.2.2 Implementation and Integration
After the design phase but before implementation, all requirements can be measured against their
effectiveness in reaching company-specific protection goals. Furthermore, it may be useful to
update the vehicle’s overall security posture after all paper analyses have been conducted.
Some products use different development methodologies. Consider the following example:
Mobile applications are often developed in shorter lifecycles (i.e. in an agile style and thus do not
necessarily follow the V model). In this case, it is generally important to define synchronous
security milestones reflecting that the vehicle or product’s functionality has reached its necessary
maturity and that connected functions can be tested together with mobile applications. During the
final stages of development, unanticipated vulnerabilities are likely to be identified. It is therefore
helpful to have budgeted sufficient time in the planning stages for the remediation of identified
risks.
2.2.3 Testing
During the planning phase and before implementation, it is important to introduce several
milestones which ensure that the product’s maturity is in a state where security is testable.
Penetration tests, security code scanning, and other functional security tests can be planned
according to these milestones. The planning of the security testing milestones in the testing phase
typically considers the time to remediate identified vulnerabilities and the remaining length of the
development phase. It might prove useful to rate identified vulnerabilities with a risk rating
methodology and prioritize remediation based on that. Vulnerabilities which might not be quickly
fixed, as well as newly identified weaknesses, could then be treated by the aftersales vehicle
cyber risk management process.
2.2.4 Production
A company may consider performing a security approval at the end of the testing phase to check
product security, and if possible, audit the implementation of security requirements. This security
approval may have the added benefit of raising security awareness within the company, as well
as leading to a natural understanding of security-related tests by involved development
departments. The outcome of this approval may be reflected to the design process to lead to long-
term security improvements and a security-minded culture.
It is important that production cybersecurity risk management not end with the production security
approval. Maintaining a focus on security throughout production helps to manage the risk
landscape. Cybersecurity quality checks often are performed to ensure that the security
measures are being implemented correctly and no unauthorized changes are applied. Production
approved changes can go through a similar, if not the same, risk assessments as were done
during development. Additionally, supply chain risk can be assessed and managed throughout
the production life of the product.
2.2.5 Aftersales
After a product’s market launch, it is useful to have threat monitoring in place, which helps to
identify new trends in the threat landscape (e.g. in the hacker scene, potential emerging attack
vectors, newly discovered vulnerabilities, cybersecurity incidents). To achieve long-term
cybersecurity product improvements, the cyber risk assessment team can be informed about
newly identified attack vectors and the organization’s cyber risk protection goals may be
continuously updated. Over-the-air updates may introduce new features or be helpful in
remediating vulnerabilities or neutralizing potential threats of already deployed vehicles. An over-
the-air update also typically is subject to appropriate assessments (e.g. through paper analysis
and/or penetration tests and code audits).
In addition to threat monitoring and vulnerability management activities a manufacturer can

manage risks in the portion of the aftersales environment where they may have influence, such
as their associated dealership network, connected applications, and accessory parts. During the
development process, each of these areas typically has been considered and ongoing attention
to these areas needs to be sustained throughout the product lifecycle. In the dealer network, items
such as service tools need to be designed, produced, and maintained to have proper security
controls in place. Connected applications should be monitored and the risk assessment should
be updated as the environment changes. Accessory and aftermarket parts also need to be
properly assessed for cybersecurity risk and proper controls put in place.
2.3 ROLES AND RESPONSIBILITIES

This section offers a basic understanding of the different roles and responsibilities that are
possible within a vehicle or product cyber risk management process. The first part of this section
describes the different stakeholders and their roles, while the second part explains the associated
responsibilities regarding their tasks and timing. This section does not refer explicitly to the
product development cycle phases, since most of the tasks are recurring (e.g. assessments after
new cyber incidents or after a product change). This section also discusses how a “second set of
eyes policy” is beneficial. At the end, the interaction of the roles and responsibilities is shown in
an example RASIC (Responsible, Approve, Support, Inform, Consult) chart.
The structure and membership of product cybersecurity teams can vary significantly across
companies based on factors including the cultures, organizational structures, and personnel
within each company. There is no single correct way to allocate roles and responsibilities. Instead,
each company properly can allocate roles and responsibilities in the way that makes most sense
in the contexts of their own businesses. Here we offer one example of how a company might
allocate responsibilities for risk management within one example cybersecurity product team
structure. The use of this example is not intended to suggest that it is preferable to other
approaches. For example, a company may choose to include different members or teams within
its risk management process or allocate responsibilities differently among the team members.
In the example provided here, the parties involved in the cyber risk management process are:
1. Cyber Leader
2. Product Cybersecurity Team, including Cyber Risk Managers and Cybersecurity
Analysts
3. Penetration Testing Team (Pen Testing Team)
4. Incident Response Team
5. Design Team including its Program Manager
6. Developers
7. An appropriate executive manager; (e.g. Director)
Organizations may consider the following roles and associated core responsibilities described
below.
1. In this example, the Cyber Leader is defined as the individual who is responsible for
leading efforts and managing the Product Cybersecurity Team, Penetration Testing
Team, and Vehicle Incident Response Team. The Cyber Leader is the facilitator of all
assessment results and has the job of communicating results to the interested
stakeholders.
Responsibilities may include:

▪ Overseeing the Product Cybersecurity Team to help ensure that cybersecurity
tests and risk assessments are conducted throughout the vehicle lifecycle, and to
direct interaction with appropriate teams to help ensure that standards are being
met.
▪ Helping to ensure the completed tests and risk assessments are logged and
reported as appropriate to leadership and the Product Team.
▪ Collaboration with the Design Team Management to help ensure that there is
firm milestone planning known and followed by all parties.
▪ Reporting to upper management about the product’s cybersecurity state and
threat landscape.
▪ First-line approval on the acceptability (risk tolerance) of identified cybersecurity
risk assessments and escalation to upper management of high-risk topics, as
needed.
▪ Reporting vehicle cyber risks to corporate risk management based on predefined
thresholds.
2. The Product Cybersecurity Team is often referred to in the security domain as the “Blue
Team.” It typically consists of the individuals who perform the day-to-day cybersecurity
processes, including cyber risk assessments on concepts, as well as defining new
protection goals to counter the changing threat landscape. This team is typically
removed (organizationally) from the Design Teams to enable impartiality during all
assessments.

▪ Ownership of the product cyber risk assessment process.
▪ Help ensure that all relevant components and functions of a vehicle are assessed
regarding cyber risks throughout the vehicle lifecycle.
▪ Monitoring and regularly updating the risk landscape.
▪ Defining protection goals for vehicle cybersecurity and the security posture
together with the Design Team that is responsible for a vehicle overall
architecture.
▪ Defining and updating product security policies (e.g. basic security requirements
set).
▪ Review and approval or consulting of specific ECU and functional cybersecurity
concepts delivered by the Design Team.
▪ Interaction and discussions with the Design Team regarding technical
requirements and if these are sufficient to meet the defined protection goals.
▪ Driving the remediation of identified vulnerabilities together with the Design Team
and developers.
3. The Pen Testing Team is in the security domain referred to as the “Red Team” and is
defined as those individuals who perform penetration testing on vehicles, ECUs, or
functions. This team may be internal or external. Separation of the Pen Testing Team
from the Design Team supports impartiality. It can narrow down the practicability of
possible vehicle cyber-attacks and thus can rate the robustness of a product against
cyberattacks. The Pen Testing Team is also able to support the Incident Response team
in certain technical assessments.

▪ Creation of a test plan on cybersecurity tests and perform related penetration
tests.
▪ Performance of periodic source code audits to identify vulnerabilities and raise
awareness for insecure coding styles.
▪ Identification and rating of vulnerabilities regarding practicability of attacks and
impact according to the risk rating methodology mentioned in chapter 7.
▪ Reporting on all performed tests as well as audits.
▪ Definition of new test-cases derived from publicly-known cyber-attacks and
delivery to Design Team and Developers as appropriate.
The Pen Test leader may create test policies, statements of work, or other related
documentation to ensure the completeness of penetration testing. The leader also may
oversee related tests, review reports, and escalate as appropriate.
4. The Incident Response Team is defined as the group who is responsible for technical
analysis of vehicle-related cyber incidents, rating discovered risks and handling incidents
by generating a corporate response.

▪ Technical analysis of vehicle cyber incidents or potential incidents (e.g.
unauthorized access related to a discovered vulnerability, rating resulting risks
and managing incidents by responding and communicating accordingly).
▪ Facilitate conclusion of incidents on a technical and a business level, according
to company risk tolerance, and remediation options described in Section 2.6
Evaluation of Results and Risk Treatment.
▪ Delivery of new attack patterns or concept weaknesses to the Product
Cybersecurity Team to enhance security for future products.
Note that some companies may not task their Incident Response Team with evaluating risks
identified in an incident but might hand off that task to other entities such as a vulnerability
management team. Such a team also may handle vulnerabilities more broadly and have
responsibility for the integration of vulnerability management into risk management.
5. The Design Team are those that work in engineering and who develop or support
development of the hardware and software that is being created and tested. The Design
Team is typically responsible for ensuring that the owners (Cyber Leader and Product
Cybersecurity Team) are provided with the evaluation evidence for accurate risk
assessments, typically program managers.

▪ Design of functionalities and definition of requirements for products.
▪ Planning of milestones for product maturity and its testability.
▪ Break-down of the security posture, which was created at the beginning of the
development lifecycle by the Product Cybersecurity Team into specific product
requirements.
▪ Meeting security performance requirements and specifications as determined by
the product Cyber Leader and Product Cyber Team.
▪ Evaluation of cybersecurity specific test-cases provided by the Product
Cybersecurity Team and Pen Test Team.
6. Developers implement the product requirements defined by the Design Team. The
difference between the Design Team and the developers is that software and hardware
are often developed by different suppliers, while functionality and specification are often
designed within a company. Depending on a company’s structure, it can be easier or
harder for the Product Cybersecurity Team to communicate directly with developers,
discuss vulnerabilities or source code audit findings and educate them on cybersecurity
best practices.

▪ Implementation of requirements delivered by Design Team.
▪ Implementation of changes based on the results of risk assessments delivered
by the Product Cybersecurity Team during certain milestones.
▪ Report any identified implementation risks (e.g. vulnerable third-party software

libraries) to Design Team and Product Cybersecurity Team.
7. The company’s Director makes business decisions that affect the product’s
cybersecurity. The Director receives briefs by the Cyber Leader to make best interest
decisions for the company.

▪ Approves the risk tolerance policy and thresholds for risk escalation.
▪ Take briefings by the Cyber Leader into account when making business
decisions.
However, they decide to allocate roles and responsibilities in the context of their own businesses,
organizations may consider the following advice:
The risk evaluation evidence required for performing these assessments should not have any
obvious internal inconsistencies or inconsistencies with other risk evaluation evidence. This
indicates that all results are initially inconclusive and remain so until a final risk score is assigned
to the system/component.
One person acting as Cyber Leader controls the reporting and helps to remove bias and errors.
Stakeholders are defined as leadership of the design team, cybersecurity, senior leadership, or
other internal stakeholders. The results of risk assessments being accurate and independent of
bias is crucial.
The review of cyber risk assessments may go to leadership in cybersecurity, design, and
executive management. The safety concerns and importance of considering risk in the design
process and throughout product life requires appropriate involvement of these key stakeholders.
Control gate reviews happen initially in two stages. The initial paper-based assessment and the
last penetration test before start of production are leadership’s way of controlling production and
development of new systems/components while understanding the present risk. Penetration tests
and source code audits are often not just performed at the end of the development cycle, but also
during it to identify risks and remediate these depending on their criticality before the product is
deployed in the field. Continuous reassessments of products after deployment can be done on a
periodic basis to help the Product Cybersecurity Team and the Cyber Leader recognize changes
to the risk landscape. Based on product alterations post-production, it might be useful to repeat
the different types of assessments to ensure that safety and risk standards are still being followed.
It may be useful to establish a 2nd pair of eyes principle (i.e. another authority can approve all
performed assessments regarding their scopes and results during each step in the development
phase). The 2nd pair of eyes principle can be achieved by introducing certain quality gates or
milestones which need to be approved by another individual or group not directly involved with
the working product. However, it might be hard to find this independent 2 nd pair of eyes within a
company, since approving cybersecurity relevant concepts or implementations extensive
knowledge in cybersecurity by the approving authority is required. Instead it might be a useful
alternative to establish periodic third party authority process audits on all cyber risk assessment
processes to check if these processes are complete, performed properly, and their results fulfill
the work quality standards as defined by the Cyber Leader.
Below are two examples in which the 2nd pair of eyes principle may be applied:
1. The Cyber Leader approves the last penetration test report regarding its scope and
identified vulnerabilities before vehicle deployment.
2. The Product Cybersecurity team approves compliance with cybersecurity policies of a
design concept for a new component.
Depending on the size, organization, and maturity of the cybersecurity team, it may be more
appropriate for the Design Team to take responsibility for the execution of the risk assessment,
while the Product Cybersecurity Team provides consulting oversight and responsibility for the
overall management. This scenario may be a more appropriate implementation for an OEM,
where the core technical expertise in understanding the details of the component design are held
by the Design Team. The Product Cybersecurity Team can provide counseling and cyber-specific
expertise, but the Design Team is typically responsible for compliance to the Product
Cybersecurity team’s policies or guidelines.
The RASIC tables below show examples of how an interaction between the roles described above
may be defined within a company with more responsibilities assigned to the Product
Cybersecurity Team as in Table 1 or more responsibilities assigned to the Design Team as in
Table 2:
TABLE 1. AN EXAMPLE OF A RASIC CHART TO SHOW INTERACTION BETWEEN VEHICLE CYBER

RISK MANAGEMENT STAKEHOLDERS
TABLE 2. AN EXAMPLE RASIC CHART WITH DESIGN TEAM RESPONSIBLE
2.4 RISK LIFECYCLE

Throughout the vehicle or product lifecycle, the assessed risk category may change as new
information is available. This may include updates due to design maturity, updated and added
product functionality, or changes in technology. It’s vital to ensure that the cyber risk management
process can accommodate these changes over time, and the risk profile is current. It is useful to
update the risk assessment logically, not simply based on milestones or changes in lifecycle. For
example, further design details may reveal additional interfaces, attack paths or technologies that
were undetermined previously.
Depending on the risk assessment method used, it is often helpful to determine the right
frequency, schedule, and scope (e.g. function, single ECU, system, full vehicle, and specified
triggers for residual risk assessments or updates). These methods only require an updated risk
assessment if there is a change to the item that could affect the initial risk assessment (e.g.
changes in functionality). Having a reasonable and practical risk assessment process helps
control costs and enables the company to focus on risk reduction efforts in the areas that require
the most attention.
Integrity Level, as defined by ISO 26262, determines the level of rigor in designing the component,
system or product. Cyber risk management may consider this Integrity level and other factors,
such as privacy, as a guideline for rigor in completing and updating cyber risk assessments. A
higher Integrity level or other such factors may drive greater diligence and attention in maintaining
a current cyber assessment.
Frequency of review and updates is also subject to organizational security culture. A company or
product with a lower risk tolerance may be more sensitive to changes. For example, areas of
higher risk may continue to receive greater attention and updates than known lower risk areas.
It is important to tailor requirements for your organization and risk tolerance and identify areas for
higher frequency in updating risk assessments. Possible triggers to consider may include:
• Changes in system architecture
• New functionality in the design
• Accumulation of residual risk
• New developments that could impact aged or previous projects
• Changes in perceived value of cybersecurity target
• Age of deployed technology
• Discovery of a new vulnerability or disclosure of an exploit
• New vulnerabilities, new threat actors, etc.
Changes in components, part number changes or physical hardware changes may lead to a
decision to undertake a new or updated cyber risk assessment. A change analysis may be
conducted to determine if a new risk assessment is required only on the changes, or an update
can be completed on the original assessment. It may be possible to create cascading risk
assessments, as needed. The following events can be evaluated for consideration of a new
(versus updated) risk assessment:
• Small component design change
• Major component change
• Architecture change
• New functionality
• New attack paths
• New threats or incidents
2.5 RISK TOLERANCE

Risk Tolerance is an organization’s maximum level of risk deemed to be acceptable. Risk
Tolerances for different circumstances can be determined by evaluating risk acceptance criteria,
such as the scale of consequences, potential brand damage, and regulatory compliance
requirements. Organizations may benefit from defining their Risk Tolerance throughout the
phases of the product lifecycle (e.g. concept, development, production, and for different risk
categories (e.g. safety, privacy, non-safety, non-privacy)). For example, having a higher Risk
Tolerance in the concept phase allows progress in cases where risk mitigation capable of meeting
lower downstream Risk Tolerance levels may be possible (see Figure 3). However, such a
narrowing Risk Tolerance approach may be disruptive in cases where risks tolerated in earlier
phases cannot be mitigated to meet the Risk Tolerance levels in later phases. Therefore, some
organizations may prefer a consistent or broadening Risk Tolerance to minimize such disruptions
(see Figure 2). Organizations may choose a higher Risk Tolerance for non-safety / non-privacy
risks as compared with safety / privacy risks, while complying with regulatory requirements. As
vehicles approach their End-of-Life (EOL) date, organizations may choose to raise their Risk
Tolerance for non-safety / non-privacy risks and communicate such EOL timing and potential
consequences to customers as many software and IoT manufacturers do.
FIGURE 3. EXAMPLE OF NARROWING RISK TOLERANCES
FIGURE 4. EXAMPLE OF CONSISTENT RISK TOLERANCES
2.6 EVALUATION OF RESULTS AND RISK TREATMENT

Outlining a company’s acceptable levels for risk tolerance helps ensure that risk-based decisions
can be addressed objectively. It is also valuable to use a scoring system, such as the Common
Vulnerability Scoring System (CVSS), to rate the potential level of impact for each risk in a
reproducible way. Since not all product cybersecurity risks are the same, separating risks into
different categories can be useful.
Automotive companies may consider the following examples for risk categories concerning a
vehicle driver or other road users such as passengers, pedestrians, etc.:
• Safety Critical – Items that can directly affect the steering, braking or motion function of a
vehicle, or produce other imminent safety hazards or driver distractions.
• Privacy – Items that directly compromise the Personally Identifiable Information (PII) and
other personally sensitive automotive data on-board the vehicle affecting users or the
vehicle.
• Functional – Items that would impair or interfere with the functional operation of non-
safety critical components.
• Nuisance – Items that could interfere with a user’s experience but does not impede the
function or safe operation of the product.
Some examples of product cybersecurity risk categories that affect automotive companies but not
directly affect vehicle drivers may include:
• Financial – Items that could lead to financial losses of the user or commercial entities.
• Brand – Items related to the cybersecurity of a specific product that might affect the
reputation of a product, brand, or corporation.
• Compliance – Items that would render the product non-compliant with applicable laws.
Compliance risks may also be treated by corporate risk management and avoided in the
product development process. However, there might be cybersecurity events, which may
have effect on already deployed vehicles and threaten their compliance with regulations.
Each category of risk can have a risk tolerance range based on a scoring system that ranges from
acceptable to unacceptable. Risks that fall within the tolerance range can be judged on how
factors such as effectiveness, cost and complexity of treatment measure up against the potential
severity and likelihood of an incident. An example risk tolerance chart is shown below:

Risk Management – Section 7 Chart
Safety Privacy Compliance Financial Functional Nuisance Brand
Acceptable Measured Unacceptable
FIGURE 5. EXAMPLE RISK TOLERANCE CHART

Having categorized, scored, and assessed a risk against the company’s risk tolerance scale it is
then possible to make informed, risk-based decisions on possible treatment options. Treatments
can be classified into different action vectors depending if they target a cyber incident, a design
risk in early stage, or an identified vulnerability during development:
• Contain (imminent threat)

o Taking actions to reduce the immediate impact of a threat or vulnerability caused
by a cyber incident (e.g. disable cellular connectivity, “do not drive” instruction)
o Likely a short-term reaction to an imminent attack, possibly followed up by a
longer-term solution (remediation / mitigation)
• Remediate / Mitigate
o Risk is sufficiently high, and action is needed to remedy
▪ A high-risk vulnerability that is publicly disclosed may rise to the level of
an imminent threat for containment
o Countermeasures will be taken to eliminate the risk
▪ If the risk cannot be eliminated, efforts will be towards minimizing the
potential impact
▪ Countermeasures may be applied just to new products or to post-
production products in the market
▪ Under certain circumstances countering the threat actor may mitigate the
risk. This may require the involvement of external resources (e.g. law
enforcement)
o Implement actions to prevent future recurrence (e.g. feed upcoming design
phase with the risk report for long-term mitigation)
• Avoid
o Actions are taken to eliminate the risk before countermeasure actions need to be
considered
o Avoid the activity or condition that introduces the risk by choosing an alternative,
less risky activity or approach that meets business objectives
o Avoidance can be a technical as well as non-technical treatment (e.g. update
operation manual, disclaimers, or Terms and Conditions (T&C’s))
• Transfer
o Certain risks may be transferred to other entities (e.g. when a company is insuring
against loss in the case of an event)
• Accept and Monitor (also called “measure”, see graphics)

o Risk is sufficiently low; no immediate action is required to remedy.
o Effective treatment options may not be feasible
o Continued monitoring and re-evaluation of technology, vulnerabilities, etc.
2.7 COMMUNICATING RISK TO LEADERSHIP AND STAKEHOLDERS

An important part of a risk management program is communicating risks to business leaders and
stakeholders. Internal stakeholders to consider for communicating vehicle cybersecurity risks
include:
• Board of Directors
• Drivers (e.g. Customer Relations)
• Dealers and affiliates
• Information technology
• Legal
• Product development
• Product security
• Public relations
• Quality assurance
• Research and engineering
• Risk management
• Regulatory affairs
• Senior executives (e.g. CEO, CIO, CRO, CISO)
When communicating vehicle cybersecurity risks across the organization, key points of emphasis
include:
• Impact – What is the impact to customers? What is the potential or actual consequence
to the business?
• Likelihood – What is the probability of exploitation? Is the threat event realistic? What
special expertise or equipment is required? How close do adversaries need to be to
vehicles? What are the attack vectors?
• Treatment – What are the costs, and implementation timelines of risk treatment options?
Is the risk acceptable without mitigation?
• Risk management – What is the risk management policy? What are the roles and
responsibilities that fall under risk management?
When communicating risks outside of the company (e.g. to city infrastructure planners,
consumers, operators, other manufacturers/ suppliers), it’s often helpful to clarify the risk definition
upfront to avoid miscommunication or misunderstanding. It is also helpful to clearly communicate
with non-technical business stakeholders using non-technical terminology to help them compare
vehicle cybersecurity risks to other more traditional enterprise risks with which they are more
familiar. Proper risk communication mechanisms can avoid unnecessary or uncontrolled external
communications, which can impact company reputation.
2.8 GOVERNANCE AND COMPLIANCE

Prioritization of cybersecurity across the enterprise can help successfully conduct cyber risk
management throughout the product lifecycle. To that end, normal business processes and
procedures can be reviewed for incorporation of cybersecurity risk reviews, including process
documents, control gate reviews, checklists, etc. Full integration into normal business conduct
supports integration into the full product lifecycle, with opportunities for consideration of cyber risk
assessments as part of the advanced development reviews, purchasing agreements, quality and
service activities, as well as other pre- and post-production scope. (See the Auto-ISAC’s
Governance Best Practice Guide for more information)..
Basing cyber risk assessments on internally published standards can ensure that each individual
business entity is calculating risk the same way, and with established tolerance levels.
Further integration into the development cycle would leverage the published standards for risk
evaluation onto the supply base. Cybersecurity thus can be a consideration in the purchasing
documentation, reviews, audits, etc.
To ensure internal compliance with the published standard, and complete integration into the
lifecycle, auditing is an option to evaluate the progress and success of integration. Auditing could
be conducting internally or externally by a third party, depending on readiness or sophistication
of the program anticipated.
To ensure the risk methodology is being applied consistently throughout the organization by all
users, consider establishing a periodic audit cycle. Audits may be conducted internally or
externally and represent an independent viewpoint.
Consider conducting independent risk assessments on a random sampling of the risks reported
in the previous period. Risks within a reasonable tolerance range of the originally reported risks
are considered acceptable.
If any of the sampled reports are deemed unacceptable, consider taking the following actions:
1. Notification of deviation from the Risk Assessment process
2. Specific and directed training on assessment deviation from expectations
3. Peer review or provide support during the completion of the next Risk Assessment
completed by the risk owner
The audit results may be reviewed for any opportunities for improvement to the Risk Assessment
process. This includes reviewing reported risks and updating risk ranges identified in this
document to accurately reflect the current corporate risk tolerance, if needed. This may also feed
back into the Risk Assessment methodology or management documents, including opportunities
for clarity or refinement.
Staying current with industry standards and published best practices can help keep the Risk
Methodology relevant. For example, a company may stay aware of internal and external changes
that may impact a risk assessment, which may include changes to the product, systems or
interfaces within the vehicle ecosystem, or industry evolution. It may sometimes be appropriate
to deep-dive into the current processes and documentation to conduct a periodic review of the
published content for relevancy to the current business or technology. Willingness to adjust to
changes is important to remain relevant – internal changes in the organization, changes to the
product, systems, interfaces, or external industry evolution may all have significant impact on the
cyber risk assessment and evaluation process.
Appendix A: Glossary of Terms

Relevant terms used in this Guide are defined below.
TERM DEFINITION
A path or means by which a threat actor can gain access to the networks or
Attack Vector
assets to deliver a malicious outcome.
The process of planning, organizing, leading, and influencing the activities of
Enterprise Risk
an organization to minimize the effects of risk on an organization's capital and
Management (ERM)
earnings. ERM covers financial, strategic, operational, cyber and other risks.
Estimate of magnitude of harm to stakeholders originating from a threat and/or
Impact
attack
An occurrence that actually or potentially results in adverse consequences to a
vehicle, connected infrastructure, or information that the vehicle processes,
Incident
stores, or transmits and that may require a response action to mitigate the
consequences.
The risk that an event would pose if no controls or other mitigating factors
Inherent Risk
were in place (the gross risk or risk before controls).
The practice of testing a system, network or application to find vulnerabilities
Penetration Testing
that a threat actor could exploit.
Post-Production Vehicles that have been produced and sold to a dealer or end customer and
Product are outside the OEM’s ownership.
A quantitative and qualitative measuring process of risk based on a
Risk Scoring framework, which assigns a score to the risk according to a hierarchical
grading system.
The risk that remains after security controls are taken into account (the net risk
Residual Risk
or risk after controls).
An evaluation of a company’s risks, including the number of risks, type of risk,
Risk Profile
and potential effects of risks.
The threshold of risk that an organization or individual is willing to accept
Risk Tolerance
without some form of response.
Threat Actor A person or entity posing a threat to the vehicle ecosystem.
An event or circumstance, perpetrated by a threat actor, that has the potential

Threat Event
to cause a negative impact to the vehicle ecosystem.
Vehicle The likelihood of and potential impact from the exploitation of a vehicle
Cybersecurity Risk ecosystem cybersecurity vulnerability in a threat event.
The components and infrastructure on or connected to the vehicle (e.g.
hardware and software, intellectual property, mobile applications, customer
Vehicle Ecosystem data, vehicle data, supplier/manufacturing networks, applications, processes
and organizations that directly or indirectly touch the vehicle and may play a
role in vehicle cybersecurity).
Vulnerability Weakness of an asset or control that can be exploited by one or more threats.
Appendix B: Additional References and Resources

The following References and Resources provide additional content and expertise for companies
to consider in conjunction with the Best Practices discussed in this Guide.
REFERENCES – DOCUMENTS THAT MAY OFFER ADDITIONAL IMPLEMENTATION GUIDANCE

ISO/SAE 21434 - Road Vehicle Cybersecurity Engineering Standard (under development) <link>
Unified Compliance Framework (UCF), SANS Critical Security Controls <link>
NIST SP 800-30 - Guide for Conducting Risk Assessments <link>
SAE J3061 - Cybersecurity Guidebook for Cyber-Physical Vehicle Systems <link>
NIST Cybersecurity Framework <link>
EVITA - E-safety Vehicle Intrusion Protected Applications <link>
JSAE-JASO TP-15002 - (in Japanese currently) – Guideline for Automobile Information Security Analysis <link>
ISO/IEC 15408 – Information Technology - Security Techniques <link>
ISO/IEC 17799 – Code of Practice for Information Security Management <link>
ISO/IEC 27001 – Information Security Management Systems - Requirements <link>
ETSI Cyber Security Technical Committee (TC CYBER) ETSI TR 103 456 – Implementation of the Network and
Information Security (NIS) Directive <link>
DOT HS 812 073 – NIST Cybersecurity Risk Framework Applied to Modern Vehicles <link>
ISO 31000:2009 – Principles and Guidelines on Implementation
ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
COSO (Committee of Sponsoring Organizations of the Treadway Commission) - Enterprise Risk Management
Integrated Framework 2004
RESOURCES – ORGANIZATIONS THAT MAY OFFER ADDITIONAL INSIGHTS

European Telecommunications Standards Institute (ETSI) <link>
Common Vulnerability Scoring System (CVSS) <link>
International Organization for Standardization (ISO) <link>
Institute of Risk Management (IRM) <link>
ISA/IEC 62443 Cybersecurity Certificate Programs <link>
National Institute of Standards and Technology (NIST) <link>
National Highway Traffic Safety Administration (NHTSA) <link>
PMI PMBOK Guide <link>
Public Risk Management Association <link>
Risk Management Society (RIMS) <link>
SAE International <link>
Appendix C: Sample Risk Scoring Frameworks
This Appendix includes sample risk scoring frameworks. Note that companies may choose to use
a wide range of frameworks, including those that differ substantially from the examples provided
here.
Sample Vehicle Cybersecurity Risk Scoring Framework #1
Sample Vehicle Cybersecurity Risk Scoring Framework #2
Appendix D: Acronyms
Auto-ISAC Automotive Information Sharing and Analysis Center
CEO Chief Executive Officer
CIO Chief Information Officer
CISO Chief Information Security Officer
CRO Chief Risk Officer
CAN Controller Area Network
CERT Computer Emergency Readiness Team
COSO Committee of Sponsoring Organizations
CVSS Common Vulnerability Scoring System
ECU Electronic Control Unit
EOL End of Life
ERM Enterprise Risk Management
ETSI European Telecommunications Standards Institute
EVITA E-safety Vehicle Intrusion Protected Applications
IEC International Electrotechnical Commission
IRM Institute of Risk Management
ISA International Society of Automation
ISO International Organization for Standardization
IT Information Technology
JASO Japanese Automotive Standards Organization
JSAE Society of Automotive Engineers of Japan
NHTSA National Highway Traffic Safety Administration
NIST National Institute of Standards and Technology
NIS Network and Information Security
OBD II On-Board Diagnostics
OEM Original Equipment Manufacturer
OTA Over-the-Air
PII Personally Identifiable Information
PMBOK Project Management Body of Knowledge
PMI Project Management Institute
RASIC Responsible, Approve, Support, Inform, Consult
RMI Risk Management Society
SAE Society of Automotive Engineers
SME Subject Matter Expert
TLP Traffic Light Protocol
UCF Unified Compliance Framework
USB Universal Serial Bus
Another random document with
no related content on Scribd:
out of service, he was selected, probably on account of his familiarity
with colonial affairs, to receive the surrender of New York and its
dependencies, in accordance with the treaty of peace. The territory
thus recovered had been granted by Charles II., at the time of its first
seizure in 1664, to his brother, the Duke of York; and Andros, who
must have been personally known to them both, was now appointed
lieutenant-governor of the palatine province. His commission bears
111
date of July 1, 1674. He was well fitted for the position. His
residence in Holland had made him familiar with the people with
whom he was chiefly to deal, and his acquaintance with American
affairs stood him in good stead in matters of general policy, as his
administration soon disclosed; while his connection with the court
and with the royal family enabled him to act as a confidential agent
of the Duke. He arrived in New York in November accompanied by
his wife, and after some formalities entered upon his government.
His treatment of the conquered Dutch was marked with great tact
and judgment, and rarely has the transfer of a colony of one nation
to the rule of another been effected with so little friction or
112
disturbance.
In regard to the serious problem of the treatment of the Indians
he was far-sighted enough to continue the wise and judicious policy
of his predecessors in regard to the powerful and dangerous
confederation of the Iroquois or Five Nations. The importance of this
can hardly be over-estimated in its bearing upon the subsequent
history of the country. It is true that this policy was not original with
him; he took it as a legacy from the Dutch in 1674, as Nicolls had
done ten years before; but it may be said that the honest and
judicious administration of Indian affairs did much to save the
English colonies from being wiped out of existence by a general
113
Indian war. If the Iroquois had been roused to go on the war-path,
as were the unfortunate Indians of New England, it is hard to see
what could have saved the scattered settlements. And again, if
Andros, by a tortuous and deceitful policy like that of the United
Colonies towards the New England Indians, had thrown the Iroquois
into the arms of the French, who were only too anxious for
reconciliation with them, there is little probability that the valor of
Wolfe would ever have had a chance for success on the Plains of
Abraham.
As a provincial governor Andros made many enemies; but they
were mainly in the colonies lying adjacent to his own. The patent of
New York was very extensive, and covered territory which the
114
neighboring colonies claimed had been already ceded to them.
Connecticut had vague claims all the way to the South Sea, and had
been devoting its energies during the short space of its history to
edging along its frontier further and further to the westward, in spite
of the indignant protests of the Dutch. Settlements had been formed
on Long Island, which was undoubtedly beyond its limits. Now, the
dispute was between rival colonies of the same country; and
considering the uncertainty of the title of Connecticut, Andros must
be allowed to have acted with propriety and moderation. He
succeeded in making good the title of the Duke to Long Island and
Fisher’s Island, where the Connecticut authorities were attempting to
exercise jurisdiction; but the boundary line upon the mainland
remained an unsettled question even down to our own times. At
Saybrook, Andros did his duty in asserting formally his principal’s
claim, but was wise enough not to press a question which would
115
have caused great difficulties between the Colonies.
With the New Jersey settlers he had still more difficulty, as they
had various grants and patents from the Duke himself to plead for
their justification; but he pursued a straightforward course, standing
up, as he was bound to do, for the rights of his principal, unless they
could be legally shown to have been granted away. His passion for
regular and orderly business methods soon manifested itself, and his
letters reveal the indignation of a man of affairs at the utterly
116
unbusiness-like ways of the people with whom he had to do.
Besides his commission as Governor of New York, he had
undoubtedly private instructions as to how he should comport
himself towards his uneasy neighbors, the New England colonies.
He was anxious to keep on good terms with Connecticut, as New
York was largely dependent upon that colony for provisions; and his
letters to the Connecticut authorities are mostly of a friendly
character, though written in a tone of superiority which undoubtedly
gave serious offence. On hearing that the people of Hartford were
harboring one of the regicides, he addressed a very sharp letter to
the colonial authorities, to which they replied in a tone of injured
innocence, which is quite edifying, asking him for the names of those
117
who had so maligned their loyalty.
It was impossible for the Connecticut Republicans to realize the
profound horror which the execution of Charles had caused, and the
depth of the feeling of hatred and repugnance which the perpetrators
of that audacious act had inspired. Even after William and Mary were
on the throne, and James II. was an exile, it was found that a
regicide, of the character and position of Ludlow, dared not show
himself in England; and during the Restoration period the feeling was
intense. The act was regarded by the majority of Englishmen as
sacrilege, as well as murder, for it had destroyed not only what was
called the sacred majesty of the king, but the sacred majesty of the
legal government. To Andros the news that Goffe and Whalley were
escaping justice by the connivance of the authorities was horrible,
and must have suggested doubts, if he had not found them already,
of the policy of allowing men who would have been excluded from all
office in England to rule the king’s colonies in America.
A more serious difficulty arose with Massachusetts, whose
authorities had ventured to send commissioners to the Mohawks to
treat directly with them as an independent nation—an act at utter
variance with the policy of the Dutch and English, who regarded
them as under their authority, and which, therefore, was liable to
118
plunge the colony in war. The ostentatious assumption of
independence by the colony of Massachusetts, its claim to be free
from the laws of England, and the spirit displayed by many of its
leaders, which must have seemed seditious to the legal mind of
Andros, made it necessary for him to watch very carefully any affairs
in which they were concerned. His attitude brought upon him the
hostility of the colony, and its authorities asserted, and constantly
reiterated, the charge that it was at Albany, by his connivance, that
119
Philip’s Indians had procured supplies of arms.
This charge, naturally, was most offensive to the loyal spirit of
Andros, who had fretted a good deal under his forced inactivity in the
war; and he repeatedly denied it, challenging his accusers for proof
of their assertions, proof which they were absolutely unable to
supply. They continued, however, to insinuate this malicious
statement, and it was long believed by the people of Massachusetts,
and led undoubtedly to much of the hostility between them and
120
Andros during his subsequent rule in New England. In spite of
their aspersions, he continued steadily in his prudent policy, keeping
the Mohawks quiet on one side, and, by vigorous measures against
the Indians in Maine, protecting his personal enemies from inroads
121
upon the other. His government of New York was successful; the
country remained in peace; its quiet contrasted strongly with the
troubles in New England, and the revenues of the colony were
honestly collected and wisely administered. To those who hold the
commonly received opinion of Andros, it will seem strange to find
that he urged upon the Duke of York the desirability of allowing the
122
colonists the privileges of a representative assembly. In
November 1677, he returned to England on a leave of absence,
remaining there until May of the following year.
While in England he received the honor of knighthood, a sign
that his labors were appreciated, and gave, in the form of answers to
the inquiries of the Committee for Trade and Plantations, statements
in regard to American affairs which are of great value as exhibiting
the condition of the colonies, and especially of New York, at that
time. His replies about New England are such as we might expect
from a man of his character and position, and disclose no hostility.
He says: “The acts of trade and navigacon are sayed, & is
generally beleeved, not to be observed in ye Collonyes as they
ought”—a statement which is certainly moderate if not grammatical;
and also: “I doe not find but the generality of the Magistrates and
people are well affected to ye king and kingdome, but most, knowing
noe governmt then their owne, think it best, and are wedded and
oppiniate for it. And ye magistrates & others in place, chosen by the
people, think that they are oblidged to assert & maintain sd
Government all they cann, and are Church members, and like so to
be, chosen, and to continue without any considerable alteracon and
change there, and depend upon the people to justifie them in their
actings.” For a description of a puritan republic by a royalist and
123
churchman, this is remarkably fair and correct.
The last two years of his government in New York were vexed
with difficulties with some of the English merchants of the province,
who were probably pinched by Andros’s strict and methodical, and
possibly also narrow and literal, administration of the revenue laws.
He was openly accused by them, and by other discontented parties,
to the Duke of York as dishonest in his management of the revenue,
and was summoned home to answer to the charges. A special
commissioner, who was absurdly incompetent for the position, was
sent to investigate the accounts, and he took the side of the
124
merchants in his report. Andros, however, was able to answer
satisfactorily every charge against him, and boldly demanded a
thorough examination of all his acts as governor. He was examined
before Churchill and Jeffreys, neither of whom would have been
likely at that time to have let any one go free who had defrauded the
Duke, and they reported that Andros “had not misbehaved himself,
or broken the trust reposed in him by his royal highness in the
administration of his government, nor doth it appear that he hath
125
anyway defrauded or mismanaged his revenue.”
Though completely exonerated, he was not at this time
reinstated in the governorship, and the next five years of his life were
passed in England at court, where he obtained an honorable position
in the household, and in his estates in Guernsey, to which in 1684
the island of Alderney was added by royal grant at a rent of thirteen
126
shillings. In 1685 he received a military command once more, and
served in the campaign in the west of England against Monmouth;
and the silence of the enemies in regard to any acts of cruelty at this
time is a high tribute, for, if they had known of any, they would
127
undoubtedly have held him up for abhorrence as a persecutor.
Later in the year he was made lieutenant-colonel of the Princess
Anne of Denmark’s regiment of horse, under the command of the
Earl of Scarsdale.
The accession of James, under whom he had acted previously,
made it likely that Andros would again receive employment. In spite
of the fact that he was a devoted adherent of the Church of England,
the king, who was attempting to restore the Roman worship, gave
him his full confidence, and entrusted him with the work of carrying
out a project which had been for some time before the minds of the
colonial authorities in England—the consolidation of New England
into a single province. This was no new idea of James II., but had
been discussed for several years; and it was a plan that had much to
recommend it.
As early as 1678, the Lords of Trade and Plantations had been
brought to see the need of a general governor and a fit judicature in
the colonies, for the determining of differences; and in 1681
Culpepper had urged the project. A preliminary measure had been
adopted of appointing a general revenue officer for all the American
128
colonies, with the power of selecting his own subordinates. The
notorious Randolph, a man of strict honesty and probity of life, but
unable to see more than his own side of any question, was
appointed deputy surveyor-general over the New England colonies,
and devoted his energies to obtaining the forfeiture of the patent of
Massachusetts. The astuteness and bribery of the Massachusetts
agents were able to defer the evil day until the autumn of 1684,
129
when the charter was vacated. This left Massachusetts in the
hands of the crown; the next problem was to obtain the vacating of
the more regular charters of Connecticut and Rhode Island. Writs of
quo warranto were issued, and sent to the colonies respectively; and
the submission of Rhode Island, after some decent protests, was
130
obtained.
Andros was chosen by the king for the important post of
governor-general, not, as Palfrey insinuates, because he was
peculiarly disagreeable to Massachusetts, and so likely to carry out
the objects of the king; but because the king knew him personally,
and knew him to be a man of capacity and integrity. It is absurd to
suppose that James, who was an experienced man of business
himself, and more familiar with colonial affairs than any king of
England before or since, would have intentionally selected a man for
the purpose who would endanger the success of the undertaking.
Colonel Kirke, who had been actually designated as governor, had
been withdrawn as disagreeable to New England. It is unnecessary
here to enter into any arguments to show the advantage that would
have accrued to the colonies if this judicious plan had been
successful. New England might have been spared much wasteful
legislation and ruinous financial experiments, and would have been
joined together in one strong province, instead of being composed of
several weak and jealous colonies; the union, the benefits of which it
took the colonists so long to learn, would have been facilitated; and a
strong and united front would have been presented to the French,
who were beginning now to threaten the existence of the English
colonies. The Stuarts, it is true, were pensioners and allies of the
King of France in Europe, but in America they were his natural and
inevitable enemies; and James, who, unlike his brother, felt deeply
the shame of his vassalage to the French, was anxious to prevent
any extension of French power in America.
Andros arrived in Boston in December 1686, and was received
131
in a most loyal and even enthusiastic manner. A large portion of
the Massachusetts people had grown weary of the rule of the
oligarchy, and Andros was welcomed as bringing with him the
protection of English law. His government had been constituted in
detail in his commission, and he at once proceeded to organize it
and to levy the taxes necessary for its support. Deprived of the
representative assembly in which the semblance of free government
had been preserved, one of the towns attempted to resist the tax.
The leaders of the movement were tried fairly and legally, and were
132
fined and imprisoned for their attempt at resistance. After this no
attempts were made to dispute the laws of the new government, until
the revolution which overthrew all legal authority in the colony broke
out in 1689.
It was very important for Andros that the submission of
Connecticut should be obtained without conflict, as Massachusetts,
like New York, was largely dependent upon the neighboring colony
for food. The Connecticut authorities fenced and parried, interposed
delays, and showed themselves, as they always did, clever men of
business, exhibiting qualities that doubtless raised Governor Treat
and Secretary Allyn in Governor Andros’s estimation. Finally,
however, when further resistance was dangerous, a letter was sent
which could be construed either as a surrender or as not a
surrender, so that they might have a safe retreat in any case; and on
133
the strength of this letter Andros assumed the government. The
period that follows is sometimes described as the “usurpation,” but
there is nothing in the history of the times to give one the impression
that the government of Andros in Connecticut was not as regular and
legal a government as the colony ever had. If Andros had not been
overthrown in Massachusetts by a carefully-prepared rebellion,
which left the colonies without a governor, it is not likely that either
Connecticut or Rhode Island would have ventured to resume its
charter. Andros came to Connecticut in October 1687, travelling by
way of Providence and New London, and from New London across
country through what are now Salem, Colchester, and Glastonbury,
to the Rocky Hill ferry. He was attended by a “company of gentlemen
and grenadiers to the number of sixty or upwards,” and was met at
the ferry by a troop of horse “which conducted him honorably from
134
the ferry through Waterfield (Wethersfield) up to Hartford.” Of the
transactions at Hartford we have the dramatic story of local tradition,
the only proof of which was the existence of an oak tree said to have
been the receptacle of the charter. For this romantic story there is
absolutely no contemporary authority, and the details are very
improbable. The charter very possibly may have been concealed,
and very possibly in the Charter Oak, but the incidents of the familiar
135
story are, if known, not mentioned by any writers of the time. The
records of the colony contain simply the formal but expressive entry:
“His Excellency, Sr Edmund Andross, Knt., Capt. General & Govr of
his Maties Territorie and Dominion in New England, by order from his
Matie James the second, King of England, Scotland, France &
Ireland, the 31 of October, 1687, took into his hands the government
of this colony of Conecticott, it being by his Matie annexed to
Massachusets & other colonys under his Excelencies Goverment.
136
FINIS.”
Bulkeley, in the “Will and Doom,” relates that Andros was met at
Hartford by the trained bands of divers towns who united to pay him
their respects.
“Being arrived at Hartford,” he continues, “he is greeted and

caressed by the Govr and assistants, and some say, though I will
not confidently assert it, that the Govr and one of his assistants
did declare to him the vote of the Genl Court for their submission
to him. However, after some treaty between his Excellency and
them that evening, he was, the next morning, waited on and
conducted by the Govr, Deputy Govr, Assistants and Deputies,
to the Court Chamber, and by the Govr himself directed to the
Govr’s seat, and being there seated (the late Govr, Assistants
and Deputys being present & the Chamber thronged as full of
people as it was capable of), His Excellency declared that his
Majesty had, according to their desire, given him a commission
to come and take on him the government of Connecticut, and
caused his commission to be publicly read. That being done, his
Excellency showed that it was his Majesty’s pleasure to make
the late Govr and Captain John Allyn members of his council,
and called upon them to take their oaths, which they did
forthwith, and all this in that public and great assembly, nemine
contradicente, and only one man said that they first desired that
they might continue as they were.”
“After this his Excellency proceeded to erect courts of
Judicature, and constituted the said John Allyn, Esq. & Judge of
the inferiour Court of Common Pleas for the county of Hartford,
and all others who before had been assistants, & dwelling in the
same County, he now made Justices of the Peace for the said
County.
“From hence his Excellency passed through all the rest of
the countys of N. Haven, N. London and Fairfield, settling the
Government, was everywhere chearfully and gratefully received,
and erected the King’s Courts as aforesaid, wherein those who
were before in the office of Govr, Deputy Govr and Assistants
were made Judges of the Pleas, or Justices of the Peace, not
one excepted nor (finally) excepting, but accepting the same,
some few others being by his Excellency added to them in the
several Countys, not without, but by & with their own advice and
approbation, and all sworn by the oaths (of allegience and) of
their respective offices, to do equal justice to rich and poor, after
the Laws & Customs of the Realm of England, and of this his
Majesty’s dominion.”
“The Secretary, who was well acquainted with all the
transactions of the General Court, and very well understood their
meaning and intent in all, delivered their common seal to Sir
137
E. A.”
Connecticut under Andros passed a period of peace and quiet.

Governor Treat and secretary Allyn were made members of the
council and judges, besides being entrusted with military commands,
and everything went on quietly. There was an evident disposition to
favor Connecticut, and every reason why it should be favored. We
hear of no complaint against the government or the laws. The worst
hardship recorded is the settling of intestate property according to
English law, instead of the customs of the colony. It is true that town
meetings were forbidden except once a year, but there were frequent
sessions of the courts held, so that the citizens were not deprived of
all the common interests of their lives. With Allyn the governor was
on most friendly terms, modifying several regulations at his
suggestions, and entrusting him largely with the management of
138
Connecticut affairs. To make a proper catalogue of miseries, the
Connecticut historian, Trumbull, is obliged to borrow and relate
doleful stories from Massachusetts, not asserting that they happened
139
in Connecticut, but certainly producing that impression.
There were many reasons why Connecticut did not resent the
government of Andros as much as was the case in Massachusetts.
In the first place, Connecticut had had a lawful government and a
law-abiding people; its charter had not been taken away as a
punishment, but as a political necessity; while Massachusetts had
been fighting for a system of more than questionable legality, and in
a spirit which might well seem to the royal officials to be seditious.
Connecticut had enjoyed a form of government in which the people
had really controlled public affairs; in Massachusetts the government
had been in the hands of an oligarchy, who resented most bitterly
their deposition from power as robbing them of their peculiar
privileges. In Connecticut the ecclesiastical system at this time was
judicious and moderate; the radical tendencies of the New Haven
colony had been held in check by the wiser policy of Hartford.
Persecution had never been a feature of Connecticut religion, and its
history is not disgraced with the accounts of frequent religious
quarrels, excommunications, and expulsions which are so familiar to
that of the neighboring colony. In Massachusetts Andros found
himself opposed and thwarted in every way that the angry leaders
could devise; in Connecticut, though men were attached to their self-
government and resented its loss, he was received with respect and
consideration. One is led to suspect that, with all their pride in their
charter and love of their liberties, the leading men of Connecticut
were shrewd enough to see the advantages that they received from
the new arrangement. They saw the arrogance of their old rivals of
the “Bay Colony” humiliated; they had the pleasure of seeing
Hampshire county compelled to come to Hartford to court, and they
felt themselves favored and trusted by the governor. Besides all
these considerations, from the situation of Connecticut, lying as it did
between Massachusetts and New York, it was much to Andros’s
interest that he should keep the colony well disposed, and he took
some trouble to do so.
And, after all, what do the charges of tyranny and
misgovernment amount to, even in Massachusetts? The real
gravamen of all the charges is, that the charter had been taken
away, and the people of Massachusetts did not enjoy those laws of
England which they had always claimed as their birthright. The
personal charges against Andros were so frivolous that the colonial
agents did not dare to put their hands to them when the case was
brought to trial in England, and, by their failure to appear, confessed
that they were false and malicious. It is not likely that Andros was
always conciliatory. That a population of dissenting Whigs should put
difficulties in the way of public service of the Church of England, as
by law established, must have been to Andros unendurable, and it is
absurd to represent his use of a meeting-house in Boston for the
religious services of the national church as an instance of malignant
140
despotism. It is far from improbable that Andros was compelled
against his will to be as civil as he was to the American non-
conformists, because his master was trafficking with them in
England. While Increase Mather was intriguing with the king and
receiving friendly messages from Father Petre, and while men like
Alsop and Rosewell and Penn were basking in the favors of the court
at Whitehall, a governor of New England, even if he had wished,
141
could not venture upon any acts of oppression in America. In fact,
Andros’s actions in insisting on the services of the English Church in
Boston may be considered among the most creditable in his history,
and exhibit the character of the man. He risked offending the king,
and did offend the puritans, in order to show respect to that historic
church of his nation, which king and puritan alike desired to
overthrow.
It is quite probable that Andros was at times rough in his
language. Without justifying him in this, it may be pleaded that it
certainly was not an uncommon fault of military men; and besides,
there were a good many things that must have made the use of
strong language a relief. He did not have a very high appreciation of
Indian deeds; but few honest men to-day, legal or lay, would differ
from him. He reviled the palladium of New England liberties, the
towns; but perhaps in this he was in advance of his age. He
reorganized the court system, established tables of fees, and
changed the method of proving wills; but here the blame is not his;
but if any one’s, it should lie upon the king who established the
province, or the council who passed the laws. The truth seems to be
that Andros was shocked and scandalized at the loose, happy-go-
lucky way of doing business that had, up to this time, served the
colonies; and he labored in New England, as he had in New York,
and as he afterwards did in Virginia, to give his province a good,
efficient, general system of administration. What made it
objectionable to the colonies was not that it was bad, but that it was
different from what they had had. The man who does his arithmetic
upon his fingers would count it a hardship if he were compelled to
use the much more convenient processes known to better educated
men. The case was the same in New England. They did not want to
be improved; they had no desire for any more efficient or regular
administration than they were accustomed to. They preferred
managing their own affairs badly to having them done for them, were
it ever so well. It is not difficult for us to appreciate their discontent.
It is harder for us to put ourselves in Andros’s place, and to feel
with him the disgust of an experienced and orderly administrator at
the loose and slipshod methods that he saw everywhere; the
indignation of the loyal servant of the king at hardly concealed
disloyalty and sedition; the resentment of a devoted member of the
national Church of England at the insults heaped upon it by the men
who had failed in their previous attempt to destroy it.
Andros failed to conciliate Massachusetts. An angel from heaven
bearing King James’s commission would have failed. A rebellion
against his power was carefully prepared, doubtless in concert with
the Whig leaders in England; and when the news of the English
Revolution came, Massachusetts broke out also, arrested the
governor, destroyed the government, and set up an irregular
142
government of its own. The object of this revolution was evidently
to overthrow the Dominion of New England, and to resume separate
colonial independence before the new English authorities had time to
communicate with Andros. There is no reason to think that Andros
would have tried to hold the country for James. Respect for the law
was, with him, the reason for his loyalty to the crown; and though he
was personally attached to the Stuarts and had acted under James
for many years, he was governor of the Dominion, not for James
Stuart, but for the king of England.
The popular leaders were indeed afraid, not that Andros would
oppose the revolution in England, but that he would accept it, and be
confirmed by William and Mary in the same position he had held
under James, and that thus the hated union of the colonies would be
perpetuated. Their revolution was only too successful. They had their
own way, and the events in Salem in 1692 were a commentary on
the benefits of colonial autonomy.
In Rhode Island and Connecticut the old charters were
reassumed. In Connecticut, as there had been little break when
Andros came, so now there was little trouble when he departed.
Secretary Allyn had managed the affairs of the colony before the
“usurpation”; Secretary Allyn had been the chief intermediary
between Andros and the people; Secretary Allyn continued to
manage Connecticut affairs after Andros had gone. The particularists
succeeded in getting possession of the government, in spite of the
opposition of a strong minority, and Connecticut, like Massachusetts,
143
returned to her insignificant but precious independence.
Andros succeeded in escaping once, but was arrested in Rhode
Island, and returned by the magistrates there to the revolutionary
leaders in Boston. By these he was kept in prison for nearly a year,
and then sent to England, where, as has been said, no one
144
appeared against him. Hutchinson complains that the
Massachusetts agents were misled by their counsel, Sir John
Somers. When one considers that Somers was one of the greatest
lawyers the bar of England has ever known, one is inclined to
believe that he knew his clients’ case was too bad to take into
145
court.
The government of William and Mary found nothing to condemn
in Andros’s conduct, and showed their appreciation of his services
by sending him out, in 1692, as governor of Virginia, adjoining to the
146
office at the same time the governorship of Maryland.
He exhibited here the same qualities that had characterized his
government in New York and New England; intelligent aptitude for
business, love of regularity and order, zeal for honest administration,
and consequently some degree of severity upon offenders against
the navigation laws who were often men of good birth and position,
and last, though not least, a great dislike of the interference of
meddling ecclesiastics with matters of state. He reduced the records
of the province to order, finding that they had been seriously
neglected; and when the State House was burned, he provided a
building for them, and had them again carefully sorted and
registered. He encouraged the introduction of manufactures and the
planting of cotton, and established a legal size for the tobacco cask,
an act which protected the merchants from arbitrary plundering by
custom house officials in England, but which was used by his
enemies to form the basis of an accusation of defrauding the
revenue. He was on the best of terms with the prominent men of the
Dominion, and he left behind him a pleasant memory in Virginia
among the laity, and among those of the clergy who were not under
the influence of Commissary Blair. The quarrel with Blair was an
unfortunate one, for, though meddlesome and dogmatic, he was
working for the higher interests of the colony; but the evidence he
himself supplies of the temper of his proceedings explains Sir
Edmund’s antipathy.
He was recalled to England in 1698, and was worsted in his
contest with Blair, having been unfortunate enough to bring upon
himself the resentment of the Bishop of London. The record of the
trial is preserved at Lambeth, and has been printed in this country,
and a perusal of it will convince most readers that Sir Edmund
received very hard usage, and might have complained, in the words
of the lawyer who was defeated in a contest with Laud, that he had
147
been “choked by a pair of lawn-sleeves.”
The rest of his life was passed at home. The government still
showed their confidence in him by appointing him the Governor of
148
Guernsey. He lived quietly, passing a peaceful old age, and died
in February, 1714 at the age of seventy-six. His continued interest in
the welfare of the colonies, in the service of which he had passed so
many years, is evidenced by the fact that his name appears among
the members of the Society for the Propagation of the Gospel in
149
Foreign Parts.
Removed from the prejudices of his own day and generation,
and regarded in the impartial light of history, Sir Edmund Andros
appears not as the cruel persecutor that he seemed to the Mathers
and the Sewalls, nor as the envious Sanballat that Blair’s fervent
Scotch imagination pictured him, but as a single-hearted, loyal
English gentleman, of the best type of those cavaliers, devoted to
church and king, who, in their horror at the results of puritanism and
liberalism in England, were willing to sacrifice if necessary some
150
degree of personal liberty in order to secure the dominion of law.
Judging from what we know of him, we should have looked to
see him, had he been in England instead of in America at the time of
the Revolution, by the side of many fellow Tories maintaining the
liberties and the religion of his country. In America, far from the
scene of conflict, his duty was to support the government of the king;
but the claim of the colonists that, by arresting him, they prevented
him from “making an Ireland of America,” is disproved by his
immediate and loyal acceptance of the results of the Revolution, and
by the confidence the new government immediately reposed in
151
him.
The French authorities in Canada, who were in a position to
judge his character correctly, have left on record their opinion that it
was hopeless to expect assistance from him against his countrymen
in the struggle between the two nations that broke out after the
abdication of James II. The Chevalier de Callières, Governor of
Montreal, wrote to the Marquis de Seignelay as follows:
“Chevalier Andros, now Governor-General of New England

and New York, having already declared in his letter to M. de
Denonville that he took all the Iroquois under his protection as
subjects of the crown of England, and having prevented them
returning to M. de Denonville to make peace with us, there is no
longer reason to hope for its conclusion through the English, nor
for the alienation of the Iroquois from the close union which exist
with those (the English), in consequence of the great advantage
they derive from thence, the like to which we cannot offer for
divers reasons.
“Chevalier Andros is a Protestant as well as the whole
English colony, so that there is no reason to hope that he will
remain faithful to the King of England (James II.), and we must
expect that he will not only urge the Iroquois to continue the war
against us, but that he will also add Englishmen to them to lead
them and seize the posts of Niagara, Michillimackinac and
others proper to render him master of all the Indians, our allies,
according to the project they have long since formed, and which
they were beginning to execute when we declared war against
the Iroquois, and when we captured seventy Englishmen who
were going to take possession of Michillimackinac, one of the
151
most important posts of Canada.”
It is gratifying to notice that at last his character and services are

beginning to be better appreciated in the provinces over which he
ruled; and we may hope that in time the Andros of partisan history
will give place, even in the popular narratives of colonial affairs, to
the Andros that really existed, stern and proud and uncompromising,
it is true, but honest, upright, and just; a loyal servant of the crown,
and a friend to the best interests of the people whom he governed.
NOTES.
102
The principal authority for the facts of Andros’s life before he
became governor of the Duke of York’s province is a
biographical sketch in the History of Guernsey, by Jonathan
Duncan, Esq., London, 1841, written by the late Mr. Thomas
Andros of Guernsey, who died in 1853. This sketch was copied
in N. Y. Colonial Documents, ii. 740, and has been used by
W. H. Whitmore in his memoir of Sir Edmund Andros, in the
first volume of The Andros Tracts. Mr. Whitmore has added to
the sketch some few additional facts collected from a pedigree
at the Heralds’ Office and from private family papers. His
memoir is the most convenient, as it is the fullest and most
accurate, life of Andros that has appeared. The History of
Guernsey, by Ferdinand Brock Tupper, contains a few
additional facts in regard to him, but of trifling importance. Vide
pp. 367, 377, 392. See also Chronicles of Castle Cornet by the
same author.
103
Duncan, History of Guernsey, p. 89.
104
Memoir of the Life of the late Reverend Increase Mather, D. D.,
London, 1725, pp. 10–12.
105
Whitmore, Andros Tracts, I. ix. Duncan, p. 106.
106
Pedigree, in Andros Tracts, I. vi. Duncan, p. 588. From
Calendar of State Papers, Am. and W. Indies, we learn that
Andros saw service in the West Indies, being major in a
regiment of foot, commanded by Sir Tobias Bridge, which left
England in March, 1667, and arrived in Barbadoes in April. He
returned to England in 1668, as bearer of despatches and
letters to the government, and was in England in September of
that year. Whether he returned to Barbadoes is not evident, but
he was in England in Jan., 1671, and throughout the year. The
regiment was disbanded and four companies sent to England,
arriving there Oct. 5, 1671, and were incorporated in the new
dragoon regiment being raised for Prince Rupert, to which
Andros received his commission Sept. 14, 1671. This
chronology is irreconcilable with that given in the pedigree or
by Duncan.
107
For relations of Lord Craven and Elizabeth, see Miss Benger’s
Memoir of the Queen of Bohemia.
108
Duncan, p. 588. Calendar of State Papers, America and the
West Indies (1661–1668), 1427, 1436, 1439, 1476, 1760,
1761, 1762, 1824, 1839, (1669–1674), 394, 545.
109
Duncan, pp. 588–89. America and W. Indies (1669–1674),
554, 559, 625, 639, 791. Mackinnon, Origin and Services of
the Coldstream Guards, i. 185.
110
Tupper, History of Guernsey, 2d Ed., London, 1876. He says
(p. 392): “Edmund Andros had succeeded his father as bailiff
(bailli) in 1674, with power to nominate a lieutenant during his
long non-residence; he was also a colonel of dragoons, and
after his return from his successive North American
governments, he was constituted lieutenant-governor of
Guernsey by Queen Anne, who dispensed with his executing
the office of bailiff and accepted Eleazar Le Marchant as
lieutenant-bailiff.” Apparently he had some trouble at first from
the governor of the island, Christopher, Lord Hatton, for we find
(p. 377) a royal order sustaining Andros, and forbidding Lord
Hatton to disturb him in the office of bailiff.
111
N. Y. Col. Doc., iii. 215. The boundaries stated in this
Commission are as follows: “All that part of ye Maine Land of
New England beginning at a certaine place called or knowne
by ye name of St. Croix next adjoyneing to new Scotland in
America and from thence along ye sea Coast unto a certaine
place called Pemaquin or Pemaquid and soe up the River
thereof to ye furthest head of the same, as it tendeth
northwards and extending from thence to the River Kinebequi
and soe upwards by ye shortest course to ye river Canada
northwards. And also all that Island or Islands comonly called
or knowne by ye several names of Matowacks or Long Island
scituate lying and being towards ye West of Cape Codd and ye
Narrow Higansetts abutting upon ye maine land betweene ye
two rivers there called or knowne by ye severall names of
Conecticut and Hudsons River together also wth ye said river
called Hudsons River and all ye land from ye West side of
Conecticut River to ye East side of Delaware Bay, and also all
those severall Islands called or knowne by ye name of Martine
mynyards and Nantukes otherwise Nantukett, together with all
the lands islands soiles rivers harbours mines mineralls
quarryes woods marshes waters lakes fishings hawking
hunting and fowling and all royaltyes and profitts comôdityes
and hereditaments to the said several islands lands and
premisses, belonging and apperteyning with their and every of
their appurtenancies.”
112
For Andros’s own account of the first three years of his
administration, see N. Y. Col. Doc., iii. 254–257. For the
surrender of New York, Documentary History of New York, iii.
43; Andros’s report on state of the province, i. 60.
113
That this was recognized by men qualified to judge, vide letter
from Lieutenant-Colonel Talcott to Andros, Connecticut
Colonial Records (1678–89), p. 399; vide also Doc. Hist. N. Y.,
i. 99; Conn. Col. Rec. (1665–78), pp. 397, 404, 461, 492. For
Andros’s own official report of the assistance he rendered New
England in Philips’s war, see N. Y. Col. Doc., iii. 264, 265. For
remarks upon the contrasted Indian policies, see Brodhead,
Hist. New York, ii. 281–290.
114
Conn. Col. Rec. (1678–89), p. 283. N. Y. Col. Doc., iii. 236.

PDF Risk Assessment and Management Auto Isac Ebook Full Chapter

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PDF Risk Assessment and Management Auto Isac Ebook Full Chapter

Uploaded by

Copyright:

Available Formats

Risk assessment and management

Awareness and Training Auto-Isac

Security development lifecycle Auto-Isac

Nanotoxicology : Toxicity Evaluation, Risk Assessment

Natech Risk Assessment and Management. Reducing the

The Gower Handbook of Extreme Risk Assessment

Strategic Security Management: A Risk Assessment Guide

Winning with Risk Management Financial Engineering and

Fundamentals of Risk Management Understanding

Traffic Light Protocol: WHITE.

This information may be shared in public forums.

Traffic Light Protocol: White (May be shared in public forums)

Version Revision Date Notes

Traffic Light Protocol: White (May be shared in public forums)

Traffic Light Protocol: White (May be shared in public forums)

Traffic Light Protocol: White (May be shared in public forums)

FIGURE 1: VEHICLE LIFECYCLE PHASES

1.5 AUTHORITY AND GUIDE DEVELOPMENT

1.6 GOVERNANCE AND MAINTENANCE

Traffic Light Protocol: White (May be shared in public forums)

2.0 Best Practices

2.1 SCOPE AND REQUIREMENTS

• Product Development Engineering

Traffic Light Protocol: White (May be shared in public forums)

• Electrical or electronic parts or systems installed in road vehicles

Traffic Light Protocol: White (May be shared in public forums)

FIGURE 2. SAMPLE SECURITY ASSESSMENTS DURING PRODUCT DEVELOPMENT CYCLE

Traffic Light Protocol: White (May be shared in public forums)

In addition to threat monitoring and vulnerability management activities a manufacturer can

2.3 ROLES AND RESPONSIBILITIES

Traffic Light Protocol: White (May be shared in public forums)

Responsibilities may include:

Traffic Light Protocol: White (May be shared in public forums)

Responsibilities may include:

Responsibilities may include:

Traffic Light Protocol: White (May be shared in public forums)

Responsibilities may include:

Responsibilities may include:

Responsibilities may include:

Traffic Light Protocol: White (May be shared in public forums)

▪ Report any identified implementation risks (e.g. vulnerable third-party software

Responsibilities may include:

Traffic Light Protocol: White (May be shared in public forums)

TABLE 1. AN EXAMPLE OF A RASIC CHART TO SHOW INTERACTION BETWEEN VEHICLE CYBER

Traffic Light Protocol: White (May be shared in public forums)

TABLE 2. AN EXAMPLE RASIC CHART WITH DESIGN TEAM RESPONSIBLE

2.4 RISK LIFECYCLE

Traffic Light Protocol: White (May be shared in public forums)

2.5 RISK TOLERANCE

Traffic Light Protocol: White (May be shared in public forums)

FIGURE 3. EXAMPLE OF NARROWING RISK TOLERANCES

FIGURE 4. EXAMPLE OF CONSISTENT RISK TOLERANCES

Traffic Light Protocol: White (May be shared in public forums)

2.6 EVALUATION OF RESULTS AND RISK TREATMENT

Traffic Light Protocol: White (May be shared in public forums)

Safety Privacy Compliance Financial Functional Nuisance Brand

Acceptable Measured Unacceptable

FIGURE 5. EXAMPLE RISK TOLERANCE CHART

• Contain (imminent threat)

Traffic Light Protocol: White (May be shared in public forums)

• Accept and Monitor (also called “measure”, see graphics)

2.7 COMMUNICATING RISK TO LEADERSHIP AND STAKEHOLDERS

Traffic Light Protocol: White (May be shared in public forums)