Professional Documents
Culture Documents
PDF Risk Assessment and Management Auto Isac Ebook Full Chapter
PDF Risk Assessment and Management Auto Isac Ebook Full Chapter
Auto-Isac
Visit to download the full and correct content document:
https://textbookfull.com/product/risk-assessment-and-management-auto-isac/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
https://textbookfull.com/product/awareness-and-training-auto-
isac/
https://textbookfull.com/product/security-development-lifecycle-
auto-isac/
https://textbookfull.com/product/nanotoxicology-toxicity-
evaluation-risk-assessment-and-management-first-edition-dasgupta/
https://textbookfull.com/product/natech-risk-assessment-and-
management-reducing-the-risk-of-natural-hazard-impact-on-
hazardous-installations-elisabeth-krausmann/
A Clinician s Guide to Suicide Risk Assessment and
Management 1st Edition Joseph Sadek
https://textbookfull.com/product/a-clinician-s-guide-to-suicide-
risk-assessment-and-management-1st-edition-joseph-sadek/
https://textbookfull.com/product/the-gower-handbook-of-extreme-
risk-assessment-perception-and-management-of-extreme-events-
vicki-bier/
https://textbookfull.com/product/strategic-security-management-a-
risk-assessment-guide-for-decision-makers-2nd-edition-karim-
vellani/
https://textbookfull.com/product/winning-with-risk-management-
financial-engineering-and-risk-management-volume-2-1st-edition-
russell-walker/
https://textbookfull.com/product/fundamentals-of-risk-management-
understanding-evaluating-and-implementing-effective-risk-
management-4th-edition-paul-hopkin/
RISK ASSESSMENT AND MANAGEMENT
AUTO-ISAC
AUTOMOTIVE CYBERSECURITY BEST PRACTICES
RISK ASSESSMENT
AND MANAGEMENT
Best Practice Guide
Version 2.3
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Version History
This is a living document, which will be periodically updated under the direction of the Auto-ISAC
Best Practices Working Group. We will track any updates in the table below.
Version Notes:
This Guide does not prescribe or require specific technical or organizational practices.
i These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Contents
Version History ............................................................................................................................... i
1.0 Introduction ............................................................................................................................. 1
1.1 Best Practices Overview ................................................................................................... 1
1.2 Purpose ............................................................................................................................. 1
1.3 Scope ................................................................................................................................ 1
1.4 Audience ........................................................................................................................... 2
1.5 Authority and Guide Development .................................................................................... 2
1.6 Governance and Maintenance .......................................................................................... 2
2.0 Best Practices ......................................................................................................................... 3
2.1 Scope and Requirements.................................................................................................. 3
2.2 Coverage........................................................................................................................... 4
2.2.1 Design ...................................................................................................................... 4
2.2.2 Implementation and Integration ................................................................................ 5
2.2.3 Testing ..................................................................................................................... 5
2.2.4 Production ................................................................................................................ 5
2.2.5 Aftersales ................................................................................................................. 6
2.3 Roles and Responsibilities ................................................................................................ 6
2.4 Risk Lifecycle .................................................................................................................. 12
2.5 Risk Tolerance ................................................................................................................ 13
2.6 Evaluation of Results and Risk Treatment ...................................................................... 15
2.7 Communicating Risk to Leadership and Stakeholders ................................................... 17
2.8 Governance and Compliance.......................................................................................... 18
Appendix A: Glossary of Terms .................................................................................................... 1
Appendix B: Additional References and Resources ..................................................................... 3
Appendix C: Sample Risk Scoring Frameworks ........................................................................... 4
Appendix D: Acronyms ................................................................................................................. 5
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
ii Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
)
1.0 Introduction
1.1 BEST PRACTICES OVERVIEW
This Best Practice Guide is one in a series of seven Guides intended to provide the automotive
industry with guidance on the Key Cybersecurity Functions defined in the Automotive
Cybersecurity Best Practices Executive Summary:
1. Incident Response
2. Collaboration and Engagement with Appropriate Third Parties
3. Governance
4. Risk Assessment and Management
5. Awareness and Training
6. Threat Detection, Monitoring and Analysis
7. Security Development Lifecycle
Guides offer greater detail to complement the high-level Executive Summary. This Guide aligns
with the “Risk Assessment and Management” function and is made available for use by
companies, as appropriate for their unique systems, processes, and risks.
1.2 PURPOSE
The purpose of this Guide is to assist automotive industry stakeholders in integrating vehicle
cybersecurity risk management into their overall corporate risk management structure (e.g. based
on ISO 31000:2009 family or COSO 2017 Enterprise Risk Management Framework). This Guide
assumes that organizations already have a risk management strategy in place.
This Guide provides forward-looking guidance without being prescriptive or restrictive. These best
practices are:
• Not Required. Companies have autonomy and can decide which of these practices to
select and can adopt these practices based on their respective risk landscapes and
organizational structures.
• Aspirational. These practices are forward-looking and voluntarily implemented over time,
as appropriate.
• Living. Auto-ISAC plans to periodically update this Guide to adapt to the evolving
automotive cybersecurity landscape.
1.3 SCOPE
This Guide describes key considerations for companies around vehicle cybersecurity risk
management efforts. It contains best practices and implementation guidance for companies to
integrate, evaluate and remediate cyber risk assessments throughout the product development
lifecycle. These are voluntary, non-prescriptive, aspirational practices, which companies may use
to determine an appropriate approach for their unique risk landscape.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
1 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
The scope of the guide covers all phases of the vehicle lifecycle, including design, development,
and post-production. These phases are described in Figure 1 below.
1.4 AUDIENCE
This Guide was written for use by light-duty and heavy-duty vehicle OEMs, light-duty and heavy-
duty vehicle suppliers, and commercial vehicle companies (e.g. fleets, carriers). It may also
provide insights for other stakeholders across the connected vehicle ecosystem.
Within these organizations, the primary audience is vehicle cybersecurity managers, leaders, and
senior executives who are responsible for managing vehicle cybersecurity risk.
The Working Group also coordinated with several external stakeholders while developing this
Guide, including Auto Alliance, Global Automakers, National Highway Traffic Safety
Administration (NHTSA), National Institute of Standards and Technology (NIST), International
Organization for Standardization (ISO), and SAE International (SAE).
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
2 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
This Guide will be rolled out in phases and marked accordingly with the appropriate Traffic Light
Protocol (TLP) classification:
• First 3 months after publication: TLP Amber - available exclusively to Auto-ISAC Members
• 3 to 9 months after publication: TLP Green - released by request to industry stakeholders
• 9 months after publication: TLP White - released to the public via the Auto-ISAC website
(www.automotiveisac.com), subject to Board of Directors confirmation
This Guide was developed while the ISO and SAE were in the process of jointly developing the
ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering Standard. After ISO/SAE 21434 is
published, the Standing Committee plans to review and update this Guide, if required.
This Guide does not prescribe or require specific technical or organizational practices.
3 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
The cyber risk management process may be tailored throughout the development cycle (see
Section 2.2 Coverage), and the levels of acceptable risk may change throughout the lifecycle as
well (see Section
2.4 Risk LIFECYCLE).
Products, components or systems that may be considered for a cyber risk assessment include all
products that may impact vehicle cybersecurity, which may include the following:
2.2 COVERAGE
An effective cyber risk management process can be based on various types of assessments
performed during certain states of a vehicle or product’s entire lifecycle and will support the
identification of cybersecurity risks.
The vehicle or product lifecycle may consist of several milestones and phases involving different
stakeholders within an automotive company. If the company uses the well-known waterfall or V
model for its development lifecycles, significant milestones may include the follow phases:
• Design
• Implementation and Integration
• Testing
• Production
• Aftersales
During these different phases, different types of security assessments can be performed along
the waterfall model, as well as after product deployment, as shown in the following figure:
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
4 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Some products use different development methodologies. Consider the following example:
Mobile applications are often developed in shorter lifecycles (i.e. in an agile style and thus do not
necessarily follow the V model). In this case, it is generally important to define synchronous
security milestones reflecting that the vehicle or product’s functionality has reached its necessary
maturity and that connected functions can be tested together with mobile applications. During the
final stages of development, unanticipated vulnerabilities are likely to be identified. It is therefore
helpful to have budgeted sufficient time in the planning stages for the remediation of identified
risks.
2.2.3 Testing
During the planning phase and before implementation, it is important to introduce several
milestones which ensure that the product’s maturity is in a state where security is testable.
Penetration tests, security code scanning, and other functional security tests can be planned
according to these milestones. The planning of the security testing milestones in the testing phase
typically considers the time to remediate identified vulnerabilities and the remaining length of the
development phase. It might prove useful to rate identified vulnerabilities with a risk rating
methodology and prioritize remediation based on that. Vulnerabilities which might not be quickly
fixed, as well as newly identified weaknesses, could then be treated by the aftersales vehicle
cyber risk management process.
This Guide does not prescribe or require specific technical or organizational practices.
5 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
2.2.4 Production
A company may consider performing a security approval at the end of the testing phase to check
product security, and if possible, audit the implementation of security requirements. This security
approval may have the added benefit of raising security awareness within the company, as well
as leading to a natural understanding of security-related tests by involved development
departments. The outcome of this approval may be reflected to the design process to lead to long-
term security improvements and a security-minded culture.
It is important that production cybersecurity risk management not end with the production security
approval. Maintaining a focus on security throughout production helps to manage the risk
landscape. Cybersecurity quality checks often are performed to ensure that the security
measures are being implemented correctly and no unauthorized changes are applied. Production
approved changes can go through a similar, if not the same, risk assessments as were done
during development. Additionally, supply chain risk can be assessed and managed throughout
the production life of the product.
2.2.5 Aftersales
After a product’s market launch, it is useful to have threat monitoring in place, which helps to
identify new trends in the threat landscape (e.g. in the hacker scene, potential emerging attack
vectors, newly discovered vulnerabilities, cybersecurity incidents). To achieve long-term
cybersecurity product improvements, the cyber risk assessment team can be informed about
newly identified attack vectors and the organization’s cyber risk protection goals may be
continuously updated. Over-the-air updates may introduce new features or be helpful in
remediating vulnerabilities or neutralizing potential threats of already deployed vehicles. An over-
the-air update also typically is subject to appropriate assessments (e.g. through paper analysis
and/or penetration tests and code audits).
The structure and membership of product cybersecurity teams can vary significantly across
companies based on factors including the cultures, organizational structures, and personnel
within each company. There is no single correct way to allocate roles and responsibilities. Instead,
each company properly can allocate roles and responsibilities in the way that makes most sense
in the contexts of their own businesses. Here we offer one example of how a company might
allocate responsibilities for risk management within one example cybersecurity product team
structure. The use of this example is not intended to suggest that it is preferable to other
approaches. For example, a company may choose to include different members or teams within
its risk management process or allocate responsibilities differently among the team members.
In the example provided here, the parties involved in the cyber risk management process are:
1. Cyber Leader
2. Product Cybersecurity Team, including Cyber Risk Managers and Cybersecurity
Analysts
3. Penetration Testing Team (Pen Testing Team)
4. Incident Response Team
5. Design Team including its Program Manager
6. Developers
7. An appropriate executive manager; (e.g. Director)
Organizations may consider the following roles and associated core responsibilities described
below.
1. In this example, the Cyber Leader is defined as the individual who is responsible for
leading efforts and managing the Product Cybersecurity Team, Penetration Testing
Team, and Vehicle Incident Response Team. The Cyber Leader is the facilitator of all
assessment results and has the job of communicating results to the interested
stakeholders.
This Guide does not prescribe or require specific technical or organizational practices.
7 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
2. The Product Cybersecurity Team is often referred to in the security domain as the “Blue
Team.” It typically consists of the individuals who perform the day-to-day cybersecurity
processes, including cyber risk assessments on concepts, as well as defining new
protection goals to counter the changing threat landscape. This team is typically
removed (organizationally) from the Design Teams to enable impartiality during all
assessments.
3. The Pen Testing Team is in the security domain referred to as the “Red Team” and is
defined as those individuals who perform penetration testing on vehicles, ECUs, or
functions. This team may be internal or external. Separation of the Pen Testing Team
from the Design Team supports impartiality. It can narrow down the practicability of
possible vehicle cyber-attacks and thus can rate the robustness of a product against
cyberattacks. The Pen Testing Team is also able to support the Incident Response team
in certain technical assessments.
4. The Incident Response Team is defined as the group who is responsible for technical
analysis of vehicle-related cyber incidents, rating discovered risks and handling incidents
by generating a corporate response.
This Guide does not prescribe or require specific technical or organizational practices.
9 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
7. The company’s Director makes business decisions that affect the product’s
cybersecurity. The Director receives briefs by the Cyber Leader to make best interest
decisions for the company.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
10 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
processes to check if these processes are complete, performed properly, and their results fulfill
the work quality standards as defined by the Cyber Leader.
Below are two examples in which the 2nd pair of eyes principle may be applied:
1. The Cyber Leader approves the last penetration test report regarding its scope and
identified vulnerabilities before vehicle deployment.
2. The Product Cybersecurity team approves compliance with cybersecurity policies of a
design concept for a new component.
Depending on the size, organization, and maturity of the cybersecurity team, it may be more
appropriate for the Design Team to take responsibility for the execution of the risk assessment,
while the Product Cybersecurity Team provides consulting oversight and responsibility for the
overall management. This scenario may be a more appropriate implementation for an OEM,
where the core technical expertise in understanding the details of the component design are held
by the Design Team. The Product Cybersecurity Team can provide counseling and cyber-specific
expertise, but the Design Team is typically responsible for compliance to the Product
Cybersecurity team’s policies or guidelines.
The RASIC tables below show examples of how an interaction between the roles described above
may be defined within a company with more responsibilities assigned to the Product
Cybersecurity Team as in Table 1 or more responsibilities assigned to the Design Team as in
Table 2:
This Guide does not prescribe or require specific technical or organizational practices.
11 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Frequency of review and updates is also subject to organizational security culture. A company or
product with a lower risk tolerance may be more sensitive to changes. For example, areas of
higher risk may continue to receive greater attention and updates than known lower risk areas.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
12 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
It is important to tailor requirements for your organization and risk tolerance and identify areas for
higher frequency in updating risk assessments. Possible triggers to consider may include:
• Changes in system architecture
• New functionality in the design
• Accumulation of residual risk
• New developments that could impact aged or previous projects
• Changes in perceived value of cybersecurity target
• Age of deployed technology
• Discovery of a new vulnerability or disclosure of an exploit
• New vulnerabilities, new threat actors, etc.
Changes in components, part number changes or physical hardware changes may lead to a
decision to undertake a new or updated cyber risk assessment. A change analysis may be
conducted to determine if a new risk assessment is required only on the changes, or an update
can be completed on the original assessment. It may be possible to create cascading risk
assessments, as needed. The following events can be evaluated for consideration of a new
(versus updated) risk assessment:
• Small component design change
• Major component change
• Architecture change
• New functionality
• New attack paths
• New threats or incidents
This Guide does not prescribe or require specific technical or organizational practices.
13 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Tolerance for non-safety / non-privacy risks and communicate such EOL timing and potential
consequences to customers as many software and IoT manufacturers do.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
14 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Automotive companies may consider the following examples for risk categories concerning a
vehicle driver or other road users such as passengers, pedestrians, etc.:
• Safety Critical – Items that can directly affect the steering, braking or motion function of a
vehicle, or produce other imminent safety hazards or driver distractions.
• Privacy – Items that directly compromise the Personally Identifiable Information (PII) and
other personally sensitive automotive data on-board the vehicle affecting users or the
vehicle.
• Functional – Items that would impair or interfere with the functional operation of non-
safety critical components.
• Nuisance – Items that could interfere with a user’s experience but does not impede the
function or safe operation of the product.
Some examples of product cybersecurity risk categories that affect automotive companies but not
directly affect vehicle drivers may include:
• Financial – Items that could lead to financial losses of the user or commercial entities.
• Brand – Items related to the cybersecurity of a specific product that might affect the
reputation of a product, brand, or corporation.
• Compliance – Items that would render the product non-compliant with applicable laws.
Compliance risks may also be treated by corporate risk management and avoided in the
product development process. However, there might be cybersecurity events, which may
have effect on already deployed vehicles and threaten their compliance with regulations.
Each category of risk can have a risk tolerance range based on a scoring system that ranges from
acceptable to unacceptable. Risks that fall within the tolerance range can be judged on how
factors such as effectiveness, cost and complexity of treatment measure up against the potential
severity and likelihood of an incident. An example risk tolerance chart is shown below:
This Guide does not prescribe or require specific technical or organizational practices.
15 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
• Avoid
o Actions are taken to eliminate the risk before countermeasure actions need to be
considered
o Avoid the activity or condition that introduces the risk by choosing an alternative,
less risky activity or approach that meets business objectives
o Avoidance can be a technical as well as non-technical treatment (e.g. update
operation manual, disclaimers, or Terms and Conditions (T&C’s))
• Transfer
o Certain risks may be transferred to other entities (e.g. when a company is insuring
against loss in the case of an event)
• Board of Directors
• Drivers (e.g. Customer Relations)
• Dealers and affiliates
• Information technology
• Legal
• Product development
• Product security
• Public relations
• Quality assurance
• Research and engineering
• Risk management
• Regulatory affairs
• Senior executives (e.g. CEO, CIO, CRO, CISO)
When communicating vehicle cybersecurity risks across the organization, key points of emphasis
include:
• Impact – What is the impact to customers? What is the potential or actual consequence
to the business?
• Likelihood – What is the probability of exploitation? Is the threat event realistic? What
special expertise or equipment is required? How close do adversaries need to be to
vehicles? What are the attack vectors?
• Treatment – What are the costs, and implementation timelines of risk treatment options?
Is the risk acceptable without mitigation?
This Guide does not prescribe or require specific technical or organizational practices.
17 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
• Risk management – What is the risk management policy? What are the roles and
responsibilities that fall under risk management?
When communicating risks outside of the company (e.g. to city infrastructure planners,
consumers, operators, other manufacturers/ suppliers), it’s often helpful to clarify the risk definition
upfront to avoid miscommunication or misunderstanding. It is also helpful to clearly communicate
with non-technical business stakeholders using non-technical terminology to help them compare
vehicle cybersecurity risks to other more traditional enterprise risks with which they are more
familiar. Proper risk communication mechanisms can avoid unnecessary or uncontrolled external
communications, which can impact company reputation.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
18 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
The audit results may be reviewed for any opportunities for improvement to the Risk Assessment
process. This includes reviewing reported risks and updating risk ranges identified in this
document to accurately reflect the current corporate risk tolerance, if needed. This may also feed
back into the Risk Assessment methodology or management documents, including opportunities
for clarity or refinement.
Staying current with industry standards and published best practices can help keep the Risk
Methodology relevant. For example, a company may stay aware of internal and external changes
that may impact a risk assessment, which may include changes to the product, systems or
interfaces within the vehicle ecosystem, or industry evolution. It may sometimes be appropriate
to deep-dive into the current processes and documentation to conduct a periodic review of the
published content for relevancy to the current business or technology. Willingness to adjust to
changes is important to remain relevant – internal changes in the organization, changes to the
product, systems, interfaces, or external industry evolution may all have significant impact on the
cyber risk assessment and evaluation process.
This Guide does not prescribe or require specific technical or organizational practices.
19 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
TERM DEFINITION
A path or means by which a threat actor can gain access to the networks or
Attack Vector
assets to deliver a malicious outcome.
The process of planning, organizing, leading, and influencing the activities of
Enterprise Risk
an organization to minimize the effects of risk on an organization's capital and
Management (ERM)
earnings. ERM covers financial, strategic, operational, cyber and other risks.
Estimate of magnitude of harm to stakeholders originating from a threat and/or
Impact
attack
An occurrence that actually or potentially results in adverse consequences to a
vehicle, connected infrastructure, or information that the vehicle processes,
Incident
stores, or transmits and that may require a response action to mitigate the
consequences.
The risk that an event would pose if no controls or other mitigating factors
Inherent Risk
were in place (the gross risk or risk before controls).
The practice of testing a system, network or application to find vulnerabilities
Penetration Testing
that a threat actor could exploit.
Post-Production Vehicles that have been produced and sold to a dealer or end customer and
Product are outside the OEM’s ownership.
A quantitative and qualitative measuring process of risk based on a
Risk Scoring framework, which assigns a score to the risk according to a hierarchical
grading system.
The risk that remains after security controls are taken into account (the net risk
Residual Risk
or risk after controls).
An evaluation of a company’s risks, including the number of risks, type of risk,
Risk Profile
and potential effects of risks.
The threshold of risk that an organization or individual is willing to accept
Risk Tolerance
without some form of response.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
1 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Vulnerability Weakness of an asset or control that can be exploited by one or more threats.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
2 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
This Guide does not prescribe or require specific technical or organizational practices.
3 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
This Appendix includes sample risk scoring frameworks. Note that companies may choose to use
a wide range of frameworks, including those that differ substantially from the examples provided
here.
Sample Vehicle Cybersecurity Risk Scoring Framework #1
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
4 Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
Appendix D: Acronyms
Auto-ISAC Automotive Information Sharing and Analysis Center
IT Information Technology
OTA Over-the-Air
This Guide does not prescribe or require specific technical or organizational practices.
5 These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
RISK ASSESSMENT AND MANAGEMENT
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
6 Please see Section 1.2 for more information.
Another random document with
no related content on Scribd:
out of service, he was selected, probably on account of his familiarity
with colonial affairs, to receive the surrender of New York and its
dependencies, in accordance with the treaty of peace. The territory
thus recovered had been granted by Charles II., at the time of its first
seizure in 1664, to his brother, the Duke of York; and Andros, who
must have been personally known to them both, was now appointed
lieutenant-governor of the palatine province. His commission bears
111
date of July 1, 1674. He was well fitted for the position. His
residence in Holland had made him familiar with the people with
whom he was chiefly to deal, and his acquaintance with American
affairs stood him in good stead in matters of general policy, as his
administration soon disclosed; while his connection with the court
and with the royal family enabled him to act as a confidential agent
of the Duke. He arrived in New York in November accompanied by
his wife, and after some formalities entered upon his government.
His treatment of the conquered Dutch was marked with great tact
and judgment, and rarely has the transfer of a colony of one nation
to the rule of another been effected with so little friction or
112
disturbance.
In regard to the serious problem of the treatment of the Indians
he was far-sighted enough to continue the wise and judicious policy
of his predecessors in regard to the powerful and dangerous
confederation of the Iroquois or Five Nations. The importance of this
can hardly be over-estimated in its bearing upon the subsequent
history of the country. It is true that this policy was not original with
him; he took it as a legacy from the Dutch in 1674, as Nicolls had
done ten years before; but it may be said that the honest and
judicious administration of Indian affairs did much to save the
English colonies from being wiped out of existence by a general
113
Indian war. If the Iroquois had been roused to go on the war-path,
as were the unfortunate Indians of New England, it is hard to see
what could have saved the scattered settlements. And again, if
Andros, by a tortuous and deceitful policy like that of the United
Colonies towards the New England Indians, had thrown the Iroquois
into the arms of the French, who were only too anxious for
reconciliation with them, there is little probability that the valor of
Wolfe would ever have had a chance for success on the Plains of
Abraham.
As a provincial governor Andros made many enemies; but they
were mainly in the colonies lying adjacent to his own. The patent of
New York was very extensive, and covered territory which the
114
neighboring colonies claimed had been already ceded to them.
Connecticut had vague claims all the way to the South Sea, and had
been devoting its energies during the short space of its history to
edging along its frontier further and further to the westward, in spite
of the indignant protests of the Dutch. Settlements had been formed
on Long Island, which was undoubtedly beyond its limits. Now, the
dispute was between rival colonies of the same country; and
considering the uncertainty of the title of Connecticut, Andros must
be allowed to have acted with propriety and moderation. He
succeeded in making good the title of the Duke to Long Island and
Fisher’s Island, where the Connecticut authorities were attempting to
exercise jurisdiction; but the boundary line upon the mainland
remained an unsettled question even down to our own times. At
Saybrook, Andros did his duty in asserting formally his principal’s
claim, but was wise enough not to press a question which would
115
have caused great difficulties between the Colonies.
With the New Jersey settlers he had still more difficulty, as they
had various grants and patents from the Duke himself to plead for
their justification; but he pursued a straightforward course, standing
up, as he was bound to do, for the rights of his principal, unless they
could be legally shown to have been granted away. His passion for
regular and orderly business methods soon manifested itself, and his
letters reveal the indignation of a man of affairs at the utterly
116
unbusiness-like ways of the people with whom he had to do.
Besides his commission as Governor of New York, he had
undoubtedly private instructions as to how he should comport
himself towards his uneasy neighbors, the New England colonies.
He was anxious to keep on good terms with Connecticut, as New
York was largely dependent upon that colony for provisions; and his
letters to the Connecticut authorities are mostly of a friendly
character, though written in a tone of superiority which undoubtedly
gave serious offence. On hearing that the people of Hartford were
harboring one of the regicides, he addressed a very sharp letter to
the colonial authorities, to which they replied in a tone of injured
innocence, which is quite edifying, asking him for the names of those
117
who had so maligned their loyalty.
It was impossible for the Connecticut Republicans to realize the
profound horror which the execution of Charles had caused, and the
depth of the feeling of hatred and repugnance which the perpetrators
of that audacious act had inspired. Even after William and Mary were
on the throne, and James II. was an exile, it was found that a
regicide, of the character and position of Ludlow, dared not show
himself in England; and during the Restoration period the feeling was
intense. The act was regarded by the majority of Englishmen as
sacrilege, as well as murder, for it had destroyed not only what was
called the sacred majesty of the king, but the sacred majesty of the
legal government. To Andros the news that Goffe and Whalley were
escaping justice by the connivance of the authorities was horrible,
and must have suggested doubts, if he had not found them already,
of the policy of allowing men who would have been excluded from all
office in England to rule the king’s colonies in America.
A more serious difficulty arose with Massachusetts, whose
authorities had ventured to send commissioners to the Mohawks to
treat directly with them as an independent nation—an act at utter
variance with the policy of the Dutch and English, who regarded
them as under their authority, and which, therefore, was liable to
118
plunge the colony in war. The ostentatious assumption of
independence by the colony of Massachusetts, its claim to be free
from the laws of England, and the spirit displayed by many of its
leaders, which must have seemed seditious to the legal mind of
Andros, made it necessary for him to watch very carefully any affairs
in which they were concerned. His attitude brought upon him the
hostility of the colony, and its authorities asserted, and constantly
reiterated, the charge that it was at Albany, by his connivance, that
119
Philip’s Indians had procured supplies of arms.
This charge, naturally, was most offensive to the loyal spirit of
Andros, who had fretted a good deal under his forced inactivity in the
war; and he repeatedly denied it, challenging his accusers for proof
of their assertions, proof which they were absolutely unable to
supply. They continued, however, to insinuate this malicious
statement, and it was long believed by the people of Massachusetts,
and led undoubtedly to much of the hostility between them and
120
Andros during his subsequent rule in New England. In spite of
their aspersions, he continued steadily in his prudent policy, keeping
the Mohawks quiet on one side, and, by vigorous measures against
the Indians in Maine, protecting his personal enemies from inroads
121
upon the other. His government of New York was successful; the
country remained in peace; its quiet contrasted strongly with the
troubles in New England, and the revenues of the colony were
honestly collected and wisely administered. To those who hold the
commonly received opinion of Andros, it will seem strange to find
that he urged upon the Duke of York the desirability of allowing the
122
colonists the privileges of a representative assembly. In
November 1677, he returned to England on a leave of absence,
remaining there until May of the following year.
While in England he received the honor of knighthood, a sign
that his labors were appreciated, and gave, in the form of answers to
the inquiries of the Committee for Trade and Plantations, statements
in regard to American affairs which are of great value as exhibiting
the condition of the colonies, and especially of New York, at that
time. His replies about New England are such as we might expect
from a man of his character and position, and disclose no hostility.
He says: “The acts of trade and navigacon are sayed, & is
generally beleeved, not to be observed in ye Collonyes as they
ought”—a statement which is certainly moderate if not grammatical;
and also: “I doe not find but the generality of the Magistrates and
people are well affected to ye king and kingdome, but most, knowing
noe governmt then their owne, think it best, and are wedded and
oppiniate for it. And ye magistrates & others in place, chosen by the
people, think that they are oblidged to assert & maintain sd
Government all they cann, and are Church members, and like so to
be, chosen, and to continue without any considerable alteracon and
change there, and depend upon the people to justifie them in their
actings.” For a description of a puritan republic by a royalist and
123
churchman, this is remarkably fair and correct.
The last two years of his government in New York were vexed
with difficulties with some of the English merchants of the province,
who were probably pinched by Andros’s strict and methodical, and
possibly also narrow and literal, administration of the revenue laws.
He was openly accused by them, and by other discontented parties,
to the Duke of York as dishonest in his management of the revenue,
and was summoned home to answer to the charges. A special
commissioner, who was absurdly incompetent for the position, was
sent to investigate the accounts, and he took the side of the
124
merchants in his report. Andros, however, was able to answer
satisfactorily every charge against him, and boldly demanded a
thorough examination of all his acts as governor. He was examined
before Churchill and Jeffreys, neither of whom would have been
likely at that time to have let any one go free who had defrauded the
Duke, and they reported that Andros “had not misbehaved himself,
or broken the trust reposed in him by his royal highness in the
administration of his government, nor doth it appear that he hath
125
anyway defrauded or mismanaged his revenue.”
Though completely exonerated, he was not at this time
reinstated in the governorship, and the next five years of his life were
passed in England at court, where he obtained an honorable position
in the household, and in his estates in Guernsey, to which in 1684
the island of Alderney was added by royal grant at a rent of thirteen
126
shillings. In 1685 he received a military command once more, and
served in the campaign in the west of England against Monmouth;
and the silence of the enemies in regard to any acts of cruelty at this
time is a high tribute, for, if they had known of any, they would
127
undoubtedly have held him up for abhorrence as a persecutor.
Later in the year he was made lieutenant-colonel of the Princess
Anne of Denmark’s regiment of horse, under the command of the
Earl of Scarsdale.
The accession of James, under whom he had acted previously,
made it likely that Andros would again receive employment. In spite
of the fact that he was a devoted adherent of the Church of England,
the king, who was attempting to restore the Roman worship, gave
him his full confidence, and entrusted him with the work of carrying
out a project which had been for some time before the minds of the
colonial authorities in England—the consolidation of New England
into a single province. This was no new idea of James II., but had
been discussed for several years; and it was a plan that had much to
recommend it.
As early as 1678, the Lords of Trade and Plantations had been
brought to see the need of a general governor and a fit judicature in
the colonies, for the determining of differences; and in 1681
Culpepper had urged the project. A preliminary measure had been
adopted of appointing a general revenue officer for all the American
128
colonies, with the power of selecting his own subordinates. The
notorious Randolph, a man of strict honesty and probity of life, but
unable to see more than his own side of any question, was
appointed deputy surveyor-general over the New England colonies,
and devoted his energies to obtaining the forfeiture of the patent of
Massachusetts. The astuteness and bribery of the Massachusetts
agents were able to defer the evil day until the autumn of 1684,
129
when the charter was vacated. This left Massachusetts in the
hands of the crown; the next problem was to obtain the vacating of
the more regular charters of Connecticut and Rhode Island. Writs of
quo warranto were issued, and sent to the colonies respectively; and
the submission of Rhode Island, after some decent protests, was
130
obtained.
Andros was chosen by the king for the important post of
governor-general, not, as Palfrey insinuates, because he was
peculiarly disagreeable to Massachusetts, and so likely to carry out
the objects of the king; but because the king knew him personally,
and knew him to be a man of capacity and integrity. It is absurd to
suppose that James, who was an experienced man of business
himself, and more familiar with colonial affairs than any king of
England before or since, would have intentionally selected a man for
the purpose who would endanger the success of the undertaking.
Colonel Kirke, who had been actually designated as governor, had
been withdrawn as disagreeable to New England. It is unnecessary
here to enter into any arguments to show the advantage that would
have accrued to the colonies if this judicious plan had been
successful. New England might have been spared much wasteful
legislation and ruinous financial experiments, and would have been
joined together in one strong province, instead of being composed of
several weak and jealous colonies; the union, the benefits of which it
took the colonists so long to learn, would have been facilitated; and a
strong and united front would have been presented to the French,
who were beginning now to threaten the existence of the English
colonies. The Stuarts, it is true, were pensioners and allies of the
King of France in Europe, but in America they were his natural and
inevitable enemies; and James, who, unlike his brother, felt deeply
the shame of his vassalage to the French, was anxious to prevent
any extension of French power in America.
Andros arrived in Boston in December 1686, and was received
131
in a most loyal and even enthusiastic manner. A large portion of
the Massachusetts people had grown weary of the rule of the
oligarchy, and Andros was welcomed as bringing with him the
protection of English law. His government had been constituted in
detail in his commission, and he at once proceeded to organize it
and to levy the taxes necessary for its support. Deprived of the
representative assembly in which the semblance of free government
had been preserved, one of the towns attempted to resist the tax.
The leaders of the movement were tried fairly and legally, and were
132
fined and imprisoned for their attempt at resistance. After this no
attempts were made to dispute the laws of the new government, until
the revolution which overthrew all legal authority in the colony broke
out in 1689.
It was very important for Andros that the submission of
Connecticut should be obtained without conflict, as Massachusetts,
like New York, was largely dependent upon the neighboring colony
for food. The Connecticut authorities fenced and parried, interposed
delays, and showed themselves, as they always did, clever men of
business, exhibiting qualities that doubtless raised Governor Treat
and Secretary Allyn in Governor Andros’s estimation. Finally,
however, when further resistance was dangerous, a letter was sent
which could be construed either as a surrender or as not a
surrender, so that they might have a safe retreat in any case; and on
133
the strength of this letter Andros assumed the government. The
period that follows is sometimes described as the “usurpation,” but
there is nothing in the history of the times to give one the impression
that the government of Andros in Connecticut was not as regular and
legal a government as the colony ever had. If Andros had not been
overthrown in Massachusetts by a carefully-prepared rebellion,
which left the colonies without a governor, it is not likely that either
Connecticut or Rhode Island would have ventured to resume its
charter. Andros came to Connecticut in October 1687, travelling by
way of Providence and New London, and from New London across
country through what are now Salem, Colchester, and Glastonbury,
to the Rocky Hill ferry. He was attended by a “company of gentlemen
and grenadiers to the number of sixty or upwards,” and was met at
the ferry by a troop of horse “which conducted him honorably from
134
the ferry through Waterfield (Wethersfield) up to Hartford.” Of the
transactions at Hartford we have the dramatic story of local tradition,
the only proof of which was the existence of an oak tree said to have
been the receptacle of the charter. For this romantic story there is
absolutely no contemporary authority, and the details are very
improbable. The charter very possibly may have been concealed,
and very possibly in the Charter Oak, but the incidents of the familiar
135
story are, if known, not mentioned by any writers of the time. The
records of the colony contain simply the formal but expressive entry:
“His Excellency, Sr Edmund Andross, Knt., Capt. General & Govr of
his Maties Territorie and Dominion in New England, by order from his
Matie James the second, King of England, Scotland, France &
Ireland, the 31 of October, 1687, took into his hands the government
of this colony of Conecticott, it being by his Matie annexed to
Massachusets & other colonys under his Excelencies Goverment.
136
FINIS.”
Bulkeley, in the “Will and Doom,” relates that Andros was met at
Hartford by the trained bands of divers towns who united to pay him
their respects.