Managing Information Security: EASA Part-IS PDF
This document provides an introduction to EASA Part-IS, focusing on managing information security risks in aviation operations. It explains the need for an Information Security Management System (ISMS) and its benefits, as well as outlining the risks and considerations for safety-critical environments. The document emphasizes a structured approach to identifying threats and implementing security measures.
Managing Your Information Security: An Introduction to EASA Part-IS

The Digital Frontier

Aviation's threat landscape is changing. A symbol of technological progress, aviation is moving further into a new digital realm that will see its ecosystem more digitised and interconnected than ever before (Fig. 1). However, the safety benefits of digitisation cut both ways. Whilst technological innovation in aviation safety systems may drastically improve their operation, it also broadens existing attack surfaces and introduces new ones which can be used to compromise them. Therefore, the time has come for aviation organisations to focus on managing the information security risks that have an impact on the safety of their operations. To achieve this, organisations must establish and implement an Information Security Management System (ISMS) to ensure the security of their safety-critical assets and of the information used for their operation.

The European Union Aviation Safety Agency (EASA) has a new regulation, Part-IS, which requires aviation organisations in scope to establish and implement an ISMS to manage the information security risks that have an impact on aviation safety. Moreover, the regulation also requires them to identify information security incidents, and to respond to and recover from them in a way that minimises the potential impact on safety.

The Information Security Management System (ISMS)

An ISMS is a structured and organised way for organisations to identify the threats that their critical systems face and to implement proportionate measures to protect them from being attacked, or at least to limit or prevent the impact of such attacks. Nearly all aviation organisations are accustomed to having a Safety Management System (SMS), another structured approach to managing safety risks in a way that prevents accidents and incidents. In effect, the objectives of an SMS and an ISMS are the same: both aim to manage risks that threaten aviation safety.
An SMS focuses on the operational safety threats of flight operations and maintenance processes, amongst other aviation activities. In contrast, an ISMS focuses on information security threats that could have an adverse impact on the confidentiality, integrity, and availability of systems and data. Depending on its risk management approach, an organisation may decide to integrate an ISMS within its existing SMS, or to create a separate ISMS entirely. However, the end goal of ensuring safety is the same and must be achieved to ensure regulatory compliance.

Establishing and Implementing an ISMS / A Breakdown of the ISMS

After gaining the support of senior management and the accountable manager, defining organisational information security objectives, and establishing the various policies and procedures that govern the ISMS, the organisation must then assess its risks. By identifying its safety-critical assets, it can start to look at what threats these assets may face, determine how likely those threats are to become a fully-fledged attack, and establish what impact such an attack may have on safety. The results of the risk assessment process will tell the organisation which assets face the most risk and, in turn, are to be prioritised and protected using a risk-proportionate set of security measures or controls.

Security controls vary and are commonly categorised as 'Administrative' or 'Technical'. The former involve the creation of policies and procedures that are either general or system-specific; these documents define the rules that help meet information security objectives and protect critical assets. The latter are security measures that use technological tools to protect data, systems, and networks from security threats. Such measures, including logical access control, use of encryption, secure configuration of systems, and failover for high availability, must be efficient and monitored for effectiveness.
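The risk assessment and prioritisation step described above can be made concrete with a small risk register. The following is an added illustration, not code from the original article or from EASA: it models each threat against a safety-critical asset with a likelihood and a safety impact, scores it before and after the controls already applied, and ranks the register so that the organisation can see where proportionate effort belongs. The 5x5 scoring scale, the control tiers, the assumed likelihood reduction per control, and the sample assets and threats are all constructed for this example; Part-IS does not prescribe a particular scoring method.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed scales for illustration only. Part-IS does not mandate a scoring
# method; an organisation defines its own in its ISMS risk assessment procedure.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SAFETY_IMPACT = {"negligible": 1, "minor": 2, "major": 3, "hazardous": 4, "catastrophic": 5}


@dataclass
class Control:
    name: str
    kind: str                   # "administrative" or "technical", as categorised in the article
    likelihood_reduction: int   # assumed effect: steps removed from the likelihood scale


@dataclass
class Threat:
    asset: str                  # the safety-critical asset the threat applies to
    description: str
    likelihood: str             # key of LIKELIHOOD
    safety_impact: str          # key of SAFETY_IMPACT
    controls: list[Control] = field(default_factory=list)


def inherent_score(t: Threat) -> int:
    """Risk before any control is considered."""
    return LIKELIHOOD[t.likelihood] * SAFETY_IMPACT[t.safety_impact]


def residual_score(t: Threat) -> int:
    """Risk after applied controls; controls lower likelihood, never the safety impact."""
    reduction = sum(c.likelihood_reduction for c in t.controls)
    likelihood = max(1, LIKELIHOOD[t.likelihood] - reduction)
    return likelihood * SAFETY_IMPACT[t.safety_impact]


def control_tier(score: int) -> str:
    """Assumed bands mapping a residual score to a proportionate level of effort."""
    if score >= 15:
        return "priority"
    if score >= 8:
        return "enhanced"
    return "baseline"


def prioritised_register(threats: list[Threat]) -> list[Threat]:
    """Highest residual risk first; ties broken by safety impact so safety dominates."""
    return sorted(threats, key=lambda t: (-residual_score(t), -SAFETY_IMPACT[t.safety_impact]))


def summarise(threats: list[Threat]) -> list[tuple[str, int, int, str]]:
    """(asset, inherent, residual, tier) rows in priority order, for reporting to management."""
    return [(t.asset, inherent_score(t), residual_score(t), control_tier(residual_score(t)))
            for t in prioritised_register(threats)]


def build_example_register() -> list[Threat]:
    # Constructed sample assets, threats and controls; not taken from any real organisation.
    return [
        Threat("maintenance records system",
               "unauthorised modification of release-to-service data",
               "possible", "hazardous",
               [Control("role-based access control", "technical", 1)]),
        Threat("flight planning tool",
               "loss of the weather data feed",
               "likely", "major",
               [Control("failover to secondary feed", "technical", 2)]),
        Threat("crew rostering portal",
               "credential phishing against schedulers",
               "likely", "minor", []),
    ]


if __name__ == "__main__":
    for asset, inherent, residual, tier in summarise(build_example_register()):
        print(f"{asset:28} inherent={inherent:2} residual={residual:2} -> {tier}")
```

Re-running `summarise` after a control is added or a likelihood is re-estimated is the "re-evaluating existing risks" loop the article calls for; the register is the artefact an internal audit would check against the controls actually in place.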
No matter how many measures an organisation puts in place, it can never guarantee complete security. It will face security incidents whose outcomes may threaten the safety of its operations, and these therefore also need to be dealt with in a structured and coordinated manner. Organisations need to prepare for any security incidents that threaten the confidentiality, integrity, and availability of their safety-critical systems and data. Through proper incident response and recovery planning, they can minimise the safety impacts of these incidents and keep their most safety-critical operations going.

Managing an ISMS is an ongoing process; ensuring its continual improvement is essential. Identifying areas of improvement and re-evaluating existing risks is a vital component of the ISMS, and is what keeps it ahead of evolving threats. Continual improvement ensures that the ISMS remains relevant to the organisation it is protecting and to the threats it is protecting against. By monitoring the performance of the ISMS, undertaking internal audits, and reviewing requirements, organisations can ensure that it remains effective, adaptive to their needs, and reflective of their threat landscape.

The Benefits of an Aviation ISMS

There are many benefits that organisations can capitalise on when implementing an ISMS. Being able to prioritise its risk mitigation efforts, an organisation can allocate its resources where they are needed most and anticipate possible impacts on safety. Ensuring the safety of operations is an uncompromisable responsibility that, aside from safeguarding human life, ensures that the industry retains its already high reputation for safety, something critical for its survival. Whilst an ISMS may be seen as a costly burden, an organisation will truly reap the financial benefits when something bad happens. The economic impact of cyber attacks on organisations may include high penalties, as well as legal costs.
However, these costs are still incomparable when safety is on the line.

Moving Forward

Technology is evolving, and so are the digital threats surrounding it. The aviation industry, to keep enjoying its already high level of safety, needs to adapt its risk management process to start considering the new information security threats to the systems it relies on to ensure the safety of its operations. To further highlight the necessity of such an ISMS, EASA's Part-IS regulation has made it mandatory to implement. By appreciating the benefits that an ISMS brings them, organisations can move forward in this new digital age, effectively managing their security in order to ensure safety. Proactively and continuously assessing their risks, both internal and external, together with effective incident response, will put organisations at the forefront of protecting against the adverse security effects of technological innovation.