Air Traffic Management - Information security for organisations supporting civil aviation operations

This document provides guidance based on EN ISO/IEC 27002:2017 applied to organisations supporting civil aviation, with a focus on air traffic management operations.
This includes, but is not limited to, airspace users, airports and air navigation service providers.
Activities of these organisations that have no impact on the security of civil aviation operations, for example airport retail and service business and corporate real estate management, are not included.
The basis of all guidance in this document is trust and cooperation between the parties involved in Air Traffic Management.

Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der Zivilluftfahrt

This document contains guidelines based on EN ISO/IEC 27002:2017 that are applied to organisations supporting civil aviation, with a focus on air traffic management operations.
This concerns airspace users, airports and air navigation service providers, but is not limited to them.
Activities of the organisations that have no effect on the security of civil aviation operations, such as retail and service businesses at airports and corporate real estate management, are outside the scope.
The basis for all guidelines in this document is trust and cooperation between the parties involved in air traffic management.

Gestion du trafic aérien - Sécurité de l'information pour les organismes assurant le soutien des opérations de l'aviation civile

This European Standard defines the guidelines and general principles for implementing an information security management system in organisations supporting civil aviation operations.
Activities of organisations that have no impact on the security of civil aviation activities, such as the management of retail outlets, airport service activities and corporate real estate, are not included.
For the purposes of this European Standard, air traffic management is seen as a functional expression covering the responsibilities of all partners in the air traffic value chain. This includes, but is not limited to, airspace users, airports and air navigation service providers.
All requirements of this European Standard are based on trust and cooperation between the parties involved in air traffic management.

Upravljanje zračnega prometa - Varnost informacij za organizacije na področju dejavnosti civilnega letalstva

This European Standard specifies guidelines and general principles for implementing an information security management system in organisations in the field of civil aviation activities.
It does not include activities of organisations that do not affect the security of civil aviation activities, such as airport retail, service activities and corporate real estate management.
For the purposes of this European Standard, air traffic management is treated as a functional term covering the responsibilities of all partners in the air traffic value chain. This includes, among others, airspace users, airports and air navigation providers.
The basis of all requirements of this European Standard is trust and cooperation between the parties involved and the air traffic manager.

General Information

Current Stage: 9060 - Closure of 2 Year Review Enquiry - Review Enquiry


Standards Content (Sample)

SIST EN 16495:2014
Upravljanje zračnega prometa - Varnost informacij za organizacije na področju dejavnosti civilnega letalstva
Air Traffic Management - Information security for organisations supporting civil aviation operations
Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der Zivilluftfahrt
Gestion du trafic aérien - Sécurité de l'information pour les organismes assurant le soutien des opérations de l'aviation civile
This Slovenian standard is identical to: EN 16495:2019
ICS: 03.220.50 Air transport
ICS: 35.240.60 IT applications in transport
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EN 16495
July 2019
ICS 03.100.70; 03.220.50; 35.240.60 Supersedes EN 16495:2014
English Version
Air Traffic Management - Information security for organisations supporting civil aviation operations
Gestion du trafic aérien - Sécurité de l'information pour les organismes assurant le soutien des opérations de l'aviation civile
Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der Zivilluftfahrt
This European Standard was approved by CEN on 12 May 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.


CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 16495:2019 E

Contents Page
European foreword . 7
Introduction . 8
1 Scope . 9
2 Normative references . 9
3 Terms, definitions and abbreviations . 9
3.1 Terms and definitions . 9
3.2 Abbreviations . 10
4 Aviation specific requirements related to EN ISO/IEC 27001:2017 . 11
4.1 Structure of this European Standard . 11
4.2 Refinement of EN ISO/IEC 27001:2017 requirements . 11
5 Information Security policies . 11
5.1 Management direction for Information security . 11
5.1.1 Policies for information security . 11
5.1.2 Review of the policies for information security . 11
6 Organization of information security . 11
6.1 Internal organization . 11
6.1.1 Information security roles and responsibilities . 11
6.1.2 Segregation of duties . 12
6.1.3 Contact with authorities . 12
6.1.4 Contact with special interest groups . 12
6.1.5 Information security in project management . 12
6.2 Mobile devices and teleworking . 12
7 Human resources security . 12
7.1 Prior to employment . 12
7.1.1 Screening . 12
7.1.2 Terms and conditions of employment . 13
7.2 During employment . 13
7.2.1 Management responsibilities . 13
7.2.2 Information security awareness, education and training . 13
7.2.3 Disciplinary process . 13
7.3 Termination and change of employment . 13
8 Asset management . 13
8.1 Responsibility for assets . 13
8.1.1 Inventory of assets . 13
8.1.2 Ownership of assets . 13
8.1.3 Acceptable use of assets . 13
8.1.4 Return of assets . 14
8.2 Information classification . 14
8.2.1 Classification of information . 14
8.2.2 Labelling of information . 14
8.2.3 Handling of assets . 14
8.3 Media Handling . 14
9 Access control . 14
9.1 Business requirement for access control . 14
9.2 User access management . 14
9.2.1 User registration and de-registration . 14
9.2.2 User access provisioning . 15
9.2.3 Management of privileged access rights . 15
9.2.4 Management of secret authentication information of users. 15
9.2.5 Review of user access rights . 15
9.2.6 Removal or adjustment of access rights . 15
9.2.7 Digital Identity Management . 15
9.2.8 Unique representation of entities across organisations . 16
9.3 User responsibilities . 16
9.4 System and application access control . 16
9.4.1 Information access restriction . 16
9.4.2 Secure log-on procedures . 16
9.4.3 Password management system . 16
9.4.4 Use of privileged utility programs . 16
9.4.5 Access control to program source code . 16
9.4.6 Web Application Firewalls . 16
10 Cryptography . 17
10.1 Cryptographic controls . 17
10.1.1 Policy on the use of cryptographic controls . 17
10.1.2 Key management . 17
11 Physical and environmental security . 17
11.1 Secure areas . 17
11.1.1 Physical security perimeter . 17
11.1.2 Physical entry controls . 18
11.1.3 Securing offices, rooms, and facilities . 18
11.1.4 Protecting against external and environmental threats . 18
11.1.5 Working in secure areas . 18
11.1.6 Delivery and loading areas. 18
11.2 Equipment . 18
11.2.1 Equipment siting and protection . 18
11.2.2 Supporting utilities . 18
11.2.3 Cabling security .

