Air Traffic Management - Information security for organisations supporting civil aviation operations

This document provides guidance based on EN ISO/IEC 27002:2017 applied to organisations supporting civil aviation, with a focus on air traffic management operations.
This includes, but is not limited to, airspace users, airports and air navigation service providers.
Activities of these organisations that have no impact on the security of civil aviation operations, such as airport retail and service businesses or corporate real estate management, are not included.
The basis of all guidance in this document is trust and cooperation between the parties involved in Air Traffic Management.

Air Traffic Management - Information security for organisations in the field of civil aviation (German-language abstract)

This document provides guidance based on EN ISO/IEC 27002:2017, applied to organisations supporting civil aviation, with a focus on air traffic management operations.
This concerns airspace users, airports and air navigation service providers, but is not limited to them.
Not within scope are activities of the organisations that do not affect the security of civil aviation activities, such as retail and service businesses at airports and corporate real estate management.
The basis of all guidance in this document is trust and cooperation between the parties involved in air traffic management.

Air Traffic Management - Information security for organisations supporting civil aviation operations (French-language abstract)

This European Standard defines the guidelines and general principles for implementing an information security management system in organisations supporting civil aviation operations.
Activities of the organisations that have no impact on the security of civil aviation activities, such as the management of retail businesses, airport service activities and corporate real estate, are not included.
For the purposes of this European Standard, air traffic management is seen as a functional expression covering the responsibilities of all partners in the air traffic value chain. This includes, but is not limited to, airspace users, airports and air navigation service providers.
All requirements of this European Standard are based on trust and cooperation between the parties involved in air traffic management.

Air Traffic Management - Information security for organisations in the field of civil aviation activities (Slovenian-language abstract)

This European Standard specifies guidelines and general principles for implementing an information security management system in organisations in the field of civil aviation activities.
It does not include activities of organisations that do not affect the security of civil aviation activities, such as airport retail, service activities and the management of corporate real estate.
For the purposes of this European Standard, air traffic management is treated as a functional expression covering the responsibilities of all partners in the air traffic value chain. This includes, among others, airspace users, airports and air navigation providers.
The basis of all requirements of this European Standard is trust and cooperation between the parties involved and the air traffic manager.

General Information

Status
Published
Publication Date
02-Jul-2019
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Due Date
03-Jul-2019
Completion Date
03-Jul-2019

RELATIONS

Buy Standard

Standard
EN 16495:2019 - colours on PDF page 60
English language
65 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST EN 16495:2019
01-September-2019
Supersedes:
SIST EN 16495:2014
Upravljanje zračnega prometa - Varnost informacij za organizacije na področju dejavnosti civilnega letalstva
Air Traffic Management - Information security for organisations supporting civil aviation operations
Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der Zivilluftfahrt
Gestion du trafic aérien - Sécurité de l'information pour les organismes assurant le soutien des opérations de l'aviation civile
This Slovenian standard is identical to: EN 16495:2019
ICS:
03.220.50 Air transport
35.240.60 IT applications in transport
SIST EN 16495:2019 sl,en,fr

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

EN 16495
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
July 2019
ICS 03.100.70; 03.220.50; 35.240.60
Supersedes EN 16495:2014
English Version
Air Traffic Management - Information security for organisations supporting civil aviation operations
Gestion du trafic aérien - Sécurité de l'information pour les organismes assurant le soutien des opérations de l'aviation civile
Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der Zivilluftfahrt
This European Standard was approved by CEN on 12 May 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2019 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 16495:2019 E
EN 16495:2019 (E)
Contents
European foreword, p. 7
Introduction, p. 8
1 Scope, p. 9
2 Normative references, p. 9
3 Terms, definitions and abbreviations, p. 9
3.1 Terms and definitions, p. 9
3.2 Abbreviations, p. 10
4 Aviation specific requirements related to EN ISO/IEC 27001:2017, p. 11
4.1 Structure of this European Standard, p. 11
4.2 Refinement of EN ISO/IEC 27001:2017 requirements, p. 11
5 Information Security policies, p. 11
5.1 Management direction for Information security, p. 11
5.1.1 Policies for information security, p. 11
5.1.2 Review of the policies for information security, p. 11
6 Organization of information security, p. 11
6.1 Internal organization, p. 11
6.1.1 Information security roles and responsibilities, p. 11
6.1.2 Segregation of duties, p. 12
6.1.3 Contact with authorities, p. 12
6.1.4 Contact with special interest groups, p. 12
6.1.5 Information security in project management, p. 12
6.2 Mobile devices and teleworking, p. 12
7 Human resources security, p. 12
7.1 Prior to employment, p. 12
7.1.1 Screening, p. 12
7.1.2 Terms and conditions of employment, p. 13
7.2 During employment, p. 13
7.2.1 Management responsibilities, p. 13
7.2.2 Information security awareness, education and training, p. 13
7.2.3 Disciplinary process, p. 13
7.3 Termination and change of employment, p. 13
8 Asset management, p. 13
8.1 Responsibility for assets, p. 13
8.1.1 Inventory of assets, p. 13
8.1.2 Ownership of assets, p. 13
8.1.3 Acceptable use of assets, p. 13
8.1.4 Return of assets, p. 14
8.2 Information classification, p. 14
8.2.1 Classification of information, p. 14
8.2.2 Labelling of information, p. 14
8.2.3 Handling of assets, p. 14
8.3 Media Handling, p. 14
9 Access control, p. 14
9.1 Business requirement for access control, p. 14
9.2 User access management, p. 14
9.2.1 User registration and de-registration, p. 14
9.2.2 User access provisioning, p. 15
9.2.3 Management of privileged access rights, p. 15
9.2.4 Management of secret authentication information of users, p. 15
9.2.5 Review of user access rights, p. 15
9.2.6 Removal or adjustment of access rights, p. 15
9.2.7 Digital Identity Management, p. 15
9.2.8 Unique representation of entities across organisations, p. 16
9.3 User responsibilities, p. 16
9.4 System and application access control, p. 16
9.4.1 Information access restriction, p. 16
9.4.2 Secure log-on procedures, p. 16
9.4.3 Password management system, p. 16
9.4.4 Use of privileged utility programs, p. 16
9.4.5 Access control to program source code, p. 16
9.4.6 Web Application Firewalls, p. 16
10 Cryptography, p. 17
10.1 Cryptographic controls, p. 17
10.1.1 Policy on the use of cryptographic controls, p. 17
10.1.2 Key management, p. 17
11 Physical and environmental security, p. 17
11.1 Secure areas, p. 17
11.1.1 Physical security perimeter, p. 17
11.1.2 Physical entry controls, p. 18
11.1.3 Securing offices, rooms, and facilities, p. 18
11.1.4 Protecting against external and environmental threats, p. 18
11.1.5 Working in secure areas, p. 18
11.1.6 Delivery and loading areas, p. 18
11.2 Equipment, p. 18
11.2.1 Equipment siting and protection, p. 18
11.2.2 Supporting utilities, p. 18
11.2.3 Cabling security, p. 18
11.2.4 Equipment maintenance, p. 18
11.2.5 Removal of assets, p. 18
11.2.6 Security of equipment and assets off-premises, p. 18
11.2.7 Secure disposal or re-use of equipment, p. 18
11.2.8 Unattended user equipment, p. 18
11.2.9 Clear desk and clear screen policy, p. 18
12 Operations security, p. 19
12.1 Operational procedures and responsibilities, p. 19
12.2 Protection from malware, p. 19
12.3 Information Back-up, p. 19
12.4 Logging and monitoring, p. 19
12.4.1 Event logging, p. 19
12.4.2 Protection of log information, p. 19
12.4.3 Administrator and operator logs, p. 19
12.4.4 Clock synchronisation, p. 19
12.5 Control of operational software, p. 19
12.6 Technical Vulnerability Management, p. 19
12.7 Information systems audit considerations, p. 19
13 Communications security, p. 19
13.1 Network security management, p. 19
13.1.1 Network controls, p. 19
13.1.2 Security of network services, p. 20
13.1.3 Segregation in networks, p. 20
13.2 Information transfer, p. 20
14 System acquisition, development and maintenance, p. 20
14.1 Security requirements of information systems, p. 20
14.1.1 Information Security requirements analysis and specification, p. 20
14.1.2 Securing application services on public networks, p. 20
14.1.3 Protecting application services transactions, p. 20
14.2 Security in development and support processes, p. 20
14.2.1 Secure development policy, p. 20
14.2.2 System change control procedures, p. 20
14.2.3 Technical review of applications after operating platform changes, p. 20
14.2.4 Restrictions on changes to software packages, p. 21
14.2.5 Secure system engineering principles, p. 21
14.2.6 Secure development environment, p. 21
14.2.7 Outsourced development, p. 21
14.2.8 System security testing, p. 21
14.2.9 System acceptance testing, p. 21
14.3 Test data, p. 21
15 Supplier relationships, p. 21
15.1 Information security in supplier relationships, p. 21
15.1.1 Information security policy for supplier relationships, p. 21
15.1.2 Addressing security within supplier agreements, p. 21
15.1.3 Information and communication technology supply chain, p. 21
15.2 Supplier service delivery management, p. 21
16 Information security incident management, p. 22
16.1 Management of information security incidents and improvements, p. 22
16.1.1 Responsibilities and procedures, p. 22
16.1.2 Reporting information security events, p. 22
16.1.3 Reporting information security weaknesses, p. 22
16.1.4 Assessment of and decision on information security events, p. 22
16.1.5 Response to information security incidents, p. 22
16.1.6 Learning from information security incidents, p. 22
16.1.7 Collection of evidence, p. 22
17 Information security aspects of business continuity management, p. 23
17.1 Information security continuity, p. 23
17.1.1 Planning information security continuity, p. 23
17.1.2 Implementing information security continuity, p. 23
17.1.3 Verify, review and evaluate information security continuity, p. 23
17.1.4 Business continuity planning framework, p. 24
17.2 Redundancies, p. 24
18 Compliance, p. 24
18.1 Compliance with legal and contractual requirements, p. 24
18.1.1 Identification of applicable legislation and contractual requirements, p. 24
18.1.2 Intellectual property rights, p. 24
18.1.3 Protection of records, p. 24
18.1.4 Privacy and protection of personally identifiable information, p. 24
18.1.5 Regulation of cryptographic controls, p. 25
18.2 Information security reviews, p. 25
18.2.1 Independent review of information security, p. 25
18.2.2 Compliance with security policies and standards, p. 25
18.2.3 Technical compliance review, p. 25
Annex A (informative) Additional guidance related to air traffic management, p. 26
A.1 Assessment of information security risks, p. 26
A.1.1 Internal information security risk management, p. 26
Figure A.1 — Assessment of information security risks, p. 27
A.2 Interoperability issues of risk assessments, p. 29
A.2.1 General, p. 29
A.2.2 Information security risk management for multiple organisations, p. 29
A.2.3 Alignment of safety and security risk management, p. 30
A.3 Determining controls, p. 30
A.4 Levels of trust, p. 30
A.4.1 Introduction, p. 30
A.4.2 Scale of trust levels, p. 31
A.4.3 Classification criteria, p. 32
A.5 Statement of applicability, p. 32
A.6 Measurement and auditing of security, p. 32
Annex B (informative) Implementation examples, p. 33
B.1 General, p. 33
Table B.1 — Overview of an example for LoT-O, p. 33
Figure B.1 — LoT-A versus LoT-O, p. 34
B.2 Security of information in web applications and web services (LoT-A-WEB), p. 34
B.2.1 General, p. 34
B.2.2 Parameters for the Level of Trust of a web application/web service, p. 34
B.2.3 Determination of the web application / the web service (LoT-A-WEB), p. 34
Table B.2 — Level of Trust of the web application/the web service, p. 35
B.2.4 Consequences, p. 35
Table B.3 — Evaluation Criteria for LoT-A-WEB, p. 35
B.3 Connections between multiple organisations/external connections (LoT-A-NET), p. 35
B.3.1 Determination of the necessary protection controls, p. 35
B.3.1.1 General
...
