Hansa - Ansp Atm-Ans Security Oversight V 1.0
: 16 2012
ATM/ANS
1.0
18 MAY 2012
-
SecMS, ISMS, Asset, Threat, Threat Agent, Risk, Risk Appetite, Risk Assessment-Risk Mitigation,
Risk Controls, SoA (Statement of Applicability)
I :
SQS ()
EATMP
MEDIA
:
Media:
MS WORD 2007
17-05-2012
()
()
17-05-2012
SQS
1.
(Asset ): .
(Threat):
/ .
(Threat Agent): : , ,
(Security Incident):
, /.
, (Vulnerability):
(threat agent).
(Risk): ,
.
(Risk assessment): .
(Risk mitigation):
.
(Risk controls):
, , .
(Risk appetite): safety
(acceptable level of safety).
.
SecMS: .
ISMS: .
(Scope): Assets
.
SoA (Statement of Applicability): (Controls)
.
1. (p. 3)
2. (p. 5)
3. (p. 5)
4. (p. 5)
5. (p. 5)
6. (p. 5)
7. (p. 5)
8. (p. 6)
9.
10. (p. 6)
11. (SecMS) (p. 7)
12. (p. 8)
13. , , & (p. 9)
14. , (p. 10)
15.
16. (p. 12)
17. (GUIDANCE MATERIAL) (p. 12)
18. (p. 13)
2.
() ATM/ANS (
), ,
() 150/2007 ,
4.3.5 (ATM Security
oversight).
(assets)
.
3.
( 1035/2011)
(SecMS), ATM/ANS
.
() ATM/ANS
.
4.
ATM/ANS.
5.
150/2007
(--) .
6.
,
Annex I 1035/2011,
(SecMS).
7.
8.
( ) .
,
.
9.
(ACCEPTABLE MEANS OF
COMPLIANCE /AMC)
ISO
(Accredited Body)
.
,
4 Annex I 1035/2011
,
.
10.
1035/2011, Annex I, 4, .
:
1) , (, , )
ATM/ANS (Aeronautical Assets), (
) (
) .
,
, ,
,
, ,
.
2)
, ,
.
3) :
(threats),
,
,
.
4)
,
.
5)
, ,
.
6) ,
.
11.
(SecMS)
:
1)
( , ).
2) .
3) - , .
4) (.. ).
5) .
6) (Review).
7) .
8) .
12.
1) (Assets Registry)
.
2) (Security Criticality).
3) ,
.
4) (threats) .
5) (vulnerabilities).
6) , .
7) / (backups)
(business continuity), /
(degraded mode).
8) , ,
, , ,
,
, ,
- .
.
, ,
, , screening, .
,
, passwords, firewalls, (IDS intrusion
13.
, ,
&
(Assets)
(, ),
(data), (hardware/software) ,
,
.
ISO 27001:2005
:
1) (confidentiality)
2) (integrity)
3) (availability)
(confidentiality)
, .
,
(encryption), (restricted access)
(physical protection) ,,
, , (logical
protection) password.
( )
server,
(.. server
) ()
,
.
,
, background check , .
/
(integrity)
(digits)
(corrupted) , ,
(operational logs).
(metadata)
(non repudiation).
CRC (cyclic redundancy checks) IDS (intrusion
detection systems).
, AIS,
(. ICAO Annex 15, Critical data, essential data, routine data,
73/2010).
(availability)
.
(back up)
(Restore),
(multiple storage), ,
(capacity planning) server ,
, .
14.
(Low) :
.
(Medium):
.
.
,
,
.
(High):
,
.
, , ,
.
(Low):
.
(Medium):
/
.
(High):
/ .
(Low):
7
.
(Medium):
48
.
(High):
24 .
15.
(INFORMATION SECURITY
MANAGEMENT SYSTEM/ISMS)
:
1. (scope), assets
.
2. (policy) ..
, , .
3. assets
)
.
7. SoA (Statement of Applicability), .
8. Controls,
.
16.
:
ICAO Annex 15
1035/2011, 4, Security,
73/2010,
:
()
17.
(GUIDANCE MATERIAL)
ATM/ANS
EUROCONTROL extranet login.
One sky Teams/ATM Security Team/Library/Derivables &Publications
ATM Threat Model, Critical Asset Identification Methodology, ICT Security Guidelines, Security
Management Handbook, Security Risk Assessment Methodology.
18.
1. Policy
Element 1: Policy