Hansa_ansp Atm-Ans Security Oversight v 1.0


  • 7/30/2019 Hansa_ansp Atm-Ans Security Oversight v 1.0


    : 1.0

    : 16 2012

    :


    ATM/ANS

    : : 1.0

    :

    18 MAY 2012

    .

    -

SecMS, ISMS, Asset, Threat, Threat Agent, Risk, Risk Appetite, Risk Assessment-Risk Mitigation

    Risk Controls, SOA (Statement of Application)

    I :

    :

    +30 210 8984139

    +30 210 8984135

    :

    SQS ()

    EATMP

    :

    MEDIA

    : MS WORD 2007

    Media:


    .

    ()

    17-05-2012

    ()

    SQS

    17-05-2012


    1. (Asset ): .

    (Threat):

    / .

    (Threat Agent): : , ,

    (Security Incident):

    , /.

    , (Vulnerability): (threat agent).

    (Risk): ,

    .

    (Risk assessment): .

    (Risk mitigation):

    .

    (Risk controls):

    , , .

    (Risk appetite): safety

    (acceptable level of safety).

    .

    SecMS: .

    ISMS: .

    (Scope): Assets

    .

    SoA (Statement of Application): (Controls)

    .


1. p. 3

    2. p. 5

    3. p. 5

    4. p. 5

    5. p. 5

    6. p. 5

    7. p. 5

    8. p. 6

    9. (ACCEPTABLE MEANS OF COMPLIANCE /AMC) p. 6

    10. p. 6

    11. (SecMS) p. 7

    12. p. 8

    13. , , & p. 9

    14. , p. 10

    15. (INFORMATION SECURITY MANAGEMENT SYSTEM/ISMS) p. 11

    16. p. 12

    17. (GUIDANCE MATERIAL) p. 12

    18. p. 13


    2.

    () ATM/ANS (

    ), ,

    () 150/2007 ,

    4.3.5 (ATM Security

    oversight).

    (assets)

    .

    3. ( 1035/2011)

    (SecMS), ATM/ANS

    .

    () ATM/ANS

    .

    4. ATM/ANS.

    5. 150/2007

    (--) .

    6. ,

    Annex I 1035/2011,

    (Sec MS).

    7. ,


    .

    8.

    ( ) .

    ,

    .

9. (ACCEPTABLE MEANS OF COMPLIANCE /AMC)

    ISO

(Accredited Body)

    .

    ,

    4 Annex I 1035/2011

    ,

    .

    .

    10. 1035/2011, Annex I, 4, .

    :

    1) , (, , )

    ATM/ANS (Aeronautical Assets), (

    ) (

    ) .

    ,

    , ,

    ,

    , ,


    .

    2)

    , ,

    .

    3) :

    (threats),

    ,

    ,

    .

    4)

    ,

    .

    5)

    , ,

    .

    6) ,

    .

11. (SecMS) (QMS, SMS, ENVMS)

    (SecMS) ,

    Deming: Plan-Do-Check-Act (PDCA).

    ( Policy) -

    (Objectives)

    .

    :

    1) (Business Requirements).

2) (Regulatory Requirements).

    3) (Responsibilities, Accountabilities).

    4) , , /

    ,

    .


    :

    1)

    ( , ).

    2) .

    3) - , .

    4) (.. ).

    5) .

    6) (Review).

    7) .

    8) .

    12.

    1) (Assets Registry)

    .

    2) (Security Criticality).

    3) ,

    .

    4) (threats) .

5) (vulnerabilities).

    6) , .

    7) / (back ups)

    (business continuity), /

    (degraded mode).

    8) , ,

    , , ,

    ,

    , ,

    - .

    .

    , ,

    , , screening, .

    , , passwords, firewalls, (IDS intrusion


    detection system), CRC (cyclic redundancy checks) (data

    integrity) .

    13. , , &

    (Assets)

    (, ),

    (data), (hardware/software) ,

    ,

    .

    ISO 27001:2005

    :

1) (confidentiality)

    2) (integrity)

    3) (availability)

    (confidentiality)

    , .

    ,

    (encryption), (restricted access)

    (physical protection) ,,

    , , (logical

    protection) password.

    ( )

    server,

    (.. server

    ) ()

    ,

    .

    ,

    , background check , .

    / , .


    (integrity)

    (digits)

    (corrupted) , ,

    (operational logs).

    (metadata)

    (non repudiation).

    CRC (cyclic redundancy checks) IDS (intrusion

    detection systems).

    , AIS,

    (. ICAO Annex 15, Critical data, essential data, routine data,

    73/2010).

    (availability)

    .

    (back up)

    (Restore),

    (multiple storage), ,

    (capacity planning) server ,

    , .

    14. ,

    (Low) :

    .

    (Medium):

    .

    .

    ,

    ,

    .

    (High): ,

    .


    , , ,

    .

    (Low):

    /

    .

    (Medium):

    /

    .

    (High):

    / .

    (Low):

    7

    .

    (Medium):

    48

    .

    (High):

    24 .

15. (INFORMATION SECURITY MANAGEMENT SYSTEM/ISMS)

    :

    1. (scope), assets .

    2. (policy) .. , , .

    3. assets (vulnerabilities) risk register.

    4. risk assessment (threats) .

5. risk treatment, .

    6. management approval,

    , , (..


    )

    .

7. SoA (Statement of Applicability), .

    8. Controls,

    .

    16. :

    ICAO Annex 15

    1035/2011, 4, Security,

    73/2010,

    :

    ()

    17. (GUIDANCE MATERIAL) ATM/ANS

    EUROCONTROL extranet login. .

One sky Teams/ATM Security Team/Library/Derivables & Publications

    ATM Threat Model, Critical Asset Identification Methodology, ICT Security Guidelines, Security

    Management Handbook, Security Risk Assessment Methodology.


    18.

    1. Policy

    Element 1: Policy

    2. Security risk assessment & planning

    Element 2: Security risk assessment

    Element 3: Legal, statutory, regulatory and other security requirements

    Element 4: Security management objectives

    Element 5: Security management targets

    Element 6: Security management programmes

    3. Checking & corrective action

    Element 7: Structure, authority and responsibility for security management

    Element 8: Competence, training and awareness

    Element 9: Communication

    Element 10: Documentation and document control

    Element 11: Operational control

    Element 12: Emergency preparedness, response and security recovery

    4. Checking & corrective action

    Element 13: Security performance measurement and monitoring

    Element 14: System evaluation

    Element 15: Security related failures, incidents, non-conformances and corrective and preventive

    action

    Element 16: Control of records

    Element 17: Audit

    5. Management review and continual improvement

    Element 18: Review and continual improvement

    Source: Security Management Handbook, ed.1.0, p.14.