7/30/2019 Hansa_ansp Atm-Ans Security Oversight v 1.0
Version: 1.0
Date: 16 2012
ATM/ANS Security Oversight
Version: 1.0
Date: 18 MAY 2012
Keywords: SecMS, ISMS, Asset, Threat, Threat Agent, Risk, Risk Appetite, Risk Assessment, Risk Mitigation, Risk Controls, SoA (Statement of Applicability)
Contact: +30 210 8984139, +30 210 8984135
SQS
EATMP
Media: MS WORD 2007
… 17-05-2012
… SQS 17-05-2012
1. Definitions:
Asset
Threat
Threat Agent
Security Incident
Vulnerability (a weakness exploitable by a threat agent)
Risk
Risk assessment
Risk mitigation
Risk controls
Risk appetite (cf. acceptable level of safety)
SecMS
ISMS
Scope (the assets covered)
SoA (Statement of Applicability): the controls selected
Contents:
1. Definitions, p. 3
2. p. 5
3. p. 5
4. p. 5
5. p. 5
6. p. 5
7. p. 5
8. p. 6
9. Acceptable Means of Compliance (AMC), p. 6
10. p. 6
11. Security Management System (SecMS), p. 7
12. p. 8
13. Confidentiality, Integrity & Availability, p. 9
14. p. 10
15. Information Security Management System (ISMS), p. 11
16. p. 12
17. Guidance Material, p. 12
18. p. 13
2. … ATM/ANS … 150/2007 … 4.3.5 (ATM Security oversight). … (assets) …
3. … (Regulation (EU) No 1035/2011) … Security Management System (SecMS) … ATM/ANS … ATM/ANS …
4. … ATM/ANS.
5. … 150/2007 …
6. … Annex I of Regulation (EU) No 1035/2011 … (SecMS).
7. …
8. …
9. ACCEPTABLE MEANS OF COMPLIANCE (AMC)
… ISO … (accredited body) … point 4 of Annex I of Regulation (EU) No 1035/2011 …
10. Regulation (EU) No 1035/2011, Annex I, point 4 …:
1) … ATM/ANS (Aeronautical Assets) …
2) …
3) … (threats) …
4) …
5) …
6) …
11. Security Management System (SecMS) … (QMS, SMS, ENVMS) …
The SecMS … follows the Deming cycle: Plan-Do-Check-Act (PDCA). … (Policy) … (Objectives) …
…:
1) … (Business Requirements).
2) … (Regulatory Requirements).
3) … (Responsibilities, Accountabilities).
4) …
…:
1) …
2) …
3) …
4) …
5) …
6) … (Review).
7) …
8) …
12. …
1) … (Assets Registry) …
2) … (Security Criticality).
3) …
4) … (threats) …
5) … (vulnerabilities).
6) …
7) … backups … (business continuity) … (degraded mode).
8) … personnel screening … passwords, firewalls, IDS (intrusion detection system), CRC (cyclic redundancy checks) for data integrity …
13. Confidentiality, Integrity & Availability
Assets … (data), (hardware/software) …
ISO 27001:2005 …:
1) Confidentiality
2) Integrity
3) Availability
Confidentiality: … encryption, restricted access, physical protection … logical protection (password) … server … background check …
Integrity: … (digits) … (corrupted) … (operational logs) … (metadata) … (non-repudiation) … CRC (cyclic redundancy checks) … IDS (intrusion detection systems).
… AIS … (cf. ICAO Annex 15: critical data, essential data, routine data; Regulation (EU) No 73/2010).
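Sections 12 and 13 above list CRC (cyclic redundancy checks) next to IDS as integrity controls for aeronautical data. The caveat a practitioner needs: a CRC detects accidental corruption (bit flips in storage or transmission) but gives no protection against a threat agent, because anyone who can modify the data can recompute the CRC. Integrity against deliberate tampering needs a keyed message authentication code or a digital signature; a MAC also authenticates the origin between the two key holders, while the non-repudiation mentioned above additionally requires a digital signature. The following Python example is added here and is not part of the original document or of any HANSA system; the record, the shared key and the function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record in a NOTAM-like key=value form; not real aeronautical data.
RECORD = b"AIRPORT=LGAV;RWY=03R/21L;STATUS=CLOSED;VALID=2012-05-18T06:00Z/2012-05-18T12:00Z"

# Hypothetical key shared between the data originator and the consumer.  In a real
# deployment it comes from key management, never from a literal in the code.
SHARED_KEY = b"example-key-not-for-production"


def crc32_tag(record: bytes) -> int:
    """CRC-32 of the record: detects accidental corruption only."""
    return zlib.crc32(record) & 0xFFFFFFFF


def crc32_verify(record: bytes, tag: int) -> bool:
    return crc32_tag(record) == tag


def hmac_tag(record: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 of the record: only holders of the key can produce a valid tag."""
    return hmac.new(key, record, hashlib.sha256).digest()


def hmac_verify(record: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(hmac_tag(record, key), tag)


def corrupt(record: bytes, index: int) -> bytes:
    """Simulate accidental corruption: flip the lowest bit of one byte."""
    data = bytearray(record)
    data[index] ^= 0x01
    return bytes(data)


def tamper(record: bytes) -> bytes:
    """Simulate deliberate modification by a threat agent: reopen a closed runway."""
    return record.replace(b"STATUS=CLOSED", b"STATUS=OPEN")


def compare_controls() -> dict:
    """Run both controls against both failure modes and report what each detects."""
    crc = crc32_tag(RECORD)
    mac = hmac_tag(RECORD, SHARED_KEY)

    corrupted = corrupt(RECORD, 20)
    forged = tamper(RECORD)

    # An attacker who can alter the record can also attach a freshly computed CRC,
    # so the consumer's CRC check passes on the forged record.
    attacker_crc = crc32_tag(forged)

    return {
        "crc_detects_corruption": not crc32_verify(corrupted, crc),
        "hmac_detects_corruption": not hmac_verify(corrupted, mac, SHARED_KEY),
        "crc_detects_tampering": not crc32_verify(forged, attacker_crc),
        # Without SHARED_KEY the attacker cannot produce a tag for the forged record;
        # the best they can do is reuse the original tag, which fails verification.
        "hmac_detects_tampering": not hmac_verify(forged, mac, SHARED_KEY),
    }


if __name__ == "__main__":
    for check, detected in compare_controls().items():
        print(f"{check}: {'yes' if detected else 'NO'}")
```

Run stand-alone, the script reports that both controls catch the bit flip, but only the HMAC catches the forged runway status. In an aeronautical data chain the ICAO Annex 15 classification referred to above (critical, essential, routine) is a sensible basis for deciding which data elements justify a keyed check or signature rather than a bare CRC.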
Availability: … backup … restore … multiple storage … capacity planning … server …
14. …
Low: …
Medium: …
High: …
…
Low: …
Medium: …
High: …
Low: 7 …
Medium: 48 …
High: 24 …
15. INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
…:
1. … (scope) … assets …
2. … (policy) …
3. … assets … (vulnerabilities) … risk register.
4. … risk assessment … (threats) …
5. … risk treatment …
6. … management approval …
7. … SoA (Statement of Applicability) …
8. … Controls …
16. References:
ICAO Annex 15
Regulation (EU) No 1035/2011, Annex I, point 4, Security
Regulation (EU) No 73/2010
…
17. GUIDANCE MATERIAL
… ATM/ANS … EUROCONTROL extranet (login required): OneSky Teams / ATM Security Team / Library / Deliverables & Publications: ATM Threat Model, Critical Asset Identification Methodology, ICT Security Guidelines, Security Management Handbook, Security Risk Assessment Methodology.
18. …
1. Policy
Element 1: Policy
2. Security risk assessment & planning
Element 2: Security risk assessment
Element 3: Legal, statutory, regulatory and other security requirements
Element 4: Security management objectives
Element 5: Security management targets
Element 6: Security management programmes
3. Implementation & operation
Element 7: Structure, authority and responsibility for security management
Element 8: Competence, training and awareness
Element 9: Communication
Element 10: Documentation and document control
Element 11: Operational control
Element 12: Emergency preparedness, response and security recovery
4. Checking & corrective action
Element 13: Security performance measurement and monitoring
Element 14: System evaluation
Element 15: Security related failures, incidents, non-conformances and corrective and preventive action
Element 16: Control of records
Element 17: Audit
5. Management review and continual improvement
Element 18: Review and continual improvement
Source: Security Management Handbook, ed. 1.0, p. 14.