EN 16495:2014

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der ZivilluftfahrtGestion du trafic aérien - Sécurité de l’information pour les organismes assurant le soutien des opérations de l’aviation civileAir Traffic Management - Information security for organisations supporting civil aviation operations35.240.60Uporabniške rešitve IT v transportu in trgoviniIT applications in transport and trade03.220.50Air transportICS:Ta slovenski standard je istoveten z:EN 16495:2014SIST EN 16495:2014en,fr,de01-april-2014SIST EN 16495:2014SLOVENSKI
STANDARD
EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM
EN 16495
January 2014 ICS 03.220.50; 35.040 English Version
Air Traffic Management - Information security for organisations supporting civil aviation operations
Gestion du trafic aérien - Sécurité de l'information pour les organismes assurant le soutien des opérations de l'aviation civile
Flugverkehrsmanagement - Informationssicherheit für Organisationen im Bereich der Zivilluftfahrt This European Standard was approved by CEN on 9 November 2013.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre:
Avenue Marnix 17,
B-1000 Brussels © 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 16495:2014 ESIST EN 16495:2014

Implementation examples . 38 A.1 General . 38 A.2 Security of information in web applications and web services (LoT-A-WEB) . 39 A.2.1 General . 39 A.2.2 Parameters for the Level of Trust of a web application / web service . 39 A.2.3 Determination of the web application / the web service (LoT-A-WEB) . 39 A.2.4 Consequences . 40 A.3 Connections between multiple organisations /external connections (LoT-A-NET) . 40 A.3.1 Determination of the necessary protection controls . 40 A.3.2 Effects of the coupling of networks . 46 A.4 Certificates / Public Key Infrastructure (LoT-A-PKI) . 47 A.4.1 Parameters for the Level of Trust of the certificate management . 47 A.4.2 Determination of the Level of Trust of the certificate management (LoT-A-PKI) . 47 A.4.3 Effects: Recognition of Certificates / PK . 47 A.5 Identity Management (LoT-A-IDM) . 48 A.5.1 Parameters for the Level of Trust of Identity Management . 48 A.5.2 Determination of the Level of Trust of the Identity Management (LoT-A-IDM) . 48 A.5.3 Effects: Recognition of identities . 49 Annex B (informative)
Level of Trust – Implementation Example. 50 Bibliography . 60
Key Boxes with a double line indicate information to be shared as discussed in 4.3.3 Boxes with triple line indicate criteria that have to be established as part of the organisations risk management process. They are then used as fixed inputs to the individual risk assessments Figure 1 A. Impact criteria Impact criteria should be developed and specified in terms of the degree of damage or costs to the organisation caused by an information security event. SIST EN 16495:2014

The “trusted” category is only applied to an organisation's own departments, subsidiaries or business processes that are fully subject to their own security requirements. Third-party organisations cannot be categorised as “trusted”. b) Limited Trust 0
The “Limited Trust 0” (LT0) category describes third-party organisations or organisations within the company that are not subject to proprietary security specifications but that meet the following requirements: All the controls of this European Standard have been bindingly implemented. Compliance with the standard has been confirmed by a qualified information security auditor. NOTE This can be for example a CISA, an ISO/IEC 27001 Lead Auditor or an equivalent professional. c) Limited Trust 1
The “Limited Trust 1” (LT1) category describes third-party organisations or organisations within the company that are not subject to proprietary security specifications but that have a very high level of information security. This also applies to areas in which there are only indirect risks to partners. EXAMPLE 1
linking networks Under specific circumstances, organisations will grant access to their own applications to LT1 partners on a need-to-have basis without implementing application-specific protection measures (e.g. web application firewalls) and without further authentication at edge-of-network (e.g. on the firewall). This procedure is only appropriate if the partner has a very high security level (LT1) and has implemented all relevant information security management system measures in this context. d) Limited Trust 2
The “Limited Trust 2” (LT2) category describes third-party organisations or organisations within the company that are not subject to proprietary security specifications but that have a high level of information security. EXAMPLE 2
linking networks Under specific circumstances, organisations will grant access to their own applications to LT2 partners on a need-to-have basis, but require explicit authentication at edge-of-network (e.g. on the firewall) before establishing a connection. This procedure is only appropriate if the partner has a high security level (LT2) and has implemented all key information security management system measures in this context (e.g. security incident management). e) Limited Trust 3
The “limited trust 3” (LT3) category describes third-party organisations or organisations within the company that are not subject to proprietary security specifications but that have a basic level of information security. EXAMPLE 3
linking networks Under specific circumstances, organisations will grant access to their own applications to LT3 partners on a need-to-have basis, but require explicit authentication at edge-of-network (e.g. on the firewall) and other protection measures (e.g. SIST EN 16495:2014

Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organisation. 5.1.1 Information security policy document The controls recommended in ISO/IEC 27002:2005, 5.1.1, apply accordingly. Implementation guidance specific to aviation
The information security policy should be coordinated with the various security requirements in other areas of aviation (e.g.: physical security of secure areas). The distinctions and mutual dependencies between the individual areas should be documented in the policy or in a separate document. 5.1.2 Review of the information security policy The controls (and all subsequent similar sentences) recommended in ISO/IEC 27002:2005, 5.1.2, apply accordingly. SIST EN 16495:2014

A management framework should be established to initiate and control the implementation of information security within the organisation.
Management should approve the information security policy, assign security roles and coordinate and review the implementation of security across the organisation.
If necessary, a source of specialist information security advice should be established and made available within the organisation. Contacts with external security specialists or groups, including relevant authorities, should be developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents. A multi-disciplinary approach to information security should be encouraged. 6.1.1 Management commitment to information security The controls recommended in ISO/IEC 27002:2005, 6.1.1, apply accordingly. 6.1.2 Information security co-ordination The controls recommended in ISO/IEC 27002:2005, 6.1.2, apply accordingly. 6.1.3 Allocation of information security responsibilities The controls recommended in ISO/IEC 27002:2005, 6.1.3, apply accordingly. Implementation guidance specific to aviation The organisation should appoint a person responsible to serve as a point of contact for strategic information security issues for third parties (e.g. for the planning and implementation of joint measures, etc.). 6.1.4 Authorisation process for information processing facilities The controls recommended in ISO/IEC 27002:2005, 6.1.4, apply accordingly. 6.1.5 Confidentiality agreements The controls recommended in ISO/IEC 27002:2005, 6.1.5, apply accordingly. 6.1.6 Contact with authorities The controls recommended in ISO/IEC 27002:2005, 6.1.6, apply accordingly. Implementation guidance specific to aviation The organisation should cooperate with the appropriate specialist and supervisory authorities, particularly in the areas of IT security and prosecution, and with other critical infrastructures as well. This includes contacts to authorities involved in critical infrastructure protection at the national and European level. 6.1.7 Contact with special interest groups The controls recommended in ISO/IEC 27002:2005, 6.1.7, apply accordingly. SIST EN 16495:2014

The security of the organisation’s information and information processing facilities should not be reduced by the introduction of external party products or services.
Any access to the organisation’s information processing facilities and processing and communication of information by external parties should be controlled.
Where there is a business need for working with external parties that may require access to the organisation’s information and information processing facilities, or in obtaining or providing a product and service from or to an external party, a risk assessment should be carried out to determine security implications and control requirements. Controls should be agreed and defined in an agreement with the external party. 6.2.1 Identification of risks related to external parties The controls recommended in ISO/IEC 27002:2005, 6.2.1, apply accordingly. 6.2.2 Addressing security when dealing with customers The controls recommended in ISO/IEC 27002:2005, 6.2.2, apply accordingly. 6.2.3 Addressing security in third party agreements The controls recommended in ISO/IEC 27002:2005, 6.2.3, apply accordingly. Implementation guidance specific to aviation Disclosure of identities to partners should be part of the agreements. They should clearly specify the conditions of disclosure. Responsibilities for the security of assets (see Clause 7) should be precisely defined by contract for business processes that affect multiple organisations.
All assets should be accounted for and have a nominated owner.
Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate but the owner remains responsible for the proper protection of the assets. 7.1.1 Inventory of assets The controls recommended in ISO/IEC 27002:2005, 7.1.1, apply accordingly. 7.1.2 Ownership of assets The controls recommended in ISO/IEC 27002:2005, 7.1.2, apply accordingly. Implementation guidance specific to aviation Where assets are used in business processes shared by multiple organisations the interests of the other organisations should be taken into account by the owners. 7.1.3 Acceptable use of assets The controls recommended in ISO/IEC 27002:2005, 7.1.3, apply accordingly. 7.2 Information classification Objective: To ensure that information receives an appropriate level of protection.
Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information.
Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures. 7.2.1 Classification guidelines The controls recommended in ISO/IEC 27002:2005, 7.2.1, apply accordingly. Implementation guidance specific to aviation To ensure comparability across multiple organisations, an organisation should classify the information it uses in shared business processes in a way that is acceptable to and agreed by all partners in the business process. Such information should be classified to ensure that national and commercial interests are appropriately protected. Confidentiality classes: Information should be assigned to confidentiality classes on the basis of the anticipated damage to business processes if this information becomes known to unauthorised parties. Public:
information that will not result in any damage to the business process/the organisations involved if it becomes known Internal:
information that will result in low to medium damage to the business process/the organisations involved if it becomes known SIST EN 16495:2014

information that can result in major damage to the business process/the organisations involved if it becomes known Strictly confidential:
information that can result in substantial to existential damage to the business process/the organisations involved if it becomes known Generally, information should only be shared on a need-to-know basis. Other information specific to aviation Business needs and the business impacts associated with these needs may include the public interest in the safe and expeditious provision of the service as well as the commercial interests of the individual stakeholders involved. 7.2.2 Information labelling and handling The controls recommended in ISO/IEC 27002:2005, 7.2.2, apply accordingly. 8 Human resources security 8.1 Prior to employment Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
Security responsibilities should be addressed prior to employment in adequate job descriptions and in terms and conditions of employment.
All candidates for employment, contractors and third party users should be adequately screened, especially for sensitive jobs.
Employees, contractors and third party users of information processing facilities should sign an agreement on their security roles and responsibilities. 8.1.1 Roles and responsibilities The controls recommended in ISO/IEC 27002:2005, 8.1.1, apply accordingly. 8.1.2 Screening The controls recommended in ISO/IEC 27002:2005, 8.1.2, apply accordingly. Implementation guidance specific to aviation Multiple organisations should ensure that background verification checks are carried out by partner organisations to an appropriate level, to ensure that access to data/ information shared between partner organisations takes account of the national and commercial interests of all stakeholders. 8.1.3 Terms and conditions of employment The controls recommended in ISO/IEC 27002:2005, 8.1.3, apply accordingly. SIST EN 16495:2014

Management responsibilities should be defined to ensure that s
...