Part-IS: Ask me anything

Описание: 00:00 Question 1
Question: How can Part-IS be used as a business enabler, rather than just a regulatory obligation?

01:05 Question 2
Question: What are common audit findings related to Part-IS, and how can they be avoided?

02:22 Question 3 & 4
Question: In an airline context operating multiple Approved Organisations under the same AM, we are structuring our Information Security governance in line with EASA PART‑IS.
Is it more effective to appoint a single transversal Appointed Person for Information Security overseeing all Approved Organisations, or to designate a CRP with delegated appointed person roles inside each Approved Organisation?

04:28 Question 5
Question: Regarding the AKC model in risk assessments for assessing feasibility, we’ve faced a problem when assessing insider threats, as insiders have high scores in all three factors, from their nature. This results to making insider threats the top risk in our heat map, especially with critical systems where the impact is also high. How do you handle this? An idea we had was to calculate the risk likelihood by multiplying the AKC feasibility and a statistical probability factor, deriving from historical data (e.g. according to ENISA insider threats were about 0.8% of the cyber attacks, maybe even less for not critical systems). This could maybe “normalise” the risk score to a more realistic figure?

7:10 Question 6
Question: As AMC1 IS.I.OR.235(a) states that contracts should include a definition of the roles and responsibilities of both the contracting and contracted organisations, is it acceptable to include a section detailing shared responsibilities, or is it always the case that responsibilities must be strictly separated with no shared elements?

08:00 Question 7
Question: In a complex organisation where a CRP is appointed, does regulation IS.I.OR.240(b) require additional roles reporting to the CRP, or would the CRP alone be sufficient to meet this requirement?

08:54 Question 8
Question: In the safety risk management process, we are supposed to share information about identified risks internally and externally. Are we supposed to share information about our information security vulnerabilities just as generously?

10:10 Question 9
Question: What is the thinking on how best to equip our existing safety investigators with new tools to investigate Part IS threats?

11:31 Question 10
Question: A theme I note was my clients is why do they have jumped through the hoops of another “Part”? If the intent is to mitigate cyber threats that endanger aviation safety, then such could be simply considered and mitigated as part of the SMS obligations.

13:17 Question 11
Question: Are you expecting us to include the risk register as part of the documentation to be sent in present & suitable level?

13:42 Question 12
Question: Explain to a kid what Part-IS will do for aviation?

14:25 Bonus
Question: Now I have the feeling that you are not well concentrated. What is the problem?