Developing an EASA Compliant Cyber Security Audit Checklist

Sofema Online (SOL) www.sofemaonline.com considers the key elements to be included in a Cyber Security Audit Checklist.

Introduction

This checklist provides a starting point to evaluate the cybersecurity management and emergency response system of an airline. It should be tailored to the specific requirements and risks faced by the airline and can be expanded or modified as needed.

The following elements should be considered when you are constructing your organisational-specific EASA Compliant Cyber Security Audit Checklist.

Cyber Security Administrative Oversight

>> Cyber Security Policy - aligns with EASA guidelines.

>> Clearly define roles and responsibilities for cybersecurity within the organization.

>> Identify and document the assets that need protection and the associated risks.

Risk Assessment and Management

>> Process for risk assessment of the critical systems, networks, and infrastructure

>> Identification of potential threats and vulnerabilities specific to aviation systems.

>> Process for ensuring risk mitigation strategies and controls based on the assessment results.

Development of the Incident Response Plan

>> Incident response plan to effectively respond to and recover from cyber incidents.

>> Escalation procedures, roles, and responsibilities during incidents.

>> Establishment of communication protocols with relevant stakeholders, including  CA &/or if required EASA.

Implementation of Access Controls

>> Adequate access controls for all critical systems, databases, and networks.

>> Multi-factor authentication and strong password policies.

>> Review process to manage and update access privileges based on roles and responsibilities.

Secure Network Infrastructure

>> Implementation of firewalls, intrusion detection and prevention systems, and secure configuration standards.

>> Process for regular monitoring of network traffic for any anomalies or potential security breaches.

>> Implementation of secure network segmentation to isolate critical aviation systems from non-critical systems.

Ensure Security Awareness and Training

>> Availability of regular training and awareness programs for employees on cybersecurity best practices.

>> Education of employees about social engineering techniques, phishing attacks, and other common cyber threats.

>> Effective promotion of a culture of security awareness and willingness of employees to report any suspicious activity.

Evidence of Regular Security Audits and Assessments

>> Evidence of regular security audits and assessments to ensure compliance with EASA requirements.

>> Identification of gaps or vulnerabilities with appropriate remedial actions.

>> Evidence of detailed records of the audit findings, remediation actions, and follow-up activities.

Incident and Data Breach Reporting

>> Procedures for reporting cyber incidents and data breaches to relevant authorities, including EASA.

>> Maintenance of detailed records of all incidents, response actions, and lessons learned.

>> Procedure for management of data breach notification

Stay Updated with EASA Guidelines

>> Regularly review and update your cybersecurity program to align with the latest EASA guidelines.

>> Demonstrate ongoing engagement regarding new threats, vulnerabilities, and best practices in the aviation industry.

Cyber Security Management

>> Has the airline established a comprehensive cybersecurity management program?

>> Is there a designated person or team responsible for overseeing cybersecurity?

>> Are cybersecurity policies and procedures documented and communicated to relevant personnel?

>> Are cybersecurity roles and responsibilities clearly defined and understood?

>> Has the airline conducted a risk assessment to identify potential cybersecurity threats and vulnerabilities?

>> Deployment of robust anti-malware solutions across all systems and networks.

>> Regularly updating and patching software for operating systems.

>> Educating employees on safe browsing habits and the dangers of opening suspicious emails or attachments.

Cyber Security Incident Response

>> Does the airline have an incident response plan in place?

>> Has the incident response plan been tested and reviewed periodically?

>> Are there mechanisms in place to monitor, detect, and respond to cybersecurity incidents?

>> Is there a system in place to report and document cybersecurity incidents?

Cyber Security Software & Controls

>> Has the airline implemented access controls to protect sensitive systems and data?

>> Are software applications and operating systems regularly updated with the latest security patches?

>> Are antivirus and anti-malware solutions deployed and updated on all relevant systems?

>> Are network security measures, such as firewalls and intrusion detection systems, implemented?

>> Are employee training and awareness programs conducted regularly to promote cybersecurity best practices?

>> Are third-party vendors and partners subject to cybersecurity assessments and contractual obligations?

Cyber Emergency Response System

>> Does the airline have a documented Cyber emergency response plan?

>> Is there a designated emergency response team responsible for coordinating and executing the plan?

>> Has the Cyber emergency response plan been communicated to relevant stakeholders and personnel?

>> Has the airline conducted Cyber emergency response drills and exercises?

>> Is there a system in place to receive and disseminate emergency alerts and notifications?

>> Are there established communication channels and protocols during an emergency?

>> Does the airline have backup systems and redundancies to ensure continuous operations during emergencies?

>> Has the airline identified critical assets and systems that require special protection during emergencies?

>> Are there contingency plans in place to mitigate potential risks and disruptions?

>> Has the airline established relationships and coordination mechanisms with relevant authorities and agencies for emergencies?

>> Are there procedures in place to assess and manage the physical and cybersecurity risks associated with emergency response operations?

>> Is there a process to review and update the emergency response plan based on lessons learned and changing circumstances?

Next Steps

Our sister company - Sofema Aviation Services offers the following courses delivered as classroom or webinar - EASA Compliant Organization Cyber Security Responsibilities

Please see www.sassofia.com or email team@sassofia.com