FZAG has set itself the following goals:
- Support ICT in fulfilling its mandate.
- Protect information appropriately in terms of availability, confidentiality and integrity, in accordance with the conditions accepted by all stakeholders and "customers" of the ICT organisation.
- Keep the impact and frequency of successful attacks on FZAG's information within the company's risk appetite.
- Protect the critical information and communication technology systems and data required for safe and secure flight operations against cyberattacks, in line with aviation safety and aviation security, and thus prevent any impact on the safety of civil aviation.
The information security management system (ISMS) serves to document all processes and rules needed to ensure information security in respect of the stakeholder groups. The ISMS is communicated continuously, and training appropriate to each level is provided. Application of these rules is mandatory and binding. The ISMS's area of application is defined in its scope.
The ISMS serves to protect information and information processing applications and systems against attacks and hazardous events. Information is independent of its representation and can thus appear in electronic, physical or spoken form.
The ISMS governs data security and takes account of the data-security requirements of data protection law (the Swiss Federal Act on Data Protection, FADP, or the EU General Data Protection Regulation, GDPR). Beyond data security, data protection is not governed by the ISMS.
In the regulated area, FZAG is subject to the NASP, among other requirements. The ISMS is delineated from the integrated management system (IMS) for aviation security and safety as follows: the IMS documentation systems are regulated under the IMS, and the ISMS's data security rules apply to them only in a subsidiary manner. Within the SAIP perimeter, the physical security provisions of the applicable regulations apply.
ISMS delegate of the Management Board (CFO)
The following responsibility is based on the requirements of NASP Chapter 19 and the organisation of FZAG:
The CFO has ultimate responsibility for information security and for the requirements agreed by the Steering Committee for submission to the Management Board or Board of Directors, and requests the necessary resources.
Information Security Steering Committee (ISSC)
Supports the CFO in decision-making and implementation. Its work forms part of the management review required for the ISO certification. The Steering Committee should comprise the following members:
- CFO (Chairman)
- Head of ICT
- Information Security Officer (reporting)
- Area manager O (Head of Flight Operations)
- Area manager M (Head of Building Services)
- Area manager C (Head of Parking & Mobility).
Internal Employees / general
Information Security Officer (ISO)
Ensures that an information security strategy tailored to the business objectives is implemented, taking account of the identified security requirements.
Ensures that an information security management system (ISMS) is implemented, operated and improved, taking account of the statutory and regulatory requirements.
Ensures that the ISMS and its policies are communicated appropriately within FZAG and to the ISMS's stakeholders.
Is responsible for implementing the regulatory requirements regarding information security.
The ISO role carries the following authorities:
- Independently implements decisions of the Management Board and the CFO relating to the ISMS.
- Authority to issue directives in the context of the ISMS.
- Structures procedures and processes in the context of the ISMS.
Asset owners define rules for the permitted use of the information and assets assigned to them, and they document and apply these rules.
Risk owners manage the process for assessing and treating the information security risks assigned to them. They analyse and evaluate the risks and define appropriate measures.
Line managers ensure the smooth, economical and appropriate functioning of the processes in their area of responsibility. They represent the interests of their user group and ensure that management requirements are unambiguous and coordinated.
Internal ISMS audit
The internal ISMS audit serves as a periodic check of whether the ISMS has been implemented in accordance with the Management Board's requirements and whether it is being operated effectively. The audits are conducted in accordance with recognised audit methods and are documented. It should be noted that the certified part of the ISMS is re-certified each year by an external body.
In organisational terms, the internal ISMS audit can be assigned to the Information Security Officer (ISO) function, provided the audits are conducted and reported in coordination with FZAG's internal audit so that the independence of the audit is preserved.
External employees/third-party employees
FZAG's information security rules also apply to, and must be adhered to by, external employees and third-party employees working within the ISMS's area of application.
Employees of FZAG are subject to the internal sanctions process.
For external employees, sanctions are provided for in the contractual agreements.
Information security is understood to include all measures that are ordered, implemented, checked and continuously improved in order to uphold the confidentiality, integrity and availability of information. These measures may be of an organisational, technical or structural (construction-related) nature.
- Confidentiality: information is accessible only to authorised persons.
- Integrity: the accuracy and completeness of information and of the processing methods used are ensured.
- Availability: authorised users have access to information and the related resources whenever they need them.
Information security management system (ISMS)
An ISMS is understood to include:
- all rules, procedures and processes within the area of application that serve to define, manage, conduct, check, uphold and continuously improve information security;
- the documentation of these, handled via the ISMS framework, the Statement of Applicability (SoA) checks, the related policies, process overviews and other documentary evidence.