Part IS Ask me anything
With much of the aviation industry finalising their implementation of Part-IS, EASA asked for your questions on LinkedIn. The questions (including a bonus one on coffee deprivation) have now been turned into a video that you can watch on YouTube here.
On YouTube you will see timestamps for the individual questions, which are listed below:
- 00:00 Question 1: How can Part-IS be used as a business enabler, rather than just a regulatory obligation?
- 01:05 Question 2: What are common audit findings related to Part-IS, and how can they be avoided?
- 02:22 Question 3 & 4: In an airline context operating multiple Approved Organisations under the same AM, we are structuring our Information Security governance in line with EASA PART‑IS. Is it more effective to appoint a single transversal Appointed Person for Information Security overseeing all Approved Organisations, or to designate a CRP with delegated appointed person roles inside each Approved Organisation?
- 04:28 Question 5: Regarding the AKC model in risk assessments for assessing feasibility, we’ve faced a problem when assessing insider threats, as insiders have high scores in all three factors by their nature. This results in making insider threats the top risk in our heat map, especially with critical systems where the impact is also high. How do you handle this? An idea we had was to calculate the risk likelihood by multiplying the AKC feasibility and a statistical probability factor derived from historical data (e.g. according to ENISA, insider threats were about 0.8% of cyber attacks, maybe even less for non-critical systems). This could maybe “normalise” the risk score to a more realistic figure?
- 07:10 Question 6: As AMC1 IS.I.OR.235(a) states that contracts should include a definition of the roles and responsibilities of both the contracting and contracted organisations, is it acceptable to include a section detailing shared responsibilities, or is it always the case that responsibilities must be strictly separated with no shared elements?
- 08:00 Question 7: In a complex organisation where a CRP is appointed, does regulation IS.I.OR.240(b) require additional roles reporting to the CRP, or would the CRP alone be sufficient to meet this requirement?
- 08:54 Question 8: In the safety risk management process, we are supposed to share information about identified risks internally and externally. Are we supposed to share information about our information security vulnerabilities just as generously?
- 10:10 Question 9: What is the thinking on how best to equip our existing safety investigators with new tools to investigate Part IS threats?
- 11:31 Question 10: A theme I note with my clients is: why do they have to jump through the hoops of another “Part”? If the intent is to mitigate cyber threats that endanger aviation safety, then such could simply be considered and mitigated as part of the SMS obligations.
- 13:17 Question 11: Are you expecting us to include the risk register as part of the documentation to be sent in present & suitable level?
- 13:42 Question 12: Explain to a kid what Part-IS will do for aviation?
- 14:25 Bonus Question: Now I have the feeling that you are not well concentrated. What is the problem?
The rest of the questions are answered in writing. You may find those written answers here: https://www.easa.europa.eu/community/topics/part-ask-me-anything-writte…