IS.D.OR.230 Information security external reporting scheme
(a) The organisation shall implement an information security reporting system that complies with the requirements laid down in Regulation (EU) No 376/2014 and its delegated and implementing acts if that Regulation is applicable to the organisation.
(b) Without prejudice to the obligations of Regulation (EU) 376/2014, the organisation shall ensure that any information security incident or vulnerability, which may represent a significant risk to aviation safety, is reported to their competent authority. Furthermore:
(1) where such an incident or vulnerability affects an aircraft or associated system or component, the organisation shall also report it to the design approval holder;
(2) where such an incident or vulnerability affects a system or constituent used by the organisation, the organisation shall report it to the organisation responsible for the design of the system or constituent.
(c) The organisation shall report the conditions referred to in point (b) as follows:
(1) a notification shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, as soon as the condition has been known to the organisation;
(2) a report shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, as soon as possible, but not exceeding 72 hours from the time the condition has been known to the organisation, unless exceptional circumstances prevent this.
The report shall be made in the form defined by the competent authority and shall contain all relevant information about the condition known to the organisation;
(3) a follow-up report shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, providing details of the actions the organisation has taken or intends to take to recover from the incident and the actions it intends to take to prevent similar information security incidents in the future.
The follow-up report shall be submitted as soon as those actions have been identified, and shall be produced in the form defined by the competent authority.
Aviation organizations must report information security incidents and vulnerabilities posing significant aviation safety risks to their competent authority. Incidents affecting aircraft or systems must also be reported to design approval holders. Initial notification is immediate, followed by a detailed report within 72 hours, and a follow-up report outlining corrective and preventative actions.
* Summary by Aviation.Bot - Always consult the original document for the most accurate information.