IS.D.OR.220 Information security incidents — detection, response and recovery
(a) Based on the outcome of the risk assessment carried out in accordance with point IS.D.OR.205 and the outcome of the risk treatment performed in accordance with point IS.D.OR.210, the organisation shall implement measures to detect incidents and vulnerabilities that indicate the potential materialisation of unacceptable risks and which may have a potential impact on aviation safety. Those detection measures shall enable the organisation to:
(1) identify deviations from predetermined functional performance baselines;
(2) trigger warnings to activate proper response measures, in case of any deviation.
(b) The organisation shall implement measures to respond to any event conditions identified in accordance with point (a) that may develop or have developed into an information security incident. Those response measures shall enable the organisation to:
(1) initiate the reaction to the warnings referred to in point (a)(2) by activating predefined resources and course of actions;
(2) contain the spread of an attack and avoid the full materialisation of a threat scenario;
(3) control the failure mode of the affected elements defined in point IS.D.OR.205(a).
(c) The organisation shall implement measures aimed at recovering from information security incidents, including emergency measures, if needed. Those recovery measures shall enable the organisation to:
(1) remove the condition that caused the incident, or constrain it to a tolerable level;
(2) reach a safe state of the affected elements defined in point IS.D.OR.205(a) within a recovery time previously defined by the organisation.