Policy and Guidelines on Cyber Security
The DOTr-OTS Memorandum Circular No. 2019-03 outlines policies and guidelines to enhance cybersecurity within the Philippine aviation sector, adhering to various laws including the Data Privacy Act and the Cybercrime Prevention Act. It mandates that all stakeholders, such as airport and aircraft operators, develop their own cybersecurity policies based on risk assessments and implement measures to protect critical information systems from cyber threats. Key requirements include conducting background investigations for IT personnel, continuous training, incident reporting, and vulnerability testing. The circular emphasizes the need for a robust cybersecurity framework to safeguard sensitive aviation data and infrastructure, and it is effective immediately.
Law Information
- Reference Number: DOTr-OTS Memorandum Circular No. 2019-03
- Date Enacted:
- Category: Other Rules and Procedures
- Subcategory: Department of Transportation and Communications
- Jurisdiction: Philippines
- Enacting Body: Congress of the Philippines
Full Law Text
April 10, 2019
DOTr-OTS MEMORANDUM CIRCULAR NO. 2019-03
SUBJECT : Policy and Guidelines on Cyber Security
Pursuant to Section 4.9.1 of Annex 17 to the Convention on International Civil Aviation (Chicago Convention) measures relating to Cyber Threats; Chapter 11 (Cyber Threats to Critical Aviation Information and Communication Technology System) of the National Civil Aviation Security Program (NCASP); Republic Act No. 10173, otherwise known as the "Data Privacy Act of 2012" and its Implementing Rules and Regulations (IRR); Republic Act No. 10175, otherwise known as the Cybercrime Prevention Act; and National Cybersecurity Plan 2022-DICT, OTS adopts the following policy and guidelines:
I. RATIONALE
The civil aviation operation environment is changing rapidly and significantly with the deployment of new advanced technologies and communication systems shifting from manual processes to more efficient automated processes, communications, and storage, in order to enhance security and facilitation.
It is the obligation of the aviation industry to protect their own information assets and critical infrastructures against cyber criminals in order to prevent unauthorized access to sensitive information and access to aviation information system and ICT infrastructure.
II. OBJECTIVE
The main objective of this policy is to ensure that aviation industry operators have security measures in place to protect critical aviation information and communication technology systems and data against cyber threats/attacks.
III. SCOPE/COVERAGE
This MC applies to all airport operators, aircraft operators, air traffic service providers, cargo operators and other entities involved in civil aviation.
IV. GUIDELINES
A. All airport operators, aircraft operators, cargo operators and other entities involved in the aviation industry shall develop their own Cyber Security Policy based on risk assessment, taking into consideration the cost of their information assets, complexity of the information system and size of their network infrastructure, which has the following components:[1]
1. Data Governance and Protection such as but not limited to:
1.1 Email Usage
1.2 Password Management
1.3 Bring Your Own Device (BYOD) Management
2. Data Transmission Access Control (Physical and Virtual) Management
3. Data Identity and Privacy Management
4. System and Network Security Management
5. Security Incident and Handling Procedure
6. Cyber Security Contingency and Emergency Plan (in case of security breach)
B. All airport operators, aircraft operators, cargo operators and other entities involved in the aviation industry shall likewise:
1. Require Complete Background Investigation (CBI) on IT staff and other personnel who have access to the critical information systems which include but are not limited to:
a. Access control and alarm monitoring systems;
b. Departure control systems;
c. Passenger and baggage reconciliation systems;
d. Screening systems and/or explosive detection systems, whether networked or operating in a standalone configuration;
e. Regulated agent and/or known consignor databases;
f. Air traffic management systems;
g. Aircraft operator reservation and passenger check-in systems;
h. Closed-circuit television surveillance systems; and
i. Security command, control and dispatch systems.
2. Provide continuous capacity building for IT Staff and end user on the latest technology and new information system, respectively.
3. Include a confidentiality clause as well as the requirements for CBI in all contracts with Third Party Service Providers or Suppliers of ICT equipment and information systems.
4. Submit an incident report to OTS in case of security breach, copy furnished to the Department of Transportation (DOTr), Department of Information and Communications Technology (DICT), National Privacy Commission (NPC), and other concerned agencies.
5. Undergo Vulnerability and Penetration Testing (VAPT) services of Third Party Service Providers of ICT equipment and information system accredited by the DICT.
6. Install firewall and other security equipment if necessary.
C. Cyber Security Policies and other security requirements under this MC shall be included in the security program of all airport operators (ASP), aircraft operators (AOSP), air traffic service providers, cargo operators and other entities involved in civil aviation.
V. MISCELLANEOUS PROVISIONS
A. Construction. The provisions herein shall be liberally construed in order to promote its civil aviation security objectives.
B. Reservations. Nothing herein shall be construed as precluding OTS, through its Administrator, from implementing and enforcing the provisions enunciated herein, and from prescribing other requirements to meet the constantly evolving challenges in civil aviation security.
C. Amendments. Nothing in this circular shall restrict OTS, through its Administrator, to modify, amend or repeal any provision of this circular by subsequent issuances.
D. Repeal. All orders, rules, regulations and issuances, or parts hereof, which are inconsistent with this circular, are hereby accordingly repealed or modified.
E. Separability. If any provision or section of this circular is declared null and void by competent authority, the remaining provisions thereof shall not be affected and shall remain in full force and effect.
F. Effectivity. This circular shall take effect immediately. A copy of this circular shall be deposited with the University of the Philippines Law Center, in compliance with the Revised Administrative Code.
VI. ANNEXES
A. Annex A — Definition of Terms
B. Annex B — RA 10173
C. Annex C — RA 10175
D. ICAO Annex 17 Section 4.9 on Cyber Security
E. Civil Aviation Cyber Security Action Plan
(SGD.) USEC ARTURO M. EVANGELISTA
Administrator
ANNEX A
Definition of Terms
Bring Your Own Device (BYOD) — the practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes.
Cyber — a term which relates to or characteristic of the culture of computers, information technology, and virtual reality.
Cyber Attacks — an attempt by hackers to damage or destroy a computer network or system.
Cyber Security — the protection of internet-connected systems, including hardware, software and data, from cyberattacks.
Cyber Security Policy — a formal document that outlines the principles, procedures and guidelines to enforce, manage, monitor and maintain security on a computer network. It is designed to ensure that the computer network is protected from any act or process that can breach its security.
Cyber Threats — the possibility of a malicious attempt to damage or disrupt a computer network or system.
Data Governance — a data management concept concerning the capability that enables an organization to ensure that high data quality exists throughout the complete lifecycle of the data.
Data Transmission — the transfer of data (a digital bitstream or a digitized analog signal) over a point-to-point or point-to-multipoint communication channel.
Email — a digital mechanism for exchanging messages through Internet or intranet communication.
Information Assets — a body of knowledge that is organized and managed as a single entity. Like any other corporate asset, an organization's information assets have financial value. That value of the asset increases in direct relationship to the number of people who are able to make use of the information.
Information System — a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
ICT Infrastructure — encompasses all the devices, networks, protocols and procedures that are employed in the telecoms or information technology.
Security Breach — a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
Third Party Service Providers — a person that is not an affiliate of the Agency that provides services to the Agency and maintains, processes or is otherwise permitted access to Nonpublic Information through its provision of services to the Agency.
Footnotes
1. Chapter 11, NCASP: Cyber Threats to Critical Aviation Information and Communication Technology System.
Cite This Law
Policy and Guidelines on Cyber Security, DOTr-OTS Memorandum Circular No. 2019-03, Apr 10, 2019 (Philippines)
Policy and Guidelines on Cyber Security, DOTr-OTS Memorandum Circular No. 2019-03 (Phil. 2019)