Security Policy

 

Purpose of the security program: This document compiles the high-level artifacts for the Kitty Hawk Aviation security infrastructure. The goal is to secure the Front and Back Office Applications, infrastructure services, and access profiles for software service providers and business partners. The KHA WAN and the domestic and international Data Centers should all be guided by these policies for enterprise consistency and scalability. Since KHA operates in a fast European market, this should provide a vehicle to spawn new secured data centers “on demand” as business requires. This plan should provide the security-related policies and procedures for documentation, testing, certification, accreditation, operation, and disposal of EA components at all levels of the EA framework.

 

Principles of IT security – The prime security principle is to provide enterprise authentication and authorization services, with monitoring, control, and audit capabilities, so that vulnerabilities can be quickly assessed and rectified. Security should also be standardized under centralized control so that changes can be made effectively and quickly – this is essential because of the constantly changing patterns of attacks on networks, assets, and data. We should have SOPs to execute the purpose of this document. This should promote security-conscious design, assurance, authentication, and access.

 

Critical Success Factors – Success factors include:

  1. Security Awareness

  2. Incorporate security facets into all aspects of design

  3. Enterprise Security Training Plans

  4. Confidentiality

  5. Integrity

  6. Availability

  7. Risk and Vulnerability management

Intended Outcomes – All the critical success factors should be managed by appropriate metrics. The goal is to provide hardened infrastructure with clear guidelines for access and account management. It is also intended to create security awareness that permeates KHA. We want to make security considerations everyone’s problem, and not an IT afterthought. There should be no unintended access to the physical locations or systems, no asset vulnerability, and no unsecured transmission, which are possible risks to a distributed computing environment.

 

Performance Measures – These follow the critical success factors:

  1. System Uptime

  2. Active and Inactive Accounts

  3. Network Latency

  4. Failed Logins

  5. Physical Access Violations

  6. Configuration Management Metrics by asset, software versions, and patches

  7. Configuration Management of Policy Updates by policy version, date, category

Policy Guidance – The security policy should cover the areas of: Intranet, Extranet, encryption, email, virus, passwords, 3rd party connections for partners, and acceptable use. The procedures created will be used for reference to develop the security policy. FIPS 199 System Categorization, FEA Reference Models, FEA Contexts and Conditions, and NIST 800-53 Control Selection are best practice examples of security publications.

 

Reporting Requirements – The IT Security Program Roles and Responsibilities will be focused around infrastructure, servers, networks, and applications. Each group will manage its component of the policies, implementation, and communication plans, maintaining milestones and schedules for updates that need to be coordinated with the other groups. An IT Security Focal will be responsible for working with the Chief Architect and the EA Program Office to publish milestones and schedules for all components of the EA framework. Reporting will include the metrics mentioned in the performance measures section.

 

Concept of Operations – The IT Security Focal will engage with the focals from all the levels of the EA framework to cover identity management, authentication standards, event recording, certifying trusted and untrusted facilities and VLANs, setting asset compliance standards, and approving systems and applications as secure. Only certified components can be moved to production. A Perimeter Design and Integration Team (PDIT) will review requests to add to the infrastructure and will govern the implementation of the security policy.

 

Security Program Elements:

  • Physical Security: All facilities should provide for physical security. All employees and partners should have a badge for identification. The server rooms need to be cipher locked with access given to those who are authorized to maintain the assets. A log should be maintained of who is entering the facilities and when. Only US persons will have access to the Data Centers where all the servers will be housed.

  • Operational and Data Security: Data, server, and application backups need to be done regularly to protect against situations of system outage, corrupt data, damaged hard disks, etc. A robust Disaster Recovery Plan also needs to be instituted for fail-over purposes, to minimize data and operational time loss. KHA Data Center facilities also have uninterrupted power supply and on-site generators to provide 24/7 service. KHA also provides security training on an ongoing basis. There are basic mandatory training courses that are monitored by management, and it is every employee’s responsibility to complete these courses.

  • Personnel and Informational Security: KHA conducts complete background check(s) on all its employees. Partners have to sign a Proprietary Information Agreement (PIA) clause and a Non-Disclosure Agreement (NDA) to legally protect the information. The robust authorization process, Access Control Policy, and audit controls for non-compliance checks ensure personnel and informational security.

  • Standard Operating Procedures: A test and evaluation environment will be set up to enable the certification and accreditation process. Any change to architecture or the Policy Enforcement Points (PEP), and any new application or technology that needs to be injected into the infrastructure, has to go through a Risk and Vulnerability Assessment (RVA) review before it is approved. The assessment team includes resources from networking, application teams, operations team, security, partners, and customers.

 
 

© 2008 CMU/Boeing Class - all rights reserved