Sofema Aviation Services (SAS) is considering the development of an EASA Part 145 Information Security Management (Cyber) System to ensure compliance while maintaining the existing headcount.
Introduction
In an EASA Part 145 organization, where recruitment is constrained, cyber security responsibilities must be managed effectively by leveraging existing resources, optimizing processes, and implementing automation.
A typical EASA Part 145 organization with 100 employees can meet cyber security responsibilities under IS.I.OR.240 without additional recruitment by redistributing responsibilities, leveraging automation, and optimizing internal resources.
With a focus on training, prioritization, and efficient processes, the organization can maintain compliance and protect its operations effectively within existing constraints.
Key Responsibilities – Policy and Governance:
- Maintain and implement a robust cyber security policy aligned with IS.I.OR.200(a)(1).
- Continuously assess and address cyber security risks associated with operations, interfaces, and information systems (IS.I.OR.205).
- Ensure the organization has measures to detect, respond to, and recover from cyber security incidents (IS.I.OR.220).
- Use existing teams (e.g., IT, QA, and Maintenance) to share responsibilities for cyber security oversight.
- Meet EASA requirements for external reporting of cyber security incidents or vulnerabilities (IS.I.OR.230).
Optimizing Cyber Security Staffing Without Recruitment – Redistribution of Responsibilities:
- Cyber Security Manager Role – Assign the accountable manager or a senior team member with IT competence to oversee cyber security risk management as an additional responsibility.
- Shared Duties – Distribute specific cyber responsibilities across existing teams:
- IT Team: Focus on system monitoring, patch management, and access control.
- Quality Assurance (QA): Handle compliance audits, internal reporting, and record-keeping.
- Operational Teams: Participate in risk assessment and awareness training.
Cross-Training and Internal Training of Existing Staff:
- Provide cyber security training to existing staff to build competence without hiring external personnel.
- Identify and upskill team members with overlapping IT or cyber security knowledge to handle specialized tasks.
Automated Tools and Technology:
- Threat Monitoring:
- Deploy Security Information and Event Management (SIEM) tools and automated threat detection so that critical maintenance data and systems are monitored continuously, incidents are detected early, and the resulting records support regulatory compliance and overall aviation safety.
- Access Management:
- Implement identity and access management (IAM) systems to simplify control of user permissions.
- Incident Response:
- Use predefined response playbooks and automated alerts for efficient handling of cyber incidents.
Challenges and Mitigation Strategies – Challenges:
- Limited Resources – Existing staff may lack the time or expertise to fully manage additional responsibilities.
- Complexity of Cyber Threats – Evolving threats may outpace the current capacity of the team.
- Fatigue and Workload – Adding responsibilities can lead to staff burnout or decreased efficiency.
Mitigation Strategies – Prioritization & Streamlining
- Focus on critical cyber security activities, such as patch management, access control, and incident response.
- Standardize workflows and use checklists to simplify routine cyber security tasks.
- Use third-party services for specialized activities (e.g., vulnerability scanning or penetration testing) under contractual arrangements.
Best Practices for Managing Cyber Security Without Recruitment
Team Optimization – Integrate Cyber Security into Daily Operations:
- Embed cyber security tasks into routine IT and QA processes (e.g., include cyber checks in maintenance planning or audits).
- Assign dual roles to team members with complementary skill sets, such as IT staff managing security configurations and maintenance planners identifying potential digital vulnerabilities.
Process Improvements – Regular Training:
- Schedule quarterly cyber security awareness training sessions for all staff, emphasizing phishing prevention, password hygiene, and reporting protocols.
- Conduct cyber security drills to test and improve readiness without external resources.
- Use centralized logging tools to track system activity and identify anomalies.
- Develop automated workflows for responding to common threats, such as ransomware or unauthorized access.
- Encourage interdepartmental coordination between IT, operations, and QA teams for cyber security oversight.
- Create a shared knowledge base of cyber security policies, incidents, and lessons learned to empower all employees.
Industry Norms and Standards – Cyber Security Frameworks:
- Align with recognized standards like ISO 27001 or the NIST Cybersecurity Framework for guidance on managing responsibilities with limited resources.
- Many small organizations use a lean staffing model, where 1-2 key individuals oversee cyber security with extensive reliance on automation and training.
- Prioritize protections for high-risk systems, such as maintenance management systems, and sensitive data storage.
Managing Cyber Security in a Resource-Constrained EASA Part 145 Organization
- Team Allocation:
- IT staff handle system monitoring and incident response.
- QA staff ensure compliance and maintain records of cyber risks and incidents.
- Maintenance planners assist in identifying operational risks linked to cyber vulnerabilities.
- Training Focus:
- Conduct monthly awareness sessions to ensure all employees understand their role in cyber security.
- Automation:
- Deploy a SIEM solution to monitor and analyze system logs.
Next Steps
- Follow this link to our Library to find & download related documents for Free.
- See the following 2-day course: Implementing an Information Cyber Security Program in an EASA Part 145 Organization.
For comments or questions, please email team@sassofia.com.
Tags:
EASA Part 145, Cyber Security, SAS blogs, BlogSeries, Key Responsibilities Policy and Governance, IS.I.OR.200(a)(1)