PURSUANT TO ACT NO. 181/2014 COLL., ON CYBER SECURITY AND ON AMENDMENTS TO RELATED ACTS (CYBER SECURITY ACT, AS AMENDED)
1. PERSONAL SECURITY
1.1. The contractual partner of Air Navigation Services of the Czech Republic (hereinafter referred to as “Contractor”):
a) Shall have a Security Awareness Development Plan in place, the aim of which is to ensure adequate training and the development of security awareness, and which contains:
i. Instructions for users, administrators, persons performing security functions and subcontractors concerning their obligations and the security policy;
ii. Required theoretical and practical training of users, administrators and persons performing security functions;
b) Shall have appointed persons responsible for carrying out the individual activities listed in the plan;
c) Shall instruct, in compliance with the Security Awareness Development Plan, users, administrators and persons holding security roles and subcontractors on their obligations and on the security policy by means of initial and recurrent training;
d) Shall ensure, in compliance with the Security Awareness Development Plan, regular professional training for persons holding security roles, based on current cybersecurity needs;
e) Shall ensure, in compliance with the Security Awareness Development Plan, regular training and verification of the employees’ security awareness according to their job responsibilities;
f) Shall ensure inspections of compliance with the security policy by users, administrators and persons holding security roles;
g) Shall ensure handover of responsibilities if the contractual relationship with the administrators and persons holding security roles is terminated;
h) Shall evaluate the efficacy of the Security Awareness Development Plan, of the training delivered, and of other activities related to the development of security awareness;
i) Shall determine rules and procedures to deal with cases of breaches of the established security rules by users, administrators and persons holding security roles;
j) Shall keep records of training containing the subject matter of the training and a list of persons who attended it.
1.2. Air Navigation Services of the Czech Republic (hereinafter referred to as “ANS CR”) reserves the right to keep records of and check the Contractor’s activities, and to keep records of incidents and unusual activities of the employees and other persons acting for or on behalf of the Contractor (hereinafter referred to as “Contractor’s Staff”). Based on those records, ANS CR shall be entitled to evaluate the trustworthiness and reliability of the Contractor’s Staff. In the event of any identified risk, ANS CR shall inform the Contractor of the non-conformity and both parties shall enter into negotiations to resolve the situation.
1.3. The qualification of the Contractor’s Staff must correspond to the work position occupied (to the work performed and the level of security).
2. PHYSICAL SECURITY AND SAFETY
2.1. The Contractor, as an employer in the performance of the respective contract, is responsible for compliance with Safety and Health Protection and Fire Protection regulations by its employees or other individuals engaged in work on its behalf (hereinafter together referred to as “the Contractor’s employees”).
3. SECURITY AWARENESS
3.1. All Contractor’s Staff must be demonstrably trained in and acquainted with the applicable internal documents of the Ordering Party relating to the subject of performance of this contract. The Contractor is responsible for training the Contractor’s Staff and for acquainting them with the requirements of this contract and its annexes.
4.1. All Contractor’s Staff who participate in the performance of the contract through the Contractor’s ICT technology must have their own unique user account recorded and maintained within the Contractor’s ICT infrastructure, and every such user account shall be associated with specific roles in the individual designated systems, modules or applications. All Contractor’s Staff must have valid identification and current contact details.
4.2. All Contractor’s Staff who access the Ordering Party’s internal systems shall have their unique user account kept and maintained by the Ordering Party, and specific roles associated exclusively with the performance of the subject of this contract are to be assigned to every such account in the individual systems, modules or applications.
5.1. Terms for authentication within the ANS CR ICT infrastructure:
a) Multi-factor authentication is used to identify privileged users of designated systems.
b) Password-based verification: where multi-factor identification of privileged users cannot be used, authentication by means of cryptographic keys guaranteeing a comparable security level, or a password complying with the required rules, must be used.
5.2. As regards remote access of the Contractor, the Contractor shall submit the source documents needed to complete an application for remote access, on the basis of which the following security rules are subsequently set:
a) The responsible person of the respective designated system of ANS CR shall complete the application on behalf of the Contractor (based on source documents provided by the Contractor’s contact person);
b) The application content must be fully in line with the subject of performance of this contract;
c) After the application has been accepted, the user is acquainted with the remote access rules and is provided with authentication data.
5.3. The Contractor shall be responsible for the activities of its employees and other natural persons performing work on its behalf, which shall comply with the rules provided by ANS CR. Any damage resulting from violation of these rules by the Contractor’s employees shall be borne by the Contractor.
6.1. The Contractor’s Staff using the ANS CR ICT infrastructure are required to use privileged authorisation reasonably and only for the period of time necessary to perform the activities in line with the subject of the contract. Users and administrators are not allowed to use privileged accounts for common work that is not related to administration of the designated system.
6.2. ANS CR shall inform the Contractor’s Staff of the ANS CR protected information they have access to and of the manner in which they may handle it. The Contractor is not allowed to handle the Ordering Party’s protected information in any manner not explicitly listed in those instructions.
7. WORKSTATION SECURITY
7.1. Access to ANS CR systems is by default carried out using ANS CR equipment (HW, SW).
7.2. The Contractor’s HW (PC, laptops) can only access internal protected information and ICT systems if approved by the respective ANS CR workplace and responsible person.
7.3. The Contractor’s HW connected to ANS CR via VPN must:
a) Have a functional anti-virus product certified by AV-TEST (av-test.org) or VB100 (virusbulletin.com);
b) Have a functional personal firewall (FSCS);
c) Have automatic operating system updates functional and configured (e.g. Windows Server Update Services);
d) Have an operating system that is covered by the vendor’s support (unless this is explicitly excluded by contractual agreement);
e) In a Linux environment, or on other operating systems approved by ANS CR, have conditions ensured that are equivalent to those defined above for Windows: AV, FSCS, UPDATE, OS.
8. USE OF CRYPTOGRAPHIC TOOLS
8.1. If the use of cryptographic tools is required within the subject of performance, the technical conditions are as follows:
a) Symmetric password-based encryption using a method defined by ANS CR. The password must be transmitted via a different communication channel;
b) Encryption by means of digital certificates issued by a generally recognized CA or by a CA that is explicitly trusted by both parties;
c) If the validity of the certificate cannot be verified against the CRL, the certificate shall be considered invalid and must not be used for encryption or signing;
d) Encryption using PGP keys approved by both parties or verified by an independent trustworthy third party;
e) A cipher defined by ANS CR shall be used for VPN access to designated systems;
f) The HTTPS protocol with a cipher defined by ANS CR shall be used for web servers presenting data from designated information systems outside the system itself;
g) An EV certificate from a generally recognized certification authority shall be used for web servers presenting data from designated systems to users outside ANS CR.
9.1. Access of the Contractor’s Staff to selected internal information and to the information and telecommunication systems is recorded, monitored and evaluated on a continuous basis. The system events are recorded in logs.
9.2. The Contractor is obliged to continuously monitor (within its ICT infrastructure) published and known security vulnerabilities which may affect the smooth and safe operation of the systems covered by the Contract. This includes, for example, vulnerabilities in operating systems, third-party software, web components, etc.
10. PROTECTION OF MEDIA
10.1. The storage of ANS CR protected data on portable media and the transfer thereof outside the premises of ANS CR require the prior approval of ANS CR.
10.2. In case of storage of ANS CR protected data on portable media, the Contractor is required, where feasible, to store or require the storage of such data in encrypted form and to keep records of these media.
10.3. The Contractor is required to ensure erasure of ANS CR protected data, in accordance with the NIST 800-88 standard, immediately after the purpose of their processing and/or storage has expired. It shall not be possible to recover the information after the data has been erased. The Contractor must keep a record of data erasure.
11. SECURITY EVENTS/INCIDENTS
11.1. The Contractor is required to report any suspicion of a cyber security incident:
a) To the responsible person;
b) Immediately after identifying the cyber security event/incident;
c) By e-mail, phone or in person;
d) With a description of:
i. the date and time of the event/incident;
ii. the nature of the event/incident;
iii. the source of the event/incident;
iv. the target / victim of the event/incident;
v. the potential impact.
12. AUDIT OF THE CONTRACTOR (CUSTOMER AUDIT RULES)
12.1. AUTHORIZATION TO PERFORM AUDIT OF THE CONTRACTOR
a) ANS CR reserves the right to perform audits of the Contractor.
b) ANS CR shall inform the Contractor of its intention of performing the audit at least 5 working days beforehand. Both parties shall agree upon the audit content, necessary cooperation and schedule and ANS CR undertakes to act so as not to disturb the Contractor’s operation.
c) In case of any serious circumstances (e.g. suspicion of risky behaviour of the Contractor) related to the performance of this contract, ANS CR reserves the right to perform an unannounced audit of the Contractor taking into consideration the Contractor’s operating circumstances.
d) When critical information infrastructure elements related to the respective implementing Regulation (EU) laying down common requirements for providers of air traffic management / air navigation services and other functions of the air traffic management network are audited and supervised (by provision of ANS), the auditor / inspector establishes corrective measures for the findings and the date by which they are to be implemented. The Contractor is obliged to implement the corrective measures within the scope of the stipulated corrective measure and by the required deadline.
e) Audit documents shall be maintained by the department responsible for audits. Records of a particular audit shall always be provided with the same identifier. The individual audit records consist of:
i. Audit plan;
ii. Audit notification;
iii. Audit questionnaire (a list of auditor’s questions if the auditor considers it appropriate);
iv. Audit report;
v. Written, picture or other records of the operation, procedures or equipment related to the audit (if necessary for documenting of the findings);
vi. Record of findings (remedial measures and subsequent check).
f) The audited party (the Contractor) shall receive a final audit report including any findings.
Based on the findings listed in the final audit report, the Contractor shall propose remedial measures and deadlines and submit a list thereof to ANS CR for approval.
ANS CR shall confirm the measures proposed, if they meet the requirements set out in the final audit report.
12.2. REMEDIAL MEASURES
a) The audited party (the Contractor) is required to ensure implementation of the arranged remedial measures by the deadline arranged.
b) The Contractor shall submit the report of the measures implemented to ANS CR.
13. TERMINATION OF THE CONTRACT ARRANGEMENTS
13.1. In case of termination of the Contract, all Contractor’s access to ANS CR assets (VPN, systems, applications, data) is terminated no later than on the last day of Contract validity.
13.2. If assets of ANS CR have been provided to the Contractor, all items must be returned no later than the last day of Contract validity.
13.3. If ANS CR data assets (data) have been provided to the Contractor, all data must be returned and erased from all Contractor’s systems and media in accordance with the NIST 800-88 standard.
13.4. In case of a non-standard termination of the Contract, the Contractor’s access may, if necessary, be terminated before the expiry of the period of effect agreed in the Contract.