Introduction
Kitty Hawk Aeronautics (KHA) relies on the enterprise
security infrastructure to retain the value of all assets: personnel,
information and business. The strategic triad of security education,
technical enhancement, and business processes is designed to protect the
value of KHA and partner assets in the face of uncertainty and an
increasingly hostile environment. Supporting the needs of our government
and private sector customers means that KHA must address the goals of
asset confidentiality, integrity, availability, accountability and
assurance at all times.
Applying security principles to protect the value of KHA assets includes
adjusting the level of protection over an asset's lifetime, as described in
the vision statement.
Policy
From an enterprise business position, the KHA
executive team asserts that
security is a competitive differentiator. Our partners know that
business is risky in the best of economic conditions, and with tighter
margins, their ability to manage risk is tested even further. At no time
should their relationship with KHA increase their risk of value loss.
This can be ensured only through the vigilance of KHA personnel, business
process designs with an emphasis on asset protection, and the strict
support of recognized security principles in our architecture.
As a preferred supplier of high quality avionics and
telemetry components for the Department of Defense, NASA and the FAA,
KHA places the protection of value through proven, mature security
practices as a critical success factor for all operations.
In keeping with the KHA Projects Matrix,
the revised Common Operating Environment Security implementation shall
be completed by end of year 2008 to ensure the continued commitment of
security to our partners and customers.
KHA security policy shall be developed based on the
recommendations published by the National Institute of Standards and
Technology (NIST) in its Special Publication 800 series (NIST SP 800).
Particularly relevant is
NIST SP 800-100, Information Security Handbook: A Guide for
Managers. It is in the best
interest of KHA and its partners that all KHA program initiatives shall
conform to the Generally Accepted Security Principles as defined in
NIST SP 800-27 Rev A, Engineering Principles for Information
Technology Security.
Reporting Requirements
The Office of Security Services is responsible for the
time-sensitive and accurate analysis and reporting of all incidents,
vulnerabilities, assurance testing, and security risk mitigations within
KHA. Operationally,
Security Services has a direct reporting responsibility under the Chief
Technology Officer. Annual
Security Services audits are performed by trusted outside agencies under
DoD, FAA and NASA guidance.
Maintaining the necessary high level of security
requires the constant commitment of all KHA employees to identify and
report any vulnerability or incident they encounter.
Rapid reporting leads to the early discovery, accurate
assessment and rapid response that help KHA redefine security as a
critical operational advantage.
In addition to requiring rapid reporting, the
KHA Security Incident Reporting System uses AES-encrypted messaging to
preserve the confidentiality of vulnerability and incident
reports. Analysis results
are maintained within a secured area of the Knowledge
Warehouse for pattern-based assessment and regression testing of
security resolutions.
Summary information on closed security incidents and
vulnerabilities is reported quarterly to KHA partners.
Each month, the KHA Office of Security Services distributes
to all branch offices and project managers its analysis of
known threats, vulnerabilities and mitigation
strategies. As part of this monthly report, Security Services, working
in coordination with the KHA Enterprise Architecture Group, produces an
assessment of emerging security trends along with their impact on active
and planned programs. A
review of these monthly reports is critical for the successful
implementation of projects affected by rapid changes in the security
environment.
Capital Planning and Investment Control (CPIC)
relies extensively on accurate forecasting of changes to security
requirements and of the costs associated with the KHA project portfolios.
The Security Forecast is compiled by the Office of Security
Services with the assistance of the firm Boris and Natasha Security
Consultations (BNSC) and is published quarterly, in the month prior to
the CPIC review board. To align
with the KHA executive schedule, the Security Forecast is therefore
published in February, May, August and November.