| Kitty Hawk Information System Security Classification |
| Lines of Business | Impacts = { L=Low, M=Moderate, H=High } |

| Finance & Administration (Back Office) | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | PRISM Accounts Receivable/Payable | Customer/Supplier balance details, Order Information | confidentiality=M,integrity=H,availability=L | High | No. But does integrate with banking channels for electronic payments and receipt of payments. | |
| | SAP General Ledger | Account Balances | confidentiality=M,integrity=M,availability=L | Moderate | No | |
| | SAP HR Module | Employee Private Details | confidentiality=M,integrity=M,availability=L | Moderate | No | |
| | Activity Based Cost Accounting System | LOB overheads and costs information per product range | confidentiality=M,integrity=M,availability=H | High | No | New System. Occurs across all lines of business & consolidates existing separate finance, payroll, general ledger accounting systems. Non availability could affect long term product pricing and Accounting. |
| | Data mart & reporting | Knowledge Creation and Management | confidentiality=M,integrity=M,availability=M | Moderate | No | Consolidates data from above 3 systems and produces daily reports. Note that part of the initiative is to ensure that controlled access to data marts is established. |
| | Knowledge warehouse | Knowledge Creation and Management | confidentiality=H,integrity=H,availability=M | High | No | To be established. To be run by CIO's office. Centralised for all systems. Contains extracted information from all LOB: Defense, R&D, Space, Civil Aviation, Client, and supplier information. |

| Contracts and Legal (Back Office) | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | Lexis/Nexis online Legal Library System | Legal Documents | confidentiality=M,integrity=M,availability=L | Moderate | No | Moderate confidentiality and integrity requirements on legal documents and contracts. Loss of system availability has a low impact as it could be substituted with manual processes and retrieval of hard copies of documents from offsite storage. |
| | PRISM (Computer Associates) Contracting System v6.1 | Contracts and contractor private details | confidentiality=M,integrity=M,availability=L | Moderate | No | New, to be established. Requirement is to integrate with new accounting system. Has a moderate confidentiality and integrity impact where loss of these goals could result in criminal fraud, or incorrect payments to contractors. Non availability could be substituted with manual processes. |

| Commercial Aviation | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | CAD/CADCAM v7.1 | Commercial Engineering Designs, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | No | Business Essential System. Loss of availability: Commercial Aviation LOB only affected, but affects both component and harness lines of production. Integrated system feeds design plans into production and quality control systems. System non availability would cause delays in production, which could result in high penalties for Kitty Hawk and possible contract cancellation. Compromised confidentiality and integrity could have major impact through loss of Intellectual Property and competitive advantage, and long term revenue loss. |
| | Production Plant Monitoring System v4.2 | Commercial Manufacturing & Engineering | confidentiality=H,integrity=H,availability=H | High | No | Business Essential System. Loss of availability: Commercial Aviation LOB only affected, but affects both component and harness lines of production. Non availability would mean loss of production control and operational reporting. Integrated to Quality Monitoring system and would have the same negative safety impacts. |
| | Component Manufacturing systems | Commercial Manufacturing & Engineering | confidentiality=H,integrity=H,availability=H | High | No | Non availability would mean component orders could not be completed. In the longer term would result in financial loss if stock from warehouse inventory were depleted. |
| | Harness Assembly Systems | Commercial Manufacturing & Engineering | confidentiality=H,integrity=H,availability=H | High | No | Same as above |
| | Quality Control Systems | Commercial Manufacturing & Engineering | confidentiality=H,integrity=H,availability=H | High | No | Linked to strategic goal of improving harness quality. Non availability could be replaced by a slower manual inspection process but would result in slower production rates and delayed order delivery. No quality control system would allow sub standard quality harnesses to be fitted to commercial aircraft, which has an impact on aircraft safety and all passenger life. |

| Defence Systems | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | GIG Broadband System IX | Military Defense Engineering, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | No | Business Essential System. Loss of availability: Defense LOB only affected, but it is the current primary product range and hence would have a high impact on Kitty Hawk. Military Grade, Secret Information on Defense systems. Compromised confidentiality and integrity could have major impact on future Defense Mission Capability with possible high loss of life. |
| | NIPRNET (node) | Military Defense Engineering, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | No | Same as above |
| | USN F-18C UHF/VHF EMI-EMC Test System | Military Defense Engineering, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | External Access required by Northrop Grumman for support in outfitting of USCG DeepWater Cutter UHF/VHF radios | Same as above |

| Space Systems | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | USAF Geotalk System | Space Scientific Engineering, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | No | Business Essential System. Loss of availability: Space LOB only affected, but delays in production could result in high penalties for Kitty Hawk and possible contract cancellation, and knock on delays to NASA with national and international repercussions on company reputation. Secret Information on Space systems. Compromised confidentiality and integrity could have major impact on future Space Mission Capability with possible loss of life. |
| | NASA Standards & Design System II | Space Scientific Engineering, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | External Access required by Raytheon for development on the Challenge Athena III Wideband Satellite Communication System | Same as above |
| | NASA Mars Lander Communications System (Node to JPL and Houston Center) | Space Scientific Engineering, KHA Intellectual Property and Patents | confidentiality=H,integrity=H,availability=H | High | External Access required by Jet Propulsion Labs for Mars Lander IV Program | Same as above |

| Research & Development | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | KHA Avionics Design & Testing System | Scientific & Engineering Plans, Research and new Intellectual Property, Patents | confidentiality=H,integrity=H,availability=L | High | No | Business Essential. Systems do not have an impact on current production lines. The confidentiality impact is high as it affects the competitiveness of future product lines. Loss of confidentiality and integrity would result in R&D investment loss, future revenue loss on new product lines. |
| | NASA Next-Generation Space Shuttle Avionics Programs | Scientific & Engineering Plans, Research and new Intellectual Property, Patents | confidentiality=H,integrity=H,availability=L | High | External Access to Boeing required for NGSSAP. | Same as above |

| Shipping & Receiving | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | Pitney Bowes Shipping Center v3.5 (Node) | Client Delivery Address Information | confidentiality=M,integrity=M,availability=L | Moderate | No | Integrates to Warehouse system providing client delivery address information. Moderate confidentiality impact as client address information needs to be kept private. Loss of integrity could result in incorrect delivery and theft of delivered goods. Impact of loss of availability is low as delivery addresses could be manually looked up. |
| | FEDEX Tracking System (Node) | Tracking and expected Delivery time information | confidentiality=L,integrity=L,availability=L | Low | No | |
| | KHA Warehouse Inventory System | Warehouse stock levels and SKU details | confidentiality=L,integrity=M,availability=M | Moderate | No | Multi site system. Loss of availability could be replaced by a manual process but will introduce delivery delays. Order fulfillment could be satisfied by other warehouses in the short term but may introduce increased shipping costs due to longer delivery routes. Information about products in warehouse is general public knowledge and has a low confidentiality impact, but stock level data integrity needs to be kept tamper proof to prevent theft. |
| | Intermec Bar Code Readers/Database v2.42 | Barcode SKU information. | confidentiality=L,integrity=L,availability=L | Low | No | Non availability would mean that the warehouse system stock levels will have to be kept up to date manually via data capture. Will have a low impact on delivery times. |

| Technology Support | System Name | Information Type | System Categorisation = {(confidentiality, Impact?), (integrity, Impact?), (availability, Impact?)}. | Overall System Security Classification | External Access Required | Description |
|---|---|---|---|---|---|---|
| | EA repository | Contains certain sensitive information, e.g. DR and BC Plans | confidentiality=L,integrity=L,availability=L | Low | No | To be established. Will provide a front end to the Knowledge warehouse established above. General low impact as it mostly contains information available in other areas of the organisation. |
| | Standard Desktop Image: XP, Office 2007, Adobe Acrobat | Not information sensitive, but considered essential business productivity tools. | confidentiality=L,integrity=L,availability=L | Low | No | Loss of availability will impact ability to update standardised O/S stacks with patches/upgrades. Can in the short term be replaced by a series of manual installations. |
| | Gigabit ethernet | Not Information Sensitive but critical technical service in terms of impacting all communication between systems. | confidentiality=L,integrity=L,availability=H | High | No | High availability required for system access and inter system communication. |
| | T3 dedicated Data Circuits | Not Information Sensitive but critical technical service in terms of impacting all communication between systems. | confidentiality=L,integrity=L,availability=H | High | No | High availability required for system access and inter site communication. |
| | Cisco VPN | Not Information Sensitive but a critical technical service in terms of providing external access to internal systems. | confidentiality=L,integrity=L,availability=H | High | No | In the short term business partners and contracts could use telephonic communication but will affect Defense, Space, R&D lines of business in supporting external partners and delivery on certain contracts. |
| | Barracuda Firewalls | Firewall rules are network security sensitive information. | confidentiality=H,integrity=H,availability=H | High | No | Essential for protection of internal systems from external threats, and isolation of various LOB network subnets where sensitivity of the system requires it to be ring fenced. Loss of availability may affect WAN interconnectivity and various LOB interconnectivity. Loss of integrity on firewall rules could expose the entire organisation to external threats. |
| | Network IDN | Not Information Sensitive. | confidentiality=L,integrity=L,availability=L | Low | No | |
| | PBX Nortel Meridian SL-100 | Not Information Sensitive but critical in terms of controlling all telephonic communication in and out of the company. | confidentiality=L,integrity=L,availability=H | High | No | High availability required, has impact on communications across all processes and LOB |
| | CA Unicenter | System incident information, CMDB | confidentiality=L,integrity=L,availability=L | Low | No | Non availability will have an impact on system configuration changes and system troubleshooting |
| | Remedy Help Desk | System incident information, CMDB | confidentiality=L,integrity=L,availability=L | Low | No | Non availability will have an impact on incident management, and ability to perform pro-active system problem management. Could be replaced by a manual system with telephone and email support in the short term. |
| | Black Berry Enterprise server | Not Information Sensitive. Used for mobile users and Senior Managers. | confidentiality=L,integrity=L,availability=L | Low | No | No high impact in any area. Will affect the mobility of senior and executive management. |
| | Exchange 2007 | Not Information Sensitive but critical in terms of controlling all email communication in and out of the company. | confidentiality=L,integrity=L,availability=H | Moderate | No | High availability required, has impact on communications across all processes and LOB |
| | IIS servers & Apache Web servers | | confidentiality=M,integrity=M,availability=H | High | No | Non availability will affect all thin client access to systems. ACLs on web servers required to restrict access to confidential static content. |
| | Virus protection : Symantec desktop | Not information sensitive but important that it is kept up to date with latest virus detect engines and signatures to be distributed to all desktops | confidentiality=L,integrity=L,availability=H | High | No | Non availability impacts the entire organisation's ability to combat a virus outbreak. |
| | Linux Print & File Servers | | confidentiality=M,integrity=L,availability=L | Moderate | No | Non availability does not affect production lines. May contain confidential documents that need to be protected on file servers. |