COMPUTER GENERATED

1
COMPUTER GENERATED STORED RECORDS CONTROLS

• Presented by
• COSCAP-SA

2
COMPUTER GENERATED STORED RECORDS CONTROLS

• BACKGROUND.
• The material in this presentation is intended to
  provide guidance to Aviation Inspectors
  concerning controls for managing information
  systems that generate and store records used in
  the maintenance of aircraft and aircraft
  components .

3
COMPUTER GENERATED STORED RECORDS CONTROLS

• APPLICABLE RELATED REQUIREMENTS INFORMATION.

Chapter 11 (Maintenance Records) of the
Inspectors manual and ICAO Annex 6, 8.8
4
COMPUTER GENERATED STORED RECORDS CONTROLS

• DEFINITIONS.
• For the purpose of this Document , the following
  definitions applya. Authorizations. Permission
  granted by management to individuals authorizing
  full or partial admission to restricted access
  information management systems.b.Data. A set of
  alphanumeric and/or graphic characters organized
  to represent facts or instructions suitable for
  communicating, interpreting, or processing by a
  computer.

5
COMPUTER GENERATED STORED RECORDS CONTROLS

• c. Field. An element of a computer file that may
  contain data and whose size is controlled by the
  program.d. Information Systems. A computer
  system which is designed to automate a specific
  function such as records management.e. Privacy
  Keys. A password or procedure that allows full or
  partial access to a restricted information
  management system.

6
COMPUTER GENERATED STORED RECORDS CONTROLS

• f. Privacy Locks. A procedure that restricts
  access to a portion of an information system.
• g. Read Only Capability. The authority given to
  an individual which allows that person to access
  or read data in a field without being able to
  change or enter data.

7
COMPUTER GENERATED STORED RECORDS CONTROLS

• i. Record. A history of the maintenance of a
  particular aircraft, aircraft component or item.
  As used in this document, a record is not a
  group of associated data fields or files within
  an information management system.
• j.Write Capability. The authority given to a
  user which allows that person to enter or change
  data in a field.

8
DISCUSSION.

• Maintenance organizations are required to
  maintain records.
• ICAO Annex 6 and various states regulations
  contain requirements regarding the content of
  those records
• Computer based systems have been acquired to
  generate and store maintenance records.
• This document will not discuss what maintenance
  and quality records should contain, but rather
  control mechanisms that should be used.

9
COMPUTER GENERATED STORED RECORDS CONTROLS

• A record system will detect and deter
  unauthorized disclosure, modification, or use of
  records. Record systems require protection to
  ensure that an accurate history of the
  maintenance of an aircraft, aircraft component
  or item exists. An information management system
  should be protected from intruders.

10
COMPUTER GENERATED STORED RECORDS CONTROLS

• The system should also be protected from
  employees with authorized access privileges who
  attempt to perform unauthorized actions.
  Protection is achieved not only by technical,
  physical, and personnel safeguards, but also by
  clearly advising all employees of the
  organizational procedures regarding authorized
  system use.

11
SECURITY PRINCIPLES

• Security attributes should be present in all
  systems. System should include(1) User
  Identification.
• Each user should be uniquely identified by an
  identification code to identify who has logged
  onto the system and to verify access.
• (2) Authentication of User.
• There should be a means of verifying that the
  person entering the user identification code is
  the authorized individual- normally done by the
  use of a password.

12
SECURITY PRINCIPLES

• (3) Principle of Least Possible Privilege.
• Each person is limited to the information and
  transaction authority that is required by their
  job responsibilities.
• Based upon the design of the system, privacy
  locks and keys may control varying combinations
  of data elements.Levels of protection may include
  the following (i) Data items,
  (v)Files, or
• (ii)Data aggregates, (vi)The complete system
  (iii)Sets, (iv)Fields,

13
SECURITY PRINCIPLES

• (4) Relation to Quality Data Responsibilities.
• The system should ensure that authorization
  privileges coincide with the responsibilities
  outlined in the organizations quality control
  program.
• The system should be capable of assigning each
  user the specific access authority needed.

14
SECURITY PRINCIPLES

• (Privileges continued)
• These may include
• (i) Read Only Access.
• (ii) Insert or Write Access Authorizations.
• (iii) Change Access Authorizations..
• (iv) Delete Access Authorizations.
• (v) Security Access Authorizations..

15
AUDITING MECHANISMS.

• The system should include devices that detect
  security breaches.
• Security breaches should alert the security
  manager
• Security breach logs should be available only to
  select individuals.
• Serious events, may generate alarms..

16
AUDITING MECHANISMS

• Protection Against Software and Hardware
  Destruction.
• System records should be protected from
  computer viruses.
• Systems should include virus detection
  programs

17
AUDITING MECHANISMS

• Protection Against Software and Hardware
  Destruction.
• Inventories.
• Inventories of all software and hardware
  configurations and locations should be used
  to ensure unauthorized hardware/software
  does not enter the computer environment.

18
AUDITING MECHANISMS

• Protection Against Software and Hardware
  Destruction.
• Portable Equipment.
• Portable computer equipment such as laptops
  represent special risks from virus contamination
  and thus there use in the system must be strictly
  controlled.

19
AUDITING MECHANISMS

• Protection Against Software and Hardware
  Destruction.
• Network Security.
• Procedures should address additional protection
  necessary to control a network.
• The degree of protection should be based upon the
  complexity of the system.
• Additional protection may required

20
AUDITING MECHANISMS

• Protection Against Software and Hardware
  Destruction
• System Backup.
• Backup provisions should be developed for loss of
  data resulting from system failure.
• Backup periods need to be established.

21
MEDIA CONTROL.

• Media is the material on which data is stored
  and must
• be carefully controlled and protected.
• be stored in secure locations.
• come from authorized sources.

22
MEDIA TYPES

• FLOPPY DISKS AND HARD DRIVES
• Not for long term storage.
• Data for long term storage should be transferred
  to other media.
• Data must be able to be retrieved.

23
MEDIA TYPES

• MAGNETIC TAPES
• should be tested within six months.
• Tapes should be stored in a cool dry environment.
• Storage criteria(i) temperature 62 - 68 degrees
  F.(ii) Relative humidity 35-45.(iii) rewind
  under controlled tension every 3 ½
  years.(iv) before 10 years data should be
  transferred to new tapes.(v) Annual sample of
  tapes should be tested to identify any loss of
  data.(vi) No Smoking, eating, or drinking.

24
MEDIA TYPES

• OPTICAL DISKS
• Optical disks are not highly sensitive to
  physical abuse, environmental conditions, or
  magnetic force fields. Optical disks need only be
  protected from loss.

25
MEDIA TYPES

• METAL PARTICULE TAPES
• Chromium dioxide tapes should be handled like
  magnetic tapes except for periodic rewinding and
  cleaning.
• New types of metal particle tapes will become
  available but may be subject to oxidation.
• Prior to use of any metal particle tapes for long
  term storage,it must be ensured that the tapes
  can maintain integrity of the data

26
DOCUMENTATION

• The information management system should be
  properly documented.(1) All software programs
  within the system, including program changes,
  should be fully documented.(2) Procedures should
  be developed that control all data entered into
  the system. The procedures should address all
  information management system/human interface
  activities. The procedures should be kept current.

27
Availability.

• The computer industry is extremely dynamic
  concerning the systems that are available for
  record keeping. If the organisation changes from
  one system to another, the records that were
  produced by the old system must remain accessible
  to the CAA in a usable format. The organizations
  documented quality control system should
  indicate how this accessibility is accomplished.

28
Information Management System Facility Management.

• The main system facilities that house the
  equipment must be protected from physical threats
  and hazards. Areas to be considered include
• a.Physical Security. Survey for potential hazards
  such as fire and water to minimized damage
  possibilities.
• b. Environmental Conditions. Consider the
  environmental conditions of the equipment and
  media storage areas.
• c. Disaster Recovery.Provide a contingency plan
  to allow recovery of critical system information
  in case of a disaster.

29
TRAINING.

• Organizations should train each employee who is
  involved with any portion of the system. The
  subject matter varying with the employees level
  within the organization and job responsibilities.
  
• Training should include security awareness,
  organizational policy, system operation and
  record storage requirements.
• Training should be documented

30
COMPUTER GENERATED STORED RECORDS
CONTROLS THE END