Airport Business - 19

LANDSIDE SECURITY
stored in airport or third-party
vendor systems.

Know Where the Data
is Coming From
. Graphics below illustrate the type of
ground transportation data collected
by airports.
The definition of data considered
personal is evolving. This data can create
a complete picture of individuals and
their visits to the airport.

Enact Privacy
Safeguards
To address privacy issues, privacy
requirements are being enacted. Some
of the key areas airports need to
incorporate into privacy policy and
procedures include:
1. N on-Disclosure Agreements
(NDA): While having an NDA in
place will not thwart a cybercrime,
it will provide a confidentiality
agreement with third parties and will
help define actions if the information
is disclosed.

3. C
 alifornia Consumer Privacy Act
(CCPA): The CCPA went into effect
on Jan. 1, codifying enhanced privacy
rights. Consumer data privacy rights
allow residents to request from
businesses the categories and specific
elements of personal information the
business collects about the consumer,
the categories of sources from which
that information is collected, the
business purposes for collecting or
selling the information, and the
categories of third parties with which
the information is shared.
4. New York Privacy Act: If passed,
it will give New York residents
sweeping, comprehensive, and
empowering consumer privacy rights.
5. State privacy laws: Each state has
some level of privacy requirements
or breach/loss of data notification
guidelines, so understanding the
requirements by state is highly
recommended.

Data Security
Safeguards
Airport IT systems are growing in
complexity. Many airports are part of a
city, county, or other organization that
implemented programmatic links to
enterprise level systems that are a very
attractive target for cyber criminals.
Airports have to address the risk of
employees with access to systems to be
the source of a breach. This includes
accidental acts that transmit or publish
airport data to unintended recipients as
well as intentional acts.

Plan Ahead
2. 
G enera l Dat a P rotec t ion
Reg u l at ion (GDPR): The
European Union's General Data
Pr ivacy Reg u lation contains
important operational requirements
concerning data minimization,
accuracy, accountability, purpose
and storage limitations, and data
protection that will require impacted
organizations to make technology and
administrative changes. The GDPR
mandates companies demonstrate
compliance, which require the
existence of policies, procedures and
documentation mechanisms.

There is no reason to expect the risk
of a data security breach will go away.
A number of models have been
developed to guide organizations in
developing a comprehensive approach
for their cyber security programs.

Internal Efforts
There are steps every airport can take
to help secure their data.
1. 
I dentify where conf idential
data and Personally Identifiable
Information (PII) resides within
the airport environment. It's critical
to identify the types of information,
specif ically related to customer
PII data and identify where that

information is housed, what systems
interact with it, and where can it go.
A data flow diagram is a helpful tool
to identify these items.
2. Risk Assessment:
* Develop a data inventory and
systems with personal, confidential,
proprietary and/or operational data
and a list of the data being stored.
* Identify the purpose, use and
authorized users of the data and
systems.
* Identify the risks of privacy and
security threats information.
*
P er for m SWOT (Streng ths,
Weak nesses, Oppor t un it ies,
Threats) analysis for systems and
data considered in-scope to.
3. Communicate with employees
and vendors the importance of the
proper use and protection of airport
systems, as well as the policies and
procedures in place to minimize
threats.
4. Conduct a review of vendors and
corresponding access to data and
systems and evaluate the adequacy of
their privacy and security programs.
5. Adopt and publish a privacy
policy addressing the airport's
handling of personal data.
6. Develop and implement a "Privacy
& Security" policy for employees.

External Efforts/
Resources
There are external resources which can
secure data.
1. Obtain consultant assistance
when resources or experience is
required.
2. R equest vendor/third-party
security certifications such as ISO
27001, NIST CSF, HITRUST, and
FedRAMP.
3. C onsider completing System
and Organization Controls
Assessment (SOC) assessments
through a third-party independent
auditor.
4. Gain an understanding of state,
national, and international
legislation related to personal
information.
5. Consider performing Payment
Card Industry (PCI) assessment
activities based on the volume or
the need for securing card data. 

AUGUST | SEPTEMBER 2020 \ AVIATIONPROS.COM / 19
http://www.AVIATIONPROS.COM
Airport Business

Table of Contents for the Digital Edition of Airport Business
