The software that ZuluLog.com makes available on our Web site meets or exceeds minimum industry-standard specifications for secure electronic record-keeping systems and standards prescribed by the Federal Aviation Administration of the United States (FAA). This document is intended to present an overview of the software's methods of compliance with common security requirements.
FAA Advisory Circular 120-78 presents criteria for determining the acceptability of digitally signed records. These criteria are:
An electronic signature must identify a specific individual. No one else must be able to produce an electronic signature identical to that of a specific individual. ZuluLog.com uniquely identifies each individual user through a combination of the following methods: unique user name; user-selected password; unique email address; SSL security certificates; and security policies which restrict access to sensitive information to senior personnel.
It must be clear which specific document or record an electronic signature applies to. ZuluLog.com's entry screens and record import screens have discrete save functionality; although single or multiple records may be saved at once, it is always clear what is being saved, and therefore which records the electronic signature applies to.
Individuals must be prevented from affixing another individual's signature to a document or record. ZuluLog.com uses various means of securing user data, including but not limited to: unique usernames and passwords; SSL encryption; database-level encryption; firewalls; physical security; data access logs; secure record amendment and deletion mechanisms; and data access policies, including mechanisms of disabling access to terminated employees and users.
Once a digital record is signed, the signer must not be able to credibly deny having signed the record. ZuluLog.com's security features and access logs make it very unlikely that a signature could be duplicated, or a signed record altered.
The signer of a document must be able to be positively identified. ZuluLog.com accomplishes this through mechanisms described above.
Note that ZuluLog.com's software contains multi-user functionality. As one example, students can grant specific flight instructors access to their records, and instructors can then modify flight records, logbook endorsements, and other data contained within a student's account. At the time of modification, such records are considered to have been signed by the instructor or other individual acting as an authorized agent of the user whose records are modified. A record of such modifications is kept on ZuluLog.com's servers.
FAA Advisory Circular 120-78 recommends that an electronic record-keeping system have a means of reporting required data, including paper copies, to the FAA or the National Transportation Safety Board of the United States (NTSB). ZuluLog.com has the ability to provide such records, and can do so when expressly required by law.
The FAA recommends that the system be audited every 60 days at a minimum, and a record of audits kept. ZuluLog.com makes use of software which monitors server integrity, accessibility, and security; and stores logs of its monitoring results. These logs are kept indefinitely. From the standpoint of ZuluLog.com's data security and integrity, it is not necessary to audit each end-user computer workstation where ZuluLog.com's software is used; however, the end user is responsible for auditing his or her own workstations to ensure that sensitive information such as ZuluLog.com passwords are not stored in a non-secure manner.