FAA Compliance

From ZuluLog Wiki
Revision as of 01:24, 20 October 2014 by Roger Bright (Talk | contribs)
Jump to: navigation, search

The software that ZuluLog.com makes available on our Web site meets or exceeds minimum industry-standard specifications for secure electronic record-keeping systems and standards prescribed by the Federal Aviation Administration of the United States (FAA). This document is intended to present an overview of the software's methods of compliance with common security requirements.

Contents

Electronic Signatures

FAA Advisory Circular 120-78 presents criteria for determining the acceptability of digitally signed records. These criteria are:

Uniqueness

An electronic signature must identify a specific individual. No one else must be able to produce an electronic signature identical to that of a specific individual. ZuluLog.com uniquely identifies each individual user through a combination of the following methods: unique user name; user-selected password; unique email address; SSL security certificates; and security policies which restrict access to sensitive information to senior personnel.

Significance

An electronic signature must represent unambiguously the intent of the signer to indicate the truthfulness and correctness of the document or record being signed. All records entered into ZuluLog.com as a form of official record-keeping are considered to be signed when a user clicks on the Save button or otherwise expressly causes a record to be saved to the system's database. Under ZuluLog.com's Terms of Use, users agree to save only true and correct data when the site is used for record-keeping. An individual may not use ZuluLog.com's software without agreeing to the Terms of Use.

Scope

It must be clear which specific document or record an electronic signature applies to. ZuluLog.com's entry screens and record import screens have discrete save functionality; although single or multiple records may be saved at once, it is always clear what is being saved, and therefore which records the electronic signature applies to.

Security

Individuals must be prevented from affixing another individual's signature to a document or record. ZuluLog.com uses various means of securing user data, including but not limited to: unique usernames and passwords; SSL encryption; database-level encryption; firewalls; physical security; data access logs; secure record amendment and deletion mechanisms; and data access policies, including mechanisms of disabling access to terminated employees and users.

Non-repudiation

Once a digital record is signed, the signer must not be able to credibly deny having signed the record. ZuluLog.com's security features and access logs make it very unlikely that a signature could be duplicated, or a signed record altered.

Traceability

The signer of a document must be able to be positively identified. ZuluLog.com accomplishes this through mechanisms described above.

Note that ZuluLog.com's software contains multi-user functionality. As one example, students can grant specific flight instructors access to their records, and instructors can then modify flight records, logbook endorsements, and other data contained within a student's account. At the time of modification, such records are considered to have been signed by the instructor or other individual acting as an authorized agent of the user whose records are modified. A record of such modifications is kept on ZuluLog.com's servers.

Reporting

FAA Advisory Circular 120-78 recommends that an electronic record-keeping system have a means of reporting required data, including paper copies, to the FAA or the National Transportation Safety Board of the United States (NTSB). ZuluLog.com has the ability to provide such records, and can do so when expressly required by law.

Auditing

The FAA recommends that the system be audited every 60 days at a minimum, and a record of audits kept. ZuluLog.com makes use of software which monitors server integrity, accessibility, and security; and stores logs of its monitoring results. These logs are kept indefinitely. From the standpoint of ZuluLog.com's data security and integrity, it is not necessary to audit each end-user computer workstation where ZuluLog.com's software is used; however, the end user is responsible for auditing his or her own workstations to ensure that sensitive information such as ZuluLog.com passwords are not stored in a non-secure manner.

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox