[Business Impact Analysis] [Critical Business Function] [T2] Part 3
CBF 9: IT & Cyber Resilience
Impact Over Time of Business Functions
The resilience of information technology and cybersecurity capabilities within the Civil Aviation Authority of Singapore (CAAS) is critical to maintaining safe, secure, and uninterrupted civil aviation operations in Singapore.
The Critical Business Function (CBF-9): IT & Cyber Resilience encompasses the digital backbone of CAAS’s services, from real-time air traffic management to the secure operation of enterprise systems and digital aviation platforms.
This chapter evaluates the potential impact over time if these functions are disrupted, using a 1 to 5 scale—where 1 indicates minimal impact and 5 indicates severe or critical impact.
The analysis is aligned with the BCM Institute’s framework for impact assessment and considers factors such as operational disruption, financial cost, safety risks, regulatory compliance, and reputational damage.
Understanding the impact severity over specific time intervals allows CAAS to prioritize recovery strategies and allocate appropriate resources, ensuring that business continuity objectives are met in the face of cyber incidents, IT system failures, or external threats.
Table 3: Impact Over Time of Business Functions for CBF 1: Air Navigation Services

| Sub-CBF Code | Sub-CBF | Highest-Impact Area | 4 Hr | 8 Hr | 1 Day | 2 Day | 3 Day | 5 Day | 7 Day | 10 Day | 14 Day | 21 Day | 30 Day | 60 Day | RTO | MTPD | Vulnerable Period |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CBF-1.1 | Air Traffic Management (ATM) Systems Resilience | Operational Safety | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 2 Hours | 4 Hours | Peak Air Traffic Periods |
| CBF-1.2 | Cybersecurity Monitoring & Threat Response | Information Security | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 4 | 4 | 4 Hours | 1 Day | During Cyberattack or Breach |
| CBF-1.3 | Critical System Backup & Data Recovery | Data Integrity & Continuity | 3 | 3 | 4 | 4 | 4 | 4 | 4 | 4 | 3 | 3 | 3 | 3 | 8 Hours | 2 Days | During Recovery Operations |
| CBF-1.4 | Enterprise IT Infrastructure Continuity | Service Availability | 3 | 4 | 4 | 4 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 2 | 8 Hours | 3 Days | System Upgrades or Failures |
| CBF-1.5 | Digital Aviation Services Platform (DASP) Resilience | Stakeholder Services | 3 | 4 | 4 | 4 | 4 | 3 | 3 | 3 | 2 | 2 | 2 | 2 | 6 Hours | 2 Days | High-Demand Transaction Periods |
| CBF-1.6 | Cloud and Third-Party Service Continuity | Third-Party Dependency | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 2 | 1 Day | 5 Days | Vendor Transition or Downtime |
| CBF-1.7 | IT Governance & Compliance Management | Regulatory Compliance | 1 | 2 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 2 | 2 Days | 14 Days | During Regulatory Audits |
| CBF-1.8 | Disaster Recovery Planning and Testing | Recovery Assurance | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 Days | 30 Days | Non-Tested Periods |

Notes
- Impact values are based on a scale of 1 (lowest) to 5 (highest) as per BCM standards.
- RTO (Recovery Time Objective): The maximum allowable time to recover the function to avoid unacceptable consequences.
- MTPD (Maximum Tolerable Period of Disruption): The longest time a process can be disrupted before it causes irrevocable damage.
- Vulnerable Period: Time of heightened risk when disruption will cause a disproportionately high impact.
Summing Up ... for Part 3
The analysis of impact over time for the sub-functions under CBF-9 IT & Cyber Resilience clearly illustrates the time-sensitive and mission-critical nature of digital infrastructure within CAAS. Functions such as Air Traffic Management Systems Resilience and Cybersecurity Monitoring present high criticality even at the 4-hour mark, reinforcing the need for rapid recovery capabilities, well-tested disaster recovery plans, and continuous monitoring.
Conversely, sub-functions like Governance, Compliance, and Disaster Recovery Testing tolerate longer disruptions before causing material impact, but are essential for long-term regulatory and reputational standing.
The Recovery Time Objectives (RTOs) and Maximum Tolerable Periods of Disruption (MTPDs) defined in this assessment provide clear targets for CAAS to build its IT and cyber resilience capabilities, especially as digital transformation and aviation modernisation continue to accelerate.
This prioritisation ensures that CAAS can uphold its commitment to aviation safety, regulatory compliance, and stakeholder trust, even during IT disruptions or cyber incidents.
[Business Impact Analysis] [Critical Business Function] [T2] Part 4
CBF 1: Air Navigation Services
Supporting IT Systems and Applications
The Civil Aviation Authority of Singapore (CAAS) operates within a highly complex, regulated, and technology-reliant environment.
As such, the resilience of its IT and cyber systems forms a critical backbone in maintaining uninterrupted air navigation services, safeguarding national cybersecurity, and ensuring operational continuity across all aviation-related functions.
This chapter focuses on the supporting IT systems and applications that underpin the Critical Business Function: CBF-9 – IT & Cyber Resilience.
It presents a comprehensive view of the key Sub-CBFs, identifies core systems, evaluates Recovery Point Objectives (RPOs) and System Recovery Time Objectives (System RTOs), and outlines the special equipment or resources that facilitate their continuity.
This analysis enables CAAS to maintain resilient operations in alignment with best practices in business continuity and disaster recovery planning.
Table 4: [BIA] [P4] Supporting IT Systems and Applications for CBF 9: IT & Cyber Resilience

| CBF Code | CBF | IT Systems and Applications | RPO | System RTO | Supporting Special Equipment or Resources | Remarks |
|---|---|---|---|---|---|---|
| CBF-1.1 | Air Traffic Management (ATM) Systems Resilience | LORADS III, SURVnet, ATFM System, Airport-CDM, A-SMGCS | < 1 min | < 30 min | Redundant radar/ADS-B sensors, failover servers, dual comm networks | Critical real-time control systems; high availability and low-latency essential |
| CBF-1.2 | Cybersecurity Monitoring & Threat Response | SIEM, SOAR, IDS/IPS, Threat Intelligence Platforms | < 15 min | 1 hour | SOC tools, AI anomaly detection, endpoint protection systems | Continuous monitoring; immediate threat mitigation required |
| CBF-1.3 | Critical System Backup & Data Recovery | Veeam, NetBackup, Azure Backup, Tape Library | 4 hrs | 8 hours | Secure offsite storage, high-capacity data recovery servers | Data integrity and secure storage paramount |
| CBF-1.4 | Enterprise IT Infrastructure Continuity | ERP, HRMS, Financial Systems, CAAS Intranet | 1 hour | 4 hours | Backup power, virtual machine clustering, load balancers | Supports internal administration and regulatory reporting |
| CBF-1.5 | Digital Aviation Services Platform (DASP) Resilience | DASP Core Modules, e-AIP, Aeronautical Information Management (AIM) | < 1 hour | 2 hours | Cloud-based resilience, mobile app integrations, API gateways | Interfaces with industry stakeholders and airline operators |
| CBF-1.6 | Cloud and Third-Party Service Continuity | Microsoft 365, AWS-hosted systems, vendor-provided aviation platforms | 2 hours | 6 hours | Third-party SLAs, redundant internet links, encrypted data transfers | Continuous validation of vendor DR capabilities required |
| CBF-1.7 | IT Governance & Compliance Management | GRC Tools, Audit Management System, ITIL Service Management Platforms | 4 hours | 8 hours | Policy repositories, compliance tracking dashboards | Supports audits, regulatory reviews, and compliance enforcement |
| CBF-1.8 | Disaster Recovery Planning and Testing | DR Automation Tools, DR Plan Repository, Test Orchestration Tools | N/A | Varies | DR testing lab, sandbox environments, version-controlled documentation | Annual testing cycle with scenario-based validation |
| CBF-1.9 | Air Navigation Technical Support & Maintenance | Maintenance Ticketing System, CMMS | ≤ 4 hrs | ≤ 1 day | Diagnostic kits, mobile tech vehicles | Ensures the uptime of the CNS/ATM infrastructure |
| CBF-1.10 | Safety and Compliance Monitoring | Safety Management System (SMS), Regulatory Audit Tools | ≤ 1 day | ≤ 3 days | Compliance monitoring dashboards, audit archives | Required for regulatory adherence and reporting |
| CBF-1.11 | Training & Certification of ATS Personnel | LMS, Simulation Systems, Licensing Database | ≤ 1 day | ≤ 5 days | ATC simulators, training modules, e-learning platforms | Licensing cycles, not time-critical daily |

Summing Up ... for Part 4
The resilience of IT and cyber capabilities is a cornerstone of CAAS’s operational excellence and regulatory compliance.
By clearly mapping each Sub-CBF under CBF-9 to its respective systems, recovery parameters, and supporting infrastructure, CAAS demonstrates a proactive and structured approach to safeguarding critical aviation functions.
As cyber threats evolve and digital transformation accelerates, maintaining up-to-date IT continuity plans, system redundancy, and robust disaster recovery capabilities ensures that CAAS remains prepared for both anticipated and unforeseen disruptions.
This foundational support strengthens national aviation safety and positions CAAS as a resilient aviation authority in a digitally connected world.