[BCM] [CAAS] [E3] [BIA] [T3] [CBF] [9] IT & Cyber Resilience

[Business Impact Analysis] [Critical Business Function] [T2] Part 5

CBF 9: IT & Cyber Resilience

Inter-dependencies

Inter-dependencies are crucial for understanding the full impact and continuity needs of a Critical Business Function (CBF). For CAAS, the CBF-9 IT & Cyber Resilience function supports both operational and strategic capabilities in air navigation services, aviation regulation, and national aviation security.

Each Sub-CBF identified under CBF-9 depends on various internal and external stakeholders, systems, and service providers. These dependencies are classified based on their type (internal or external), direction (upstream, downstream, or mutual), and their specific nature.

Recognising and evaluating these inter-dependencies ensures that CAAS can pre-emptively address vulnerabilities that may arise from systemic breakdowns or cascading failures.

This assessment supports effective recovery planning, system integration, and resilience enhancement across the aviation ecosystem.

Table 5: [BIA] [P5] Inter-dependencies for CBF 9: IT & Cyber Resilience

Below is a sample table for Key Business Processes and Sub-Processes of CBF-9 IT & Cyber ResilienceIT & Cyber Resilience Air Navigation Services for the Civil Aviation Authority of Singapore (CAAS), integrating the dependency types and descriptions as guided by the BCMpedia Part 5: Inter-dependencies:

CBF Code	CBF	Name of Business Unit or Vendor/Supplier/Outsource Partner	Type of Dependency - Internal	Type of Dependency - External	Type of Dependency	Description of Nature of Dependency
CBF-1.1	Air Traffic Management (ATM) Systems Resilience	Air Navigation Services Division (ANSD)	✓		Mutual	ATM systems rely on ANSD for real-time data; ANSD depends on system uptime for airspace operations.
CBF-1.2	Cybersecurity Monitoring & Threat Response	Internal Cybersecurity Team, CSA (Cyber Security Agency of Singapore)	✓	✓	Mutual	Internal SOC detects threats; CSA provides national threat intelligence and policy guidance.
CBF-1.3	Critical System Backup & Data Recovery	IT Department, Cloud Backup Vendor (e.g., AWS, Azure)	✓	✓	Downstream	Internal team manages backup operations; cloud vendor ensures secure offsite storage and restoration.
CBF-1.4	Enterprise IT Infrastructure Continuity	Facilities Management, ICT Vendors (e.g., NCS, Singtel)	✓	✓	Mutual	Internal facilities manage data centre infrastructure; vendors ensure telco and hardware availability.
CBF-1.5	Digital Aviation Services Platform (DASP) Resilience	DASP Product Team, Application Developers, API Partners	✓	✓	Upstream	Platform development depends on timely updates and API integration with airline and airport systems.
CBF-1.6	Cloud and Third-Party Service Continuity	External Cloud Providers, SaaS Vendors		✓	Downstream	Continuity of operations is dependent on SLA and availability guarantees from cloud service providers.
CBF-1.7	IT Governance & Compliance Management	Risk and Compliance Unit, IDA/MCI (policy bodies)	✓	✓	Mutual	CAAS must comply with national ICT governance while setting internal audit and compliance measures.
CBF-1.8	Disaster Recovery Planning and Testing	IT Continuity Team, External DR Site Vendor	✓	✓	Downstream	Internal DR plans depend on periodic testing and the operational readiness of external DR facilities.

Summing Up ... for Part 5

The inter-dependency mapping of CAAS's IT & Cyber Resilience function (CBF-9) highlights the complex web of relationships that sustain operational continuity in the aviation ecosystem. Internally, these dependencies span across infrastructure, compliance, and cybersecurity teams.

Externally, partnerships with cloud service providers, national regulators, and critical vendors form a foundational layer of resilience.

By clearly identifying upstream, downstream, and mutual dependencies, CAAS can proactively manage risks, strengthen coordination mechanisms, and improve decision-making during disruptions.

This approach reinforces CAAS’s role as a resilient aviation authority, safeguarding Singapore’s airspace operations and national interests.

[Business Impact Analysis] [Critical Business Function] [T2] Part 6

CBF 9: IT & Cyber Resilience

Vital Records

In the context of IT and Cyber Resilience, vital records refer to those essential documents and digital data necessary for the CAAS to resume and continue its critical business functions following a disruption. These records support timely decision-making, compliance with aviation and cybersecurity regulations, coordination of air traffic services, and protection of sensitive information infrastructure.

For CBF-9 IT & Cyber Resilience, the safeguarding and recoverability of such records is paramount. The preservation strategy involves identifying key media types (e.g., digital, physical), storage locations (on-premise, cloud, off-site), and the designated custodians responsible for their upkeep and availability during crises.

The following table outlines the Sub-CBFs, associated vital records, and their custodianship to ensure operational resilience and compliance within CAAS.

Table 6: [BIA] [P6] Vital Records for CBF 9: IT & Cyber Resilience

Sub-CBF Code	Sub-CBF	Description of Vital Records	Media Type	Location	In Whose Care
CBF-1.1	Air Traffic Management (ATM) Systems Resilience	ATM operational procedures, system logs, configuration files, radar and navigation data logs	Digital	CAAS Data Centre (Primary & DR)	Head, ATM Systems Division
CBF-1.2	Cybersecurity Monitoring & Threat Response	Threat intelligence reports, incident response logs, vulnerability assessment results	Digital	Security Operations Centre (SOC)	CISO / SOC Manager
CBF-1.3	Critical System Backup & Data Recovery	Backup schedules, recovery scripts, encryption keys, and restoration procedures	Digital (Encrypted)	Encrypted Offsite Backup Vault	IT Infrastructure Manager
CBF-1.4	Enterprise IT Infrastructure Continuity	System architecture diagrams, asset registers, hardware configurations, service contracts	Digital & Physical	IT Services Repository, DR Site	Infrastructure Services Head
CBF-1.5	Digital Aviation Services Platform (DASP) Resilience	Source code repositories, service APIs, user access records, platform architecture	Digital	Cloud Repository, GitHub Enterprise	Head, DASP Development
CBF-1.6	Cloud and Third-Party Service Continuity	SLAs, vendor contact lists, data transfer logs, BCP agreements	Digital	Secure Cloud Vault, Vendor Portal	Vendor & Risk Management Officer
CBF-1.7	IT Governance & Compliance Management	Compliance audits, policy manuals, risk assessments, audit trail logs	Digital & Physical	Compliance Archive (Internal Audit)	Head, IT Compliance & Governance
CBF-1.8	Disaster Recovery Planning and Testing	DR plans, test results, recovery metrics, update logs	Digital	DR Documentation Repository	BCM Coordinator / DR Manager

Summing Up ... for Part 6

Ensuring the integrity, availability, and confidentiality of vital records related to IT and Cyber Resilience is essential for maintaining CAAS's operational readiness during disruptions.

These vital records enable timely restoration of systems, informed decision-making, and compliance with regulatory requirements.

By systematically identifying and managing vital records across each sub-function of CBF-9, CAAS reinforces its preparedness posture, protects national airspace safety, and sustains its leadership in civil aviation resilience.

Continuous review and updating of these records—as well as robust custodianship—remain critical to long-term resilience planning.

Resilience Redefined: Implementing BCM at Civil Aviation Authority of Singapore
eBook 3: Starting Your BCM Implementation
MBCO	P&S	RAR T1	RAR T2	RAR T3	BCS T1	CBF

CBF-1 Air Navigation Services
DP	BIAQ T1	BIAQ T2	BIAQ T3	BCS T2	BCS T3	PD

More Information About Business Continuity Management Courses

To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].