This is the first in a four-part series examining IT disaster recovery regulatory compliance, and other compliance requirements, on a vital industry-by-vital industry basis.
The airline industry is a vital cog in the global economy, and a disaster-related IT stoppage would have significant and negative consequences for many nations worldwide. However, one might be surprised to learn that there are some areas of the airline industry that have little-to-no IT DR regulation.
Different Sectors of Industry Have Different DR Requirements
To examine the disaster recovery requirements in the airline industry, we need to divide it into its three main components:
- Aircraft manufacturers
- Airline operations & reservation systems
- Airports/aviation operations
Clearly, airports and airline operations / reservation systems have the most to lose in case of IT system failure. The unavailability of aviation operation systems would represent a significant public safety risk; therefore Canadian Aviation Regulations and the Aeronautics Act infer that aviation operations have heavy-duty backup systems in place.
Even though the unavailability of airline operations or third-party reservations systems would not necessarily constitute a direct safety risk, it would pose a severe threat to the companies’ business operations, and therefore an extensive back-up and recovery facility supports these systems. The industry standard, the Canadian Computer Reservation System Regulations, also require a complete, readily-accessible copy of airline passenger records.
Aircraft Manufacturers Face Different Regulations Than Airports or Airlines
When it comes to aircraft or aerospace manufacturers, their operations or services may not be as time-sensitive as operations / reservation systems, so there’s less urgency to have a full-scale back-up and recovery system in place – unless they are maintaining fighter jets in a national defence situation! There are no laws or regulations regarding provision of IT DR in Canada.
However, according to the Canada Consumer Product Safety Act, and also pursuant to Transport Canada’s Canadian Aviation Regulations, aircraft manufacturers have to maintain physical and electronic records relating to their products in such a state that they are available for reporting immediately, or within two days of a product “incident”. However, there’s no easy way to determine if all manufacturers have fully complied with this requirement.
How Does The U.S. Compare?
In the U.S., regulations for IT DR specifically for the commercial airline manufacturers are non-existent, but there are voluntary programs for DR compliance that are specified by government, but not industry specific.
As an example, The Voluntary Private Sector Preparedness (PS-Prep) program for business continuity, was launched in 2007 by the Department of Homeland Security. PS-Prep recently adopted existing standards (ASIS International SPC.1-2009, ISO 22301:2012 and NFPA 1600) to serve as the basis of its accreditation and certification program. Although not explicit, while reading between the lines you could see that IT DR is strongly encouraged!
The Bottom Line
Thus, in comparison to other vital industries, the airline industry is in the middle of the pack when it comes to preparedness for IT disaster recovery. Certainly we can be assured that airline passenger safety, supplemented by government compliance, will never be compromised for the lack of a disaster recovery plan. However, there may be more room for airlines and aircraft manufacturers to disclose and/or improve their DR readiness, and for the industry in both the United States and in Canada to set more stringent regulation.
