ANAC, the aeronautical authority in Brazil, issued Resolution No. 458 in December 2017, regarding the exclusive use of computerized systems for the records required by the regulatory agency.
According to ANAC, the standard is aligned with international guidance, such as that issued by the United States civil aviation authority (FAA), and even with ISO 27000 standard certifications.
The resolution document is actually very simple. Although its language is aimed more at those who have mastered the subject of IT systems, lay readers can still see that the resolution contains the minimum obligations for building a solid and secure system.
As it should be, special attention is given to the following points:
- data security, including access restrictions;
- backup policy;
- activity log records;
- authentication through electronic signature, by encrypted certificate; and
- audit access, including remote monitoring of records and processes.
The first item is very simple: it is about enforcing the use of access passwords so that only authorized people use the system and, in addition, there is a clear record of who performed which activity in it.
The backup policy requirement is also very simple: no specific methods are required, leaving the regulated company free to choose one or several of the many methods available.
Logging means that the system must keep a very detailed history of every action taken by every person who accessed and used the system.
Electronic signature authentication may be, for the lay public, the greatest novelty and obstacle. In fact, today it no longer is: it is a well-understood instrument, with several mature solutions already on the world market.
There are many ways to implement electronic signatures, and in later articles I intend to detail technically how MaintShop will implement them.
The last item has major repercussions, because with this requirement the regulated company will be subject to constant remote monitoring by ANAC, without warning or formalities. Access to the records will be in real time and unrestricted, covering all records and the entries within them, including their changes resulting from corrections or modifications since the first signed version of each record.
Some may question this last item, but in my personal view, there is no going back. In several other areas of economic activity, regulatory institutions already make use of full and unrestricted access to those they regulate.
Initially, the resolution makes clear that the use of computerized systems is optional for the regulated company. But it seems clear to me that it is a matter of time before this becomes an obligation.
To my friends in the industry: I hope to have clarified something in this short, initial article on the subject. I promise to write more, because I know that this will be of interest to many, and many details must still be clarified.