ISO27002 Security-Program Phase 1 Review
James Faxon, CISO for Aviall – A Boeing Company
Factors Under Consideration
• Aerospace & Defense Industry does not require ISO 2700x-Compliance
• No regulations or contracts that require ISO 2700x-Compliance
• No security compromise which has adversely impacted the Aviall business
• No firm commitment from Boeing Security in relation to financial assistance
• Weekly meetings set to discuss status
• ISO 27001/2 is due for change end of 2011 / beginning of 2012
ISO 27002 – DOMAINS
Phase 1 – Initial Assessment
Diagram: High-Level Assessment of Applications + Infrastructure → Risk Rating (High / Med / Low) → 3 - Risk Mgmt Tool (Enterprise) → AVIALL MGT → Report To BOEING
For each of the GENERAL Domains:
• Control Exists?
• Is Working?
• Documented?
• Training done?
Prioritize effort and drive Phase-2 WBS, with focus on High-Risk DOMAINS
4.0 Risk Assessment and Treatment
5.0 Security Policy
6.0 Organization of Information Security
7.0 Asset Management
8.0 Human-Resources Security
9.0 Physical and Environmental Security
10.0 Communications and Operations Management
11.0 Access Control
12.0 Information-Systems Acquisition, Development and Maintenance
13.0 Information-Security Incident-Management
14.0 Business-Continuity Management
15.0 Compliance
Risk-Rating Criteria
• Financial-Loss Tolerance (EBIT) **
  • Critical Loss (High) – more than $15 MM Operating Earnings
  • Significant Loss (Med) – $1–15 MM Operating Earnings
  • Minor Loss (Low) – $0 up to $1 MM Operating Earnings
• Business-Operations Disruption Tolerance **
  • Critical Delay – more than 720 hrs (greater than 4 weeks)
  • Significant Delay – 336 hrs up to 720 hrs (2 weeks to 4 weeks)
  • Minor Delay – 1 hr – 336 hrs (1 day to 2 weeks)
• Regulatory Non-Compliance **
• Reputational Damage – Critical
• Customer Confidence – Critical
• Shareholder Value – Critical
** As agreed to by Executive Management, 3Q 2010
ISO Program Rollup
• Status today – Phase 1 Complete
• Phase 1 was a high-level gap assessment against the ISO 27002 standard to answer the question ‘What’s missing? (Where’s the risk?)’
• Review also designed to collect data for Boeing questions regarding Coverage (Breadth) and Maturity (Depth) of security controls
• Overall, 86 observations were found, rated as:
  • High (24%)
  • Medium (40%)
  • Low-Risk (36%)
• Of the observations found, 72% were process or procedure related
Synopsis of Major Risks Identified:
• Access control is configured and managed manually, prone to errors
• No changing of passwords for shared IDs – system/application accounts
• No network-traffic monitoring (don’t know what’s coming in or going out)
• Lack of a company-wide data-classification program
• No centralized management and correlation of security-event logs (the 1st line of notification)
• Little review of escalated privileges / access
• No database encryption for sensitive data (specific to PCI)
• No Business Continuity Plan (BCP) coupled with an IS Disaster Recovery Plan
Phase 1 GAP-Assessment Results (chart: Likelihood vs. Impact)
Risks Identified by Boeing CIO (John Hinshaw) and CISO (Linda Meeks):
• Espionage or business-disruption attacks by nation states or criminals
• Insiders may inadvertently access or unintentionally disclose information
• Unauthorized modification of infrastructure by insiders
• Insiders modifying financial information for personal gain
• Application vulnerabilities due to lack of application-security practices
• Denial-of-Service attacks by nation states; resultant unavailability
• Malware due to software sourcing or contractors causing unauthorized modification of applications
Note – Analysis conducted based on worst-case scenario
Total Cost and Hours to Meet Policy Mandate
• To implement the entire ISO 27002 security requirements as outlined by Boeing
• Additional headcount required to support (16+)
• A centralized Security organization should be considered to support the technical infrastructure and process / procedural work required (under Joe Church)
• All Capital and Expense costs represent an internal BEST estimate without a formal RFP or BRD; project cost could be 2x
TOTAL COST IMPLEMENTATION – $8.88 MM
ANNUAL COST – $5.151 MM
High-Risk Items Implementation
• Additional headcount required to support (9+)
• A centralized TECHNICAL Security organization should be considered to support the technical infrastructure and process and procedural work required (under Joe Church)
• All Capital and Expense costs represent an internal BEST estimate without a formal RFP or BRD; dollar values could be as high as 2x
High-Risk Areas – Remediation Costs / Hours for All HIGH-RISK AREAS
TOTAL COST IMPLEMENTATION – $3.72 MM
ANNUAL COST – $2.58 MM
Phase 2 – Deep Dive
Feed in new RQMTS:
• DoD
• Safe Harbor
• ISO Compliance Program
Risk Rating – Detailed Requirements (and Controls): High / Med / Low
1 - Review APPLS + Tech Infrastructure
• Assess / Test Annually
• Schedule & Perform Tests based on Risk / RQMT Category (1 – 2 – 3 years)
Deep-Dive Assessment
• Re-Usable Documentation
• Audit Test Plan
• Test Scripts
• Test Data (sample)
• Execute / Review Results
• Store Evidence
• Prepare Reports
2 - Identify GAPS
• New / Improved Controls
• Tools (Security, Monitor, etc.)
• Improve Process / WorkFlow
• P + P / Mgt or User-Guides
• Budget / Staff
• Training
3 - Risk Mgmt Tool (Enterprise)
4 - Develop Remediation Plan
• Audit Review
• EXEC Review – Escalate based on Cost / Staff Impact
• (Compliance-Plan) Prioritized Work-List
• I/S Managed Internal Audit Reviews (Substantive)
5 - Follow-Up List
• Validate Remedy
• Re-Testable
• Mgmt Review – Approve? YES: Report To BOEING; NO: Back to 3, Update / Add New Controls
6 - Risk-Based Annual Plan
v 0806