Airship AI Holdings, Inc. - (AISP)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY.

 

Airship’s cybersecurity and risk management program is intended to protect the confidentiality, integrity, and availability of our critical information systems and the data residing on them. Due to the nature of our business and our customers, we face various cybersecurity challenges and threats, including attempts to gain unauthorized access to our codebase, proprietary or confidential information, denial-of-service attacks, attacks from foreign nations, as well as threats to our identity and personnel. We have designed our IT systems and processes with the intention that our solutions should defend against the ever-evolving threat landscape while remaining agile to keep up with such threats.

 

Airship leverages a combination of the NIST Cybersecurity Framework alongside the CMMC framework to protect its assets and secure our supply chain for our customers. We use the controls from these frameworks as well as guidelines and best practices from the industry to develop our cybersecurity plan. Our cybersecurity plan and its elements are reviewed regularly to ensure they meet the requirements and expectations of our security needs.

 

 

 

Airship’s cybersecurity program is spearheaded by its cybersecurity department with approval from executive management. The stakeholders have been identified and know their roles within the cybersecurity process, and all roles are documented.

 

Risk is assessed based on multiple factors. First, our IT team updates and maintains our asset inventory to ensure all assets are included in our risk management process. From there, key assets are identified, and risk is assessed based on business impact, availability of information, and attack feasibility. After the risks have been identified, they are reviewed with the stakeholders for action plans or sign-off on the acceptance of risk.

 

Airship leverages third-party applications and software to help identify vulnerabilities within our system’s boundaries. These vulnerability lists are used to create remediation plans and are prioritized based on severity and attack feasibility.

The Company performs security awareness training with its employees. Our security policy is also provided to employees upon employment, giving them the rules and policies to follow so that proper security practices are understood and performed.

 

An incident response plan has been established which provides detailed information on actions to take in the event of an incident. The incident response plan includes the scope of the plan, establishes the incident response team, details the incident response lifecycle, and provides templates to make the process easier to document and follow. Timelines, communication methods, and notification information are included in the plan to ensure the process can be followed in the high-pressure situations that can occur during incidents.

 

Business continuity and disaster recovery plans are also a part of our cybersecurity process. Ensuring data continuity in times of disaster or other incidents is important so that proper security is followed in times of impact to our business. Our business continuity and disaster recovery plan includes a list of items that are essential to our business along with RTO and RPO information. The plan lists what each employee in the plan is responsible for and provides contact information.

 

Sensitive and confidential data is a part of business. Airship leverages an encryption and signing policy that identifies the type of information Airship stores and what level of encryption and signing is required for the data. This document also details the overarching requirements for encryption such as allowed ciphers, encryption methods, and key storage.

 

Airship has had one cybersecurity incident in the last decade. The Company was the victim of a ransomware virus that encrypted several machines on Airship’s corporate network. The threat was quickly identified and isolated before significant damage could be done. The attack did not affect business operations and did not have a significant financial impact on the Company. Most affected files had backups, and Airship was able to remove affected files and restore them from backup.