Marco Miniotto, Senior IT Security Consultant CISSP-ISSMP
Does your ICT Enterprise Architecture achieve the minimum resilience required?
In November 2018, the Swiss Confederation clarified its approach to data security in a document called "Minimum Standard for Improving ICT Resilience 2018". This Swiss document draws almost entirely on the requirements of the US NIST set out in the 2014 NIST document "Framework for Improving Critical Infrastructure Cybersecurity", commissioned by the Obama Administration in the face of escalating risks from cyber threats.
The Swiss approach
Unlike in the past, with this "Minimum Standard" document there is now an official Swiss federal instrument against which, in the event of a cyber incident, the state of data protection, and the conditions that allowed the incident to occur, can be assessed.
With this instrument, the Swiss Confederation is also following the EU's trend of transferring responsibility for data protection from the institutions to companies.
Unlike the EU GDPR, these Swiss federal provisions do not only concern personal data: they extend to data protection in general, within a framework of unquestionable strategic importance at the national level.
In this case (and unlike in the past), the Swiss federal government does not appear to consider any new specific legislation necessary; instead it sets out as the legal basis for its guidance:
"State responsibility, based on the mandate enshrined in the Federal Constitution and the Swiss supply law."
With the "Minimum Standard for Improving ICT Resilience 2018", the Swiss federal government offers a clear reference tool in this field, with precise references to the security controls of the most widely applied international frameworks (e.g. ISO 27001:2013, COBIT 5, etc.).
In concrete terms, this means setting up a multi-year project based on the following five "functions" and the following security controls:
WIRD already assists its customers, currently including a large public hospital in Switzerland, with assessments related to adopting the minimum level of resilience recommended by the federal government, using an appropriate selection of the security controls the federal government provides and the ISO 27001:2013, NIST and COBIT standards.
Get help on what is the right approach for your organisation now. Contact the WIRD Security Team at email@example.com .
COBIT: Control Objectives for Information and Related Technology is an internationally recognised framework for IT governance. It divides the tasks of IT into processes and control objectives (often translated as 'control goal', more accurately 'control specifications'; in the current German-language version the term is no longer translated). The COBIT version currently used by the Swiss Confederation is "COBIT 5". COBIT does not primarily define how the requirements are to be implemented, but rather what is to be implemented.
NIST: The National Institute of Standards and Technology is a federal agency of the United States headquartered in Gaithersburg, Maryland. From 1901 to 1988 the agency was named the National Bureau of Standards (NBS).
ISO 27001:2013 is the globally recognised international standard for managing risks to the security of information. Certification to ISO 27001 proves to clients and other stakeholders that the security of your information is actively managed. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach to establishing, implementing, operating, monitoring, maintaining and improving your ISMS.
Links and downloads:
Link to official website of the Swiss Federal Administration: https://www.bwl.admin.ch/bwl/en/home/themen/ikt/ikt_minimalstandard.html
Download the official Swiss Federal document on the "Minimum standard for improving ICT resilience"