Information security interface
Data is an important asset that must be optimally protected. Data theft often saves the thief years of research and development work, opens up better negotiating positions or enables the thief to manipulate an IT system or extort a ransom. As a recent example from Switzerland shows, even government employees are being blackmailed. How do you assess data risks correctly?
In the Swiss banking world, the theft of data and its purchase and analysis by authorities in other countries have caused major financial damage and jeopardised the reputation of companies. In extreme cases, such incidents can lead to the bankruptcy of a company. The theft of personal data should not be underestimated either.
Information Security
The revelations of Edward Snowden have made us aware that data is stolen every day without our noticing. Not only companies, but also administrations need to get a grip on their "information", otherwise an "information leak" will lead to serious consequences.
But what is meant by information security? The term is interpreted differently depending on the situation, but in any case it goes beyond a purely technical approach.
It is important to examine all aspects, i.e. those of the employees, the organisation, the culture and the processes.
In the Federal Administration, information security is understood to mean information protection, data protection, ICT security, personnel security and physical security.
However, there are often major differences between the information systems and processes. For example, in the Federal Administration, risk analyses are carried out for each protected object of ICT applications (services, systems, networks, data collections, infrastructures and products) according to the hazard analysis (ONR 49002-2:2014).
This bottom-up approach contrasts with the top-down approach of "Risk Management Confederation", in which a holistic presentation of the risk is possible thanks to the scenario method.
Hazard analysis, on the other hand, focuses on the details of a system or organisation and is therefore process-oriented.
Its actual focus is thus on operational activity and not on the strategic level. The results of the two approaches can be depicted together on a risk map.
Risks in information and communication technology
The risks of information and communication technology (ICT) are complex. Because the two risk analyses take different approaches, the identified ICT risks cannot be integrated into the "Federal Government Risk Management" without additional effort.
Instead, the main ICT risks must be analysed again using the scenario method. In order for this "translation" between the two methods to succeed, cooperation between the various players is essential, especially between business process managers, risk coaches and IT security officers.
Only through this step is it possible to communicate with the management or the board of directors in a way that is appropriate to the structure. These bodies must ultimately decide on the measures that affect the organisation and the systems.
In particular, the view into the future, i.e. which changed framework conditions we must reckon with in the coming years, must be included in strategic decisions.
New EU General Data Protection Regulation (GDPR)
The advancing digitalisation also places new legal requirements on companies. A current example is the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018. In contrast to information protection, which is concerned with the general protection of information, data protection focuses on the protection of the personality and fundamental rights of individuals. Personal data is data that relates to an identified or identifiable natural person.
The Federal Act of 19 June 1992 on Data Protection (FADP; SR 235.1) defines personal data that is particularly worthy of protection. According to the exhaustive catalogue in Art. 3(c) FADP, this includes data on religious, ideological, political and trade union views or activities, health, privacy and race, social assistance measures and administrative and criminal prosecutions and sanctions.
Personality profiles, i.e. compilations of data that allow an assessment of essential aspects of the personality of a natural person, are also particularly worthy of protection (Art. 3 let. d FADP).
Are all processes integrated?
Regardless of the applicable law in Switzerland, many Swiss companies are required to comply with the stricter and more comprehensive GDPR. Although there are still many unanswered questions regarding implementation, there is a considerable need to address this issue from a risk management perspective, at the latest since the European Parliament adopted the GDPR in April 2016.
Business process managers and risk managers of a company must analyse whether their existing systems and organisation meet the legal requirements. In a recurring process, those responsible for information security must critically examine whether personal data are adequately protected against unauthorised processing, destruction, modification and loss by technical and organisational measures. The management is obliged to comply with the provisions of the GDPR, insofar as the GDPR is applicable to the company in question.
A delegation of responsibility, for example to a data protection officer, is not possible, as the management ultimately determines the budget, strategy and purpose of the data processing. At most, the implementation of the GDPR can be delegated.
Communicate in the event of an incident
To ensure that the correct action is taken in the event of an incident, it is the task of risk management to prepare emergency planning, crisis communication and clear responsibilities. In the event of data leaks, the Federal Reporting and Analysis Centre for Information Assurance (MELANI) generally recommends the greatest possible transparency vis-à-vis the affected customers.
It is important that communication is rapid. In order for the mitigation measures to be successful, the organisation must periodically rehearse possible incidents and continuously adapt and develop the emergency plans.
Of central importance is honest risk management, i.e. not talking down any of the risks or allowing oneself to be blinded by the illusion of cost savings.
An unwanted data leakage not only leads to more effort and costs, but can also cause lasting damage to the reputation of an organisation or company. In addition, the GDPR provides for infringements to be punished with fines of up to 4 % of the total worldwide turnover in the previous financial year.
Conclusion: Exploiting synergies
Information security and risk management are non-delegable management tasks, although their analysis methods differ. Since only the top-down approach is suitable for top management decisions, the need for coordination between the two systems is relatively great. However, if this important interaction between information security and risk management succeeds, multiple synergies can be exploited and tangible added value can be achieved: management no longer perceives the tools as burdensome bureaucracy, but as valuable decision-making aids.
In this way, know-how can be combined and used in joint reporting, and management can decide efficiently and on the basis of an optimal foundation how to deal with the risks of information security.