Information Security Act: Draft and Message

In the Federal Gazette No. 15 of April 19, 2017, the Draft and the Message of the Federal Information Security Act (Information Security Act, ISG) were published. The purpose of the ISG is “to ensure the secure processing of information for which the Confederation is responsible and the secure use of the Confederation’s IT resources.” It is intended to replace the current legal basis, which is fragmented across a multitude of decrees. The ISG will apply primarily to the Confederation, especially the federal administration (but also the federal courts and the Federal Assembly), and also to cantonal authorities if they process classified information of the Confederation or access its IT resources.

To ensure information security, the ISG initially provides for “general measures” at several levels:

  1. The obligated organizations are first of all generally obligated to ensure information security, in particular the confidentiality, availability and integrity of the information in their area of responsibility and the traceability of its processing.
  2. Furthermore, they must classify information and, according to its classification, make it accessible only to authorized authorities.
  3. Information security must be guaranteed in the use of information technology tools. For this purpose, the ISG defines security levels (“basic protection,” “high protection,” and “very high protection”) and requires the obligated authorities to provide for corresponding graduated minimum requirements.
  4. In personnel deployment, selection, identification, training and commitment to confidentiality must be appropriately regulated, and a “need-to-know principle” must generally be observed.
  5. To protect information and IT resources, physical protection must be ensured.
  6. Identity management systems (central management of personal identification) are regulated.

Detailed regulations then apply to personnel security checks (which today are regulated in the BWIS), to operational security procedures (i.e., an audit of third parties that would be considered for the performance of public contracts and would thereby perform a security-sensitive activity; so-called “security-sensitive contracts”; such an audit is only established today for military procurements) and to critical infrastructures.
