In the Federal Gazette No. 15 of April 19, 2017, the Draft and the Message of the Federal Information Security Act (Information Security Act, ISG) were published. The purpose of the ISG is “to ensure the secure processing of information for which the Confederation is responsible and the secure use of the Confederation’s IT resources.” It is intended to replace the current fragmented legal basis, which is spread across a multitude of decrees. The ISG will apply primarily to the Confederation, in particular the Federal Administration (but also the federal courts and the Federal Assembly), and also to cantonal authorities if they process classified information of the Confederation or access its IT resources.
To ensure information security, the ISG first provides for “general measures” at several levels:
- The obligated authorities are placed under a general duty to ensure information security, in particular the confidentiality, availability and integrity of the information in their area of responsibility and the traceability of its processing.
- Furthermore, they must classify information and, according to its classification, make it accessible only to authorized authorities.
- Information security must be guaranteed in the use of information technology resources. For this purpose, the ISG defines security levels (“basic protection,” “high protection,” and “very high protection”) and requires the obligated authorities to provide for correspondingly graduated minimum requirements.
- In personnel deployment, selection, identification, training and commitment to confidentiality must be appropriately regulated, and a “need-to-know” principle must generally be observed.
- Physical protection must be ensured in order to protect information and IT resources.
- Identity management systems (central management of personal identification) are regulated.
Detailed regulations then apply to personnel security screening (which today is regulated in the BWIS), to the operational security procedure (i.e., an audit of third parties that would be considered for the performance of public contracts and would thereby perform a security-sensitive activity; so-called “security-sensitive contracts”; such an audit exists today only for military procurements) and to critical infrastructures.