New ISDS directives for compensation funds

09 January 2024

In January 2022, the compensation funds in Switzerland received an advance notification from the Federal Social Insurance Office (FSIO) announcing the introduction of new requirements in relation to information security and data protection. At that time, the Recommendations on the minimum requirements for the information systems of the implementing bodies were published with a view to the revision of the AHVG Act, which are based on the international ISO 27001 standard.

The FSIO has now published the definitive ISDS directives (information security and data protection) on 1 January 2024 – in time for the entry into force of the legal amendments to modernise supervision from 1 January 2024.

The recommendations from 2022

The recommendations already stipulated at the time that each implementing body must implement an information security management system and that corresponding guidelines must be issued and communicated on this basis. Furthermore, specifications were defined for a number of subject areas along the known controls of ISO 27001, for example in areas such as teleworking, personnel, asset management, access control and cryptography.

However, it was also communicated transparently at the time that the recommendations still contained open points that needed to be finalised before the directives were published. These included the commissioning of third parties and the involvement of subcontractors, but also order processing abroad and the use of cloud services.

The new directive (W-ISDS)

The document “Directives on information security and data protection audits (WAID)” deals with the IT audits that will be carried out on behalf of the FSIO in future and the auditors who are to carry them out. However, the second published document, “Directives on the information security and data protection requirements for the information systems of the implementing bodies of the 1st pillar/FAMZ (W-ISDS)”, is more interesting for the implementing bodies. Unsurprisingly, the directives published in this document contain almost all the points from the recommendations published two years ago.

The clarified position on the use of third parties and cloud services in particular is likely to cause some discussion. The ISDS requirements under point 2.15 contain two particularly succinct provisions, which will be analysed in more detail below.

Prohibition of processing abroad

Firstly, it is required that “it must be ensured at all times that no personal data of insured persons is processed abroad, unless the processing involves the international exchange of data by law.” This requirement was already included in the 2022 recommendations, and this requirement alone prohibits the use of most cloud services unless it is ensured that no personal data of insured persons ends up abroad. It is particularly restrictive that the FSIO has not limited this to data on social assistance measures within the meaning of the FADP (particularly worthy of protection), but refers to all personal data of insured persons. Notably, this already includes a name, an email address or an AHV number. In addition to the use of cloud services, this also applies to the use of external service providers who may process data abroad. Although the foreword to the document mentions a recommendation in this regard, it must be assumed that this is a copy-paste error. The same sentence could be found in the communication on the 2022 recommendations.

Severe restrictions on the use of public cloud services

However, the new restrictions go even further. They require compliance with the “Cloud Principles of the Federal Administration”. This refers to a Federal Chancellery document that has been in force since 1 October 2023. Among other things, it contains a tiered model that describes which cloud models may be used to process which data. The categorisation of data sensitivity is based on the classification according to the Information Security Act on the one hand and the Data Protection Act on the other. According to this model, particularly sensitive personal data, e.g. data relating to social welfare measures, should be processed exclusively on private clouds of the federal government with its own applications (no standard products) or classically on-prem without a cloud. This means that not only public clouds are generally prohibited – including those from Swiss providers – but theoretically also Swiss private clouds, provided they are not operated by the federal government. However, the principles allow for the conclusion to be reached in individual cases – subject to corresponding analyses and appropriate contractual, organisational and technical protective measures – that certain data with increased protection requirements may be processed in a public cloud after all. This is also explicitly mentioned again in the FSIO’s directive.

Comment

The new directives are absolutely welcome in principle. They provide the necessary pressure to raise information security and data protection at the Pillar 1 implementing organisations to an appropriate level. The clear and strict ban on foreign processing and the severe restriction on the use of public cloud services are understandable in light of the legal basis, public perception and the associated cautious stance of the Federal Social Insurance Office.

However, if these restrictions are placed in the context of the discussions surrounding the use of Microsoft M365 in public administration, the question arises as to whether the corset has been unnecessarily tightened. In particular, the ban on processing all personal data of insured persons abroad seems excessively restrictive. Provisions that ensure compliance with data protection and social security confidentiality, but do not go beyond this, would have been more appropriate. In the foreword to the directives, this is justified by the complex situation under data protection law and reference is made to the problems surrounding the Cloud Act with regard to US cloud providers.

When dealing with Microsoft Office, which according to the federal government is in fact without alternative, the compensation offices are now faced with a choice between plague and cholera.

  • They can continue to rely on the on-prem solutions and hope that Microsoft can be persuaded once again to release new versions or extend support.
  • They can introduce M365 without following the specifications too closely and risk a forced dismantling as well as possible damage to their reputation.
  • Or they can introduce M365 with all the necessary checks and clarifications, which is associated with a number of functional restrictions and also means considerable effort, which ultimately manifests itself in corresponding costs.

The extent to which these severe restrictions are conducive to information security in general or data protection in particular is open to debate.