While larger authorities in particular often have their own IT departments, many smaller authorities outsource these tasks. Make sure that the responsibilities between you and your IT service provider regarding IT security are clearly regulated. This applies in particular to technical and organisational measures (link). Define contractually how liability is regulated in the event of damage if agreed security measures are not adhered to.
Responsibility cannot be outsourced or delegated. In the event of an incident, your authority may find itself at the end of the liability chain.
Take the minimum requirements as a guide.
- Security checks must already be carried out during the inspection and approval of IT systems.
- Find out about relevant general terms and conditions and requirements when using IT services. These requirements should be part of the contractual relationship between you and your external IT service providers.
- The duty of confidentiality for maintenance and support of ICT systems by third parties must be regulated and unnecessary access to particularly sensitive data must not be permitted.
- In addition, clarifications must be made and agreements reached with the data storage (cloud) company.
The Federal Office for National Economic Supply (FONES) publishes the minimum standards for ICT:
The project initiative for the creation of the independent "CyberSeal" quality label for IT service providers was initiated by a public-private partnership consisting of the NCSC, Mobiliar, Secnovum and digitalswitzerland. IT service providers awarded the CyberSeal label guarantee their customers an adequate level of protection against cyber risks through appropriate technical and organisational measures.
https://www.digitalsecurityswitzerland.ch (In German or French)
The cyber-safe.ch label was developed by the Association Suisse pour le Label de Cybersécurité. It defines minimum requirements specifically for communes and SMEs. An online questionnaire can be used to determine the cyber-risks that communes and SMEs face.
https://www.cyber-safe.ch (In German or French)
The terms and conditions of the Swiss Conference on Informatics (SKI/CSI) are suitable for public administration ICT services. In addition to the SKI/CSI's terms and conditions, contract templates are also available.
https://sik.swiss (In German, French or Italian)
Data protection tools and a list of the respective data protection supervisory authorities can be found on the website of the conference of Swiss data protection commissioners, privatim.
https://www.privatim.ch (In German or French)
The Federal Data Protection and Information Commissioner (FDPIC) is responsible for data processing by private individuals and federal bodies:
Choosing an ICT service provider
Certification in accordance with recognised data protection and information security standards or inspection reports from independent third parties can help in selecting a company. You do not necessarily have to select certified partners. It is recommended to use ICT service companies that can demonstrate that they meet your requirements and can guarantee the availability and security you require. Ask an independent body to check and confirm this.
Carry out security audits
The implementation of the services specified in the contract must be periodically checked according to recognised audit standards, for example those of COBIT (Control Objectives for Information and Related Technology, https://www.isaca.org/resources/cobit) of the Information Systems Audit and Control Association (ISACA, https://www.isaca.org/). Use the services of an independent audit body for this purpose. ICT service providers can also obtain ISAE 3402 Type 2 (International Standard on Assurance Engagements) certification, also known as a SOC 2 report (Service Organisation Control). The audit body will assess aspects of security, availability, integrity and confidentiality.
Last modification 16.05.2023