SwissShore.com

Home
Our IT Services
Our HR Services
Open Jobs
Our Products
About Us
Investor Relations
  • Investor Relations
  • Your Opportunity
  • Investor Guides

SwissShore Quality and Security

For our clients, outsourcing means trusting external teams. We do everything we can to justify this trust. With our name we stand for Swiss Quality, Security and Reliability.


Our US clients benefit from this know-how: the highest quality and precision for their software development and their IT.

Business objectives drive globalization, transforming operational models and organizational structures. Because technology is evolving faster than anything else, security and quality have become the foremost concern in our business relationships.

Digitization is accelerating across every business vertical, and organizations of all sizes need to evaluate their security systems. For us this is not only a way of thinking but the foundation of our business model.


IT Quality with us

  • refers to the processes in IT Service Management
  • goes far beyond the process-oriented approach 
  • is based on a proven methodical concept 
  • makes the quality of IT services objectively measurable
  • offers certification of methodology and processes
  • demands added value solutions for IT processes


With our support you can give your digital assets a performance boost in a safe and secure way!

The special quality of our services and processes knows only one criterion: the high demands and expectations that our clients and we as IT specialists have of ourselves.

Our SwissShore quality management ensures compliance with the special requirements of quality assurance as well as an effective security concept.

In addition, quality management ensures that our very high level of process quality and the services offered to our clients are maintained. All relevant and valid certification systems form the basis for our integrated quality management.

Quality and Security standards

Part of these quality and security requirements is that all our locations fulfill the quality and security standards and needs according to ISO9001, ISO17050, ISO27001, FADP-new, FISMA, PCI, GDPR and CSA STAR.

Quality and Security standards at a glance

Quality

SwissShore's services in software development, infrastructure management, and information security have earned them a sound reputation as a trustworthy business partner with the highest quality, precision, and security for which Switzerland is best known.

Quality is more than the standardization of quality standards only.

Quality is also to take responsibility in all working, acting and doing.

We take responsibility for all our clients, projects, employees, and the environment.

This is the unwritten foundation our understanding of quality is based on.

FADP-new
On 25 September 2020, the Swiss Parliament adopted the revised Federal Act on Data Protection (FADP-new). 

The Federal Council set the date of entry into force after the 100-day referendum period had expired; the revised Act has applied since 1 September 2023. This article summarizes the most significant changes for companies.


At a glance

  • The basic concept of “permission of data processing subject to prohibition” (i.e. prohibition if the data processing leads to an “unlawful violation of the personality of a person”) remains unchanged. Consent to the processing of personal data is still generally not required, even for profiling and the processing of sensitive personal data. The principles of data processing also remain largely unchanged. 
  • Legal entities are no longer protected; only natural persons are protected under the FADP-new. 
  • The scope of the FADP-new covers actions that have an effect in Switzerland, even if they are initiated abroad. 
  • The definitions of “controller of the data file”, “personality profile” and “data file” have been deleted; the definitions of “profiling”, “high-risk profiling” and “data security breach” have been introduced. Genetic and biometric data as well as data on ethnic origin, are considered to be sensitive personal data under the FADP-new. 
  • The concepts of “privacy by design” and “privacy by default” are now enshrined in the law, as is already the case in the EU General Data Protection Regulation (GDPR). 
  • Data security is the responsibility of the controller as well as the processor. A risk-based approach is introduced. 
  • Data processing by processors remains largely unchanged. Under the FADP-new, the processor may only assign the processing to a sub-processor with prior authorisation by the controller. 
  • The appointment of a data protection advisor remains voluntary. It can be an advantage when it comes to performing a data protection impact assessment. 
  • Under the FADP-new, both the controller and the processor must keep an inventory of their processing activities. This inventory does not have to be declared to the Federal Data Protection and Information Commissioner (FDPIC) (up to now, the controller generally needed to declare data files to the FDPIC). 
  • Companies based outside Switzerland who process personal data of persons in Switzerland will have to designate a representative in Switzerland. 
  • The requirements for cross-border disclosure of personal data remain largely unchanged. Under the FADP-new, the Federal Council bindingly determines whether the legislation of a state or an international body guarantees an adequate level of protection. 
  • The duty of information has been extended to the collection of all kinds of personal data (until now it was only applicable to the collection of sensitive personal data and personality profiles) and also includes automated individual decision-making. 
  • Under the FADP-new, the controller must carry out a data protection impact assessment if the intended data processing may lead to a high risk for the data subject. 
  • In the future, the controller must notify the FDPIC of data security breaches. 
  • Under the FADP-new, data subjects have the right to data portability. 
  • The powers of the FDPIC are extended. In the future, the FDPIC can order a number of administrative measures.
  • The criminal provisions have been significantly tightened, with fines of up to 250 000 Swiss francs for natural persons (i.e. the responsible individuals, not the company), but only for violations in certain areas, in particular the breach of obligations to provide access and information and to cooperate, the violation of duties of diligence with respect to the requirements for cross-border disclosure of personal data and the appointment of a processor, and failure to comply with the minimum data security requirements. Fines apply only to wilful violations and are in most cases imposed only upon the filing of a complaint.

FISMA
The 14 requirement families listed below are those of NIST SP 800-171, the control set that federal vendors, partners, and contractors handling Controlled Unclassified Information (CUI) must address to meet their FISMA-derived obligations:

  • Access Controls – Who controls access to digital and physical information?
  • Awareness & Training – Is your staff being trained on FISMA-compliant practices?
  • Audit & Accountability – Do you conduct regular self-audits to ensure compliance?
  • Configuration Management – Is your system configuration hardened to keep attackers out?
  • Identification & Authentication – Do you have controls such as email encryption and multifactor authentication?
  • Incident Response – Do you have an incident response plan in the event of a compromise?
  • Maintenance – Are you performing regular system maintenance to ensure continued compliance?
  • Media Protection – Are all media devices (thumb drives, etc.) properly protected and stored?
  • Physical Protection – Are things like file cabinets that contain CUI/CDI properly secured?
  • Personnel Security – Do only authorized personnel have access to the most sensitive or personal data?
  • Risk Assessments – Are you performing regular risk assessments with a compliance partner?
  • Security Assessment – Are you assessing the security of your internal IT infrastructure and processes regularly?
  • System & Communications Protection – Do you have adequate safeguards around your systems and communication channels to prevent breaches?
  • System & Information Integrity – Is your system data correct and uncorrupted at any given time?

  

Summarizing in short:

The Federal Information Security Modernization Act of 2014 (FISMA 2014) updates the Federal Government's cybersecurity practices by:

  • Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and
  • Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."


Overview

FISMA 2014 codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.

The legislation provides the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. 

It also:

  • Authorizes DHS to provide operational and technical assistance to other federal Executive Branch civilian agencies at the agency's request;
  • Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
  • Authorizes DHS technology deployments to other agencies' networks (upon those agencies' request);
  • Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
  • Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually; and
  • Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.


The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA).

ISO9001

ISO9001 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement). It can be used by any organization, large or small, regardless of its field of activity. In fact, there are over one million companies and organizations in over 170 countries certified to ISO9001.


This standard is based on a number of quality management principles, including a strong customer focus, the motivation and involvement of top management, the process approach and continual improvement. These principles are explained in more detail in ISO's quality management principles. Using ISO9001 helps ensure that customers get consistent, good-quality products and services, which in turn brings many business benefits.


Checking that the system works is a vital part of ISO9001. It is recommended that an organization performs internal audits to check how its quality management system is working. 


An organization may decide to invite an independent certification body to verify that it is in conformity to the standard, but there is no requirement for this. 

Alternatively, it might invite its clients to audit the quality system for themselves.

ISO17050

ISO/IEC 17050-1:2004 specifies general requirements for a supplier's declaration of conformity in cases where it is desirable, or necessary, that conformity of an object to the specified requirements be attested, irrespective of the sector involved.


ISO/IEC 17050 has been developed with the objective of providing general requirements for a supplier’s declaration of conformity.

It addresses one of the three types of attestation of conformity, namely attestation undertaken by the first party (e.g. the supplier of a product). Other types are second-party attestation (e.g. where a user issues an attestation for the product the user is using) or third-party attestation. Each of these three types is used in the market in order to increase confidence in the conformity of an object.


This part of ISO/IEC 17050 specifies requirements applicable when the individual or organization responsible for fulfilment of specified requirements (supplier) provides a declaration that a product (including service), process, management system, person or body is in conformity with specified requirements, which can include normative documents such as standards, guides, technical specifications, laws and regulations. Such a declaration of conformity can also make reference to the results of assessments by one or more first, second or third parties. Such references are not to be interpreted as reducing the responsibility of the supplier in any way.


These general requirements are applicable to all sectors. However, these requirements might need to be supplemented for specific purposes, for example for use in connection with regulations.


A supplier's declaration of conformity of a product (including service), process, management system, person or body to specified requirements can be substantiated by supporting documentation under the responsibility of the supplier. 

ISO27001

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.


Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. 

ISO (in general) does not perform certification.


ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. (The 2013 edition was superseded by ISO/IEC 27001:2022 in October 2022, which keeps the same ISMS structure but reorganizes the Annex A controls; certificates issued against the 2013 edition are subject to a transition period.)

The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.

CSA STAR

CSA Security Trust Assurance and Risk (STAR) - Security on the Cloud Verified.


The industry's most powerful program for security assurance in the cloud.


The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.

The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.

GDPR

What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help you understand the law and determine what parts of it apply to you.


The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation took effect on May 25, 2018.

The GDPR levies harsh fines against those who violate its privacy and security standards: for the most serious infringements, up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.

With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).


As the GDPR continues to be interpreted, we’ll keep it up to date on evolving best practices.


Data protection principles

  • Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  • Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  • Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  • Accuracy — You must keep personal data accurate and up to date.
  • Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  • Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  • Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.


Accountability

The GDPR says data controllers have to be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant. Among the ways you can do this:

  • Designate data protection responsibilities to your team.
  • Maintain detailed documentation of the data you're collecting, how it's used, where it's stored, which employee is responsible for it, etc.
  • Train your staff and implement technical and organizational security measures.
  • Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
  • Appoint a Data Protection Officer.


Data security

Controllers and processors are required to handle data securely by implementing "appropriate technical and organizational measures" (Article 32).

Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.

Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organization who need it.

If there is a personal data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of it (Article 33) and, where the breach is likely to result in a high risk to individuals, inform the affected data subjects without undue delay (Article 34); failing to do so is subject to penalties.


Data protection by design and by default

From now on, everything companies do in their organization must, “by design and by default,” consider data protection. Practically speaking, this means companies must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25.


Consent

There are strict new rules about what constitutes consent from a data subject to process their information.

  • Consent must be "freely given, specific, informed and unambiguous."
  • Requests for consent must be "clearly distinguishable from the other matters" and presented in "clear and plain language."
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can't simply change the legal basis of the processing to one of the other justifications.
  • Children under 16 can only give consent with permission from a parent or guardian; EU member states may lower this age, but not below 13.
  • You need to keep documentary evidence of consent.


Conclusion

We’ve just covered all the major points of the GDPR in a little less than 800 words. The regulation itself (not including the accompanying directives) is 88 pages. 

For any further questions, feel free to contact us.

PCI

PCI SECURITY STANDARDS OVERVIEW

The PCI Security Standards Council touches the lives of hundreds of millions of people worldwide. A global organization, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.


The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.


PCI Security Standards are developed specifically to protect payment account data throughout the payment lifecycle and to enable technology solutions that devalue this data and remove the incentive for criminals to steal it. They include standards for merchants, service providers, and financial institutions on security practices technologies and processes, and standards for developers and vendors for creating secure payment products and solutions.


We have been audited for our PCI conformity.

Quality & Security

All our locations fulfill the quality and security standards and needs according to

ISO9001, ISO17050, ISO27001, FADP-new, FISMA, PCI, GDPR and CSA STAR.

Due to our best-practice approach, our certifications and our

"SWISS Quality in Outsourcing"

mantra, we ensure the best results for all our clients.

Copyright © 2022 SwissShore AG - All Rights Reserved.

SwissShore AG, Lättichstrasse 8b, CH-6340 Baar

  • Home
  • Our IT Services
  • Our HR Services
  • Open Jobs
  • Our Products
  • Our Locations
  • Contact Us
  • Imprint & Disclaimer
  • Data Privacy Notice
  • Our Partners
  • Investor Guides
  • Video in English
  • Video en français
  • Video in Arabic

"Grüezi" from Switzerland

Swiss Quality in Outsourcing!
[Grüezi = "Greetings" in SwissGerman]
