Information security
Background and area of application
Flughafen Zürich AG (FZAG) is obtaining certification in a defined area of application in accordance with ISO Standard 27001:2013 and undertakes to comply with these requirements. The area of application of the certification comprises the ICT infrastructure.
Goals of information security
FZAG has set itself the following goals:
- Support for ICT in fulfilling its mandate.
- Appropriate protection of information in terms of availability, confidentiality and integrity, in accordance with the accepted conditions of all stakeholders and "customers" of the ICT organisation.
- Keep the impact and frequency of successful attacks on information of FZAG within the company's risk appetite.
- Protect the critical information and communication technology systems and data required for safe and secure flight operations against cyberattacks, in line with aviation safety and aviation security, and thus prevent any impact on the safety of civil aviation.
Information security management system
The information security management system serves to document all processes and rules needed to guarantee information security in respect of stakeholder groups. The ISMS is communicated continuously, and level-appropriate training is provided. Application of these rules is mandatory and binding. The ISMS has an area of application defined in the scope.
The ISMS serves to protect information and information processing applications and systems against attacks and hazardous events. Information is independent of its representation and can thus appear in electronic, physical or spoken form.
In accordance with data protection (pursuant to the Federal Act on Data Protection, FADP, or the EU General Data Protection Regulation), the ISMS governs data security and takes account of the data protection requirements as regards data security. Otherwise, data protection is not governed by the ISMS.
In the regulated area, FZAG is subject to the NASP, among others. The integrated management system (IMS) (security and safety in the field of aviation) is delineated as follows: The documentation systems are regulated; data security rules apply only in a subsidiary manner. Within the SAIP perimeter, the provisions on physical security shall apply pursuant to the regulations.
Continuous improvement
The ISMS of FZAG is checked continuously and adapted to current circumstances. The competencies of all involved units are being developed to ensure continuous improvement.
Organisation and responsibilities
ISMS delegate of the Management Board (CFO)
The following responsibility is based on the requirements of NASP Chapter 19 and the organisation of FZAG:
The CFO has ultimate responsibility for information security and for requirements agreed by the panel for the attention of the Management Board or Board of Directors, and requests the necessary resources.
Information Security Steering Committee (ISSC)
Supports the CFO in decision-making and implementation. This is part of the management review from the point of view of the ISO certificate. The Steering Committee should comprise the following members:
- CFO (Chairman)
- COO
- Head of ICT
- Information Security Officer (reporting)
- Area manager O (Head of Flight Operations)
- Area manager M (Head of Building Services)
- Area manager C (Head of Parking & Mobility).
Internal Employees / general
All FZAG employees who are subject to the ISMS must comply with the ISMS rules and are responsible within the operating framework for information security in their area.
The line managers at all hierarchical levels are obliged to provide the appropriate resources with the appropriate skills for information security. They are obliged to sustainably implement all necessary security measures in their area of responsibility. They lead their employees and train them in line with needs.
Information Security Officer
Responsibility
Ensures that an information security strategy tailored to the business objectives is implemented while taking account of the identified security requirements.
Ensures that an information security management system (ISMS) is implemented, operated and improved while taking account of the statutory and regulatory requirements.
Ensures that the ISMS and its policies can be communicated appropriately within FZAG and in respect of the ISMS's stakeholders.
Is responsible for implementing the regulatory requirements in terms of information security.
Competencies
The role of ISO comprises the following competencies:
- Independently implements decisions of the Management Board and the CFO (in terms of the ISMS).
- Authority to issue directives in the context of the ISMS.
Structure procedures and processes in the context of the ISMS.
Asset owner
Asset owners define rules for the permitted use of information and values allocated to them, and they document and apply them.
Risk owner
Risk owners manage the process for assessing and dealing with information security risks for risks allocated to them. They analyse and evaluate the risks and define appropriate measures.
Service manager
Service managers are responsible for management of the IT services assigned to them throughout the entire life cycle.
Line manager
Line managers ensure the smooth, economical and appropriate functioning of the processes in their area of responsibility. They are responsible for the interests of the user group and ensure unique and coordinated managers requirements.
Application managers
Application managers are responsible for the technical solution of the application as a whole and for commissioning it.
Internal ISMS audit
The internal ISMS audit serves as a periodic check as to whether the ISMS has been implemented in accordance with the Management Board’s requirements and if it is being operated effectively. The audits are conducted in accordance with recognised audit methods and are documented. Here it is important to consider that the certified part of the ISM is re-certified each year by an external body.
In organisational terms, the internal ISMS audit can be incorporated into the ISO function, provided the audits are conducted and reported in coordination with the internal audit of FZAG.
External employees/third-party employees
The rules of FZAG as regards information security also apply to persons who work as external employees or third-party employees in the area of application of the ISMS and must be adhered to.
Checks
FZAG checks information security at planned, regular intervals with internal and external audits. The results of these checks are incorporated into the continuous improvement.
Sanctions
Employees of FZAG are subject to the internal sanctions process.
For external employees, sanctions are provided for in the contractual agreements.
Definitions of terms
Information security
Information security is understood to include all measures that are ordered, implemented, checked and continuously improved in order to uphold confidentiality, integrity and the availability of information. These measures may be of an organisational, technical or construction-related nature.
- Confidentiality: access to information guaranteed only for the authorised persons.
- Integrity: ensuring the intactness and completeness of information and the processing methods used.
- Availability: guaranteeing needs-based access to information and the related figures for authorised users.
Information security management system (ISMS)
An ISMS is understood to include:
- all rules, procedures and processes within the area of application that serve to define, manage, conduct, check, uphold and continuously improve information security.
- Documentation is handled via the ISMS framework, the SOA (statement of applicability) checks and related policies, process overviews and other documentary evidence.