The following article describes the most important laws and regulations concerning personal data, data rights, and the obligations of data holders. They are described as "implementation provisions" with underlying instructions for action giving a more specific description.

In general, the board of directors is legally required to carry out an ordinary audit of its risk assessment. The audit is supported by IT security measures and delivered together with an internal control system (IKS).

The information, of course, must be inaccessible to unauthorized persons and handled with care.

For an audit by the board of directors, you as an IT security manager need to know the following articles of law:

OR Art. 663b Ziff. 12: The board of directors is required to carry out a proper risk assessment that includes risk analysis, a risk management strategy, risk definitions, risk mitigation, and risk control.

OR Art. 728a Ziff. 3: An ordinary audit requires an IKS. Auditors are required to deliver reports on the IKS.

OR Art. 727: Listed companies whose shares are publicly traded, GmbHs, and companies obligated to prepare consolidated financial statements are legally required to undergo an audit. Companies, regardless of legal form, that reach one of the three thresholds below within a period of two years are also required to do so.
- 10 million balance sheet total
- 20 million turnover
- 50 full-time employees

OR Art. 957 Abs. 5: States that data such as documents and correspondence (including order confirmations) that affect the balance sheet and income statement fall under the statutory archiving obligation. The data must be archived for a period of 10 years. Archives must meet requirements such as integrity protection, duty of care, availability and accessibility, and a permitted form of storage, so that any change to the data can be detected.

Data protection law applies as soon as conclusions can be drawn about individual persons. For example, data mining or a CRM includes data that can lead to the identification of a person, their interests, and general information. Data in the following categories are particularly sensitive and require special protection:

  • Religious views or activities
  • Philosophical views or activities
  • Political views or activities
  • Trade union views or actions
  • Health
  • Intimate sphere
  • Ethical associations
  • Social support measures
  • Information regarding administrative and/or criminal law measures

The most important articles of law are:

DSG Art. 2: Defines the scope of the DSG.

DSG Art. 3: Defines important terms in the DSG and how personal data are identified.

DSG Art. 4: Describes the lawful use of personal data.

DSG Art. 5: Defines that both the confidentiality and the integrity of data must be protected.

DSG Art. 7: An organization is required to take appropriate measures to protect data and information from unauthorized individuals.

DSG Art. 7a: Describes the correct use of personal data.

DSG Art. 8: Defines the right of access to personal data and how they are transmitted.

DSG Art. 8 Abs. 1: An organization must protect data from:
- Unauthorized or accidental destruction
- Loss
- Technical issues
- Falsification, theft or unauthorized usage
- Unauthorized changes, copying or unauthorized access and editing
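Both the archiving requirement above (OR Art. 957 Abs. 5: a form of storage in which any change to the data can be detected) and the protection duties in Art. 8 Abs. 1 (unauthorized or accidental destruction, loss, falsification, unauthorized changes) come down to the same technical control: a tamper-evident record of what the archive is supposed to contain. The following Python script is an added example, not part of the article or of any Swiss legal text, and shows one way to implement that control: a SHA-256 manifest of the archived records, sealed with an HMAC so the manifest itself cannot be silently rewritten, and a verification step that reports modified, missing, and unexpectedly added records. The record names, contents, and the `SEAL_KEY` are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample archive: business records of the kind that fall under the
# 10-year retention obligation. Names and contents are invented for this example.
SAMPLE_RECORDS: Dict[str, bytes] = {
    "2019/invoice-0001.txt": b"Invoice 0001\nTotal: CHF 1200.00\n",
    "2019/order-confirmation-0001.txt": b"Order 0001 confirmed on 2019-03-04\n",
    "2020/invoice-0002.txt": b"Invoice 0002\nTotal: CHF 850.00\n",
}

# Assumed secret used to seal the manifest. In a real deployment this key lives
# in an HSM or key management system and is never stored beside the archive.
SEAL_KEY = b"example-manifest-seal-key"


def sha256_hex(data: bytes) -> str:
    """Content hash of one archived record."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: Dict[str, bytes]) -> Dict[str, str]:
    """Map every record name to the SHA-256 of its content at archiving time."""
    return {name: sha256_hex(content) for name, content in sorted(records.items())}


def seal_manifest(manifest: Dict[str, str], key: bytes = SEAL_KEY) -> str:
    """HMAC over a canonical JSON encoding, so edits to the manifest are detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_seal_valid(manifest: Dict[str, str], seal: str, key: bytes = SEAL_KEY) -> bool:
    """Constant-time comparison of the stored seal with a freshly computed one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_archive(manifest: Dict[str, str], records: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the archive as it is now against the sealed manifest.

    Returns the names of records whose content changed, records that were
    deleted or lost, and records that appeared without being in the manifest.
    """
    current = build_manifest(records)
    modified = sorted(n for n in manifest if n in current and current[n] != manifest[n])
    missing = sorted(n for n in manifest if n not in current)
    added = sorted(n for n in current if n not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def archive_intact(manifest: Dict[str, str], seal: str, records: Dict[str, bytes],
                   key: bytes = SEAL_KEY) -> bool:
    """True only if the manifest seal holds and no record changed, vanished, or was added."""
    if not manifest_seal_valid(manifest, seal, key):
        return False
    findings = verify_archive(manifest, records)
    return not any(findings.values())


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS)
    seal = seal_manifest(manifest)
    print("fresh archive intact:", archive_intact(manifest, seal, SAMPLE_RECORDS))

    # Simulate an altered invoice amount and a lost record, then re-check.
    damaged = dict(SAMPLE_RECORDS)
    damaged["2019/invoice-0001.txt"] = b"Invoice 0001\nTotal: CHF 120.00\n"
    del damaged["2020/invoice-0002.txt"]
    print("findings:", verify_archive(manifest, damaged))
    print("damaged archive intact:", archive_intact(manifest, seal, damaged))
```

The manifest and its seal should be stored separately from the archive (for example, in a write-once location or alongside the audit trail), and the verification run on a schedule; a non-empty `findings` result is the audit evidence that integrity or availability was violated, which is exactly what the archiving provision asks the storage form to make detectable.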

DSG Art. 10a: Regulates access and editing by third parties. Responsibility cannot be transferred to third parties.

Long story short, personal data must be handled appropriately, confidentially, and securely. Make sure no one tampers with the data or information, and ensure its integrity. Some circumstances require you to provide personal data on request within a previously defined time span.

I also want to mention the ZertES. ZertES is an organization that defines the requirements a CA must meet to be allowed to issue digital certificates.

Also worth a mention is the "Bundesgesetz zur Überwachung der Post- und Fernmeldeverkehrs" (BÜPF), which translates to the federal law on the surveillance of postal and telecommunications traffic.
The BÜPF regulates the surveillance of telecommunication and mail communication. The "Dienst für besondere Aufgaben" (DBA), translated "service for special tasks", is part of the EJPD (Eidgenössisches Justiz- und Polizeidepartement / Federal Department of Justice and Police) and monitors communications when legal regulations require it. It is important to note that data cannot be included retroactively. An exception is phone call histories from the last 6 months.

Last modified: September 11, 2020
