What is integrated security?
A comprehensive security concept that integrates organisational, personnel-related and legal/regulatory measures in addition to the two pillars of physical security and IT security – and how SwissSign implements it as a trust service provider.
‘Integrated security’ describes a comprehensive approach to security aimed at bringing together and coordinating different aspects of security within the systems and the organisation in order to ensure the best possible overall security. Compared to isolated security measures, integrated security takes a holistic approach, linking and coordinating different security areas so that they work together optimally.
Purpose: a security level greater than the sum of its parts
Integrated security is based on the principle that isolated security measures are not sufficient to meet the complex security requirements of a modern organisation, especially a trust service provider such as SwissSign, which operates in a highly regulated market.
Within an integrated security strategy, all security measures and concepts – physical, IT-based, organisational, personnel-related and legal/regulatory – are united into one overarching system and harmonised with each other, connected in such a way that they complement and reinforce one another. The aim is a security level that is greater than the sum of its parts. Because all measures are coordinated, gaps between individual controls are reduced. This in turn significantly increases SwissSign’s resilience against threats and risks, while also making monitoring and control more efficient.
The key components of integrated security, using SwissSign as an example
1. Information security
Refers to IT-related security measures and the human factor, as security risks also originate from internal threats.
From a technical perspective, protection systems include logging and alerting systems and IT security solutions such as firewalls, cryptography/encryption and security software (IDS, EDR [endpoint detection and response], etc.). These measures are backed up by policies, as well as regular training and awareness campaigns for employees aimed at increasing their security alertness and minimising potential entry points for attackers.
At SwissSign, an established and certified information security management system (ISMS) forms the basis for integrated security and helps to ensure its implementation. Certification of this kind brings several benefits: a much higher security level, which gives SwissSign’s customers the assurance they need for their own supply chain monitoring; greater trust and credibility among SwissSign’s partners; and a clear signal to every stakeholder that SwissSign complies with all legal and regulatory requirements.
2. Physical security
These are guidelines, rules and procedures that ensure the secure operation and resilience of an organisation. Examples include organisational measures, employee management, access barriers, disposal of physical or electronic data/documents, careful use of natural resources and regular employee training on conduct and how to handle security incidents.
3. BCM – business continuity management
This is a strategic approach aimed at maintaining an organisation’s business operations even in crisis and emergency situations. BCM involves identifying potential threats, assessing their impact on time-critical and relevant business processes, and developing contingency plans and recovery strategies. Its objective is to boost resilience, minimise interruptions and ensure the swift resumption of business activities. Its core elements include BIA – business impact analysis (risk analysis), BCP – business continuity plans (emergency plans), established crisis management and regular testing of the plans.
4. Compliance and data protection
Compliance refers to adherence to legal and regulatory requirements, internal guidelines and ethical standards. The aim is to meet legal and regulatory requirements, minimise risks and maintain the trust of customers and partners.
Data protection deals specifically with the protection of personal data. It focuses on protecting the rights of data subjects when collecting, storing and processing data. The European General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP) define how this data is to be handled in order to guarantee transparency, data security and customer privacy.
5. Awareness and general sensitisation
This security objective means that all (internal and external) employees know the security requirements, measures and rules to enable them to act accordingly. They need to understand the significance of the policies so that they can act with motivation. Employees who perform security-related roles are given specific training in line with their duties and responsibilities.
Objectives and tasks of integrated security
The primary aim of integrated security is to achieve maximum protection and resilience; in particular, protecting the lives and health of all people affected by the organisation’s security measures takes priority here.
An integrated security concept encompasses the following tasks:
- Using transparent, effective and efficient security measures, including to maintain a high level of trustworthiness, sovereignty and independence.
- Establishing, maintaining and developing a security management system (ISMS) for all security areas.
- Coordinating overall security by integrating the security areas into the security organisation.
- Creating a security culture in which security is seen as a work task and observed by employees as part of their work.
- Achieving an appropriate security level.
- Creating the necessary cyber resilience to ensure future-oriented success in the digital world as the data security specialist of Swiss Post.
- Safeguarding our image and positive reputation in the public eye, towards domestic and foreign authorities, in the federal administration, and among suppliers and partners.
- Ensuring business operations and preventing disruptions through preventive and reactive measures to protect SwissSign on a financial level and preserve its reputation.
- Managing emergencies when disruptions are escalated.
- Handling business-critical risks in compliance with legal and regulatory requirements, and taking economic efficiency into account.
- Avoiding breaches of laws or regulatory requirements through compliance with legal, regulatory and contractual provisions.
- Implementing financially justifiable security measures.
- Deploying a risk-based approach to integrated security so that complex security issues are continuously improved and kept under control.
- Handling natural resources with care, avoiding any negative impacts on the environment.
Norms and standards of integrated security
The legal or industry-specific requirements on which a security concept is based vary greatly between organisations. They may be government regulations, guidelines issued by the relevant industry associations or overarching company standards. As a Swiss trust service provider, SwissSign is subject to the following regulations in particular:
- ISO/IEC 27001: an international standard for information security management systems (ISMS). It defines requirements for planning, implementing, monitoring and improving an ISMS and is recognised worldwide. SwissSign is ISO 27001-certified.
- ITIL (Information Technology Infrastructure Library): a best-practice framework for effective IT service management. ITIL is a collection of processes and tasks that are considered best practice for IT service management. SwissSign draws on this framework and incorporates it into its process management activities.
- BSI IT Baseline Protection Methodology: BCM (business continuity management as part of the IT Baseline Protection Methodology of the German Federal Office for Information Security [BSI]) describes a systematic method for safeguarding IT systems. It provides recommendations and catalogues of measures for business continuity in the event of a crisis and is based on a pragmatic approach to achieving an appropriate level of security. SwissSign bases its business continuity management on this standard.
- ISO/IEC 22301: this standard focuses on business continuity management and ensures that companies are prepared for disruptions in order to maintain business operations. It is closely linked to integrated security, as it treats IT infrastructure continuity as a critical component. SwissSign bases its business continuity management on this standard.
- NIS (Network and Information Security [NIS] Directive): the NIS Directive defines measures for ensuring that network and information systems in the European Union share a high common security level. It has established a single legal framework for building cybersecurity capacity across the EU. As a certified trust service provider in Switzerland and the EU, SwissSign is obliged to comply with this Directive.
- ISO/IEC 31000: a standard for risk management that offers general principles and guidelines for managing risks in companies. It helps with the identification, assessment and management of risks relevant to the security and continuous operation of IT systems and services. SwissSign bases its risk management on this standard.
These norms and standards offer good, structured approaches and guidelines for developing an integrated security strategy for SwissSign, minimising risks and strengthening business continuity.
Additional legal bases and standards for ‘physical security’
Switzerland has various legal and regulatory requirements in place that are relevant to physical security. The purpose of these requirements is to guarantee physical security for people and infrastructures, and to minimise risks. Companies and organisations have an obligation to integrate these requirements into their security concepts. The following are some of the most important legal framework conditions and standards that may apply to SwissSign.
- Fire protection regulations of the VKF (VKF = Association of Cantonal Fire Insurers)
- National and cantonal building laws
- Swiss Code of Obligations (OR)
- Swiss Employment Act (EmpA)
- Swiss Accident Prevention Ordinance (VUV)
- Directive of the Federal Coordination Commission for Occupational Safety (EKAS)
- Swiss Environmental Protection Act (USG)
- Swiss Energy Act (EnG)
- DSG (Swiss Federal Act on Data Protection) and related ordinances
- ISO/IEC 27001/27002
As SwissSign does not have its own real estate, the lessor must fulfil the legal and regulatory requirements in the leased premises as far as possible.
Important: the regulatory requirements and legislation listed apply to SwissSign as a whole. Due to the regulatory requirements for supply chains, contractual partners (service providers, partners, suppliers, etc.) are also obliged to comply with these when fulfilling their roles.
Challenges and risks of integrated security
Just as implementing integrated security offers many benefits, it can also come with a number of challenges that require careful consideration:
- High complexity: integrated security involves a multitude of measures from different fields, which often results in a high level of complexity that can make it harder to manage. Good coordination and a clear division of responsibilities within the organisation are needed.
- Financial investments: a comprehensive security concept, accompanied by the necessary certifications, can be costly, as it requires significant investments in technology, personnel and organisational measures. This means additional costs for certifications, state-of-the-art infrastructure and comprehensive protection systems, including the necessary partnerships, as well as workforce training and sensitisation measures that must be repeated at regular intervals. These expenses are necessary for keeping up with the constant challenges posed by new attack strategies and technologies and for offering customers a good and, above all, secure service. At least, this is the case for an organisation such as SwissSign that places high demands on its trustworthiness.
- Technological risks: modern security solutions are often based on technologies that are themselves vulnerable to attack. Cyber attacks and rapid technological development can quickly render existing security measures obsolete.
- The human component: people make mistakes – a lack of training or the unintentional disregard of security guidelines poses a major risk. Even the best security precautions are only as strong as the employees who implement them. A careless employee can cause significant security problems. It is therefore essential to embed security awareness throughout the entire organisation, to raise employee awareness continuously, to motivate and inform employees and to offer appropriate support. At SwissSign, we take this very seriously.
The future of integrated security: what are the benefits of the digital transformation?
Technological developments such as the Internet of Things (IoT) and increasing automation through artificial intelligence (AI) will have a major impact on integrated security in the years to come. The most important trends include:
- Automated security measures: AI and machine learning can be used to monitor and predict threats in order to initiate preventive measures.
- Cyber-physical systems: the increasing interlinking of physical and digital security is creating a growing need for security solutions that cover both.
- Data protection and ethics: with the use of big data and AI on the rise, the requirements for data protection and ethically acceptable security practices are also increasing.
Automated security measures
Security precautions that use artificial intelligence (AI) and machine learning (ML) to independently identify, analyse and respond to threats without the need for human intervention. These measures are increasingly being deployed in IT security to monitor large amounts of data, detect anomalies in real time and proactively defend against potential threats.
Examples of automated security measures include:
- Detection of anomalies: AI-supported systems continuously monitor network traffic and user behaviour in order to identify suspicious deviations at an early stage, for instance unusual access attempts or network activity that could indicate a cyberattack.
- Threat analysis and prediction: machine learning algorithms can be used to identify patterns in cyber threats and predict future attacks. The system continuously learns from new threat data and can use the knowledge gained to stop attacks as they develop.
- Automated response measures: when an incident is detected, automated systems can initiate protective measures, such as blocking suspicious IP addresses, isolating compromised systems or enforcing security updates.
- Intrusion prevention systems (IPS): these systems use AI to detect potential threats and automatically apply security policies to fend off attacks before they cause damage.
- Phishing detection: AI analyses emails and user communication to detect phishing attempts and blocks them before they reach inboxes.
Automated security measures are able to monitor and respond to threats around the clock, significantly reducing response times. The preventive use of these technologies improves security processes, defends against cyber attacks more quickly and reduces potential damage to organisations.
However, when evaluating automated security measures, it is important to consider their risks critically: misinterpreted signals can cause automated systems to trigger actions that hinder or disrupt business processes, and attackers are already trying to influence and exploit automated systems for their own ends. A risk-based assessment of the advantages and disadvantages of automated security measures is therefore required.
Cyber-physical systems (CPS)
These are systems which involve the close interlinking and real-time connection of physical and digital components via the internet. They capture and control physical processes using software and network components and respond dynamically to changes in their environment. Examples include connected vehicles, industrial control systems, smart grids and medical devices.
Since these systems contain both physical and digital elements, safeguarding integrated security is particularly important, as vulnerabilities in digital security can have significant physical consequences. This creates new requirements for security solutions that guarantee both the digital integrity and physical security of systems.
The increasing interconnection of these systems leads to threats such as cyber attacks on critical infrastructure, which can result in production disruptions, manipulation or even physical damage. Managing these risks requires comprehensive security solutions that integrate IT security standards (such as ISO 27001 or NIST) and physical security aspects to prevent both virtual and physical attacks.
Data protection and ethics
These are key issues in today’s digital world, as the use of big data and artificial intelligence (AI) is constantly growing. While these technologies offer great opportunities to gain insights, optimise processes and offer new services, they also pose risks to privacy and ethical responsibility.
The EU AI Act (Artificial Intelligence Act): in 2024, the EU adopted the AI Act, a law on the comprehensive regulation of artificial intelligence (AI). Its objective is to protect fundamental rights and promote the deployment of secure, human-centred AI systems in the European Single Market. The AI Act aims to protect citizens from risks and fundamental rights violations caused by the improper use of AI.
Data protection: data protection is about protecting users’ personal information and ensuring that data is processed responsibly and transparently. Big data and AI, in particular, often collect and process huge amounts of personal data, which entails risks such as misuse, identity theft and unwanted surveillance. Privacy policies such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) set standards aimed at guaranteeing the protection and rights of data subjects, including:
- Data minimisation: collecting only the data that is necessary.
- Transparency: informing users about the collection and use of data.
- Consent: obtaining active consent from users for data processing.
- Deletion of data: deleting data when it is no longer needed.
Ethics: ethical questions affect how data is collected, processed and used, particularly when these processes are based on algorithms and AI. Ethical data use requires responsible security practices and takes into account possible impacts on society such as discrimination, surveillance and decision-making. Key ethical principles include:
- Fairness and transparency: AI systems should be fair and work transparently to avoid discrimination and prejudice.
- Avoiding bias: ensuring that algorithms are not trained on erroneous or unbalanced data that could yield discriminatory results.
- Responsibility: defining clear responsibilities for the decisions made by AI and automated systems.
- Traceability: ensuring the traceability and explainability of AI models to promote user trust and create transparency.
Data protection and ethical security practices are key to protecting user privacy, building trust and ensuring the social acceptability and responsible use of new technologies.
Conclusions
For organisations and for us at SwissSign, integrated security offers a structured and holistic approach to managing increasingly complex security requirements. It combines technical, organisational, personnel-related, legal and regulatory security aspects in one overall system and strives to achieve synergy effects that are beyond the capacity of isolated security measures.
Thanks to the continuous improvement process and the consideration of new technologies such as AI, integrated security remains a dynamic discipline that needs to adapt to new challenges. This also receives positive support in the form of regular audits by external certification companies, meaning that SwissSign customers can always rely on the security of their services.