ICT security and data protection

The Zurich Airport Group ensures that its systems, data and information are available, that confidentiality and integrity are maintained, and that threats can be averted.

Relevance

The Zurich Airport Group uses a variety of ICT systems at its various locations. In Zurich, Flughafen Zürich AG maintains extensive ICT systems with data centers that are absolutely vital for its operations. The entire airport infrastructure can only function if data can be processed.

In addition to physical risks such as natural disasters, cyberattacks pose a great threat to ICT systems today. The Zurich Airport Group is accordingly faced with the challenge of continually developing its security strategies. The ICT systems and associated data and information must be protected from unauthorised access, while availability, confidentiality and integrity must be maintained at all times.

As a key element of Switzerland’s infrastructure, Zurich Airport is part of the national strategy to protect critical infrastructures and is consequently required to take steps to increase resilience. At the same time the National Aviation Safety Programme (NASP) run by the Federal Office of Civil Aviation (FOCA) stipulates certain ICT security requirements that are binding for Zurich Airport.

Personal data that is collected from, for example, passenger handling, video surveillance, access points to buildings and security zones, vehicle car parks, and from the provision of further services is subject to Swiss and/or European data protection legislation.

Approach

ICT security

To ensure the availability, confidentiality and integrity of its ICT systems, an information security management system (ISMS) is being set up at Zurich Airport. This management system should ensure that comprehensive ICT security is maintained and constantly adapted to meet ever-evolving challenges. Zurich Airport thus complies with the requirements of the NASP. The cybersecurity strategy of Flughafen Zürich AG defined as part of the ISMS is based on internationally recognised standards and the ISMS is set to be certified to ISO 27001 in 2022. The technical and organisational requirements are being implemented and elaborated in an ongoing process audited by the Federal Office of Civil Aviation.

This tight integration with the national strategy to protect critical infrastructures and close conformance with sector standards are intended to ensure the company will always be in a position to detect external cyberattacks or other data breaches at an early juncture and/or minimise their impacts. System-critical infrastructures are provided redundantly, also to limit the damage to ICT systems caused by other incidents such as earthquakes.

Data protection

The framework for handling personal data is primarily provided by the Swiss Data Protection Act and the European General Data Protection Regulation.

As well as complying with data protection laws, Flughafen Zürich AG handles all the data and sensitive information of its business customers, service partners, consumers and other stakeholders with care and observes its duties of confidentiality.

Flughafen Zürich AG has appointed a data protection officer to ensure compliance with respect to protecting personal data. This officer advises line managers on the correct handling of personal data, maintains a list of the company’s data repositories, and provides information to affected individuals, external bodies and public agencies.

The management of operational and personal data at the company’s airports abroad is based on the respective local regulations in force.