ICT security and data protection

The Zurich Airport Group ensures that its systems, data and information are available, confidentiality and integrity are maintained, and threats can be averted.

Relevance

Flughafen Zürich AG uses a variety of ICT systems at its various locations. In Zurich, the company maintains extensive ICT systems with data centers that are absolutely vital for its operations. The entire airport infrastructure can only function if data can be processed. The situation is similar at the three airports in Brazil. In Chile, on the other hand, the ICT systems of the subsidiary A-Port and its sites are largely confined to the commercial and personnel-related administration of the company itself as the aviation-related systems in particular are operated by the authorities.

In addition to risks of a physical nature such as natural disasters for example, cyberattacks pose a great threat to ICT systems today. The Zurich Airport Group is accordingly faced with the challenge of continually developing its security strategies. The ICT systems and associated data and information must be protected from unauthorised access, while availability, confidentiality and integrity must be maintained at all times.

As a key element of Switzerland's infrastructure, Zurich Airport is part of the national strategy to protect critical infrastructures and is consequently required to take steps to increase resilience. At the same time the National Aviation Security Programme (NASP) run by the Federal Office of Civil Aviation (FOCA) stipulates certain ICT security requirements that are binding for Zurich Airport.

Personal data that are collected in Zurich from, for example, passenger handling, video surveillance, access points to buildings and security zones, vehicle car parks, and from the provision of further services are subject to Swiss and/or European data protection legislation.

Approach

ICT security

To ensure the availability, confidentiality and integrity of its ICT systems, during the reporting year Flughafen Zürich AG set up an information security management system (ISMS) certified to ISO 27001. This management system ensures that ICT security is maintained for the basic infrastructure and is constantly adapted to meet ever-evolving challenges. Zurich Airport thus complies with the requirements of the NASP. The cybersecurity strategy of Flughafen Zürich AG defined as part of the ISMS is based on internationally recognised standards. The technical and organisational requirements are implemented and elaborated in an ongoing process audited by the Federal Office of Civil Aviation.

ISMS now
ISO 27001
certified

This tight integration with the national strategy to protect critical infrastructures and close conformance with sector standards is intended to ensure the company will always be in a position to detect external cyberattacks or other data breaches at an early juncture and minimise their impacts. System-critical infrastructures are provided redundantly, also to limit the damage to ICT systems caused by other incidents such as earthquakes for example.

The behaviour of employees is key to successfully protecting systems against cyberattacks. Regular information campaigns and training events are held to raise awareness among all ICT users so they can quickly recognise potential threats.

In 2021, a project to prepare for ISO 27001 certification was started in Brazil in collaboration with external consultants. The resulting recommendations are still in the process of being implemented, with certification scheduled for 2023.

In addition, an internal audit focusing on ICT security was carried out in the Latin American subsidiaries during the reporting year. The vulnerabilities identified will be investigated and the necessary steps taken to rectify them.

Protection of personal data

The framework for handling personal data is primarily provided by the Swiss Data Protection Act and the European General Data Protection Regulation.

As well as complying with data protection laws, Flughafen Zürich AG handles all the data and sensitive information of its business customers, service partners, consumers and other stakeholders with care and observes its duties of confidentiality.

Flughafen Zürich AG has appointed a data protection officer to ensure compliance with respect to protecting personal data. This officer advises line managers on the correct handling of personal data, maintains a list of the company's data repositories, and provides information to affected individuals, external bodies and public agencies.

The management of operational and personal data at the company's airports abroad is based on the respective local regulations in force. Owing to the scope of the systems, no sensitive passenger-related data are collected at the airports in Chile. The passenger data collected at the Brazilian airports cannot be linked to individual people.

In addition, between June 2021 and March 2022 a data protection project was carried out in Brazil with the aid of external consultants. Among other things, a record of processing activities was created containing an overview of all the processes in which potentially sensitive data are processed. The results are currently being processed.