ICT security and data protection

The Zurich Airport Group ensures that its systems, data and information are available, that confidentiality and integrity are maintained, and that threats can be averted.

Relevance

At its various sites, Zurich Airport Ltd. uses different systems for information and communication technology. In Zurich, the company maintains extensive ICT systems with data centers that are absolutely vital for its operations. The entire airport infrastructure can only function if data can be processed. The situation is similar at the three majority-owned subsidiaries in Brazil. In Chile, on the other hand, the ICT systems of the subsidiary A-Port and its sites are largely confined to the commercial and personnel-related administration of the company itself, as in particular the aviation-related systems are operated by the authorities.

In addition to risks of a physical nature such as natural disasters, cyberattacks pose a great threat to ICT systems today. The Zurich Airport Group is accordingly faced with the challenge of continually developing its security strategies. The ICT systems and associated data and information must be protected from unauthorised access while maintaining availability, confidentiality and integrity at all times.

As a key element of Switzerlandʼs infrastructure, Zurich Airport is part of the national strategy to protect critical infrastructures and is consequently required to take steps to increase resilience. At the same time the National Aviation Security Programme (NASP) run by the Federal Office of Civil Aviation (FOCA) stipulates certain ICT security requirements that are binding for Zurich Airport.

Personal data collected in Zurich, for example from passenger handling, video surveillance, access points to buildings and security zones, vehicle car parks, and from the provision of further services, are subject to Swiss and/or European data protection legislation.

Approach

ICT security

Zurich Airport Ltd. operates an information security management system (ISMS) to ensure the availability, confidentiality and integrity of its ICT systems. Following its ISO 27001 certification the previous year, the ISMS successfully completed a recertification audit during the reporting year. This management system ensures that ICT security is maintained for the basic infrastructure and is constantly adapted to meet ever-evolving challenges. Zurich Airport thus complies with the requirements of the NASP. The cybersecurity strategy of Zurich Airport Ltd., originally drawn up in 2019, was completely revised during the year under review. It is based on internationally recognised standards. The revised strategy gave rise to various projects which will be implemented in a comprehensive programme over the coming years. The technical and organisational requirements are already being implemented and elaborated in an ongoing process audited by the Federal Office of Civil Aviation.

This tight integration with the national strategy to protect critical infrastructures and close conformance with sector standards are intended to ensure the company will always be in a position to detect external cyberattacks or other data breaches at an early juncture and minimise their impacts. System-critical infrastructures are provided redundantly, also to limit the damage to ICT systems caused by other incidents such as earthquakes.

Given its central importance, awareness is assigned a separate project in the revised cybersecurity strategy, as the behaviour of employees is key to successfully protecting systems against cyberattacks. Regular information campaigns and training events are held to raise awareness among all ICT users and enable them to quickly spot potential threats.

In Brazil, the project launched in 2021 to achieve ISO 27001 certification has not yet been completed. Further work will be required this year in order to meet the standard.

Various measures for improving ICT security which had been decided on in the previous year were implemented in Chile during the year under review. These greatly increased resilience and also ensured compliance with data security legislation.

Protection of personal data

The framework for handling personal data is primarily provided by the Swiss Data Protection Act and the European General Data Protection Regulation.

As well as complying with data protection laws, Zurich Airport Ltd. handles all the data and sensitive information of its business customers, service partners, consumers and other stakeholders with care and observes its duties of confidentiality.

Zurich Airport Ltd. has appointed a data protection officer to ensure compliance as regards the protection of personal data. This officer advises line managers on the correct handling of personal data, maintains a list of the companyʼs data repositories, and provides information to affected individuals, external bodies and public agencies. In addition, during the year under review Zurich Airport Ltd. drew up a data ethics policy setting out its principles for handling personal and operational data.

The management of operational and personal data at the companyʼs airports abroad is based on the respective local regulations in force. Owing to the limited scope of the systems, no passenger-related data are collected at the airports in Chile. The passenger data collected at the Brazilian airports cannot be linked to individual people.