Swiss Federal Audit Office


IT security in the Federal Administration Read full summary in English

2011 report autoID-CH:1358242702703

The SFAO has audited the Admin PKI – the basic infrastructure and offering for the issuing of digital certificates – within the Federal Office of Information Technology, Systems and Telecommunication (FOITT). The examination concentrated on assessing the development and current operation as well as future prospects. Admin PKI refers to all processes and the hardware and software needed for issuing certificates of different grades.

In the report

- specialised applications, no longer allowing the relevant components to be updated on Windows platform

- weaknesses in the timely resolution of security deficiencies

In the report

- Some of the workstation systems give highly privileged user rights (local administrator rights).

- The business areas continue to operate legacy applications and systems despite knowing that these present security deficiencies or prevent security-critical components from being updated.

- Responsibility for security-related matters still tends to be regarded by service providers as a purely technical responsibility.

- These were assigned on the basis of user requests submitted.

- There is a lack of understanding of the segregation of tasks and responsibilities between service providers and service users.

In the report

- Good solutions had been found in many areas, however, this knowledge is not sufficiently shared among service providers.

- the individual service providers tend to develop or commission their own solutions

In the report

- The FOITT still does not have the contractual basis to assess the quality of network security in the cantons connected

- Cannot take the necessary countermeasures.

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with author Supreme Audit Institutions (SAI). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by SAIs - to be found in the linked files.