IT security in the Federal Administration
The SFAO has audited the Admin PKI – the basic infrastructure and offering for the issuing of digital certificates – within the Federal Office of Information Technology, Systems and Telecommunication (FOITT). The examination concentrated on assessing the development and current operation as well as future prospects. Admin PKI refers to all processes and the hardware and software needed for issuing certificates of different grades.
- Specialised applications that no longer allow the relevant components on the Windows platform to be updated.
- Weaknesses in the timely resolution of security deficiencies.
- Some of the workstation systems give highly privileged user rights (local administrator rights).
- The business areas continue to operate legacy applications and systems despite knowing that these present security deficiencies or prevent security-critical components from being updated.
- Responsibility for security-related matters still tends to be regarded by service providers as a purely technical responsibility.
- These privileged rights were assigned on the basis of user requests submitted.
- There is a lack of understanding of the segregation of tasks and responsibilities between service providers and service users.
- Good solutions have been found in many areas; however, this knowledge is not sufficiently shared among service providers.
- The individual service providers tend to develop or commission their own solutions.
- The FOITT still does not have the contractual basis to assess the quality of network security in the connected cantons, and therefore cannot take the necessary countermeasures.