The Federal Audit Office (CDF) notes security gaps in the transfer of data from the Ruag armaments group to the Department of Defense (DDPS). In its audit report, it asks for “adjustments”.
The IT security audit showed that the transfer of systems and data was “largely successful”, despite follow-up projects that have not been completed, writes the Federal Finance Control (CDF), the highest body of financial supervision of the Confederation, in its report published on Monday.
IT governance and IT security organization are “adequate”, but significant adjustment work is still needed. Cooperation with the BAC (Army Command Assistance Base) works, but is not yet well established, continues the CDF.
When the systems were integrated into their new environment, no large-scale security compliance checks were carried out, resulting in a “significant risk”, especially for Internet-related applications, says the CDF. It asks that the army (BAC) systematically carry out security compliance checks.
CDF calls for a faster solution
The establishment of an information security management system with audit activities contributes to long-term information security, says the CDF report. Risk management and business continuity management are in progress. But the latter should not be operational until 2023. The CDF invites Ruag AG to find a faster solution.
In March 2018, the Federal Council decided to merge the business units of the former Ruag company, almost exclusively active for the Swiss army, into a new company of the Ruag group, MRO Holding AG (MRO CH), i.e. in its subsidiary Ruag AG. These parts were to be separated from the rest of the Ruag group (Ruag International), which carries out international civil and military activities.
The split also affected Ruag’s information and communication technologies (ICT). It was decided to entrust this responsibility to the Federal Department of Defense (DDPS). The entire infrastructure and ICT systems were reorganized and the data included in the security perimeter of the Army Command Assistance Base (BAC). Federal security requirements must therefore be observed.
According to an estimate from September 2020, the dissociation project is expected to cost between 81 and 86 million Swiss francs. Of the 57 million francs spent by the end of September, 34 million francs are attributable to the ICT split. The project involves around 2,500 MRO CH employees at more than 20 sites in Switzerland.
ats / fgn