831.101.4
Order of the DFI on the minimum requirements to be met by the technical and organisational measures to be taken by the services and institutions that systematically use the AVS insured number outside the AVS
of November 7, 2007 (status on December 1, 2007)

The Federal Department of the Interior, under art. 50g, al. 3, of the Federal Act of 20 December 1946 on old-age and survivors' insurance (LAVS), in agreement with the Federal Department of Finance, orders:

Section 1 General provisions

Art. 1 Purpose
This order is intended to ensure that the services and institutions that systematically use the insured number take technical and organisational measures sufficient to:
a. ensure that the number used is correct;
b. prevent any misuse.

Art. 2 Scope
This order applies to all services and institutions that systematically use the insured number within the meaning of art. 50d and 50e LAVS.
If the systematic use concerns data collections in which no transfer linked to the insured number takes place, only the provisions of art. 6 to 8 apply.

Section 2 Measures to ensure the use of the correct insured number

Art. 3 Design of computer systems
Computer systems are designed to exclude any possibility of conflicting information regarding the valid insured number attributed to a particular person.

Art. 4 Manual entry of the insured number
The insured number may be entered manually into a data collection only after verification of the control key following the procedure described in annex 1.
Entry of the number by optical reading of a bar code is equated with manual entry.

Art. 5 Security of the data source
The insured number may be entered into a data collection only if certainty as to the correctness of the number is sufficient.
Certainty as to the correctness of the insured number is deemed sufficient when the latter was communicated by a procedure consistent with art. 134, al. 2 to 4, of the Regulations of 31 October 1947 on old-age and survivors' insurance (RAVS).
Certainty is presumed to be sufficient when there is no doubt about the identity of the person corresponding to the insured number that is about to be entered and the source of the number is one of the following:
a. the OASI insurance certificate within the meaning of art. 135 RAVS;
b. the insurance card within the meaning of art. 42a of the Federal Act of 18 March 1994 on health insurance (LAMal), valid at the time of entry;
c. a communication in writing or by electronic means, current at the time of entry, emanating from an OASI body;
d. a communication in writing or by electronic means, current at the time of entry, from a service or an institution recommended by the central compensation office (CdC) as being safe enough.
The CdC publishes on the Internet the list of services and institutions it recommends as being safe enough.
RS 831.101 RO 2009 1609 RS 832.10

Section 3 Measures to prevent any misuse

Art. 6 Agents
Access to the data collections containing the insured number is granted only to persons who need the said number to perform their tasks. Read and write rights in the said data collections are restricted to these persons.
When the insured number is used systematically in complex systems, the necessary protective measures are taken on the basis of a detailed risk analysis. This analysis must take into account the risk of an illegal grouping of data collections.
The use of computing resources and memory units meets the minimum security standards set out in annex 2.

Art. 7 Transmission of data through public networks
When data collections containing data sets that show the insured number are transmitted through a public network, they are encrypted in accordance with the state of the art.

Art. 8 Use and communication
Services and institutions that use the insured number shall inform their employees, through training and development, that the insured number may be used only in connection with their duties and may be communicated only in accordance with the legal requirements.

Art. 9 Entry into force
This order comes into force on December 1, 2007, subject to al. 2 and 3.
Art. 5, al. 3, let. a, comes into force on July 1, 2008.
Art. 5, al. 3, let. b, comes into force on January 1, 2009.

Annex 1
(art. 4)

Verification of the control key

A. Composition of the insured number

$x_{n-12}\ x_{n-11}\ x_{n-10}\ .\ x_{n-9}\ x_{n-8}\ x_{n-7}\ x_{n-6}\ .\ x_{n-5}\ x_{n-4}\ x_{n-3}\ x_{n-2}\ .\ x_{n-1}\ x_n$

Country code    Nine-digit number    Key
7 5 6           1 2 3 4 5 6 7 8 9    7

B. Logic of the control key

The control key is the last digit of the number ($x_n$). It is obtained by the following operations:
- multiply each digit alternately by 3 and 1, starting with the penultimate digit ($x_{n-1}$), and add these intermediate products: $\text{total} = (3x_{n-1}) + (x_{n-2}) + (3x_{n-3}) + \dots$
- then determine the value (control key $x_n$) which, added to the intermediate total, gives the next multiple of 10.
Note: If the intermediate total is already a multiple of 10, the control key is 0.
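
The control-key verification required by art. 4 and described in section B above, as an added Python example that is not part of the order. It assumes that dots and spaces are mere separators and that every number starts with the country code 756 shown in section A; the function names are illustrative.

```python
import re

COUNTRY_CODE = "756"  # country code shown in Annex 1, section A


def control_key(first12: str) -> int:
    """Control key x_n for the 12 leading digits, per Annex 1, section B."""
    if not re.fullmatch(r"\d{12}", first12):
        raise ValueError("expected exactly 12 digits")
    total = 0
    # Walk leftwards from the penultimate digit of the full number (x_{n-1}),
    # multiplying alternately by 3 and 1.
    for i, ch in enumerate(reversed(first12)):
        total += int(ch) * (3 if i % 2 == 0 else 1)
    # Value that lifts the total to the next multiple of 10 (0 if already one).
    return (10 - total % 10) % 10


def verify_insured_number(raw: str) -> tuple[bool, str]:
    """Check a manually entered number before it is stored (art. 4)."""
    # Assumption: dots and spaces are only presentation separators.
    digits = re.sub(r"[.\s]", "", raw)
    if not re.fullmatch(r"\d{13}", digits):
        return False, "not 13 digits"
    if not digits.startswith(COUNTRY_CODE):
        return False, "unexpected country code"
    expected = control_key(digits[:12])
    if expected != int(digits[12]):
        return False, f"control key mismatch (expected {expected})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the first is the number from the Annex 1 illustration.
    samples = [
        "756.1234.5678.97",  # valid
        "756.1234.5678.79",  # last two digits swapped
        "756.1234.5687.97",  # adjacent digits 7 and 8 swapped
        "756.1284.5678.97",  # single wrong digit
        "756.1234.5678.9",   # truncated
        "757.1234.5678.97",  # wrong country code
    ]
    for s in samples:
        print(f"{s:20} {verify_insured_number(s)}")
```

Because the multipliers 3 and 1 are both coprime with 10, the key catches any single wrong digit, but a swap of two adjacent digits that differ by 5 leaves the key unchanged. The check therefore complements the source requirements of art. 5 rather than replacing them.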

C. Illustration

Insured number   7   5  6  1  2  3  4   5  6   7  8   9   $x_n$ = ?
Multiplier       1   3  1  3  1  3  1   3  1   3  1   3
Result           7  15  6  3  2  9  4  15  6  21  8  27

Intermediate total: 123
Value to add to get a multiple of 10: 130 is the next multiple of 10 after the intermediate total 123. The difference, and therefore the control key, is 7.
$x_n$ = 7

Annex 2
(art. 6, al. 3)

Minimum security standards for the operation of computing resources and memory units used during systematic use of the insured number

1. Access to computing resources and memory units is secured physically. Where computing resources and mobile data are used, cryptographic processes (data encryption) complying with the state of the art must be applied to make access and use by unauthorised persons impossible.
2. Access to computing resources and memory units is protected by appropriate security measures corresponding to the state of the art and the risks involved. These measures include at least the use of commercially available and regularly updated software for detecting and removing malicious software (antivirus), and the use of firewall systems (central or individual).
3. Users with access to computing resources and memory units must authenticate. If the authentication is done by means of a password, it is kept secret and cannot be communicated. If there is reason to believe that unauthorised persons know it, it is replaced immediately.
4. Updates that eliminate errors (patches) are applied as soon as possible to operating systems and software.
5. On the computer systems used, the responsible officials record activities and important events in writing and analyse them regularly.
6. When a computing resource or memory unit needs to be repaired, removed or destroyed, it is imperative that it no longer contains any insured numbers and that they cannot be reconstituted.