Information Security
IT Risk Management and information security
Addressing IT risks is part of Group Risk Management
VIG has established a mandatory IT Risk Management approach for the Group through the dedicated IT Risk Management Group Guideline. The guideline is a holistic take on specifically addressing IT and therefore the identification, analysis and evaluation of the risks involved using information technology in all its facets. Furthermore, group requirements for setting IT controls, running business impact analyses and IT continuity management targets are formulated within this document.
There is a quarterly Risk Committee held to inform the management on a regular basis (including IT Risk Management aspects). Furthermore, ad hoc developments can and are directly communicated to the management board member responsible for IT.
Three fundamental protection goals: confidentiality, integrity and availability
At VIG, the IT security aims at protecting electronic information and data, information systems, applications, hardware and infrastructure against threats in order to assure the continuity of the business, to minimize business risk, to safeguard know-how, to comply with legal requirements and to maintain business opportunities. Thus, the security of this electronic information and information systems constitutes a necessity for the achievement of essential company objectives and the continuing success of the Group.
To achieve the best protection of information assets and data of our customers VIG focuses on three fundamental protection goals:
- Confidentiality
information is accessible only to authorized users - Integrity
accuracy and completeness of information and processing methods - Availability
authorized users have access to information and associated assets according to requirements
VIG takes comprehensive security measures for the IT landscape to prevent cybercrime and guarantee that protection goals are met. All globally active external IT service providers have extensive certifications in accordance with international standards for information security like ISO 27001 or can provide reports according to ISAE 3402, which are also renewed regularly. To ensure an effective implementation of an Information Security Management System (ISMS) all internal VIG IT entities are ISO 27001 certified.
Multi-layered security
In general, multi-layer security concepts (Defense in Depth) are used to protect data against a wide range of attack vectors and to reduce the probability of an attack being successful.
The outermost layer consists of the IT Security Group Guideline, which is binding for all companies of the Group and whose implementation is monitored by conducting compliance audits. The VIG IT Security Guideline is regularly reviewed and updated. Apart from the guideline VIG companies define additional local IT security measures that consider specific local requirements and legal provisions.
In addition to the basic protection of data centers and server rooms (physical security) by means of access control, alarm systems and monitoring systems, routers and firewalls are used in the outer network area (perimeter security), with very restrictively configured access rights to the layers below. Secured VPNs (Virtual Private Networks) allow controlled and protected access to internal IT systems by authorized persons outside the VIG network. Intrusion detection and intrusion prevention systems are also used to detect and prevent attacks at an early stage. In the internal area of the network, mutually secured network segments are formed for structuring, effective administration and control of access authorizations in order to have separate network segments in case of any cyber-attack attempt.
All servers, IT-devices and applications are protected by appropriate configuration of security-related parameters e.g.:
- Authorization for data and system access follows “need to know principle”
- Use of complex passwords
- Automatically activated screen lock after a defined time of user inactivity
- Filter systems for certain web pages and applications
- Virus scanners
- Regular software updates
- Regular data back-ups
- Data encryption
VIG Cyber Defense Center programme (CDC)
In line with the Group's very high security standards, a Group-wide Cyber Defence Centre programme has been initiated. VIG's Group-wide CDC aims to protect the Group's entire business and customer pool from the risk of cyberattacks and to increase VIG's security level.
Behind the VIG CDC is a team of IT security experts who protect the company by detecting, analysing, investigating and averting cyber threats using semi-automated processes and advanced technology. The IT systems in the VIG Group (such as networks, servers, end devices, applications and databases) are continuously monitored for signs of a cyber security incident. The CDC works around the clock to ensure a rapid response to any threats that arise.
The benefits of the VIG CDC for the Group are:
- Protection of the business and customers
- Joint action against a global cyber threat landscape
- Increased security maturity and ensured Group-wide trust
- Achievement of Group-wide regulatory security
VIG has established three competence centres for the Group in Austria, Poland and the Czech Republic, which will gradually provide services to the Group companies. This will ensure that VIG's capacity to recognise and prevent security incidents and problems is supported and strengthened, that resilience is increased by implementing new security solutions and that knowledge and best practices are shared across borders within the Group.
Another objective is to organise information events, awareness-raising campaigns for employees and customers and dissemination measures in the area of digital media. This will raise awareness of cyber security among a broad audience.
The programme under the Grant Agreement Nummer 101145844 is supported by the European Union.