In general, multi-layer security concepts (Defense in Depth) are used to protect data against a wide range of attack vectors and to reduce the probability of an attack being successful.
The outermost layer consists of the IT Security Group Guideline, which is binding for all companies of the Group and whose implementation is monitored by conducting compliance audits. The VIG IT Security Guideline is regularly reviewed and updated. Apart from the guideline, VIG companies define additional local IT security measures that take specific local requirements and legal provisions into account.
In addition to the basic protection of data centers and server rooms (physical security) by means of access control, alarm systems and monitoring systems, routers and firewalls are used in the outer network area (perimeter security), with very restrictively configured access rights to the layers below. Secured VPNs (Virtual Private Networks) allow controlled and protected access to internal IT systems by authorized persons outside the VIG network. Intrusion detection and intrusion prevention systems are also used to detect and prevent attacks at an early stage. In the internal area of the network, mutually secured network segments are formed to structure the network, to administer and control access authorizations effectively, and to keep network segments separate in the event of any attempted cyber-attack.
All servers, IT devices and applications are protected by appropriate configuration of security-related parameters, e.g.:
- Authorization for data and system access follows the “need-to-know” principle
- Use of complex passwords
- Automatically activated screen lock after a defined time of user inactivity
- Filter systems for certain web pages and applications
- Virus scanners
- Regular software updates
- Regular data backups
- Data encryption