Security for ESET LiveGuard Advanced
Introduction
The purpose of this document is to summarize the security practices and security controls applied within ESET LiveGuard Advanced. Security practices and controls are designed to protect customer information confidentiality, integrity, and availability. Note that security practices and controls may change.
Scope
The scope of this document is to summarize security practices and security controls for ESET LiveGuard Advanced infrastructure, organization, personnel, and operational processes. Security practices and controls include:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationship
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Security Concept
ESET, spol. s r.o. is ISO 27001:2013 certified, with an integrated management system scope that explicitly covers ESET LiveGuard Advanced services.
Therefore, the information security concept uses the ISO 27001 framework to implement a layered (defense-in-depth) security strategy, applying security controls at the network, operating system, database, application, personnel, and operating process layers. Applied security practices and security controls are intended to overlap and complement each other.
Security Practices and Controls
1. Information Security Policies
ESET uses information security policies to cover all aspects of the ISO 27001 standard, including information security governance and security controls and practices. Policies are reviewed annually and updated after significant change to ensure their continuing suitability, adequacy, and effectiveness.
ESET performs annual reviews of this policy and internal security checks to ensure consistency with this policy. Non-compliance with information security policies is subject to disciplinary actions for ESET employees or contractual penalties up to contract termination for suppliers.
2. Organization of Information Security
The organization of information security for ESET LiveGuard Advanced consists of multiple teams and individuals involved in information security and IT, including:
- ESET executive management
- ESET internal security teams
- Business applications IT teams
- Other supporting teams
Information security responsibilities are allocated in line with information security policies in place. Internal processes are identified and assessed for any risk of unauthorized or unintentional modification or misuse of ESET assets. Risky or sensitive activities of internal processes adopt the segregation of duties principle to mitigate the risk.
The ESET legal team is responsible for contacts with government authorities, including Slovak regulators on cybersecurity and personal data protection. The ESET Internal Security team is responsible for contacting special interest groups like ISACA. The ESET Research lab team is responsible for communication with other security companies and the greater cybersecurity community.
Information security is accounted for in project management using the applied project management framework from conception to project completion.
Remote work and telecommuting are covered by a policy implemented on mobile devices, which includes strong cryptographic protection of data on mobile devices while they travel through untrusted networks. Security controls on mobile devices are designed to work independently of ESET internal networks and internal systems.
3. Human Resource Security
ESET uses standard human resource practices, including policies designed to uphold information security. These practices cover the whole employee lifecycle, and they apply to all teams that access the ESET LiveGuard Advanced environment.
4. Asset Management
The ESET LiveGuard Advanced infrastructure is included in ESET asset inventories with strict ownership and rules applied according to asset type and sensitivity. ESET has an internal classification scheme defined. All ESET LiveGuard Advanced data and configurations are classified as confidential.
5. Access Control
ESET's Access Control policy governs every access in ESET LiveGuard Advanced. Access control is set at the infrastructure, network service, operating system, database, and application levels. Full user access management at the application level is autonomous.
ESET backend access is strictly limited to authorized individuals and roles. Standard ESET processes for user (de)registration, (de)provisioning, privilege management, and review of user access rights are used to manage ESET employee access to ESET LiveGuard Advanced infrastructure and networks.
Strong authentication is in place to protect access to all ESET LiveGuard Advanced data.
6. Cryptography
Strong cryptography (SSL/TLS) is in place to encrypt data in transit and thereby protect ESET LiveGuard Advanced data.
7. Physical and Environmental Security
ESET LiveGuard Advanced is cloud-based. ESET relies on a private cloud and the Microsoft Azure cloud. The physical location of the private cloud data center is exclusively in the European Union (EU). Microsoft Azure is not limited to the EU territory; however, it is only used to store one-way hashes created from submitted files without including personal data. Strong cryptography is in place to protect customer data during transport.
8. Operations Security
The ESET LiveGuard Advanced service is operated via automated means based on strict operational procedures and configuration templates. All changes, including configuration changes and new package deployment, are approved and tested in a dedicated testing environment before deployment to production. Development, test, and production environments are segregated from each other. ESET LiveGuard Advanced data is located only in the production environment.
The ESET LiveGuard Advanced environment is supervised using operational monitoring to swiftly identify problems and provide sufficient capacity to all services on the network and host levels.
All configuration data is stored in our regularly backed-up repositories to allow for automated recovery of an environment’s configuration. ESET LiveGuard Advanced data backups are stored both on-site and off-site.
Backups are encrypted and regularly tested for recoverability as a part of business continuity testing.
Auditing on systems is performed according to internal standards and guidelines. Logs and events from the infrastructure, operating system, database, application servers, and security controls are collected continuously. The logs are further processed by IT and internal security teams to identify operational and security anomalies and information security incidents.
ESET uses a general technical vulnerability management process to handle the occurrence of vulnerabilities in ESET infrastructure, including ESET LiveGuard Advanced and other ESET products. This process includes proactive vulnerability scanning and repeated penetration testing of infrastructure, products, and applications.
ESET maintains internal guidelines for the security of internal infrastructure, networks, operating systems, databases, application servers, and applications. Adherence to these guidelines is checked via technical compliance monitoring and our internal information security audit program.
9. Communications Security
The ESET LiveGuard Advanced environment is segmented via native cloud segmentation, with network access between segments limited to only the necessary services. The availability of network services is achieved via native cloud controls such as availability zones, load balancing, and redundancy. Dedicated load-balancing components are deployed to provide specific endpoints for routing to ESET LiveGuard Advanced instances; these components enforce traffic authorization as well as load balancing. Network traffic is continuously monitored for operational and security anomalies. Potential attacks can be resolved by using native cloud controls or deployed security solutions. All network communication is encrypted via generally available techniques, including IPsec and TLS.
10. System Acquisition, Development, and Maintenance
Development of ESET LiveGuard Advanced systems is performed in accordance with the ESET secure software development policy. Internal security teams are included in the ESET LiveGuard Advanced development project from the initial phase and oversee all development and maintenance activities. The internal security team defines security requirements and checks that they are fulfilled at the various stages of software development. The security of all services, including newly developed ones, is tested continuously after release.
11. Supplier relationship
Relevant supplier relationships are conducted according to the applicable ESET guidelines, which cover the whole of relationship management and the contractual requirements from the information security and privacy perspective. The quality and security of services provided by critical service providers are assessed regularly.
Furthermore, ESET applies the principle of portability to ESET LiveGuard Advanced to avoid supplier lock-in.
12. Information Security Incident Management
Information security incident management in ESET LiveGuard Advanced is performed similarly to other ESET infrastructures and relies on defined incident response procedures. Roles within incident response are defined and allocated across multiple teams, including IT, security, legal, human resources, public relations, and executive management. The incident response team for an incident is established based on incident triage by the internal security team, which then coordinates the other teams handling the incident. The internal security team is also responsible for evidence collection and lessons learned. Incident occurrence and resolution are communicated to affected parties. The ESET legal team is responsible for notifying regulatory bodies where required under the General Data Protection Regulation (GDPR) and the Cybersecurity Act transposing the Network and Information Security Directive (NIS).
13. Information Security Aspects of Business Continuity Management
Business continuity of the ESET LiveGuard Advanced service is built into the robust architecture used to maximize the availability of the provided services. Complete restoration from off-site backups and configuration data is possible in the event of a catastrophic failure of all redundant nodes of ESET LiveGuard Advanced components or of the ESET LiveGuard Advanced service. The restoration process is tested regularly.
14. Compliance
Compliance with the regulatory and contractual requirements applicable to ESET LiveGuard Advanced is regularly assessed and reviewed, similarly to other ESET infrastructure and processes, and necessary steps are taken to maintain compliance on a continuous basis. ESET is registered as a digital service provider for the cloud computing digital service, covering multiple ESET services, including ESET LiveGuard Advanced. Note that ESET compliance activities do not necessarily mean that the overall compliance requirements of customers are satisfied as such.