Security Policy
Introduction
Purpose of the Document
The purpose of this document is to summarize the technical, organizational, and physical controls and security practices applied within ESET infrastructure, which includes the ESET portfolio, i.e. products, applications, solutions and ESET services (hereinafter referred to as Product). Security measures, controls and policies are designed to protect
•ESET portfolio operation and data processing in the on-premises or cloud environments
•confidentiality, integrity, and availability of the customer data
•customer information from unlawful destruction, loss, alteration, unauthorized disclosure or access
ESET may update this document and the specific measures, controls and policies that govern them to meet evolving threats and adapt to developing security technology and industry standards.
Audience
This document should be read by anyone who requires assurance in the area of Security of the ESET portfolio, or the Customer who intends to use the ESET solutions or services via integration to their environment.
Context, concept and scope
ESET, spol. s r.o. is ISO 27001:2022 certified with an integrated management system.
Therefore, the concept of information security management uses the ISO 27001 framework to implement a layered defense security strategy, applying security controls on every layer of the information system architecture stack, e.g. network, operating systems, databases, applications, personnel, and operating processes. Applied security practices and security controls are intended to overlap and complement each other.
The scope of this document is to summarize technical and organizational measures implemented for ESET portfolio; organization, personnel, and operational processes.
Security practices and controls include governance and technical measures, including, but not limited to:
•Information security policies
•Organization of information security
•Human resource security
•Access control
•Cryptography
•Physical and environmental security
•Data protection, Network security, Application security
•Operational security
•Communications security
•System acquisition, development, and maintenance
•Supplier relationship
•Information security incident management
•Information security aspects of business continuity management
•Compliance
Abbreviations
| Abbreviation / Term | Full term |
|---|---|
| Company | ESET, spol. s r.o. |
| CSP | Cloud Service Provider |
| DR | Disaster recovery |
| ESET | ESET, spol. s r.o. |
| GDPR | General Data Protection Regulation |
| ICT | Information and Communication Technologies |
| IR | Incident Response |
| IS | Information Security |
| ISMS | Information Security Management System |
| IT | Information Technology |
| NIS | Cybersecurity Act transposing Network and Information Security Directive |
| PKI | Public Key Infrastructure |
| Product | ESET portfolio – i.e. products, applications, cloud platforms, solutions, and ESET services on top of them |
| SIEM | Security Information and Event Management |
| SSDLC | Secure Software Development Lifecycle |
| QMS | Quality Management System |
Note: Italic script is used for names of referenced internal Company documents that are not available to the public audience, for example, Policy on Internal Regulation.
Security Governance
Information security management program
ESET has established and maintains a framework for its Information security management program as a cross-organizational function guiding the protection of information assets. Information security documentation is governed by security policies, processes, and documentation via the Policy on Internal Regulations. ESET adopted the Integrated Management System Policy, which serves as the top-level
•ISMS policy,
•QMS policy and
•Information Security Policy.
ESET adheres to its Policy on Integrated Management System, defining the framework for quality and information security management. This policy is owned by the Chief Information Security Officer (CISO) for ESET and represents the top-level management commitment to security and quality. It defines responsibilities for the management and assurance of these domains and outlines ESET’s commitment to continuously evaluate and improve the effectiveness of its management system in compliance with ISO 9001 and ISO 27001 standards.
Corporate policies are documented, maintained, and reviewed annually, and updated after significant changes to ensure their continuing suitability, adequacy, and effectiveness. Updates are communicated to internal personnel, where policies are available to all employees. Policies are formally adopted, signed by the CEO, published, and communicated to all employees and relevant parties. Policies are formally acknowledged by ESET employees upon onboarding.
In addition to policies, ESET's Information Security and Technical Security teams have designed processes, procedures, standards, and configuration baselines based on industry and vendor security best practices (e.g., CIS benchmarks, OWASP, NIST). These are provided to IT and Technology teams to ensure secure development, configuration, and operation of ESET information systems and products.
ESET maintains interconnected governance documentation, which is designed and made available to all personnel in accordance with ESET's certifications for ISO 9001 and ISO 27001. Operating procedures are tailored to meet the specific needs of each team, managed within designated workspaces, and updated as required.
Policy compliance monitoring and disciplinary procedures are in place to address and remediate any non-compliance with security policies, reinforcing ESET's commitment to accountability and continuous improvement.
To ensure ongoing compliance and effectiveness, ESET has implemented a risk management framework, maintaining technical and organizational controls. ESET's risk management process involves a comprehensive assessment and management of risks within its Integrated Management System (based on ISO 9001 and ISO 27001). This includes evaluating assets, identifying security requirements, calculating risks, and selecting appropriate mitigation strategies. The Chief Information Security Officer (CISO) oversees the overall risk management process, ensuring regular reporting of security risks and related metrics to executive management. Additionally, third-party risk management is rigorously enforced through vendor assessments, following ESET's Contract Security Standard.
Compliance with Industry Standards
External validation and accreditation are critically important to organizations that rely on ESET's capabilities and technology to secure their data and comply with regulatory requirements. For details refer to ESET's certifications page.
Compliance monitoring
The Integrated Management System Policy establishes the integrated management system, including regular reviews and audits.
Internal audits regularly review adherence to ESET's policies and processes as outlined in the Policy on Internal Audit. The Policy on Internal Regulations stipulates the responsibility for regular monitoring of the application of internal regulations and relevant adjustments, if needed.
Regular reviews and internal and external audits are conducted in line with an annual and three-year long-term audit plan. Internal audits are performed by independent auditors who regularly review the adherence to ESET's policies and processes or applicable standards (for example, ISO 9001, ISO 27001 and SOC2), depending on the audit scope. Internal audits are planned and performed at least annually. Audit findings are collected and recorded in a dedicated ticketing system, with respective owners assigned, who are responsible for addressing and resolving the non-conformities within a pre-defined timeframe. Audit findings that require management oversight and decisions are reviewed at regular management review meetings.
Organization of Information Security
Information security responsibilities are allocated in line with the information security policies in place. Internal processes are identified and assessed for any risk of unauthorized or unintentional modification or misuse of ESET information assets. Risky or sensitive activities of internal processes adopt the security best practices principle to mitigate the risk.
Information security is accounted for in project management using the applied project management framework from conception to project completion.
Remote work and telecommuting are covered through the use of a policy implemented on mobile devices, which includes the use of strong cryptographic data protection when traveling through untrusted networks. Security controls on mobile devices are designed to work independently of ESET internal networks and internal systems.
Human Resource Security
ESET uses standard human resource practices, including policies designed to uphold information security. These practices cover the entire employee lifecycle, and they apply to all employees.
ESET requires its personnel to undergo background verification and screening during onboarding; to sign a nondisclosure or confidentiality agreement as part of the employment contract, which obligates them to follow internal security policies and standards and to protect ESET confidential information and customer data; and to complete information security awareness training during onboarding as part of ESET's compliance and awareness program.
Technical measures
Identity and Access Management
ESET's Policy on Access Management governs all access to ESET infrastructure. Access control processes for granting, revoking, changing and reviewing access rights are applied at all infrastructure, technology, application and tool levels. User access management on the application level is fully autonomous. Single sign-on is governed by a central identity provider, which ensures that a user can access only the environments or applications they are authorized for.
User and access management, processes and technical measures for user access deprovisioning, user access provisioning, review, removal and adjustment of access rights are used to manage ESET employee access to ESET infrastructure and networks in line with security standards, which include, but are not limited to:
•Access provisioning based on least privilege "need to know" basis
•Regular review of user access
•Termination of user access in line with security policy
•Assignment of the unique account to everyone
•Logging of user access attempts, review, and monitoring
•Physical access logging and review
•Implementation of multi-factor authentication for high-privileged and admin access
•Timeout enforcement for interactive sessions after specified period of inactivity
Data Protection
Data Encryption
ESET protects data in its infrastructure; strong cryptography is used to encrypt data at rest (including portable devices) and in transit. Implementation of cryptography follows rules defined by internal Cryptography standard. Customer data is retained in accordance with relevant regulations e.g. GDPR, NIS2 directive or industry and finance regulations.
Measures in place:
•Generally trusted certificate authority is used to issue certificates for public web services
•Internal ESET PKI is used to manage keys within ESET infrastructure
•CSP platform native encryption is enabled to ensure data at-rest protection for relevant parts of the data processing or data persistence in the cloud environment (data storages, backups)
•Strong cryptography (e.g. TLS) is in place to encrypt data in transit
Data Backup and Recovery
Backups are governed by the Policy on Information Security in the Operation of Information and Communication Technologies.
All ESET portfolio configuration and deployment data are stored in ESET's protected and regularly backed-up repositories to allow for automated recovery of an environment configuration. A regular disaster recovery testing process is used to verify that configuration backups can be restored within the timeframes expected by the business.
ESET customer data is regularly backed up according to industry standards and regulations, high-availability operation and contractual recoverability requirements. Backups are protected against tampering, and backup validity is regularly tested through disaster recovery exercises.
Network Security
Network segmentation is applied throughout the entire ESET network environment. Networks are segregated based on defined criteria and enforced by using VLANs on firewalls.
ESET utilizes a variety of boundary protection systems, including L7 firewalls, intrusion detection systems and intrusion prevention systems. These systems are configured and maintained to protect external access points, ensuring that any unauthorized attempts to access the network are detected and prevented.
Remote access to internal assets is provided via user or site-to-site VPN with roles and responsibilities, security requirements, and controls stipulated in ESET internal policies, and configured in compliance with security industry standards. VPN user accounts are maintained within Active Directory and are part of the employee account provisioning process.
ESET implements and maintains network security controls to protect data that is processed, received or stored in the cloud environment. CSP accounts and the underlying infrastructure use network access control lists and security groups within the CSP's virtual network to limit access to all provisioned resources. Access to cloud resources is only via encrypted channels.
Hardening
ESET applies a system hardening process to reduce exposure to attacks. This involves the following techniques and best practices:
•having a signed gold image that is being used to install or deploy host or container
•turning off unnecessary services
•automatic planned patching, and ad hoc patching of critical components in case of high risk
•operating system upgrades before the system reaches its End of Life
•configuring security settings
•automation of Infrastructure and application management in a repeatable and consistent manner
•removing unnecessary software
•restricting access to local resources
•host-based controls such as antivirus, endpoint detection and response, and network policies
ESET uses a centralized approach for applying and verifying hardening to components of IT environments aimed at minimizing the attack surface, which is the sum of all potential entry points that attackers could exploit. For details, refer to the following part of this document.
Application Security
Secure Development Practices
ESET implements secure software development practices through its Policy on Security in Software Development Lifecycle (SSDLC), which integrates security controls and risk management throughout all stages of development.
The SSDLC policy defines requirements for:
•Code is written following secure coding guidelines and reviewed before merging
•Threat modeling and design reviews are performed for new features and major changes
•Automated security checks (static analysis, dependency scanning and selected dynamic tests) run as part of CI/CD pipelines
•Third-party and open-source components are tracked and kept up-to-date; an SBOM is maintained for all released products
•Findings from incidents, penetration tests and bug bounty reports are reviewed and fed back into the development process
The goal of the SSDLC policy is to ensure that all ESET software Products are secure, reliable and compliant with applicable standards and regulations.
Product Vulnerability Management
ESET maintains a defined process for identifying, assessing and addressing vulnerabilities in its applications and Products throughout their lifecycle.
The process covers both internally discovered issues and reports from external sources.
As part of Product vulnerability management, ESET:
•Uses automated scan tools to scan source code, dependencies and build artifacts for known vulnerabilities
•Reviews findings manually to confirm impact and relevance before assigning remediation
•Tracks and prioritizes fixes based on severity, exploitability and product exposure
•Performs targeted security testing and retesting to verify remediation
•Integrates vulnerability data into development and release planning, so that critical issues are addressed before shipment
•Accepts and handles external reports through coordinated disclosure and a public bug bounty program
•Assigns CVE identifiers for confirmed product vulnerabilities as part of its role as a CVE Numbering Authority (CNA)
•Applies patches and fixes based on vulnerability severity and business impact, following a structured triage process
  ◦ The triage process aligns with ISO/IEC 30111 (vulnerability handling) and ISO/IEC 29147 (vulnerability disclosure)
  ◦ CVSS scoring and external intelligence sources such as CISA's Known Exploited Vulnerabilities (KEV) catalog are used to guide prioritization
  ◦ Final remediation decisions are made collaboratively by the responsible Product and security teams
These processes ensure that vulnerabilities are managed in a consistent, transparent and traceable way across all ESET Products.
Penetration Testing
ESET performs regular penetration testing of its Products as part of the overall product security assurance process – within our own Penetration Testing Program. Testing is carried out before major releases and at planned intervals for maintained Products.
Penetration testing at ESET focuses on:
•Verifying that implemented security controls and mitigations are effective
•Identifying potential vulnerabilities that automated tools may not detect
•Validating the results of previous remediation efforts
•Assessing the overall attack surface and risk exposure of released Products
Tests are performed in isolated environments by qualified internal specialists or trusted external partners using recognized industry methodologies (OWASP WSTG / MSTG, NIST SP 800-115, PTES).
Findings are documented, rated, and tracked through the same vulnerability management process used for internally and externally reported issues.
Penetration testing results feed directly into Product improvement plans and the SSDLC, helping ensure that lessons learned are captured and recurring weaknesses are reduced over time.
Operational Security
Information Security Policy in the Operations of ICT
Policy on Information Security in the Operation of ICT within the Company establishes fundamental security rules related to the operation of ICT in accordance with the ISO 27001 standard.
Information Security Policy in the Operation of ICT defines security requirements for IT-operational processes and their documentation, including operational procedures, change management, separation of roles and responsibilities, separation of production, test and development environments, third-party IT services, performance planning, IT projects, malware protections, backup, network security, media security, e-commerce requirements and monitoring.
Logging and Auditing
Logging and auditing on a system is performed according to internal standards and guidelines (Policy on Security Monitoring and Security Incident Management).
Logs and events from the infrastructure, operating systems, databases, application servers, and security controls are collected continuously. ESET utilizes a central log management platform (SIEM) to protect relevant logs from unauthorized modification or destruction. The logs are further processed by IT and internal security teams to identify operational and security anomalies and information security incidents. Data in the SIEM is retained for the time required by regulations and for retrospective threat hunting.
Security Monitoring and Incident Response
Security monitoring and management of security incidents is defined by the Policy on Security Monitoring and Security Incident Management.
The policy outlines
•responsibilities and rules for development, proper configuration, protection, storage, analysis, evaluation and retention of security logging and auditing
•process, roles and responsibilities for security incident management
•preventing security incidents
•minimizing the impact of security incidents
•learning from security incidents
•educating employees about monitoring activities, their scope and the role of employees in monitoring and incident response
An established Security Operations Center (SOC), operating 24x7, is empowered to continuously monitor the security status of IT infrastructure and applications and respond to security incidents.
Information security incident management in ESET relies on the defined Incident Response Procedure. Roles within incident response are defined and allocated across multiple teams, including IT, security, legal, human resources, public relations, and executive management. Standard incidents are handled by the SOC team. For more significant security incidents, the Command Center is informed. The Command Center, in cooperation with the SOC team, coordinates incident response and engages other teams to handle the incident. The SOC team, supported by responsible members of the internal security team, is also responsible for evidence collection and lessons learned. Incident occurrence and resolution are communicated to affected parties, including customers and partners. The ESET legal team is responsible for notifying regulatory bodies if needed, according to the General Data Protection Regulation (GDPR) and the Cybersecurity Act transposing the Network and Information Security Directive (NIS2).
Patch Management
Patch Management is used as one of several mitigation activities to remediate vulnerabilities.
Security patches are evaluated and applied based on the severity and risk of identified vulnerabilities.
A defined triage and prioritization process determines patch deployment order and timelines. This process follows ESET's internal guidelines aligned with ISO/IEC 30111. CVSS scoring and external threat intelligence sources, such as CISA's Known Exploited Vulnerabilities (KEV) catalog, support risk-based decisions and prioritization.
All patches are verified in controlled environments before deployment to production to ensure that they resolve the target issue without negatively impacting system stability or compatibility.
Deployment follows established change management procedures that ensure traceability, accountability and rollback capability when required.
Patch activities are continuously monitored and reviewed to confirm effectiveness, identify outdated systems and drive ongoing process improvements.
The Application Logging Guideline specifies technical measures and requirements governing logging for all applications developed by ESET.
Malware and Threat Protection
Protection against malware (by antivirus software and EDR) is stipulated in the Policy on Information Security in the Operation of Information and Communication Technologies. Employees are required to report immediately any suspicion of a malware infection to SOC as outlined in the Policy on information security for ESET employees.
Requirements for employee endpoints are outlined in the Security Standard for Workstations.
ESET utilizes its own anti-malware tools enriched by verified third-party solutions to protect endpoints and cloud workloads.
The SOC team performs threat hunting activities based on the Policy on Security Monitoring and Security Incident Management. Threat data feeds are ingested into the SIEM, which automatically processes them into threat intelligence that is applied to events in security monitoring.
Technical compliance
The Internal Security team provides and maintains various technical security standards for infrastructure, cloud, web-related components, and best practices for developers and IT administrators to follow. Based on technical standards, the Internal Security team prepares configuration baseline files that are utilized by IT teams for automation of deployment and enforcement of secure configurations.
Additionally, compliance scans are performed via a vulnerability assessment tool where feasible. ESET has an established Penetration Testing Program, and ESET-developed products, applications, and services are subject to regular penetration testing based on the program plan. All findings are documented and reported to Product stakeholders to ensure they are mitigated as soon as possible.
Physical Security
The Policy on Physical Security and related physical security standards define the rules for physical security around office premises and data centers. This policy stipulates rules and procedures for:
•protection of the premises of ESET
•physical access control
•offices, rooms and buildings security
•work in secure areas
•security of equipment, cabling and infrastructure
Data Center Security
IT infrastructure components are physically located within multiple data centers; therefore, redundancy is achieved within each region.
The physical security perimeter is defined in the Policy on Physical Security and the related security standards for office premises and data centers (Physical security standard for data centers). ESET has defined rules for setting out a security perimeter and the controls to be applied on it. Key controls, including physical security zoning and segregation, access and visitor management, fire and flood prevention, and CCTV and manned surveillance, are clearly defined, implemented, and continuously monitored. Data center security is regularly reviewed by responsible personnel and external auditors.
ESET relies on the CSPs' physical security measures and controls and therefore regularly reviews the corresponding CSP compliance reports.
Physical Access Controls
The physical entry controls are set out in the Policy on Physical Security and related security standards for office premises and data centers. Premises are divided into protected zones with specific access controls.
Authentication is managed in line with security best practices by using keys, ID/access cards and PINs.
Physical access monitoring and unauthorized access prevention/detection are implemented. All entries are monitored by CCTV with a logged record. The perimeter is also monitored by motion or glass-break sensors, covering low-resistance walls (e.g. glass or drywall), fire exits, and windows.
Business Continuity and Disaster Recovery
ESET maintains, regularly reviews, evaluates and implements improvements to its business continuity management system in accordance with the Policy on Business Continuity Management in line with ISO 22301.
ESET has established the BCM Program, which prioritizes all activities within the Company and undergoes CISO approval according to BCM Policy. BCM Program defines operational activities and activities to mitigate BCM-related risks, e.g., via redundancies or replication of functions and IT infrastructure.
Business Impact Analyses (BIA) with defined business continuity objectives (RTO, RPO, MTD, recovery priorities) are being prepared and reviewed. Disaster recovery plans (DRP) are reviewed and tested according to BCM Program. Business Continuity strategy determines the approach to maintain critical business assets. All outputs from regular business continuity activities serve as an input for continual improvements.
Third-Party Risk Management
Monitoring and review of supplier services is governed by the Policy on Information Security in Supplier Relationships. Reviews are performed on a quarterly basis, and results are stored in Supplier evaluation.