Security
Responsible partner for a secure future
HOUR, spol. s r.o., as a modern and forward-looking company, recognizes the need to ensure the continuous and uninterrupted operation of its business processes for the benefit of its employees, customers, partners and other stakeholders.
Top management has therefore appointed a Chief Information Security Officer (CISO) and implemented an Information Security and Cybersecurity Management System (ISMS) in accordance with:
- NIS2 Directive / Cybersecurity Act
- Cyber Resilience Act
- ISO/IEC 27001 Standard
- U3 Certification for Secure Government Cloud Services
- GDPR (General Data Protection Regulation)
Organization and management of security and risks

The Essential Service Operator (hereinafter the ESO or the Company) has defined the basic cybersecurity roles and responsibilities, which include at least: the cybersecurity manager (the person responsible for security), the incident manager, asset owners, the internal auditor, the change manager and the Company's data protection officer (DPO).

The Company regularly monitors applicable legislation and complies with:
- the ISO 27001 and ISO 9001 standards;
- the requirements placed on operators of essential services under the Slovak Cybersecurity Act;
- the requirements of the U3 government cloud;
- the relevant GDPR requirements.

The statutory body is demonstrably committed to meeting its cybersecurity obligations and has adopted a cybersecurity strategy. The Cybersecurity Manager has defined, and the Company has implemented, an internal control system for cybersecurity. It includes a review of security objectives derived from the Company's business objectives, an internal control and audit plan, and cyber resilience testing plans.

Risk management in the Company consists of:
- identifying the threats relevant to each asset;
- identifying and analysing the risks (probability and impact) to the asset;
- determining the risk owner;
- implementing organisational and technical security measures according to the identified risks and threats, including a record of which security measures are implemented and which are not, together with a justification;
- periodically reviewing the identified risks and updating the security measures accordingly.

The information and cybersecurity risk analysis for the relevant important and critical assets is carried out according to an agreed methodology at least once a year. The Cybersecurity Manager is responsible for regularly reviewing the risk treatment plan. The risk assessment analyses the relevant threats to assets and the relevant mitigation measures, and follows the methodology of the National Security Authority of the Slovak Republic.
Asset management, information classification and secure asset handling

We maintain an inventory and management process for information assets (end-user devices, including portable and mobile devices, network devices, and servers connected to the infrastructure physically, virtually, remotely or in cloud environments).

We enforce the use of authorised software only and have a process for detecting and removing illegal or unauthorised software.

The necessary primary assets (processes and information) and supporting information assets (hardware and software, applications, external services, mobile devices, workstations, servers, etc.) are rated on an agreed scale of 1 to 4 for confidentiality requirements (public, internal, protected, strictly protected) and for availability and integrity (low, medium, high, critical). Assets rated 3 or higher must undergo a risk analysis at least once a year.

Tools and processes for the secure destruction of data are in use. We use a mobile device management (MDM) solution for all relevant laptops and smartphones.

Secure configuration of information assets and software is in place, including the secure configuration of portable and mobile devices, of the operating systems on servers and workstations, and of the applications in use. Configurations are evaluated against secure configuration standards using tools such as OpenSCAP or CIS-CAT benchmarks, against vendor recommendations, or against the results of vulnerability scans (e.g. OpenVAS, Nessus). All manufacturer default passwords must be changed or the accounts deactivated.

Computers and laptops are kept secure through demonstrable patch management and a regularly updated antivirus program. Workstations are equipped with antivirus, an automatic screen lock that requires re-authentication, full-disk encryption, EDR and HIDS, web content filtering and a firewall.

Only approved storage media (USB sticks, external drives) may be used to transfer and store information.

We have developed, documented and implemented an encryption and cryptographic controls policy. The policy defines the encryption of data at rest and in transit, and also covers external storage media such as USB sticks and hard drives. The ESO uses only algorithms that are currently considered secure and reviews them regularly.

Electronic communication that exchanges the Company's internal, confidential or top secret information with external parties must not take place in plain text. We do not use protocols that lack secure encryption (such as Telnet, HTTP or unencrypted SMTP); secure encrypted protocols such as SFTP, IMAPS, SSH, HTTPS, SMTPS or other TLS-protected services must be used instead, or the files themselves (for example e-mail attachments) must be encrypted. The Company must not use outdated protocols or cryptographic algorithms that are not secure according to current standards (for example, TLS 1.0 is not used).

Our policy prohibits Authorised Persons from using private e-mail for work purposes or storing information on unauthorised Internet storage. E-mail attachments containing sensitive information must be encrypted. Passwords used for private purposes may not be reused for work purposes.
Identity and asset access management

The ESO has the following access control procedures in place:
- measures limiting electronic access to authorised personnel only;
- clear identification and verification of every employee with access to an asset;
- creation of strong passwords;
- secure password storage.

User accounts, including administrator and service accounts, are formally managed (creation of unique identifiers, approval and withdrawal of accounts and user rights). Passwords must be strong: at least 10 characters, with enforced use of uppercase letters, digits and special characters. Unused accounts are blocked: accounts are reviewed at least once a year and the review is recorded, accounts unused for more than 90 days are blocked, and brute-force attacks are blocked. Administrator accounts are kept separate from the accounts used for day-to-day work.

The principle of least privilege applies to users, with role-based access and access to information on a current need-to-know basis. Centralised identity management systems are used, and users and administrators are forced to change their default password immediately at first login. Identity is re-verified after a specified period of session inactivity.

User and device identity must be verified before access is granted. Multi-factor authentication (MFA) must be used for access to sensitive systems and administrative accounts where technically feasible. MFA must be enabled wherever possible and technically enforced wherever possible, so that users cannot bypass it.

Within the technical capabilities of the Company's security systems, access management is based on security conditions (identity, location, device type and risk profile), conditional access and device health checks, and zero-trust principles are enforced for network and/or application access. The Company uses Microsoft Intune and Fortinet ZTNA for this.

On termination of employment or of a business contract, employees demonstrably return all assets entrusted to them, and the return is recorded.

Access to the ESO's information and assets within the scope of the Agreement is permitted only from Company-managed facilities under the Company's control.

Remote access to information systems is possible only via a VPN connection or a ZTNA gateway.

The use of BYOD devices for privileged access is strictly prohibited. Two-factor authentication is required for privileged access where technically possible.

At the perimeter between the Company's networks and public networks, and at their interconnections, relevant next-generation firewalls (NGFW) are deployed, intrusion detection/prevention systems (IDS/IPS) are deployed between network layers and at the perimeter, and mechanisms for logging, monitoring and protecting the network perimeter and applications are in place. Only approved firewalls and systems that are configured and managed according to security best practices and standards are allowed.

Authorised persons of the ESO must use only their own credentials; they must not use another person's credentials or disclose their own to anyone. Group accounts, i.e. credentials shared by several people, are prohibited.

The Company has measures in place to temporarily isolate subnets, network components and devices when necessary. The Company regularly scans networks and equipment exposed to public networks to identify open or vulnerable points and to assess their security level.
Vulnerability management and protection against malicious code

All critical systems exposed to and reachable from the public network (the Internet), including applications, websites, servers, web application portals, network devices, user devices and the network perimeter, are regularly scanned for vulnerabilities. Security patches are applied in a timely manner, at the latest within one month of release.

Where possible we use automated patch deployment (operating systems, web browsers, MS Office and AV signatures) to increase efficiency and reduce human error.

The ESO has introduced protection for e-mail and web browsers: only fully supported e-mail clients and browsers are used, spam is filtered, and dangerous web content is filtered.

The e-mail server has anti-spoofing properly configured: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
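Whether SPF, DKIM and DMARC are "properly set up" can be checked mechanically from the published DNS records. The following is an added example, not part of the Company's page or tooling: it parses the three TXT records and reports the gaps an auditor looks for (a permissive SPF `all` qualifier, more than the ten DNS-querying terms RFC 7208 allows, a monitor-only DMARC policy, a revoked or missing DKIM key). The domains, selector and record contents are constructed sample data, not real DNS; in use, the same record names would be fetched with a DNS TXT lookup.

```python
"""Assess a domain's SPF, DKIM and DMARC records for common anti-spoofing gaps."""
import re
from typing import Dict, List, Mapping, Optional

# Constructed sample TXT records keyed by record name (not real DNS data).
# The DKIM p= value is a placeholder string, not a real public key.
SAMPLE_TXT_RECORDS: Dict[str, str] = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.test -all",
    "selector1._domainkey.example.test": "v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    # A weak configuration for comparison: open SPF, monitor-only DMARC, no DKIM key.
    "weak.test": "v=spf1 include:_spf.mailhost.test +all",
    "_dmarc.weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' syntax (DKIM and DMARC) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _spf_term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def assess_spf(record: Optional[str]) -> List[str]:
    if record is None:
        return ["SPF: no record, any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings: List[str] = []
    all_terms = [t for t in terms[1:] if _spf_term_name(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the Internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, unlisted senders are not rejected")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail only, enforcement depends on DMARC")
    lookups = sum(1 for t in terms[1:] if _spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def assess_dkim(record: Optional[str]) -> List[str]:
    if record is None:
        return ["DKIM: no key published at the selector, signatures cannot be verified"]
    tags = parse_tags(record)
    findings: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag, the key has been revoked")
    if tags.get("k", "rsa").lower() not in {"rsa", "ed25519"}:
        findings.append(f"DKIM: unsupported key type {tags['k']}")
    return findings


def assess_dmarc(record: Optional[str]) -> List[str]:
    if record is None:
        return ["DMARC: no record, SPF/DKIM failures are not enforced"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine, move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct}, the policy is not applied to all mail")
    return findings


def assess_domain(domain: str, txt: Mapping[str, str], selector: str) -> Dict[str, List[str]]:
    """Look up the three record names for `domain` in `txt`; empty lists mean no findings."""
    return {
        "spf": assess_spf(txt.get(domain)),
        "dkim": assess_dkim(txt.get(f"{selector}._domainkey.{domain}")),
        "dmarc": assess_dmarc(txt.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for name in ("example.test", "weak.test"):
        print(name, assess_domain(name, SAMPLE_TXT_RECORDS, "selector1"))
```

The lookup counter is the check most often missed: a domain that accumulates `include:` entries for several SaaS senders silently exceeds ten lookups, evaluators return permerror, and SPF stops protecting the domain even though every record "looks" correct.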

All devices, including servers and personal and business mobile devices, are equipped with EDR and HIDS, an up-to-date antivirus with advanced heuristic and behavioural detection (not only signatures), an enabled firewall, data loss prevention (DLP) and anti-malware tools, and active full-disk encryption.

Penetration tests are performed regularly, at least once every two years, by a certified company and cover at least the OWASP Top 10 vulnerabilities; the findings are remediated.
Monitoring, recording and reporting of events and incident management

All relevant audit, operational and security logs from all relevant information assets are collected and correlated in a central security information and event management (SIEM) system and analysed by Security Operations Centre (SOC) analysts. The SOC must report defined security events, anomalies and alerts directly to the IT department.

Logs are stored securely for at least 12 months, protected against unauthorised access and secured against tampering to keep them reliable. The Company operates a dedicated, centralised logging server, separate from the production environment in which the logs are generated, to protect log integrity and prevent unauthorised access.

Networks, information systems, software assets, devices and applications are monitored for anomalous behaviour, and appropriate, preferably automated, measures (SIEM) are used to evaluate cybersecurity events.

Predefined scenarios of potential security incidents and unwanted activity, detection rules, alerts and the SIEM classification and categorisation process are continuously checked, tuned (correcting false positives and false negatives) and updated (new IoCs and attack vectors) by the Security Operations Centre (SOC). SOC services are outsourced.
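To make one such detection rule concrete, here is an added example that is not the SOC's or the Company's own rule: it applies a brute-force rule to constructed OpenSSH log lines, counting failed logins per source address in a sliding window (the brute-force blocking mentioned under identity and access management), and additionally flags a successful login that follows a burst of failures, which is the event that actually matters to an incident responder. Hostnames, addresses, usernames, the window and the thresholds are all assumptions for the example.

```python
"""Brute-force login detection over SSH authentication log lines, in the style of a SIEM rule."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in OpenSSH's syslog wording; hosts, users and addresses are invented.
SAMPLE_LOG = """\
2024-05-01T10:00:01 srv1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-05-01T10:00:03 srv1 sshd[4021]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
2024-05-01T10:00:04 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-05-01T10:00:06 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 51241 ssh2
2024-05-01T10:00:08 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 51244 ssh2
2024-05-01T10:00:10 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 51249 ssh2
2024-05-01T10:00:12 srv1 sshd[4021]: Accepted password for root from 203.0.113.5 port 51250 ssh2
2024-05-01T10:05:00 srv1 sshd[4022]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-05-01T10:05:30 srv1 sshd[4022]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
2024-05-01T11:00:00 srv1 sshd[4023]: Failed password for bob from 192.0.2.9 port 40100 ssh2
2024-05-01T11:30:00 srv1 sshd[4023]: Failed password for bob from 192.0.2.9 port 40101 ssh2
2024-05-01T12:00:00 srv1 sshd[4023]: Failed password for bob from 192.0.2.9 port 40102 ssh2
2024-05-01T12:30:00 srv1 sshd[4023]: Failed password for bob from 192.0.2.9 port 40103 ssh2
2024-05-01T13:00:00 srv1 sshd[4023]: Failed password for bob from 192.0.2.9 port 40104 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class Alert:
    rule: str
    source_ip: str
    count: int            # failures in the window when the alert fired
    first_seen: datetime
    last_seen: datetime
    detail: str


def parse_line(line: str) -> Optional[Tuple[datetime, bool, str, str]]:
    """Return (timestamp, failed?, user, source ip), or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")  # timestamps assumed UTC
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def _purge(events: Deque[Tuple[datetime, str]], now: datetime, window: timedelta) -> None:
    """Drop failures that fell out of the sliding window."""
    while events and now - events[0][0] > window:
        events.popleft()


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(seconds=60),
           min_failures_before_success: int = 3) -> List[Alert]:
    """Single pass over chronologically ordered lines, as a SIEM would stream them."""
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()  # one brute_force alert per source per run, to avoid alert storms
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, failed, user, ip = event
        events = failures[ip]
        _purge(events, ts, window)
        if failed:
            events.append((ts, user))
            if len(events) >= threshold and ip not in alerted:
                alerted.add(ip)
                users = sorted({u for _, u in events})
                alerts.append(Alert("brute_force", ip, len(events), events[0][0], ts,
                                    f"{len(events)} failures within {window}, usernames {users}"))
        else:
            # A success right after a burst of failures is the high-priority case.
            if len(events) >= min_failures_before_success:
                alerts.append(Alert("success_after_failures", ip, len(events), events[0][0], ts,
                                    f"{user} logged in after {len(events)} failures"))
            events.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults, 203.0.113.5 raises a brute_force alert at the fifth failure and a success_after_failures alert two seconds later, while alice's single typo before a key-based login is below the three-failure floor and stays silent (that floor is exactly the false-positive tuning the paragraph refers to). The 192.0.2.9 attempts, one every 30 minutes, never reach five within 60 seconds and are missed; a second instance of the rule with a window of hours, e.g. `detect(lines, window=timedelta(hours=3))`, catches the low-and-slow variant at the cost of needing more state.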

The ESO has a formal incident management process. Monitoring mechanisms detect and identify security incidents early. Plans for known incident types are maintained, describing the procedures for detecting, responding to, mitigating and recovering from incidents.
Business continuity and disaster recovery management

The Company has a documented and agreed Backup Plan to prevent unacceptable loss of data and systems and to ensure that data and systems are restored within acceptable timeframes according to the business continuity strategy. Data is backed up regularly and the ability to restore from backup is tested.

Backups are stored in logically, physically and geographically separate locations.

We test continuity and disaster recovery plans so that assets and activities are not compromised even in unexpected or emergency situations (Recovery Point Objective (RPO) = 4 hours, Recovery Time Objective (RTO) = 24 hours).

Critical and important business processes and the assets they require (business impact analysis, BIA), the minimum acceptable service levels, acceptable recovery targets (RTO and RPO) and disaster scenarios are identified. Recovery strategies and resources are developed to meet the acceptable recovery times and points, and are included in the recovery plans for the activities related to the subject matter of the Contract.

The network, information system and application infrastructure is built with sufficient redundancy.

We prepare, maintain and regularly test BCP/DR plans that keep all critical services related to the subject of the Agreement available in an emergency or disaster and meet the minimum required service level.
Human resources security and capability

Authorised persons with access to data and systems are trained in information and cybersecurity policies. The training also covers information protection and the protection of home workplaces. Depending on their role, employees receive regular training in GDPR, information security, secure programming and the acceptable use of assets.

We have processes and specific provisions in place for adequate background checks.

Employment contracts and other engagement contracts specify cybersecurity responsibilities, a formal disciplinary process and a duty of confidentiality that continues after the employment relationship or contract ends.

Authorised persons are demonstrably familiar with the acceptable use policy.
Change management

The ESO has and follows a formal process for managing, planning and approving changes, including an assessment of the security risk of any change that may affect cybersecurity and, where needed, testing of the change. Change management covers all changes to the organisation's information systems, infrastructure, applications and processes that could affect their availability, integrity or security.

Before a new information system or third-party application is approved for use, the Company must agree, set and assess the minimum security requirements it has defined. Where necessary, a risk assessment is carried out under the Company's change management and risk management processes. Exceptions and missing measures must be assessed for security risk and reported to the Cybersecurity Manager.

We ensure that no single person can carry out a complete set of dangerous operations, at both the organisational and technical level (segregation of duties, the four-eyes principle, separation of authority, separation of control and executive functions).
Physical security

The ESO has secured areas in which information assets are located; measures for protecting secured areas and security rules for the different levels of secured areas are established, documented, implemented and followed. Only workers whose duties require access to a specific secured area (a building, specific offices, the server room, the data centre, the document archive) have access to it.

Critical systems are placed in a secure room with stronger security measures. Access to the secure room is controlled and monitored. Measures include double locks, a camera system, an alarm, a visitor log and, where necessary, air conditioning, fire extinguishers or fire sensors, and UPS equipment. Those parts of the network and information system that require continuous operation are protected against power outages so that an outage does not interrupt them.

Clean desk rules for paper documents and portable storage media are defined and enforced, as is the visitor policy for the Company building (escort by a responsible Company employee, and continuous presence of an authorised person in a protected area whenever unauthorised persons are in it).

The premises where services are provided are secured against unauthorised entry and against damage, theft or misuse of assets.
Security requirements for network services

The ESO has documented security configuration standards for all authorised network devices, including all configuration rules that allow data to flow through the network.

Network segregation (VLANs) is in place within the network.

The ESO uses a web application firewall (WAF) for web applications.

The ESO has a procedure for responding to security breaches and to unusual or suspicious events and incidents in order to limit further damage to information systems.

Network security checks and relevant security updates (such as firewall policies and the network device security standard) are applied regularly.

The network service provider must inform the ESO of any configuration or settings changes that are security-relevant or affect security (changes to the configuration of network security controls are subject to the formal change management process).

The network service provider must have adequate protection mechanisms in its networks to control and prevent unauthorised access to network equipment, allow access only to authorised users and devices, and configure network devices securely.

We use the Advanced Encryption Standard (AES) to encrypt wireless data in transit and use protocols that verify the security of the wireless network.

Network devices are time-synchronised with a correct source via the Network Time Protocol (NTP).
Security requirements for IaaS cloud service providers

Our contracts make the Contractor responsible for the physical security of the infrastructure, including but not limited to the choice of location of the equipment room, power supply, cooling, and protection against fire, water, electric shock and theft.

Our contracts require the Supplier to implement physical security mechanisms such as card access, fencing, walls, barriers, a reception desk, a camera system and a security service, as well as environmental controls such as HVAC, fire suppression and security alarms.

Our contracts make the Supplier responsible for the security and lifecycle of computing, storage and network hardware.

Our contracts require the ESO's permission before any hardware, software or data is moved to external premises.

Our contracts require the Supplier to establish policies and procedures for the secure disposal of equipment (by asset type) used outside the organisation's premises. This includes a data erasure program or a disposal process that makes the information unrecoverable. Erasure consists of completely overwriting the disk, so that the erased disk can be returned to inventory for reuse and redeployment, or stored securely until it can be disposed of.

Our contracts require that entry to and exit from secure areas be restricted and monitored by physical access control mechanisms so that only authorised persons have access.

Our contracts require Suppliers to ensure that their tools or services for assessing security vulnerabilities are adapted to the virtualisation technologies in use.

Our agreement requires the Vendor to design and configure network environments and virtual instances to restrict and monitor traffic between trusted and untrusted connections. These configurations must be reviewed at least annually and supported by a documented business justification for every permitted service, protocol and port and for any compensating controls.

Our contracts require that multi-tenant applications and infrastructure, system and network components (physical and virtual) owned or managed by the provider be designed, developed, deployed and configured so that the provider's and each customer's (tenant's) access is appropriately separated from other tenants.

Our contracts require that access to all hypervisor management functions and administrative consoles of systems hosting virtualisation be restricted to personnel on a least-privilege basis and supported by technical controls (e.g. two-factor authentication, audit trail logging, IP address filtering, firewalls, and TLS-encapsulated communication with administrative consoles).

Our contracts require the Supplier to have processes and tools for presenting evidence in support of potential legal action under the relevant jurisdiction. Proper forensic procedures, including chain of custody, are required after an information security incident. Upon notification, customers and/or other third-party business partners affected by a security breach are given the opportunity to participate in the forensic investigation to the extent permitted by law.

Our contracts make the Contractor responsible for developing and exercising service continuity and disaster recovery plans for the infrastructure. Backups are checked at least once a week, and full backups are retained with a 7-day archive. The data centres have backup power generators.
Security requirements for suppliers of products and services

We have defined and implemented processes and procedures for managing the risks associated with the use of third-party products, processes and services.

We have a contract with every third party that has significant influence; each contract is preceded by a risk analysis, and supplier contracts specify security requirements and our right to audit.

We regularly evaluate the delivery of third-party services and test suppliers' incident response and the level of service they provide.

A supplier who is also a personal data processor under the GDPR has concluded a data processing agreement with us for the protection of personal data.
Secure application development and security

The Company's secure development lifecycle (SDLC) framework ensures the security of internally developed applications, of the source code, of coding practices, and of the development environments and devices used during application development.

During development and before deployment to production, source code integrity checks and source code vulnerability tests (static code analysis) must be performed, including scanning third-party code and libraries for vulnerabilities. Every application the Company develops for customers is penetration-tested before its first deployment and thereafter at least once every two years.

Communication between the application server and the client's web browser uses HTTPS (TLS 1.2 or 1.3, encryption in transit).
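The TLS requirements on this page (no plain-text protocols, no TLS 1.0, TLS 1.2 or 1.3 for the application) can be enforced and checked in code rather than trusted. The following is an added example, not code from the Hour application: a client-side `ssl.SSLContext` pinned to TLS 1.2 and above with peer verification, a deliberately weak context of the kind the policy forbids, and an audit function that reports how a given context violates the policy. Cipher choice and the audit's rules are this example's assumptions, not a setting taken from the page.

```python
"""Build a TLS client context that meets the policy above and audit contexts against it."""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2+ only, peer certificate and hostname always verified."""
    ctx = ssl.create_default_context()             # system CA store, CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression enables CRIME-style attacks
    # TLS 1.2 limited to forward-secret AEAD suites; TLS 1.3 suites are fixed by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context the policy forbids, built only so audit_context can be shown catching it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE    # accepts any certificate: trivially interceptable
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # re-enables TLS 1.0 where OpenSSL still has it
    except ValueError:
        pass  # OpenSSL builds compiled without TLS 1.0 reject the setting; that is fine here
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways `ctx` violates the policy; an empty list means it passes."""
    findings: List[str] = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) means "whatever OpenSSL allows" and fails too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version is below 1.2 or not pinned")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the hostname")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:", audit_context(weak_client_context()))
```

The same `audit_context` can be pointed at contexts created by libraries or frameworks in use, which is where TLS 1.0 or disabled verification usually survives unnoticed; the `try`/`except` around re-enabling TLS 1.0 exists because some OpenSSL builds refuse the setting outright, and on those builds the weak context will show only the two certificate findings.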

Web applications are protected by a WAF.

The SQL database can be encrypted at the client's request.

Application login passwords are stored hashed and salted.

At the client's request, multi-factor authentication (username and password plus a second factor delivered by e-mail) can be enabled for access to the Hour application, and SSO can be configured (currently only with Entra ID).

Users are automatically logged out of the Hour application after a set time.

Development, test and production environments are separately segregated and maintained.