MVM GROUP CYBERSECURITY PRINCIPLES
A central directive sets out the minimum requirements that all companies within the MVM Group (hereinafter: Companies) must meet in order to establish, operate effectively, control and develop a unified framework for their information security, business continuity and crisis management regulations.
1. Legislation monitoring
Companies are required to monitor legislative changes and ensure compliance with applicable laws. The central Information Security and Crisis Management Department draws attention to the following two laws:
• Companies that fall within the scope of Act LXXXIV of 2024 on the resilience of critical entities (hereinafter: Kszetv.) must comply with it, and must notify the central Information Security and Crisis Management Department that they are affected by the Act.
• Companies that fall within the scope of Act LXIX of 2024 on the cybersecurity of Hungary (hereinafter: Cybersecurity Act) must comply with it, and must notify the central Information Security and Crisis Management Department that they are affected by the Act.
2. Information security
2.1. Documents, roles
Companies must have at least the following documents and roles to regulate and operate information security activities.
a) Information security regulations,
b) Information security policy,
c) Information security strategy,
d) Data asset inventory, data classification,
e) Electronic Information Systems (hereinafter: EIS) registry,
f) EIS security classification,
g) Information security risk assessments, determination of risk-proportionate protective measures,
h) Information security officer (hereinafter: ISO).
Companies must clearly define roles and responsibilities related to information security, as well as those responsible for the following information security-related topics:
• Providing executive-level support, funding, and resources,
• Internal and external communication,
• Developing security awareness among employees,
• Maintaining contact with the affected member companies in the event of a domino effect,
• Cooperation with the authorities in the event of designation by an authority.
2.2. Topics to be regulated
Companies must regulate at least the following topics in their policies and designate responsible persons for them:
Information security system
• Designing the information security system and defining its goals and objectives. (Identifying information and information systems, assessing risks, introducing risk-proportionate protective measures and developing processes, as well as managing them effectively.)
• Developing the regulatory environment that forms the basis for the operation of the information security system.
Classification of the company into an information security category
• Fulfilling the tasks and requirements commensurate with the company's information security category. (Completing and submitting the classification questionnaire, then consistently and professionally fulfilling the related requirements once the required level of protection has been established.)
Information security organization
• Defining group-level and company-level actors and contributors.
• Appointing an information security officer.
Protection of electronic information systems
• Throughout the entire life cycle of electronic information systems, the following must be implemented and ensured:
a) the confidentiality, integrity, and availability of data and information processed in electronic information systems and services provided by or accessible through electronic information systems, and
b) closed, comprehensive, continuous, and risk-proportionate protection of the integrity and availability of the components of electronic information systems.
• The organization exercising supervision over the electronic information system, the data controller or the data processor must also protect, for the given purpose:
a) the tools used to manage data and information, including the environmental infrastructure, hardware, network and data carriers,
b) the procedures used to manage data and information, including regulations, software and related processes, and
c) the persons who manage and operate the items referred to in points a) and b).
Protection of information
• Assessment of data assets, determination of necessary protective measures.
• Data classification. (Security classification of data and information managed by the Companies in the electronic information system in terms of confidentiality, integrity, and availability.)
• Identifying and managing risks, identifying related resources.
• Identifying which data assets constitute personal data (under the GDPR).
Access management, authorization management
• In order to protect the data processed and stored, authorization management must be ensured in all IT systems used, which must be regulated in a documented manner.
• Documented management of technical user accounts (non-personal accounts used by systems and services).
Organizational and personal security
• Information security requirements for employee access (authorization requests, employee responsibility, access awareness training).
• Termination of employment, including transfer to another member company (conflict of interest, authorization management, correspondence, archiving, involvement in security incidents, asset management).
• Security awareness training (aligned with the annual Central Security Awareness Program, with additional specific content as needed).
• Regulation and enforcement of sanctions applicable to employees.
Physical security regulations
• Security zones and applicable requirements.
• Tools used and information security requirements (access control system, locks, mechanical protection, camera surveillance system, alarm system).
Document management procedures
• Security classification of documents, handling of classified data.
• Document management (devices used for document storage, security requirements for transport, archiving and digitization, sorting, destruction).
Development and procurement of IT systems
• General guidelines for the development and procurement of IT systems (identification of requirements, preparation and approval of development plans, implementation of development, testing, release and commissioning).
• Change tracking (maintaining change tracking, results of requirements assessment).
Operation of IT systems
• IT tools for business purposes (workstations, servers, other tools [scanning, printing], installation of applications).
• IT tools for technological purposes (workstations, servers, printers and other special equipment connected only to the company's technological (OT) network, which normally has no direct connection to the business/administrative network).
• Authentication method (password management, strong and two-factor authentication).
• Maintenance (workstations, server maintenance, maintenance plan/log).
• Logging (systems to be logged, basic requirements for logging).
• Monitoring (monitoring of IT systems, monitoring of user activities, monitoring of key users).
• Archiving (frequency and method of archiving, data to be archived).
• Wiping of data carriers (cases of one-time and irreversible deletion, physical destruction).
• Backups (creating and restoring backups).
Use of cryptographic tools
• Full-disk encryption (scope for administrative and operational systems, responsible persons and expected operation).
• Use of file encryption applications.
• Cases of encryption of electronic mail or other communications.
• Encryption of portable data storage devices (dedicated data storage devices, unencrypted data storage devices, data storage devices used in technological systems).
Network security
• External network (storage of classified data outside the network, conditions for connecting to external networks).
• Internal network (information security guidelines for the operation of internal networks).
• Wireless network (information security rules for internal and external wireless networks).
• Remote access (description of remote access technology, conditions to be met).
Virus protection, protection against malicious code
• Requirements for virus protection in administrative (business) systems, other virus protection measures.
• Requirements for virus protection in technological systems.
• Requirements for virus protection in corporate mobile devices.
• Handling malicious code (reporting information security incidents when malicious code is detected, incident investigation procedure, parties to be involved).
Electronic communication
• Electronic correspondence, email communication (general principles, rules for sending/receiving emails, rules for remote access).
• Information security rules to be observed when using the Internet.
• Instant messaging applications, centrally provided options.
• Options and rules for using video conferencing.
• File sharing applications.
Use of mobile devices
• Information security requirements related to the use of laptops/notebooks.
• Information security rules for the handling of portable data storage devices.
• Information security rules for the use of mobile phones, smartphones, and tablets.
Access by external contributors and third parties
• Rules relating to the involvement of external parties (information security requirements in contracts).
• Rules relating to the transfer of data to third parties and contractual partners.
• Access rights of external contributors.
Incident management (in accordance with the Central Incident Management Procedure)
• Preparation for event/incident management (types of information security events and incidents, designation of responsible persons).
• Reporting of information security events and incidents, definition of responsibilities and powers.
• Rules for handling information security events and incidents.
• Closing and documenting information security events and incidents.
• Preparing regular reports.
• Training and feedback on incident reporting and handling.
Change tracking, review
• The Companies track changes affecting information security or business continuity and crisis management in their regulatory documents.
• They review these at least annually, and immediately after significant changes (e.g., in the legal or standards environment).
Audit, review
• Internal, group-level, external audits, extraordinary inspections.
2.3. Other mandatory information security requirements
The Companies are also required to comply with the following:
Data reporting obligations
• The Companies are required to prepare an annual assessment report on their information security system and submit it to the central Information Security and Crisis Management Department. The reports have a mandatory table of contents. The central department collects and evaluates the company reports in an annual group-level report.
Operation of IT systems
• The business IT service provider shall ensure the uniform IT security supervision of the Companies' administrative IT systems through its dedicated service (current Central IT Security Service: central logging and analysis (SIEM), identity and access management, vulnerability management). The business IT service provider is responsible for the SIEM system and the trend and anomaly analysis data reports generated from it.
• The Companies must operate a security logging and analysis system (SIEM) to monitor the IT security of their operational IT systems.
• Vulnerability assessments of the Companies' administrative IT systems may only be performed by the business IT service provider or a contractor appointed by it.
• The Companies must ensure that vulnerability assessments of their operational systems are performed (subject to review by the company's information security officer and central approval).
• Companies must use a data leak prevention system (hereinafter: DLP), which is operated by the business IT service provider.
• When developing their IT systems (including modifications and acquisitions), companies must involve the company's information security officer and the data controllers of the data sets concerned. Information security requirements must be documented in a manner that includes information security risks, probabilities, impacts, protective measures, and residual risks. The development and testing environment must not contain real data; such data must be anonymized and depersonalized.
• Companies may only access corporate data assets on mobile devices through channels supervised by the business IT service provider's relevant service. The use of other methods is not permitted in order to protect data assets.
Other considerations
• Companies must develop their internal regulations, documents, and contracts in accordance with the provisions of the current ISO 27001 standard.
3. Extraordinary situation management
3.1. Documents, roles
Companies must have at least the following documents and roles in place to regulate and operate their business continuity and crisis management activities.
a) Business continuity and crisis management policy,
b) Process list, critical process list,
c) Business impact analyses,
d) Business continuity risk analyses,
e) Contingency management plans,
f) Company Crisis Team or Crisis Coordinator,
g) Business continuity officer.
In addition, they must clearly define the persons responsible for the following contingency management-related topics:
h) Management-level support, financing, resource provision,
i) Contingency management, decision-making, convening procedures (taking into account different crisis levels),
j) Declaration and termination of a period of exceptional circumstances,
k) Documentation of business continuity and crisis management,
l) Internal and external communication,
m) Maintaining contact with the member companies concerned in the event of a domino effect.
3.2. Topics to be regulated
Companies must regulate at least the following topics in their regulations and assign responsible persons to them:
Development of business continuity and crisis management regulations
• Creation of a regulatory environment, definition of responsibilities.
Establishing the organizational background for business continuity and crisis management
• Defining the participants in implementation and operation, managing substitutions, and appointing at least the following persons:
o Establishing a Company Crisis Team or appointing a Crisis Coordinator (appointing one of the participants for crisis management based on the specific characteristics of the company).
o Appointment of a company business continuity manager (based on centrally defined minimum competencies).
Process assessment, examination of resource and process dependencies
• Preparation of a company process list, identification of resources used in the process (e.g., data, human resources, IT, external service providers, office), linking of different processes, and examination of the extent to which the process depends on the resources it uses and related processes.
Preparation of a damage value table
• Preparation of a matrix of damage types and damage values tailored to the company, which is necessary for assessing the impact of damage.
Preparation of a business impact analysis
• Preparation of a special risk analysis, during which the impact of the failure of an examined process on the organization is assessed based on a damage value table.
Identification, analysis, and management of risks
• Development of protective measures.
• Identification of operational risks associated with the resources serving the processes, company-specific analysis of these risks, and development of risk mitigation measures (e.g., business continuity plan (BCP), disaster recovery plan (DRP)).
Calculation of residual risks
• Analysis of the extent to which the introduction of risk mitigation measures reduces the original risk, with the aim of achieving the lowest possible risk value, taking into account the company's capabilities.
Preparation, testing, and training for business continuity plans
• Definition of responsibilities, frequencies, and target groups (e.g., for BCP, DRP).
Preparation of a notification list
• Preparation of a list containing the contact details of employees with tasks or responsibilities in the company's business continuity and crisis management.
Conducting training
• Training all employees on the business continuity and crisis management system in place at the company.
Monitoring changes and conducting reviews
• Reviewing documents related to the business continuity and crisis management system (e.g., plans, training materials, regulations).
Preparing reports
• Preparing a summary report after the incident or crisis has been resolved.
Auditing
• Self-auditing of the company's own business continuity and crisis management system.
Data reporting
• Definition of responsibilities.
Mandatory adoption of the provisions of the specific VPN usage policy for the Unified Digital Radio Communication System in force at any given time.
3.3. Other mandatory requirements
Companies are also required to comply with the following:
• Companies must develop their internal regulations, documents, and contracts in accordance with the provisions of the current ISO 22301 standard.
• Companies are required to appoint a business continuity manager, and must inform the owner exercising ownership rights and the central Information Security and Crisis Management Department of the appointment.
• Companies are required to assess the need to establish and use a crisis center or alternative site.
• Companies are required to prepare for business continuity and crisis management by managing available or deployable resources in such a way as to ensure optimal mitigation of damage.
• Companies must classify the crisis situation at the appropriate crisis level and manage it accordingly. The individual crisis levels determine the need to involve the company's Crisis Team, Crisis Coordinator, Group-level Crisis Team, and state authorities.
• Where necessary, a Group-level Crisis Team is established; the Companies transfer management of the extraordinary event to it, and it also coordinates the response at group level.
• In order to effectively manage extraordinary events affecting individual companies or the entire MVM Group, MVM Zrt. operates a centralized Information Flow System for crisis events, which is supported by the Unified Digital Radio Communication System (hereinafter: EDR, the abbreviation of its Hungarian name, not to be confused with endpoint detection and response).
o The designated Companies are required to connect to the system.
• Companies are required to prepare an annual evaluation report on their business continuity and crisis management system and send it to the central Information Security and Crisis Management Department. The reports have a mandatory list of contents. The company reports are collected and evaluated by the central department in the annual group-level report.
3.4. Additional expectations regarding internal service providers
Companies providing services within the MVM Group are required to comply with the following:
• They shall provide data regarding their own services and prepare development proposals at the request of the companies using their services, in particular with regard to the following data:
o relevant changes related to the service,
o the time required to use alternative resources (switchover time),
o average planned recovery time for resources,
o currently valid parameters for data loss based on backup and archiving protocols,
o replacement resources and the conditions for their use,
o analysis and trend monitoring of events managed in the SIEM system.
• Based on the data from business continuity analyses, they make recommendations to the central Information Security and Crisis Management Department regarding the prioritization of their processes and services at group level, as well as the framework conditions for their recovery.
• They describe the business continuity and crisis management procedures applicable to their own services to the companies using their services to the extent necessary for their preparedness activities.
• They shall participate in the review and amendment of relevant service contracts to ensure the applicability of corporate business continuity and crisis management procedures (e.g., coordination of maximum acceptable process downtime and service recovery times).
• For services provided under an SLA or a specific contract supporting a critical process, they determine the following in terms of the infrastructure behind the services and the capabilities related to service restoration:
o the maximum downtime and availability requirements based on customer expectations, the business continuity capabilities required of the resources,
o the recovery procedures and plans,
o the expected duration of recovery,
o replacement resources.
• Recovery plans are prepared for services provided under SLAs or individual contracts supporting critical processes, as well as for resources. When introducing any new service or service support system, a recovery plan is developed and tested prior to the introduction of the new service or support system (or a backup and restore test is performed by the IT service provider).
• In the case of services provided under an SLA or a specific contract supporting a critical process, and with regard to its resources, the following shall be planned in accordance with business needs to support its services:
o Fault-tolerant solutions for resources,
o Reserve resources,
o Continuity of external services,
o Preventive maintenance,
o Monitoring solutions,
o Incident management processes.
• Risk analysis is performed with regard to services provided under SLAs or individual contracts supporting critical processes, as well as resources, and protective measures necessary for managing residual risks are planned.
• Internal service providers report regularly to the head of the department exercising control and supervision on behalf of MVM Zrt. on service incidents, other outages, the related response procedures and other events related to their services.
---------------------------------------------------------------------
4. CYBER SECURITY ASPECTS OF THE SUSTAINABILITY REPORT
• Management structures established to handle cybersecurity
Large subsidiaries, including those operating critical infrastructure, perform cybersecurity tasks themselves in accordance with group-level instructions. For subsidiaries that do not have their own IT operations, a specialized MVM company (MVMI Zrt.) is responsible for all cybersecurity compliance in the area of operations. At the group level, cybersecurity requirements are centralized at the holding company.
• The company regularly prepares formal cybersecurity reports for its management.
All member companies of the MVM Group are required to prepare an annual assessment report on their information security system by March 1 of each year for the information security and business continuity and crisis management function of MVM Zrt. The reports have a mandatory table of contents. The collected reports are analysed by the central department, and the annual group-level reports are submitted to management.
• Cybersecurity training
Mandatory annual employee training courses are organized at all MVM Group companies.
• Regular external cybersecurity assessments and audits
External audits required for ISO 27001 certification are conducted regularly at the companies concerned. In addition, PCI DSS audits and other types of IT security audits are also carried out.
The requirements for compliance with the ISO 27001 standard are set out in the central information security and business continuity and crisis management policy.
• The company has launched initiatives to address cybersecurity risks related to operational technologies and/or industrial control systems.
The controls specified in the MVM Group's central information security and business continuity and crisis management policy apply to both IT and OT systems. The review and audit of the NIS 2 compliance of IT and OT systems is currently underway.
• Cooperates with relevant government agencies and shares cybersecurity information with them.
The controls specified in the MVM Group's central policy on information security and business continuity and crisis management apply to both IT and OT systems. This is currently under review with the introduction of NIS 2.
• Continuously monitors cybersecurity threats
As described in the central procedural rules for the management of information security events and incidents, the MVM Group maintains regular contact with the national cybersecurity authority (National Cybersecurity Service, National Cyber Defense Institute).
• Conducts exercises and preparations to manage the risks associated with cyber attacks
The MVM Group operates a security awareness program, which includes mandatory employee training on IT security risks and incident management, held annually.