Our commitment is to reach a level of security in our services that guarantees the adequate protection of the information we process, so that all our customers can use them reliably.
The highest official in charge of the Global Security and Intelligence function at Telefónica is the Global Director of Security and Intelligence, who reports directly to the General Secretary and Regulatory Affairs, Telefónica S.A., a member of the Board of Directors and the Executive Committee. He has also been delegated the authority and responsibility by the Board of Directors to establish the global security strategy, lead the security governance model, and lead and manage global security initiatives. In addition, he promotes and drives the Digital Security Committee (created in 2018), in which members of the Executive Committee participate and which reports to the Board of Directors of Telefónica, S.A. through the Audit and Control Committee and the Sustainability and Quality Committee. Each company or country in which the Telefónica Group is present has a Security Director, proposed by the Global Director of Security and Intelligence.
In addition, for the purposes of governance and coordination, there is a Global Security Committee chaired by the Global Director of Security and Intelligence, in which the corporate directors of the other business areas participate (Compliance, Audit, Legal, Technology and Operations, People, Sustainability, etc.), as well as the Security Directors of the countries. There are also local and functional Security SubCommittees chaired by the Security Directors at country level, which collaborate in the definition of strategic initiatives and global guidelines and implement them in each country.
Furthermore, we have a Security Advisory Council, composed of actors external to the Company who are relevant in the field of security. Its aim is to offer advice based on best industry practices and give its opinion on the company's strategy in security matters.
The Telefónica security strategy is based on our Corporate Policy and Norms for Information Security and the Corporate Regulations for Minimum Security Controls. We uphold it through the following principles:
- Confidentiality: We guarantee that the data and systems are only accessed by duly authorized persons.
- Integrity: We guarantee the accuracy of the information and systems against accidental or fraudulent alteration, loss, or destruction.
- Availability: We guarantee that the information and systems can be used in the manner and time required.
- Auditability: We guarantee that any action or transaction can be unequivocally related, ensuring compliance with the key controls established in the corresponding norms.
The companies of the Telefónica Group follow the information security guidelines established by the Corporate Committee for Security. The objective of this body is to monitor the continuous improvement in security, guaranteeing homogeneous minimum standards, in accordance with the needs of each business unit.
Its responsibilities also include the establishment of policies, standards, and implementation of procedures for responsible uses and good practices, the monitoring of the compliance with certifications within the companies of the Group, and continuous monitoring with a view to improvement actions.
We perform internal audits on our processes for the protection of personal information and cybersecurity.
Reliability and continuity of services
At Telefónica, we design and manage our services and infrastructures in such a way that they are capable of resisting and overcoming the various environmental or technological incidents that occur on a daily basis, without our customers being affected.
Our commitment to customers is to guarantee an optimal and uninterrupted service and to be transparent about the state of our networks and infrastructures at all times, even during adverse situations.
We anticipate our capabilities to continue to offer our products and services at an acceptable predefined level, in the event of serious incidents, natural phenomena, external factors, power failures or any other situation that may affect our service.
In order to reduce the time of a possible incident to a minimum, we work continuously to create greater resilience. We manage these situations through the Global Business Continuity Programme and a Global Crisis Management System. This system allows us to be prepared to face incidents in an orderly and coordinated manner, in such a way that communication and collaboration between all the areas involved is ensured in order to work in a degraded mode, minimizing impacts and subsequently recovering operational normality.
The critical situations that have arisen over the last year can be found in the security section of the chapter on Digital Trust in the 2019 Integrated Report.
With regard to IT infrastructure, during 2019 we had 10 incidents, with none of them having led to the payment of a fine or economic losses.
Adequate use of the services
Maintaining an adequate level of security is everyone’s job, even our customers. We expect our customers to use the contracted services in accordance with the law and with what is stipulated in the “policy of adequate use”.
In compliance with current legislation, we implement the viable technical measures aimed at minimizing the negative impact on our services generated by actions with illicit purposes or effects, actions that are damaging to the rights and interests of third parties, or actions that in some way or another try to damage, render useless, overload, or deteriorate the services, computer equipment, and contents, or that try to prevent their normal use by other clients and users of the Internet community.
Many of our customers and users help us improve our services by making them more secure and reliable, or by identifying those activities that have purposes or effects that are contrary to security.
The effort we make to understand the new threats and the latest trends in the digital world, as well as to anticipate changes with innovative security solutions, is reflected in a wide range of security products and services.
For this, we have specific research and development capabilities in Eleven Paths and specific developments for operations, engineering and support in Telefónica Security Engineering.
Get to know more about our performance on these topics.
Cyber-intelligence and incident management
We have tools, capabilities and procedures for the entire cycle of potential incidents: detection, mitigation, recovery, notification and lessons learned.
The steps that Telefónica takes to address the impact of incidents are set out in our internal rules, which identify the controls that must be implemented, monitored, reviewed and improved in order to communicate incidents properly, minimize their impact, identify trends or patterns of suspicious activity, recover availability as soon as possible, analyse the causes, learn from the incidents and take appropriate measures so that they do not happen again.
Coordinated Vulnerability Disclosure (CVD)
Telefónica uses procedures and technologies to prevent vulnerabilities in the products and services that it launches to the market. If a vulnerability is found in a product after the launch, we do everything we can to solve it as soon as possible.
We dedicate internal and external professionals to the continuous search for vulnerabilities in our infrastructure, in collaboration with the community of researchers. We ask them to give us the opportunity to correct the vulnerabilities that they find before publishing them, as we do if we discover them in a third-party product.
This collaboration helps us to protect the interest of clients in their use of updated and safe products.
Therefore, we are committed to reporting any vulnerability discovered in third-party products or services directly to the suppliers of the affected products, to a national CERT, or through a private service that will also inform the supplier privately.
If you are aware of any threat or vulnerability that could affect Telefónica's technological infrastructure, you may contact the Global Cyber Security Incident Response Team (CSIRT) through the following form. You can use our public PGP key to encrypt the information. Many thanks.