Information security and data protection
The Company realises the importance of information security and data protection of its customers. Kazakhtelecom JSC continues developing a reliable information security and data protection management system.
Our approach
Information security is a part of the structural subdivision in the Division of Information Technologies (IT Division) of the Company.
The main internal documents governing information security are:
- Information Security Policy.
- Policy of anti-virus protection of Kazakhtelecom JSC’s information systems.
- Policy on protection of personal data in Kazakhtelecom JSC.
- Information Security concept.
The Company’s documents regulating information security issues can be found on the Company’s website in the Sustainable Development section, Information Security and Data Protection subsection.
Basic information security principles:
- compliance with legislative norms;
- involvement of the Company’s top management in the IS provision process;
- business-orientation;
- process approach;
- integrated use of methods, techniques and means of information protection;
- adherence to best practices;
- reasonable sufficiency;
- awareness and personal responsibility.
To ensure information security, Kazakhtelecom JSC applies a systematic approach. One of the important aspects is round-the-clock control of data at all stages of their life cycle, starting from the moment they enter the Company’s infrastructure and ending with their archiving or irretrievable destruction.
Currently, the Company applies international best practices in information security. Our internal systems are protected using solutions such as secure remote access to information resources, secure use of the Internet, privileged user monitoring (PAM), vulnerability scanners and others. The Company strives to counter external threats and introduces new solutions and methods of working with resources, including creating the necessary infrastructure in the Company, training qualified specialists, forming an operational centre for information security and introducing the ZeroTrust concept.
The Company also utilises such important security elements as embedding in the governmental cybersecurity system of the ESDI, Internet of Things security, use of Honeypot traps, Machine Learning and others. In addition, the Company provides IS training and awareness-raising for its employees on an ongoing basis.
Personal data protection
The Company has developed and implemented the Personal Data Protection Policy, which defines the basic principles of processing personal data of customers, suppliers, business partners, employees and other persons, the main actions for collection, storage and processing of personal data, and measures for their protection.
The Policy is a fundamental document on personal data protection. It establishes the goals, objectives and principles of personal data protection by which the Company is governed in its activities, and serves as a guideline for the development of relevant personal data protection documents.
The basic principles of ensuring personal data protection are:
- observance of constitutional rights and freedoms of a person and citizen;
- legality of ensuring personal data protection;
- confidentiality of limited access personal data;
- involvement of the Company’s management in the process of ensuring personal data protection;
- business orientation;
- process approach;
- integrated use of methods, techniques and means of protection;
- adherence to the best practices;
- reasonable sufficiency;
- awareness and personal responsibility.
Key results for the reporting period
In terms of information security in 2023, the IT Division reformatted the work of the Information Security and Control Division. Its responsibilities include incident investigation, vulnerability search, preparation of recommendations on eliminating information security incidents, protection of the Company’s perimeter, management of access to information systems/resources, and management of information security solutions.
The Company established an information security division in the Central Administration - Information Security Service - directly reporting to the Managing Director for Security that controls information security issues in the Company at the top level. In 2024, it is planned to develop and approve the Information Security Strategy for 2025-2028.
In 2023, the Company also realised the first stage of transition to the ZeroTrust model. We started implementation of a hardware and software complex, which will enable segmentation of the corporate network, granular access control and protection of employee end stations.
All these initiatives made it possible to start practical work on setting up the Information Security Operations Centre (ISOC) for monitoring and responding to information security incidents and for repelling and countering external threats. Also, in 2023, the Information Technology Division specialists were trained for certification under the international information security standards ISO 27001, 27005 and 27035. Obtaining ISO 27001 certification by the IT Division will ensure a standardised approach to information security management, guaranteeing data safety, security and confidentiality to customers. In 2024, we will continue to prepare the IT Division to obtain ISO 27001 certification.
In the reporting period, there was one hotline call regarding a possible breach in the processing of customer personal data. The leakage of customer data was not confirmed.

In the reporting period, the Company did not identify any cases of customer data leakage.
Implementation of ZERO TRUST concept
The purpose of the ZeroTrust concept is to protect the Company from advanced cybersecurity threats and data breaches. This concept is based on a complete lack of trust in users, processes and systems. This means that for each specific session, the user, be it a device or an application, must authenticate and confirm their right to access certain data. Zero Trust, developed by John Kindervag, a former Forrester analyst, is one of the most popular concepts in cybersecurity today.
In 2023, the Company acquired the ZeroTrust core, established an Information Security Service in Central Administration, and prevented attempts to introduce and spread malware. During the implementation of the first stage of ZeroTrust, many cases of infection of employees' corporate PCs were detected. We prevented the spread of a well-known virus called WannaCry (a “ransomware virus”).
In 2024, we plan to implement the 2nd stage of transition to ZeroTrust model and introduce a number of solutions to improve information security. By the end of the year, we plan to launch a corporate operational centre for information security.
In general, ZeroTrust application in the Company will significantly improve the information security level.
In 2023, the Company detected 160,000 information security events. Thanks to ZeroTrust, the Company will be able to accelerate the process of prompt response to cyberattacks and coordinated resolution of information security issues.
Also it is important that following the full implementation of ZeroTrust concept, the Company plans to pass the international ISO 27001 certification for compliance with the information security management system requirements.

Digitalisation of customer paths of B2B and B2C segments
As part of the digitalisation of customer interaction on the telecom.kz and ismet.kz platforms, in 2023, the IT Division transferred the Company’s IT products to the ismet.kz business platform and completed the transition to the New Hosting platform with the implementation of hosting products for small and medium businesses. The platform implements a complete digital customer journey without the human factor.
In 2024, we plan to redesign the hosting platform, launch new services, expand content and digitalise certain processes. A data model was created for the KT Docs electronic document management system, which is planned to be used as a unified electronic document management system covering all digital sales channels in the organisation. The IsmetDocs electronic document management system is being developed on a new microservice architecture. It is planned to integrate the system with the state system of the Unified System of Labour Contracts Accounting (USLCA) and Unified System of Electronic Document Management with State Bodies of the Republic of Kazakhstan (USEDO) (including the ENSI and EXED systems). Additionally, integration with the state information system Unified State Real Estate Cadastre (IS USREC) has been implemented. Together with colleagues from the Corporate Business Division, a new marketplace, IsmetMarket (Business.ismet.kz), was introduced, where users can place their goods and services. Also on this marketplace users will be able to become partners/contractors of the Company for laying fibre-optic communication lines in the cable sewer.
In the B2C segment, we worked on optimisation of customer paths on the telecom.kz portal and in the mobile application. We modernised the personal account, including addition of new interaction types, possibility of automatic payment by bank card on a given day through the services of the second-tier banks (STB), and the viewing of receipts to detail subscribers’ accounts. In addition, pilot projects are being launched for a voice bot to automatically provide advice to citizens via a phone call, surveying subscribers in branches using QR scanning of the questionnaire, and displaying services in the Egov Mobile application as part of the strategy to increase the customer base.
Informing and training employees on information security issues
The Company regularly conducts training sessions for its employees to ensure the basic principles of information security - confidentiality, integrity and availability of data.
Information security is ensured both at the administrative level - each employee is obliged to familiarise himself/herself with and comply with the requirements of the Company’s regulations, rules and policies on information security, and at the technical and physical level - the Company uses various hardware and software complexes, cryptographic information protection means, etc.
In addition, specialists of the IS Division regularly attend various advanced training courses on information security, cyber security, IS risks and threats. General training/testing on digital hygiene is conducted for employees of the Customer Relations and Human Resources divisions, where the risk of data misuse is quite high.
