Sustainability Report / 2024

O'Z Ру En SR CSR

Information security

GRI 418-1

The company consistently implements sustainable development approaches, placing particular emphasis on the reliability of information processes and data protection. The Privacy Policy has been developed in accordance with the Decree of the President of the Republic of Uzbekistan №-6079 dated October 5, 2020 «On the Approval of the Strategy «Digital Uzbekistan — 2030» and Measures for its Effective Implementation”, in accordance with Articles 367-369 of the Civil Code of the Republic of Uzbekistan, industry standards, and the level of current cyber risks. The design and operation of information systems shall take into account the nature of the data being processed, the criticality of business processes, and the potential for external and internal threats.

The information security management system includes legal, organizational, and strategic components.

Legislative and regulatory compliance:

The company ensures compliance with the requirements of the legislation of the Republic of Uzbekistan in the field of information protection, personal data, and digital technologies. Internal policies are brought into line with applicable regulatory acts and international standards in the field of information security. Constant interaction with relevant government agencies contributes to compliance with all regulatory requirements.

Organization and control:

Information security functions are distributed across various levels of management. The Company has an internal control and risk assessment system in place for data protection. Regular internal audits and checks are conducted to monitor the effectiveness of the measures in place and respond quickly to potential threats. The security service is structurally subordinate to the Deputy Chairman of the Management Board for Information Security and Compliance and includes four full-time employees, as well as employees responsible for information security in the branches.

Strategic approach and risk management:

To ensure sustainable operations, regular threat analysis is carried out, including risks of data leakage, technical failures, and other vulnerabilities. Monitoring and response tools have been implemented, and the information security policy is integrated into the Company’s overall sustainable development strategy.

Information processing is mainly carried out in an automated mode, without the involvement of employees or contractors. in cases where access to data is necessary for the performance of employment or contractual obligations, it is provided strictly to the minimum extent necessary, with mandatory compliance with information security requirements. All employees and external contractors are required to comply with internal policies, procedures, and technical regulations for information protection, including measures to ensure the confidentiality of user data.

TC-TL-220a.1, 2, 3, 4

In accordance with the Law of the Republic of Uzbekistan «On Personal Data”, the Company does not transfer or process confidential personal data of subscribers for advertising purposes, to provide additional personalized services, or for secondary purposes (including analytics and transfer to third parties) without obtaining the prior separate consent of the subject. Personal data is also not provided at the request of law enforcement agencies, unless otherwise provided by law. at the end of 2024, there were no court proceedings related to violations of customer privacy, and therefore no financial losses were recorded on this basis.

TC-TL-230a.1, 2, GRI 418-1

No incidents of personal data leaks, theft, or loss were recorded. There were no confirmed complaints received in connection with violations of customer personal data confidentiality, including complaints received from external parties and complaints received from regulatory authorities. No information about affected personal data subjects is available. The Company has implemented a comprehensive approach to identifying and eliminating information security risks, including:

  • the development and implementation of appropriate policies, including a Privacy Policy (regulating the collection, storage, and protection of user data and technical security measures);
  • development of partnerships and joint programs for the implementation of necessary software, including international cooperation in the area of zero-trust access, including the launch of our own security service for corporate clients;
  • cloud and data center solutions with additional protection and authentication;
  • additional training on threat response, including subscriber awareness and webinars and conferences on information security, including DLP and personal data protection topics;
  • threat assessment and vulnerability analysis (on an ongoing basis);
  • proactive monitoring and response.

Cybersecurity activities are carried out in accordance with the recommendations of the Information Security Center under the State Committee for Communications, Informatization, and Telecommunications Technologies of the Republic of Uzbekistan. Antivirus protection, network traffic monitoring, and security incident analysis are provided.

TC-TL-550a.1, 2

In 2024, no malfunctions in the operation of telecommunications equipment were recorded. Despite the disconnection of the main power supply by the supplier, Regional Electric Grids, the Company’s network equipment, equipped with backup (secondary) power sources, ensured the uninterrupted provision of telecommunications services. as a result, no interruptions in service provision were recorded. The Company took all necessary measures to comply with the requirements of the Telecommunications Law, as well as relevant industry and regulatory documents, including O’z DSt 3207:2023, harmonized with ITU-T recommendations.

Thus, the Company ensures compliance with the principles of information resilience and maintains the trust of users, customers, and partners through a systematic approach to cybersecurity.

TC-TL-520a.3

The Company adheres to the principles of network neutrality and does not engage in paid traffic prioritization practices. The Company does not restrict user access to legal content, does not slow down the speed of services, and does not provide preferential services to individual service providers. at the time of preparing this report, there were no incidents indicating risks related to violations of network neutrality, including user complaints or inquiries from regulatory authorities. The Company assesses such risks as insignificant.

go to the next section

Projects aimed at supporting and improving the quality of life in the regions where the Company operates