2019
Integrated Annual Report
Consolidated Management Report
Consolidated Financial Statements

Information security management

Significant milestones in 2019

Main challenges for 2020

Definition and implementation of Strategic Global Security Plan for Cybersecurity and Physical Security.

Deployment of Global Security Office and intelligence & legal vigilance service in all integrated countries in 2019 (Spain, France, Italy, The Netherlands, Switzerland and UK).

Establish an information security governance model.

Analysis and deployment of a risk management technical solution that enables automated management of global security risks.

ISO 27001 certification in all countries.

Implementation of a security event monitoring model in all integrated countries in 2019.

 

Deployment of a CASB solution to enable policy enforcement and governance of cloud applications.

The telecommunications sector needs to be protected from a wide variety of different types of threats to provide a stable and high-quality service to its customers. For this reason, Cellnex has been placing special emphasis on the area of security, whether physical or IT, performing a large number of activities aimed at avoiding and mitigating any possible threat that might affect its service.

Accordingly, this year we have devised a Strategic Global Security Plan for Cybersecurity and Physical Security that allows high-impact events to be anticipated, in accordance with Reference Frameworks. The Plan applies to all companies in the Cellnex group and covers all aspects of corporate security regardless of the type of threat, whether physical, IT, or hybrid. The following actions were rolled out under this plan:

  • Integral Security Assessment.
  • Definition of a risk map.
  • Development of a global action plan.
  • Three-year budget approval.

First, we analyse company security based on standard frameworks (NIST cybersecurity and ISO 27001), with a focus on IT, OT and physical security, and on five high-level blocks that encompass a variety of security activities (identify, protect, detect, respond and recover). Each control has been evaluated considering the maturity level of the Business Units, with levels classified into four categories (not implemented, partially implemented, widely implemented and fully implemented).

In addition, a three-year global action plan has been defined, in agreement with the Risk Committee, with the aim of improving the security level of Cellnex. This Plan defines six strategic lines and 36 initiatives, most of which are at corporate level or for Spain, although there are also projects in other countries. To this end, an objective maturity threshold has been established based on benchmarking.


The Strategic Global Security Plan for Cybersecurity and Physical Security has been formalised in the Information Security Policy applicable to all the companies that compose the Cellnex group, which is aligned with ISO standard 27001.

This policy sets out the guidelines and lines of action for Information Security that will govern how Cellnex will manage and protect its information and services, as well as its communication to stakeholders and implementation in all Group companies and functional units.


The information security governance model has also been defined and is structured as follows:

  • At group level
    • Global security manager 
    • Security Control Centre
    • Security office
  • At country level
    • Local cyber security (logical security)
    • Responsible for physical security
    • Local front end

As a result of these actions, in 2019 there were no data leaks, theft or loss in Cellnex, nor were any complaints received in relation to information security and data protection.

In September, ISO 27001 certification was obtained for all countries and all companies. This standardisation guarantees the implementation of the industrial model and the homogenisation of processes at a global level in a group as diverse as the Cellnex group, which integrates different countries and allows for continuous improvement. This certification also enables us to have access to certain markets and customers who require this certification in order to work with them.

In order to obtain ISO 27001 certification, in 2019 the Corporation, Spain, Switzerland and Italy were audited. In 2020 the Netherlands and France will be audited, together with Spain and the Corporation, which will always be audited owing to their size and importance in the Cellnex group.

The progress made in 2019 will raise the level of maturity and reduce the level of risk associated with information management.

With regard to the personal data managed by the company, with the entry into force of the new General Data Protection Regulation (GDPR) on 25 May 2018, the Group has made several changes to ensure full compliance. One of the main changes under the GDPR was that it became compulsory to appoint a Data Protection Officer (DPO). In Cellnex these duties will be performed by José María Miralles, the company's Director of Legal Affairs, who will periodically report to the Committee of Ethics and Compliance on the status of GDPR implementation and compliance in the companies of the Group. Because the company fully complied with the previous European regulation and already had a mature and robust system, it has adapted quickly and effectively.

In addition, this year the deployment of several projects has begun to protect information and prevent leakage of the most sensitive types, notably the following:

  • AIP (Azure Information Protection) implementation: aimed at protecting information, regardless of whether it is hosted at Cellnex, in the Cloud or at third-party locations.
  • MDM (Mobile Device Management) replacement: allows advanced management of mobile devices, ensuring that only authorised devices can access corporate information.
  • Regularisation of administrator users: allows access to be given to information, with the appropriate permissions for processing it.
  • CASB (Cloud Access Security Broker) implementation: allows access control for information located in public clouds.
