|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
At the Board of Directors level, the responsibility for cybersecurity falls to the Director of Network and IT Solutions. The Vice President (VP) of Network/IT Strategy, Technology & Architecture is responsible for the Group’s overall cybersecurity strategy and governance, while our Operational Vice President (OVP) of Cyber Security is responsible for managing the day-to-day operation of Telkom’s Cyber Security Operation. Both report directly to the Director of Network & IT Solutions. Our Cyber Security Operation Center operates 24/7 to address cybersecurity threats and collaborates with related units to protect sensitive data. Its responsibilities include monitoring and responding to security threats and incidents, analyzing and investigating security events, conducting forensics, performing security testing and vulnerability management, and managing security threat intelligence.
The Telkom Group Cyber Security Squad was initiated in 2022 to support cross-entity collaboration on cybersecurity. In 2024, this function was formalized as the Telkom Group Cyber Security Committee, which includes representatives from all Telkom Directorates and cybersecurity representatives from our subsidiaries. The Committee’s Management is led by the Director of Network & IT Solutions, with the VP of Network/IT Strategy, Technology & Architecture serving as Working Level Coordinator. The Committee oversees the Group’s cybersecurity governance, providing strategic direction, as well as cybersecurity-related risks.
Cybersecurity risks are incorporated into our overall risk profile and our risk management team is responsible for managing these risks. Our risk management team, together with the management of each unit throughout our Group, ensures that risk assessment is carried out, establishes and executes our Risk Treatment Plan, implements controls, monitors and reviews the effectiveness of our information security system operations, and documents the results. We conduct risk assessments at least once a year, according to rules set out in our Risk Assessment Policy Standards. We also conduct internal and external audits periodically or at least once a year. Discrepancies between implementation and policy identified in the operational process and audit results are followed up with evaluations and necessary corrective steps, which are fully documented. For oversight purposes, our risk management team provides a quarterly report on our risk profile to the Planning and Risk Evaluation and Monitoring Committee, which is part of our Board of Commissioners.
Incident Management
Our Computer Security Incident Response Team (“CSIRT”) manages and responds to cybersecurity incidents. Our CSIRT is part of the Group’s Crisis Management Team (CMT), which is responsible for preparing for and responding to potential emergencies and crises that could impact our organization. The CSIRT is responsible for managing crises related to cybersecurity.
Policies and Procedures
We implement several policies and procedures designed to protect confidential information and personal data, as part of a comprehensive approach to maintaining confidentiality and preventing unauthorized access or disclosure. These policies and procedures include:
Furthermore, we implement and regularly update our cybersecurity policies to align with evolving needs and industry standards and regulations. These updates incorporate changes and improvements in information security management to ensure that our practices remain effective and relevant. In order to keep our information security standards current and effective, we endeavor to adhere to international standards such as ISO/IEC 27001:2013, which are globally recognized frameworks for information security. We attained these certifications on April 12, 2022. In addition, with respect to application development, we consider the OWASP Secure Coding Practices Checklist, which provides guidance on best practices in coding to enhance application security. This checklist specifically helps developers avoid common coding pitfalls that could lead to security vulnerabilities. We also conduct vulnerability and penetration tests on the applications to ensure compliance with our cybersecurity standards.
Overall, our policies and procedures collectively form a framework aimed at preserving the confidentiality of sensitive information and preventing unauthorized disclosure through technical, administrative, and procedural safeguards.
Employees and Third Parties
We endeavor to establish clear guidelines for employee behavior and raise cybersecurity awareness among our workforce in the following ways. In addition to our own employees, we also extend our information security regulations to external parties and work partner employees. This means that individuals or organizations who collaborate with or provide services to us are required to adhere to our information security policies and standards.
To effectively address potential cybersecurity threats stemming from our engagement with third-party service providers, we carefully identify and assess cybersecurity risks inherent to such engagement on a case-by-case basis. Following such identification of risks and assessment, we may include specific agreements, covenants and representations in our contracts with such third-party service providers to require compliance with cybersecurity standards we deem appropriate.
Employee Behavioral Guidelines
We have established clear and detailed guidelines designed to safeguard confidential information and minimize the risk of information leakage or misuse by our employees. These guidelines encompass various aspects of data handling, confidentiality, and the acceptable use of company resources. Specifically, our guidelines cover the following:
These guidelines aim to ensure that our employees act responsibly with regard to the handling and distribution of confidential and sensitive information. The measures are designed to cultivate a security-conscious environment, thereby reducing the likelihood of inadvertent leaks or malicious misuse of company data and resources.
Increasing Cybersecurity Awareness
We conduct programs aimed at improving the cybersecurity awareness of our employees. This includes continuous socialization of our Information Security Governance policies and competency enhancement related to cybersecurity awareness. We also test the level of cybersecurity awareness of our employees periodically or as needed.
We also have a procedure in place for enforcing discipline regarding any violations of our information security regulations, which includes coordination among relevant units, such as the Human Capital Management Unit and Cyber Security Unit.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Incident Management
Our Computer Security Incident Response Team (“CSIRT”) manages and responds to cybersecurity incidents. Our CSIRT is part of the Group’s Crisis Management Team (CMT), which is responsible for preparing for and responding to potential emergencies and crises that could impact our organization. The CSIRT is responsible for managing crises related to cybersecurity.
Policies and Procedures
We implement several policies and procedures designed to protect confidential information and personal data, as part of a comprehensive approach to maintaining confidentiality and preventing unauthorized access or disclosure. These policies and procedures include:
Furthermore, we implement and regularly update our cybersecurity policies to align with evolving needs and industry standards and regulations. These updates incorporate changes and improvements in information security management to ensure that our practices remain effective and relevant. In order to keep our information security standards current and effective, we endeavor to adhere to international standards such as ISO/IEC 27001:2013, which are globally recognized frameworks for information security. We attained these certifications on April 12, 2022. In addition, with respect to application development, we consider the OWASP Secure Coding Practices Checklist, which provides guidance on best practices in coding to enhance application security. This checklist specifically helps developers avoid common coding pitfalls that could lead to security vulnerabilities. We also conduct vulnerability and penetration tests on the applications to ensure compliance with our cybersecurity standards.
Overall, our policies and procedures collectively form a framework aimed at preserving the confidentiality of sensitive information and preventing unauthorized disclosure through technical, administrative, and procedural safeguards.
Employees and Third Parties
We endeavor to establish clear guidelines for employee behavior and raise cybersecurity awareness among our workforce in the following ways. In addition to our own employees, we also extend our information security regulations to external parties and work partner employees. This means that individuals or organizations who collaborate with or provide services to us are required to adhere to our information security policies and standards.
To effectively address potential cybersecurity threats stemming from our engagement with third-party service providers, we carefully identify and assess cybersecurity risks inherent to such engagement on a case-by-case basis. Following such identification of risks and assessment, we may include specific agreements, covenants and representations in our contracts with such third-party service providers to require compliance with cybersecurity standards we deem appropriate.
Employee Behavioral Guidelines
We have established clear and detailed guidelines designed to safeguard confidential information and minimize the risk of information leakage or misuse by our employees. These guidelines encompass various aspects of data handling, confidentiality, and the acceptable use of company resources. Specifically, our guidelines cover the following:
These guidelines aim to ensure that our employees act responsibly with regard to the handling and distribution of confidential and sensitive information. The measures are designed to cultivate a security-conscious environment, thereby reducing the likelihood of inadvertent leaks or malicious misuse of company data and resources.
Increasing Cybersecurity Awareness
We conduct programs aimed at improving the cybersecurity awareness of our employees. This includes continuous socialization of our Information Security Governance policies and competency enhancement related to cybersecurity awareness. We also test the level of cybersecurity awareness of our employees periodically or as needed.
We also have a procedure in place for enforcing discipline regarding any violations of our information security regulations, which includes coordination among relevant units, such as the Human Capital Management Unit and Cyber Security Unit.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
At the Board of Directors level, the responsibility for cybersecurity falls to the Director of Network and IT Solutions. The Vice President (VP) of Network/IT Strategy, Technology & Architecture is responsible for the Group’s overall cybersecurity strategy and governance, while our Operational Vice President (OVP) of Cyber Security is responsible for managing the day-to-day operation of Telkom’s Cyber Security Operation. Both report directly to the Director of Network & IT Solutions. Our Cyber Security Operation Center operates 24/7 to address cybersecurity threats and collaborates with related units to protect sensitive data. Its responsibilities include monitoring and responding to security threats and incidents, analyzing and investigating security events, conducting forensics, performing security testing and vulnerability management, and managing security threat intelligence.
The Telkom Group Cyber Security Squad was initiated in 2022 to support cross-entity collaboration on cybersecurity. In 2024, this function was formalized as the Telkom Group Cyber Security Committee, which includes representatives from all Telkom Directorates and cybersecurity representatives from our subsidiaries. The Committee’s Management is led by the Director of Network & IT Solutions, with the VP of Network/IT Strategy, Technology & Architecture serving as Working Level Coordinator. The Committee oversees the Group’s cybersecurity governance, providing strategic direction, as well as cybersecurity-related risks.
Cybersecurity risks are incorporated into our overall risk profile and our risk management team is responsible for managing these risks. Our risk management team, together with the management of each unit throughout our Group, ensures that risk assessment is carried out, establishes and executes our Risk Treatment Plan, implements controls, monitors and reviews the effectiveness of our information security system operations, and documents the results. We conduct risk assessments at least once a year, according to rules set out in our Risk Assessment Policy Standards. We also conduct internal and external audits periodically or at least once a year. Discrepancies between implementation and policy identified in the operational process and audit results are followed up with evaluations and necessary corrective steps, which are fully documented. For oversight purposes, our risk management team provides a quarterly report on our risk profile to the Planning and Risk Evaluation and Monitoring Committee, which is part of our Board of Commissioners.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Telkom Group Cyber Security Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|our risk management team provides a quarterly report on our risk profile to the Planning and Risk Evaluation and Monitoring Committee, which is part of our Board of Commissioners.
|Cybersecurity Risk Role of Management [Text Block]
|risk management team is responsible for managing these risks
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Computer Security Incident Response Team (“CSIRT”) manages and responds to cybersecurity incidents. Our CSIRT is part of the Group’s Crisis Management Team (CMT), which is responsible for preparing for and responding to potential emergencies and crises that could impact our organization. The CSIRT is responsible for managing crises related to cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CSIRT consists of designated personnel with specific roles and responsibilities related to cybersecurity incident management, such as the Coordinator and the Secretary, and multiple specific fields within it, such as Legal, Communications & Public Relations, IT & Infrastructure, among others. These designees each have designated tasks such as coordinating incident response activities, monitoring cybersecurity incident activities, supporting data management and reporting, undergoing post-incident evaluations, and ensuring all actions adhere to specific procedural and security response guidelines.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CSIRT is responsible for reporting cybersecurity incidents to the relevant authorities, our management, and affected parties, as per our incident response plan, to ensure compliance with applicable regulatory requirements.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true