Millicom and its affiliated entities (“Millicom”) treat protecting our networks and customers as one of our highest priorities. Millicom has a dedicated Global Chief Information Security Officer (“Global CISO”) whose team oversees the strategy and direction of all security-related activities across Millicom. Millicom’s global information security program provides policies and standards, vulnerability management, and third-party risk management, and oversees the implementation of technical solutions across Millicom. The Global CISO regularly reports on new and evolving risks and technology initiatives to the Millicom Board of Directors. Additionally, general progress of the security program is highlighted in Millicom’s annual report to investors, which can be found here.
Since Millicom operates in many countries around the world, developing a risk framework that can address the various legal and regulatory reporting needs, as well as the unique challenges individual countries face, is paramount. Millicom has implemented a risk framework based on a combination of the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001:2013. This blended approach allows each individual country to address local regulators in whichever format they prefer, while providing a common risk and maturity measurement across our entire enterprise.
Risk Identification and Monitoring
Millicom strongly believes in a proactive risk identification and monitoring program. Our global security operations center constantly monitors for attacks against our networks. Additionally, our proactive vulnerability management program strives to uncover and identify vulnerabilities that could potentially impact our infrastructure and our customers. While no vulnerability management process is perfect, Millicom is constantly expanding and maturing the identification of risks within our environment. Finally, Millicom provides focused and targeted end-user training to all employees, in local languages, to ensure all Tigo employees understand the real business risks of today’s interconnected environments.
Millicom is committed to protecting our customers’ information and maintaining the security of our networks, systems, and applications. Millicom does not currently operate a ‘bug bounty’ program. However, we encourage security researchers to contact us to report any discovered vulnerabilities within any of our online properties.
While we appreciate and encourage security researchers to make us aware of potential vulnerabilities within the Millicom environment, we do not authorize intrusive testing that could impact the safety, accessibility, reliability, or confidentiality of our customers, subscribers, or business partners. The following types of tests are explicitly excluded:
- Phishing or Social Engineering of any kind
- Denial of Service attacks of any kind
- Brute-force account attacks
Responsible disclosures can be submitted to Millicom at Security.Disclosure@Millicom.com. When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the affected service name/IP address, the steps you took, the tools you used, and any artifacts discovered to support the findings.