Customer Security

We have a robust enterprise risk management process that is subject to regular reviews and continuous improvement. This ensures that risks are identified, recorded, managed and mitigated as appropriate throughout our business and including customer specific operational risks. Major risks are reported and escalated to the board.

Our risk management process methodically addresses risks that may pose a threat to Vodafone, its infrastructure and services (both internal and external), its customers, staff, brand and assets. The risk management strategy provides a framework for the proactive management of risks to eliminate or minimize any impact.

Vodafone Group and local markets operate security risk governance programs and processes that ensure that security risks are captured, assessed and addressed by appropriate risk owners.  Each program escalates its top significant risks into Vodafone Group, where "Top Tier" risks are reported and managed using Riskonnect.
 

All information is classified and protected to keep it safe. Our classification scheme uses “C1” to “C4” identification and rules of how to handle and manage information at each level is enforced through our Information Security Classification and Protection Global Policy and the implementation of a data loss prevention tool. Additional Vodafone Security Polices detail what controls we implement to manage both Vodafone and Customer data, including data retention and disposal.

Vodafone ensures that we provide a secure environment for all of our colleagues and customers. We use live site monitoring and electronic protection systems to safeguard the integrity and security of Vodafone’s assets and our customer’s infrastructure, applications and data. A 24x7 physical security control centre provides this live monitoring as well as management of all site access, management of third party access, travel security briefs and much more.

All Vodafone colleagues and contractors are subject to a process of pre-employment screening that meets good commercial practice. Employee checks and vetting vary across the different countries in which we operate.

As standard, these checks will look to verify some or all of the following:

• Identity Checks.
• Where applicable: Right to Work in the Country.
• Satisfactory business references from the previous three years of employment. Any gaps in employment history fully explained within the applicant’s CV or Resume, and Confirmation checks on claimed academic and professional qualifications.
• Criminal history.
• Where applicable: Credit check.
• Where applicable: Social Security trace for the US.

We effectively manage cyber security risks associated with Vodafone suppliers by assessing and improving their security controls to safeguard Vodafone’s customer data, systems and other assets.

We continually evaluate our suppliers using a series of assessments throughout the supplier lifecycle, starting from the initial stages of supplier on boarding through to in-life and service termination. We embed appropriate security requirements in supplier contracts in line with our internal policies and global regulations.  Additionally, we require our suppliers to complete our detailed security risk and control assessment process to evaluate the effectiveness of their security controls and confirm that they meet Vodafone security policies and requirements. To further validate the security controls of our suppliers, we require independent assurance certifications and reports (e.g. ISO27001, SOC2), and we also use an independent security rating service to scan our critical suppliers’ internet facing systems, address identified issues and obtain a real-time insight into the supplier risk posture.

Through our supplier risk and control assessments, we identify and scrutinise critical and high-risk suppliers who are then scheduled for more detailed reviews. We re-assess suppliers regularly to identify whether their services, security control effectiveness and any associated risks have changed.

Building on all assessments, we continually work with all our suppliers to improve their security controls, safeguard our customer data and reduce the cyber security risk.