Vodafone are committed to providing world-class security. We deliver some of the most secure telecommunications services in the world and have a proven record for delivering trusted mission-critical services to a wide range of customers, including government, utility, finance, and retail sectors.
We have developed an embedded security culture through awareness, education and empowerment to ensure we deliver a great customer experience. Appropriate security controls are in place and operating effectively to deliver assurance in line with contractual agreements.
How does Vodafone manage security?
Vodafone operates an Information Security Management System (ISMS) based on the recommendations of ISO27001:2013, including risk management, business continuity, incident management, physical security, security awareness training and much more.
The Vodafone ISMS ensures that Security Governance is in place at the core of the organisation. Information Security Senior Management Reviews and Security Steering Committees meet on a bi-monthly basis to monitor performance. These meetings include senior stakeholders from across Cyber Security, Corporate Security, Enterprise Operations, Service Operations and relevant business owners, and help to ensure that a wide security strategy is sustained so that business exposure to threats and risks is reduced.
Vodafone have designed the external certifications that we maintain so that customer services are covered from end to end, with either a dedicated assessment or as part of a wider management system; full coverage is generally achieved using a combination of Group, Local Market and Partner certification scopes.
Vodafone Business Security Group aims to protect Vodafone Business, its people, customers and critical assets in order to build a secure digital future. The business unit comprises Corporate Security, Customer Security Services, Customer Technical Assurance, Security Pre-Sales and Security Support and Delivery functions, and includes a front desk that handles all customer security-related requests, both internal and from Vodafone Business Customers.
How does Vodafone manage risk?
We have a robust enterprise risk management process that is subject to regular reviews and continuous improvement. This ensures that risks, including customer-specific operational risks, are identified, recorded, managed and mitigated as appropriate throughout our business. Major risks are reported and escalated to the board.
Our risk management process methodically addresses risks that may pose a threat to Vodafone, its infrastructure and services (both internal and external), its customers, staff, brand and assets. The risk management strategy provides a framework for the proactive management of risks to eliminate or minimize any impact.
Vodafone Group and local markets operate security risk governance programs and processes that ensure that security risks are captured, assessed and addressed by appropriate risk owners. Each program escalates its top significant risks into Vodafone Group, where "Top Tier" risks are reported and managed using Riskonnect.
How does Vodafone manage information classification?
All information is classified and protected to keep it safe. Our classification scheme uses “C1” to “C4” identification, and rules for how to handle and manage information at each level are enforced through our Information Security Classification and Protection Global Policy and the implementation of a data loss prevention tool. Additional Vodafone Security Policies detail what controls we implement to manage both Vodafone and Customer data, including data retention and disposal.
How does Vodafone manage physical security?
Vodafone ensures that we provide a secure environment for all of our colleagues and customers. We use live site monitoring and electronic protection systems to safeguard the integrity and security of Vodafone’s assets and our customers’ infrastructure, applications and data. A 24x7 physical security control centre provides this live monitoring as well as management of all site access, management of third-party access, travel security briefs and much more.
How does Vodafone manage staff screening/vetting?
All Vodafone colleagues and contractors are subject to a process of pre-employment screening that meets good commercial practice. Employee checks and vetting vary across the different countries in which we operate.
As standard, these checks will look to verify some or all of the following:
Where applicable: Right to Work in the Country.
Satisfactory business references from the previous three years of employment.
Any gaps in employment history fully explained within the applicant’s CV or Resume.
Confirmation checks on claimed academic and professional qualifications.
Where applicable: Credit check.
Where applicable: Social Security trace for the US.
How does Vodafone manage suppliers and third parties?
We effectively manage cyber security risks associated with Vodafone suppliers by assessing and improving their security controls to safeguard Vodafone’s customer data, systems and other assets.
We continually evaluate our suppliers using a series of assessments throughout the supplier lifecycle, starting from the initial stages of supplier onboarding through to in-life and service termination. We embed appropriate security requirements in supplier contracts in line with our internal policies and global regulations. Additionally, we require our suppliers to complete our detailed security risk and control assessment process to evaluate the effectiveness of their security controls and confirm that they meet Vodafone security policies and requirements. To further validate the security controls of our suppliers, we require independent assurance certifications and reports (e.g. ISO27001, SOC2), and we also use an independent security rating service to scan our critical suppliers’ internet-facing systems, address identified issues and obtain a real-time insight into the supplier risk posture.
Through our supplier risk and control assessments, we identify and scrutinise critical and high-risk suppliers who are then scheduled for more detailed reviews. We re-assess suppliers regularly to identify whether their services, security control effectiveness and any associated risks have changed.
Building on all assessments, we continually work with all our suppliers to improve their security controls, safeguard our customer data and reduce the cyber security risk.
Certificate scope covering: “The Provision, Maintenance and Operations for Cyber Defence, Data Centres, Network, Infrastructure and Application services for Local Markets and Vodafone Business; Office IT services, Shared Service Centres and relevant Business Processes. Vodafone Business services includes International Network Connectivity, Unified Communications & Connectivity, Internet of Things, Cloud & Hosting and Customer Service Desks.”
Certificate scope covering: “Systems, processes & resources that support Vodafone services to all Enterprise customers in Unified Communications, Mobile Voice, Fixed Data Networks (including IP, MPLS & Satellite), Converged Technologies, Data Centre hosting, and Internet of Things (IoT) across our Sell, Build & Run operating model.”