Verizon Security Summary

Verizon’s Corporate Information Security Program has implemented administrative, technical and physical safeguards that help to protect the confidentiality, integrity and availability of systems, networks, and information. To secure the internal systems and networks that support Enterprise Services (“Verizon Assets”), Verizon operates in a manner consistent with its information security policies and maintains physical, technical, and administrative safeguards appropriate to protect Verizon Assets.   While Verizon information security policies are based on generally accepted industry practices, individual Enterprise Services may have different and/or additional security features. Verizon’s substantial investment in the people, processes and tools necessary to secure the products and services that our customers trust and depend on, demonstrates our commitment to security excellence every day. Our continuous improvement strategy strives to stay ahead of the curve by implementing forward thinking security controls and techniques to protect customer data and the Verizon Network.

Verizon scope for securing Internal Systems includes the following:

• Verizon maintains a formal, documented information security policy, which is based on various recognized industry security standards and is aligned to the NIST Cybersecurity Framework and is applicable to all Verizon employees and Authorized Users on Verizon Assets
• Verizon maintains information security teams to promote and assist in the enforcement of Verizon’s information security policy and practices.
• Verizon has a formal Cyber Security Awareness Program to ensure Verizon personnel are provided with cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with policy and the underlying control framework.
• Verizon develops and maintains systems designed to secure Customer Data through privacy and cybersecurity risk assessments, and where appropriate uses automation in the development lifecycle to enforce controls, among other practices.
• Verizon complies with applicable privacy laws and regulations to which Verizon is subject.

• Verizon uses a variety of industry-recognized security practices to protect our internal networks, including appropriately configured firewalls, network segmentation and networking monitoring.
• Verizon implements security continuous monitoring which includes logging and monitoring access to Verizon’s networks and assets. Hardware and software-based tools have been deployed throughout the Verizon network to provide real-time alerting from devices such as firewalls, intrusion detection systems, routers and switches.
• Verizon changes vendor-supplied defaults for system passwords and other security parameters.
• Verizon regularly tests systems and processes utilized for network security to maximize operational capacity.
• Verizon develops and maintains systems designed to secure Customer Data through privacy and cybersecurity risk assessments, and where appropriate uses automation in the development lifecycle to enforce controls, among other practices.

• Verizon maintains a Verizon Code of Conduct for Verizon employees (available to the public at http://www.verizon.com/about/our-company/code-conduct) which requires that they comply with information security policies and procedures.
• Verizon uses contractual and other measures to obtain third party suppliers’ compliance with appropriate information security requirements, such as Verizon’s baseline security requirements for suppliers, our Supplier Code of Conduct and other materials.
• Verizon develops and maintains systems designed to secure Customer Data through privacy and cybersecurity risk assessments, and where appropriate uses automation in the development lifecycle to enforce controls, among other practices.
• Verizon manages data protection in a systematic and structured manner to enforce confidentiality requirements throughout the data’s lifecycle of creation, transmission, storage, modification, retention and destruction. Based on risk, industry standard encryption is used to protect data-in-transit and data-at-rest.
• Verizon provides physical security controls for each computer room, data center, and similar facilities that may contain sensitive information.
• Verizon complies with applicable laws and regulations related to protecting sensitive information stored by Verizon.

• Verizon uses anti-virus software on systems to address malware threats against its systems.
• Verizon has an established patch management process for production hardware and software installed on the Verizon network.
• Verizon schedules, monitors, controls, and tracks significant changes affecting Verizon Assets.
• Verizon performs internal and external vulnerability scans on a periodic basis.  System owners may schedule real-time vulnerability system scans as needed to adapt to changing threat vectors.

• Logical access control policies are defined, documented and managed to ensure that only authorized personnel have access to critical business applications and systems based on position and job requirements.
• Access to Verizon Assets requires the use of multi-factor authentication. Where appropriate and based on risk, network integrity is further protected by incorporating network segregation between production systems.
• Verizon assigns a unique ID, consistent with Verizon’s information security policies, for employees, agents, and contractors to use when accessing Verizon Assets.
• Verizon implements controls to restrict physical access to facilities housing Verizon systems to authorized personnel. Depending on the type of facility, access may be permitted by electronic card access readers, keys, security guards, or local company personnel.
• Verizon utilizes the Principle of Least Privilege to manage access for each of its systems. Privileged access for production network, system or application functions are controlled and restricted to as few personnel as operationally feasible and is authorized on a “need to know” or “event by event” basis.

• Verizon maintains business continuity and disaster recovery protocols designed to enhance Verizon’s ability to respond to significant events that might disrupt Verizon’s networks and facilities or otherwise impair Verizon’s ability to provide service.
• Verizon’s business continuity and disaster recovery practices identify potential recovery risks to Verizon Assets, and implement measures designed to help minimize and mitigate those risks using industry-accepted practices.

• Verizon maintains a written, actionable incident response plan to ensure timely reaction to Security Events, Security Incidents and Data Breaches by the Verizon Threat Management Center.
• Verizon addresses the identification, management, and resolution of security issues requiring attention.
• Verizon communicates, consistent with contractual and legal obligations, the status of material issues affecting the Customer.

Last update, September, 2020