Verizon Internal Systems Information Security Exhibit

Information Security: To secure the internal systems, networks, and applications that support enterprise/business services (“Internal Systems”), Verizon operates in a manner consistent with its information security policies and maintains the physical, technical, and administrative safeguards appropriate to protect its Internal Systems. While Verizon information security policies are based on generally accepted industry practices, individual services may have different and/or additional security features that Verizon can review with Customer upon request.

Verizon scope for securing Internal Systems includes the following:

Building and maintaining a secure network

  • Using a variety of industry-recognized security practices to protect our internal networks, including appropriately configured firewalls, network segmentation and networking monitoring.
  • Changing vendor-supplied defaults for system passwords and other security parameters.
  • Logging and monitoring access to Verizon’s networks and Internal Systems.
  • Regularly testing security systems and processes utilized for network security.

Protecting sensitive information

  • Maintaining a Verizon Code of Conduct for Verizon employees (available to the public at http://www.verizon.com/about/our-company/code-conduct) which requires that they comply with information security policies and procedures.
  • Using contractual and other measures to obtain third party suppliers’ compliance with appropriate information security requirements, such as Verizon’s baseline security requirements for suppliers, our Supplier Code of Conduct and other materials.
  • Providing physical security controls for each computer room, data center, and similar facilities that may contain sensitive information. 
  • Providing technical and other controls protecting sensitive information stored in Internal Systems, consistent with Verizon’s information security policies and procedures.
  • Complying with applicable laws and regulations related to protecting sensitive information stored by Verizon.

Maintaining a vulnerability management program

Verizon’s practices require:

  • Proper use of anti-virus software on systems to address malware threats against its systems.
  • Developing and maintaining secure systems and applications consistent with industry standards.
  • Maintaining a patch management process.
  • Scheduling, monitoring, controlling, and tracking significant changes affecting Internal Systems.
  • Employing processes to identify new security vulnerabilities with assistance from outside sources for security vulnerability information.

Implementing strong access control measures

  • Enforcing proper authentication for Internal System access.
  • Using effective security mechanisms and procedures in Verizon data centers and for general building security protocols.
  • Assigning a unique ID, consistent with Verizon’s information security policies, for employees, agents, and contractors to use when accessing Internal Systems.
  • Appropriate application of the “Principle of Least Privilege” to Internal System access.

Maintaining an information security policy

  • Maintaining formal, documented information security policies that are available to Verizon employees.
  • Providing training and awareness to Verizon employees and contractors concerning the importance of information security.
  • Complying with applicable privacy laws and regulations to which Verizon is subject.
  • Maintaining a dedicated information security team to promote and assist in enforcement of information security policies and practice.

Disaster recovery

  • Maintaining business continuity and disaster recovery protocols to avoid service disruptions.
  • Identifying through Verizon’s business continuity and disaster recovery practices potential recovery risks to Verizon’s Internal Systems.
  • Developing and implementing strategies to minimize recovery risks and validate Verizon’s response capabilities.

Incident management

Maintaining a formal incident management program that:

  • Addresses the identification, management, and resolution of security issues requiring attention;
  • Communicates, consistent with contractual and legal obligations, the status of material issues affecting Customer, and;
  • Mandates a post-incident review.

February 2019