Digital responsibility Cybersecurity
Protecting the security of our systems and networks is a top priority for us. To more effectively address the cybersecurity threats posed today, Verizon has a dedicated Chief Information Security Officer whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes. Verizon’s comprehensive information security program includes, among other aspects, vulnerability management, antivirus and malware protection, file integrity monitoring, encryption and access control. The Chief Information Security Officer leads an annual review and discussion with the full Board dedicated to Verizon’s cyber risks, threats and protections, and provides updates throughout the year, as warranted.
Identifying data security risks and managing vulnerabilities
Verizon’s enterprise-wide Information Security Policy is aligned with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1). As part of this policy, we have deployed a comprehensive Enterprise Vulnerability Management (EVM) program designed to identify and protect against data security risks through the following methods:
Framework. Our EVM program is governed by a comprehensive policy which outlines the core components, cadence and personnel responsibilities necessary to sustain a healthy and well-balanced program.
Risk identification. We continually assess the threat and vulnerability landscape using various commercial, government, vendor and publicly available information sources.
Risk detection. We use both manual and automated detection methods, including Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), on a scheduled and real-time basis to identify vulnerabilities within our network infrastructure.
Risk evaluation. Identified vulnerabilities are assigned a severity classification based on their evaluated risk using an industry standard scoring model.
Remediation. Vulnerabilities are then reported to the appropriate asset owners and custodians for remediation. If remediation is not feasible within the policy timeframe, a work plan is developed and tracked. In rare circumstances, an exception may be approved, which is tracked in a central system of record as mitigating or compensating controls are considered and deployed.
Metrics & reporting. We collect and retain data for reporting purposes and to enhance management accountability for remediation of vulnerable assets. We also use the data to assess threat trends and for strategic planning of ongoing program improvements.
Enhancing 5G cybersecurity
We recognize that potential cybersecurity risks will continue, or arise anew, as adoption of 5G expands. Our approach to addressing these concerns is guided by principles in security that have underpinned our previous networks and that we can use with greater efficiency and effect in 5G.
We are designing and deploying the 5G network with security as a central element, relying exclusively on trusted vendors that have undergone rigorous supply-chain vetting processes. We routinely assess the software and hardware that goes into our network and employ rigorous, documented policies and procedures for secure configuration and operation of equipment and devices we deploy throughout the network. Components of our 5G infrastructure, even within the network itself, are required to authenticate to one another prior to performing their functions.
Further, we leverage the new 5G architecture and technical standards, which we ourselves have helped develop, to provide new security features that did not exist in previous generations of wireless technology. Finally, we have helped spearhead global advances in the security of the Internet of Things (IoT) and other devices that connect to the 5G network and will continue to advance new security innovations in the future. Please read our white paper on how our 5G network is designed, deployed and operated with security at its core.
Data breach investigations report
Verizon publishes an annual Data Breach Investigations Report to help our customers better understand the cybersecurity threats they may face and how to manage these risks effectively.