
Policy Validation

The Verizon Cybertrust Security Enterprise Certification addresses 31 policy categories that affect all critical control groups within an organization.

The following is a list of some of the policies that every Verizon Cybertrust Security Certified Enterprise organization has had assessed by Verizon Business. Through Verizon Cybertrust Security Enterprise Certification, these organizations have demonstrated that they meet both data protection obligations (controls, levels of protection, and documentation) and data communication standards (sharing sensitive data with third parties).

All other Verizon Cybertrust Security certifications (Perimeter, Business, Application) and the Verizon Cybertrust Security Secured Site Program address select controls within these 31 policy categories, and are assessed only against the controls relevant to that individual certification program.

  • Access Control - Applicability, organizational and legal requirements, logical rights management, and "least privilege" process for granting, modifying, and removing access
  • Antivirus - Installation, configuration and update frequency requirements
  • Application Change Control - Testing, patching, production deployment, tracking and resolution
  • Back-Up - Critical devices, complete backups, incremental backups, archive logs, restoration, and system availability
  • Business Continuity / Disaster Recovery - Emergency declaration, escalation, recovery, testing and training
  • Corrective Action - Workforce compliance and enforcement with security policies and procedures
  • Data Handling and Disposal - Sensitive data classification, labeling, handling, ownership, and destruction
  • Data Breach Notification - Communication process for informing affected individuals of security breaches exposing personal data
  • Dial-Up - How and when to use, target devices accessible, installation approval process, configuration requirements for modems and other remote devices
  • E-Mail - Normal use, prohibitions, recording and retention, message content restriction, use of antivirus tool(s), privacy expectations and backup
  • Employee Termination - Responsibilities, applicability, procedures, handling property, and access removal
  • Encryption - When to use, required levels, key management, and roles and responsibilities
  • Firewall - Access, authentication, routing, administration, trust relationships, architectures, and default deny
  • Help Desk - Creating and resetting credentials, access, logging, training, logged data, and problem escalation
  • Hiring - Pre-employment reference checks, interview process, position sensitivity analysis, criminal background checks, credit checks, and substance abuse screenings
  • Incident Response - Incident definitions, clear delineation of roles and responsibilities, detailed escalation procedures, disciplinary procedures, documentation and recovery procedures, as well as ongoing contact with relevant external parties such as law enforcement
  • Internet-facing Devices - Advance approval, deployment, configuration and management
  • Internet Usage - Permitted use, monitoring, disciplinary action and allowed services
  • Key Person Continuity - Identification and designation of key and/or sensitive positions, cross training and maintenance of job descriptions
  • Mobile Computing and Communications - Physical protection responsibilities, access controls, cryptographic protection, back-ups, malcode protection and use in public areas for all mobile devices
  • Non-Corporate Computer Connections - Process for personal laptops, storage devices, etc.
  • Online Visitor Privacy - Use of privacy statements and pre-approval by legal counsel
  • Passwords - Length, age, construction, protection, and reuse requirements for desktops, servers, applications and modems
  • Personal Computer Usage - Software and hardware installation and configuration, appropriate use, responsibility and physical security
  • Physical Security - Physical access controls, response, contacts, environmental requirements, surveillance, and protection from natural and man-made disasters
  • Service Provider Management - Contract management, due diligence and security documentation review for vendors that create, receive, process, transmit, store, and/or destroy sensitive data
  • Session Timeout - Screen saver use, configuration, timeout, password protection, and application and terminal session timeout and expiration
  • Teleworking - Acceptable activities, responsibility, encryption, use of personal equipment, and authentication
  • Third Party Communications - Appropriate contracts, level of protections and documentation
  • VPN - Access, authentication, administration, trust relationships, acceptable use, architecture, and configuration requirements
  • Wireless - Approval, configuration, maintenance, and cryptography requirements
