Baseline Security Requirements For Verizon Suppliers for the performance of work under an Agreement, Supplier must Sanitize (or at Verizon’s election return to Verizon) all copies of all Verizon Confidential Information, including all backup and archival copies, in any electronic or non-electronic form. e. All hardcopy documents must be cross-cut shredded. f. Maintain records for all media that have been destroyed, sanitized or returned to Verizon. Records must be maintained for a minimum of four (4) years and made available to Verizon for inspection upon request.
Baseline Security Requirements For Verizon Suppliers. The following information security requirements (“Requirements”) are generally applicable to Supplier engagements with Verizon. These Requirements are not intended to address specific security functionality or attributes of devices, software or systems sold, leased or licensed to Verizon by Supplier and will not limit more stringent or other security related Requirements set forth in this Agreement. For the avoidance of doubt, security industry terms used herein which are undefined in the Agreement have the meaning described in information security guidance issued by the National Institute of Standards and Technology (NIST), or similarly regulatory bodies that issue industry accepted standards governing information security.
Baseline Security Requirements For Verizon Suppliers i. Securely access the Supplier information systems from Supplier’s third parties’ information systems; and ii. Securely process, store or transmit organization-controlled information using Supplier’s third parties’ information systems.
Baseline Security Requirements For Verizon Suppliers. Supplier must: a. Employ reasonable controls to secure source code, including version control, segregation of source code repositories, and least privilege access principles. b. Incorporate security vulnerability and malicious code assessments throughout the software development life cycle. c. Ensure the information system separates user functionality (including user interface services) from information system management functionality. d. Implement denial of service (DoS) detection and mitigation controls. e. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system. f. Implement subnetworks for publicly accessible system components that are either physically or logically separated from internal, trusted Supplier networks. g. Connect to and allow connections from external networks only through managed interfaces consisting of boundary protection devices and security gateways. h. Implement appropriate cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission. i. Encrypt (in Transit and at Rest) Verizon Highly Confidential information. j. Establish and manage cryptographic keys in accordance with established and industry accepted key management procedures for systems encrypting and or decrypting Verizon data. k. Ensure retention and restoral of electronic mail when directed by Verizon in connection with actual or anticipated legal proceedings. l. Adhere to the following requirements when connecting to a Verizon network: i. Assets used to connect to a Verizon network must either be provided by Verizon or must be owned/leased by the Supplier or permitted subcontractors. ii. Personally owned assets may not be used to perform work for Verizon.
Baseline Security Requirements For Verizon Suppliers g. Maintain logical and/or physical separation between production and non-production environments (e.g., development, testing), sufficient to prevent unauthorized access between them. h. Prohibit the use of Verizon Confidential data in a non-production environment (i.e. test or development) unless approved by Verizon. i. Develop backup plans and schedules to protect against malicious destruction of information. j. Mask or truncate Verizon Highly Confidential Information in display to prevent disclosure when unnecessary to perform a required business function and when required by law.
Baseline Security Requirements For Verizon Suppliers a. Identify information system users, processes acting on behalf of users, and devices. b. Require Authentication for users, processes, and devices as a prerequisite to allowing access to information systems. c. Ensure the information system uniquely identifies and Authenticates users (or processes acting on behalf of users). d. Implement Strong Authentication for network access to privileged accounts. e. Implement Strong Authentication for remote access to privileged and non-privileged accounts. f. Implement an Identification and Authentication policy consistent with and or more secure than the current NIST 800-63 Digital Identity Guidelines publication. g. Ensure information systems store and transmit only cryptographically-protected Authenticators.
Baseline Security Requirements For Verizon Suppliers f. Ensure all permitted third-parties that will perform services in support of this Agreement on behalf of Supplier (e.g. subcontractors), including cloud service providers, comply in writing with materially similar Requirements to those outlined in this Exhibit. g. Monitor security control compliance by external service providers on an ongoing basis.
Baseline Security Requirements For Verizon Suppliers. 3. Customer Proprietary Network Information (CPNI) means, for the purposes of these Requirements, information about a customer’s telecommunications service that is identifiable to that customer, such as call detail, usage, features, geo-location information associated with such service and service subscription information, and further including information contained in bills pertaining to telephone exchange service or telephone toll service and subject to Federal Communications Commission regulations at 47 U.S.C. Section 222(f)(1).
Baseline Security Requirements For Verizon Suppliers. Supplier must:
Baseline Security Requirements For Verizon Suppliers. 12. Verizon Confidential Information means non-public information received from Verizon and non-public information generated for Verizon in connection with any agreement between Verizon and Supplier (an "Agreement") under which Supplier provides products or services to Verizon or to others at Verizon's request or direction, as well as any other information defined as "Confidential Information" under such agreement. Some Confidential Information has increased sensitivity and is categorized as "Highly Confidential Information," further described below . For avoidance of doubt, "Highly Confidential" should also be considered "Confidential Information" in these Requirements.
