Control Framework Overview
Verizon security controls on the commercial book of business sit under a documented framework mapped to SOC 2 Trust Services Criteria (security, availability, confidentiality, processing integrity and privacy), ISO 27001 Annex A, NIST SP 800-53 moderate baseline for federal tenancies and the HIPAA Security Rule safeguards for healthcare customers. Control evidence is collected continuously through an internal GRC platform and rolled up into the annual third-party audit. The SOC 2 Type II attestation letter is available on request to enterprise customers on Platinum and Diamond tiers.
The Verizon framework covers four broad categories. Identity and access management governs how administrators and end users authenticate to the My Verizon portal, how roles are provisioned, how session tokens are scoped and how privileged access is logged. Network and endpoint security covers firewalling, intrusion detection, DDoS mitigation, endpoint posture and data loss prevention on Verizon Business hosted services. Data protection covers encryption at rest, encryption in transit, key management and data classification. Operational security covers vulnerability management, change control, incident response and business continuity.
Security Snapshot
- SOC 2 Type II attested annually by an independent accountant; ISO 27001 certified hosting for My Verizon.
- MFA mandatory on first login; SMS, email OTP, TOTP and FIDO2 factors supported.
- TLS 1.2/1.3 everywhere on customer traffic; AES-256 on data at rest.
- One-hour initial incident response on Platinum and Diamond SLAs.
- Port-out PIN and SIM-swap monitoring standard on every wireless line.
| Category | Description | Standard |
|---|---|---|
| SOC 2 Type II | Independent annual audit of security, availability, confidentiality, processing integrity and privacy controls. | AICPA Trust Services Criteria |
| ISO 27001 | Information security management system certification covering My Verizon hosting and provisioning systems. | ISO/IEC 27001:2022 |
| MFA Policy | Multi-factor authentication required on first login from a new device and recommended every session. | NIST SP 800-63B AAL2 |
| Encryption in Transit | TLS 1.2 and TLS 1.3 between customer device and portal; 3GPP ciphering on radio interfaces. | TLS 1.3 / 3GPP TS 33.501 |
| Encryption at Rest | Customer records, billing data and provisioning tables encrypted at rest under managed keys. | AES-256 |
| FedRAMP Moderate | Authorisation covering federal customer tenancies on qualifying service profiles. | NIST SP 800-53 Moderate |
Multi-Factor Authentication on My Verizon
Every Verizon session starts on the Verizon login portal and, on first login from any new device, steps up to a second factor. The supported factor library covers SMS one-time codes to the registered mobile number, email one-time codes to the registered administrator address, time-based one-time codes from any RFC 6238 authenticator app and FIDO2 hardware security keys. On enterprise tenants federated to Okta, Azure AD or PingFederate, the step-up factor can be delegated to the customer's own identity provider and its own enforcement policy.
Device trust on the Verizon portal is the companion to the MFA challenge. After a successful authentication the browser is issued a trust token with a configurable lifetime (default thirty days, minimum one day on high-security tenants). A subsequent session from the same browser within the trust window skips the second factor; a session from a new browser, a new IP prefix or an anomalous geolocation forces a new MFA challenge. Administrators can view and revoke trusted devices from the security tab inside the My Verizon dashboard.
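The device-trust decision described above, as an added example (not Verizon's own code): the trust token is bound to the browser, the IP prefix and the coarse geolocation at issue time, the lifetime defaults to thirty days with a one-day floor, and any mismatch or expiry forces a fresh second-factor challenge. Field names, the /24 (IPv4) and /48 (IPv6) prefix widths and the use of Unix seconds are assumptions.

```python
# Added example, not Verizon code: a minimal model of the device-trust
# step-up decision. Field names and prefix widths are assumptions.
from dataclasses import dataclass
import ipaddress

DAY = 86400
DEFAULT_TRUST_DAYS = 30   # default trust-token lifetime stated on the page
MIN_TRUST_DAYS = 1        # floor stated for high-security tenants

@dataclass
class TrustToken:
    browser_id: str       # opaque per-browser identifier bound to the token
    ip_prefix: str        # network prefix seen when the token was issued
    country: str          # coarse geolocation at issue time
    expires_at: int       # Unix seconds

def ip_prefix(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) prefix."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def issue_token(browser_id: str, ip: str, country: str, now: int,
                lifetime_days: int = DEFAULT_TRUST_DAYS) -> TrustToken:
    """Issue a trust token after a successful second-factor challenge."""
    days = max(MIN_TRUST_DAYS, lifetime_days)   # never below the one-day floor
    return TrustToken(browser_id, ip_prefix(ip), country, now + days * DAY)

def needs_step_up(token, browser_id: str, ip: str, country: str, now: int) -> bool:
    """True when the second factor must be challenged again."""
    if token is None or now >= token.expires_at:
        return True                     # no trust, or trust window elapsed
    if token.browser_id != browser_id:
        return True                     # new browser
    if token.ip_prefix != ip_prefix(ip):
        return True                     # new IP prefix
    if token.country != country:
        return True                     # anomalous geolocation (coarse proxy)
    return False                        # trusted device: skip the second factor
```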
Verizon password policy on the portal is aligned to NIST SP 800-63B guidance. Minimum length is twelve characters, complexity rules are replaced with a breached-password check against the HIBP corpus at every password-change event, and rotation is only required on compromise — not on a fixed calendar. Accounts lock after ten sequential failed password attempts with a progressive backoff and a 30-minute automatic unlock, with a manual unlock path through account verification on the reach-out line.
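The password and lockout policy above, as an added example (not Verizon's own code): a twelve-character minimum, a breached-password check in place of complexity rules, and a lock after ten sequential failures with progressive backoff and a 30-minute automatic unlock. The breached-password corpus is a constructed stand-in for HIBP (indexed by SHA-1 prefix the way the range API is), and the exact backoff curve is an assumption.

```python
# Added example, not Verizon code. The HIBP stand-in and backoff curve are assumed.
import hashlib

MIN_LENGTH = 12
LOCK_THRESHOLD = 10
AUTO_UNLOCK_SECONDS = 30 * 60

# Constructed stand-in for the HIBP corpus: SHA-1 hashes of a few known-bad
# passwords, indexed by the 5-hex-character prefix the k-anonymity API uses.
_BREACHED = ["password1234", "correcthorsebattery", "letmein12345"]
BREACHED_BY_PREFIX = {}
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACHED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])

def is_breached(password: str) -> bool:
    """Range-style lookup: look up the prefix, match the suffix locally."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in BREACHED_BY_PREFIX.get(h[:5], set())

def password_acceptable(password: str) -> bool:
    """Length floor plus breached-password check; no composition rules."""
    return len(password) >= MIN_LENGTH and not is_breached(password)

class LoginGuard:
    """Per-account failure counter with progressive backoff and timed lockout."""
    def __init__(self):
        self.failures = 0
        self.not_before = 0      # earliest allowed next attempt (Unix seconds)
        self.locked_until = 0    # 0 means not locked

    def can_attempt(self, now: int) -> bool:
        if self.locked_until and now >= self.locked_until:
            self.reset()         # automatic unlock after 30 minutes
        return now >= self.not_before and now >= self.locked_until

    def record_failure(self, now: int) -> None:
        self.failures += 1
        if self.failures >= LOCK_THRESHOLD:
            self.locked_until = now + AUTO_UNLOCK_SECONDS
        else:
            # progressive backoff: 1, 2, 4, ... seconds, capped at 60 (assumed curve)
            self.not_before = now + min(2 ** (self.failures - 1), 60)

    def reset(self) -> None:
        """Called on successful login or automatic unlock."""
        self.failures = 0
        self.not_before = 0
        self.locked_until = 0
```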
Fraud Protection and SIM-Swap Defence
Verizon fraud controls on Verizon Business lines span the whole account lifecycle. At enrolment, identity is verified through business-registry lookups (Dun & Bradstreet, Secretary of State filings) and a bank-account micro-deposit challenge on the initial payment method. Once live, line-level activity is scored by an internal risk engine that flags deviations from the account's baseline — a sudden device order surge, an unusual upgrade velocity, an out-of-pattern international roaming activation — and places a temporary hold on the transaction while a fraud analyst reviews.
Verizon SIM-swap protection is the specific control for the most common attack on wireless accounts. Every line carries a port-out PIN that is required at port-out request and at SIM-swap request; the PIN is set by the administrator at activation and can be rotated at any time inside My Verizon. Port-out requests from an originating carrier that do not carry the PIN are rejected; SIM-swap requests at retail are blocked unless the requestor can clear a three-factor in-person verification. Administrators can enable an additional "port freeze" that requires a second-factor challenge in My Verizon before any port-out will even be considered.
Network Encryption and Data Protection
Customer traffic between devices and Verizon services is encrypted end-to-end in transit. The radio link on LTE and 5G runs the 3GPP-standard ciphering with AES-128 or AES-256 keys derived per-session from the device credentials. The backhaul and the internal provisioning links run under IPsec with managed key rotation. The customer-facing portal at my-verizon-login.html and every API endpoint accept only TLS 1.2 and TLS 1.3, with the weaker cipher suites disabled and HSTS preloaded on every subdomain.
Customer records, billing histories and provisioning tables sit in database stores encrypted at rest under AES-256, with keys managed in a centralised HSM-backed key management service and rotated annually. Backup images carry the same encryption into the offline store. Access to the raw database is tightly scoped to a short list of on-call engineers, with every query against customer data written to an immutable audit log that is reviewed weekly by the internal security operations centre.
Incident Response Process
The Verizon incident response process is exercised quarterly through a table-top drill and annually through a full live-fire exercise. Detection feeds come from the internal SOC (24/7 operations, Tier 1 through Tier 3 analysts), customer reports logged through the support hub, external threat-intelligence feeds and automated anomaly detection on telemetry. On a confirmed incident the SOC opens a ticket, notifies the incident commander and starts the containment clock.
Verizon response timing is specified in the enterprise SLA. The initial response — acknowledgement to the customer with a ticket reference, initial severity assessment and first containment action — is committed within one hour on Platinum and Diamond tiers and within four hours on standard commercial tiers. Status updates flow on a four-hour cadence (or faster if the situation is active). A written post-incident review is delivered within ten business days of closure and covers timeline, root cause, containment actions, lessons learned and follow-up commitments.