SOC 2 Type II: The Anchor Audit for Verizon Business
SOC 2 Type II is the audit evidence that enterprise procurement teams request first from Verizon Business. An independent accountant evaluates the operating effectiveness of the Verizon controls over an observation window of at least six months against the five trust-services criteria: security, availability, processing integrity, confidentiality and privacy. The Verizon Business segment completes the audit annually; the audit letter is available on request to Platinum and Diamond tier Verizon accounts, and a bridge letter covers the gap between the audit close and the start of the next audit period.
The Verizon controls catalogue behind the audit covers administrator identity, device posture, application change management, network segmentation, incident response, backup and recovery, and vendor management. Each control carries a named owner, a testing frequency and an evidence artefact. A customer requesting the audit letter also receives a summary of the audit-period scope, any control-objective exceptions and the management response. The report is released under mutual non-disclosure through the Verizon connect team directory.
Security Tile Profile
- SOC 2 Type II annual audit with bridge-letter continuity.
- MFA enforced on every My Verizon administrator session.
- TLS 1.3 in transit and AES-256 at rest across the administrative environment.
- CPNI handling aligned with FTC privacy framework and FCC rules.
- ISO 27001 information-security management alignment.
- Zero-trust migration underway: identity layer complete, device-posture layer in conversion.
| Control | Standard | Scope |
|---|---|---|
| Multi-Factor Authentication | NIST SP 800-63B AAL2 | All My Verizon administrator sessions |
| Transport Encryption | TLS 1.3 | Admin console, API endpoints, billing portal |
| SOC 2 Type II Attestation | AICPA Trust Services Criteria | Administrative environment and customer-data systems |
| ISO 27001 Alignment | ISO/IEC 27001:2022 | Information-security management system |
| CPNI Handling | FCC CPNI Rules, FTC Privacy Framework | Customer call, usage and billing records |
| PCI-DSS Controls | PCI-DSS v4.0 | Payment-processing path on POS connectivity services |
MFA on My Verizon and Verizon Session Hygiene
Every primary and secondary administrator on My Verizon operates under enforced MFA. Supported second factors include TOTP authenticator apps such as Google Authenticator or Authy, FIDO2 security keys for the highest-assurance workflows, and SMS OTP as a fallback where the customer's own security policy still accepts it. Recovery codes are generated at enrolment and can be regenerated on demand. Administrator sessions expire on inactivity and on device-trust revocation, and high-risk actions such as bulk line-suspend or payment-method change trigger step-up re-authentication.
Device trust is layered on top of MFA. An administrator enrols a device through the welcome-letter activation flow or through a self-service device-add on a known browser. Trusted devices bypass repeated MFA challenges during the session window but are invalidated on password reset, on a suspicious-login flag, or on a manual revoke by the primary administrator. The audit trail captures every device-trust event for SIEM ingestion.
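The rules in the two paragraphs above (idle expiry, device-trust invalidation on password reset, suspicious login or manual revoke, step-up on high-risk actions, and an audit trail for SIEM ingestion) are small enough to model end to end. The Go program below is an added example written for this page, not Verizon code; the 15-minute idle timeout, the 5-minute step-up window, the action names and the audit event kinds are constructed values the page does not give, and a real deployment would take them from policy.

```go
package main

import (
	"fmt"
	"time"
)

type Decision string
const (
	Allow  Decision = "allow"
	StepUp Decision = "step_up" // re-authenticate before the action proceeds
	Deny   Decision = "deny"    // the session is no longer valid
)

// Constructed policy parameters: the page names the rules, not the numbers.
const (
	idleTimeout  = 15 * time.Minute
	stepUpWindow = 5 * time.Minute // one step-up covers high-risk actions this long
)

var highRisk = map[string]bool{"bulk_line_suspend": true, "payment_method_change": true} // the page's high-risk actions

type Device struct {
	ID, Owner string
	Trusted   bool
}

// A Session exists only after login with an enforced second factor, so MFA is a precondition here.
type Session struct {
	Admin        string
	Device       *Device
	LastActivity time.Time
	SteppedUpAt  time.Time // zero value: no step-up yet in this session
}

// AuditEvent is the SIEM-ingestible record of every decision and trust change.
type AuditEvent struct {
	At                          time.Time
	Admin, Device, Kind, Detail string
}

type Engine struct {
	Devices map[string]*Device // enrolled devices by ID
	Trail   []AuditEvent
}

func (e *Engine) record(at time.Time, admin, dev, kind, detail string) {
	e.Trail = append(e.Trail, AuditEvent{at, admin, dev, kind, detail})
}

// EnrollDevice marks a device trusted for an administrator (the device-add flow).
func (e *Engine) EnrollDevice(id, owner string, now time.Time) *Device {
	d := &Device{ID: id, Owner: owner, Trusted: true}
	e.Devices[id] = d
	e.record(now, owner, id, "device_enrolled", "trusted via device-add")
	return d
}

// RevokeDevice invalidates trust; reason is "password_reset", "suspicious_login" or "manual_revoke".
func (e *Engine) RevokeDevice(id, reason string, now time.Time) {
	if d, ok := e.Devices[id]; ok && d.Trusted {
		d.Trusted = false
		e.record(now, d.Owner, id, "device_trust_revoked", reason)
	}
}

// CompleteStepUp records a successful re-authentication on the session.
func (e *Engine) CompleteStepUp(s *Session, now time.Time) {
	s.SteppedUpAt, s.LastActivity = now, now
	e.record(now, s.Admin, s.Device.ID, "step_up_completed", "")
}

// Evaluate applies the session-hygiene rules, in order, to one requested action.
func (e *Engine) Evaluate(s *Session, action string, now time.Time) Decision {
	switch {
	case now.Sub(s.LastActivity) > idleTimeout:
		e.record(now, s.Admin, s.Device.ID, "session_expired", "idle timeout")
		return Deny
	case !s.Device.Trusted:
		e.record(now, s.Admin, s.Device.ID, "session_expired", "device trust revoked")
		return Deny
	case highRisk[action] && (s.SteppedUpAt.IsZero() || now.Sub(s.SteppedUpAt) > stepUpWindow):
		e.record(now, s.Admin, s.Device.ID, "step_up_required", action)
		return StepUp
	}
	s.LastActivity = now
	e.record(now, s.Admin, s.Device.ID, "allow", action)
	return Allow
}

func main() {
	e := &Engine{Devices: map[string]*Device{}}
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	s := &Session{Admin: "alice", Device: e.EnrollDevice("laptop-01", "alice", now), LastActivity: now}
	fmt.Println(e.Evaluate(s, "bulk_line_suspend", now)) // step_up
	e.CompleteStepUp(s, now)
	fmt.Println(e.Evaluate(s, "bulk_line_suspend", now)) // allow
	e.RevokeDevice("laptop-01", "suspicious_login", now)
	fmt.Println(e.Evaluate(s, "view_invoice", now), len(e.Trail), "audit events") // deny 6 audit events
}
```

The order of the checks matters: an expired or revoked session is denied before any step-up is offered, so re-authentication can never resurrect a session whose device trust has been pulled. Every branch, including the silent no-op when an already-revoked device is revoked again, leaves a trail entry or deliberately does not, which is what makes the trail usable as SIEM evidence rather than a debug log.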
Network Encryption and Data-at-Rest
All customer-facing administrative endpoints run TLS 1.3 with modern cipher suites and HSTS preloading. The API estate enforces the same transport baseline. At rest, customer usage records, CPNI-bearing data and billing artefacts are encrypted with AES-256 under keys held in an enterprise key-management service. Key rotation runs on a documented schedule, and key access is segregated from data access under dual control. Customer-managed-key options for the largest accounts let the customer's master administrator set the rotation cadence on their side.
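The at-rest controls in the paragraph above (AES-256 under a key-management service, scheduled key rotation, key access kept apart from data access) are the envelope-encryption pattern: each record is sealed under its own data-encryption key (DEK), and only that key, wrapped under a versioned key-encryption key (KEK), is stored beside the data. The Go program below is an added example written for this page, not Verizon's implementation. It assumes AES-256-GCM as the mode (the page says only AES-256), an in-memory stand-in for the enterprise KMS, and a constructed wrapped-key layout; the record ID is bound as associated data so a ciphertext cannot be moved between records. Dual control over the KEKs is an operational control around the KMS and is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
)

// randBytes draws n bytes from crypto/rand; failure there is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM over a 32-byte key (every key in this example is 32 bytes).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails if the key, the data or the aad do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// KMS stands in for the key-management service: KEK version N lives at index N-1 (call Rotate before first use); it never sees data.
type KMS struct{ keks [][]byte }

// Rotate adds a new KEK version and returns it; earlier versions stay for unwrap only.
func (k *KMS) Rotate() uint32 {
	k.keks = append(k.keks, randBytes(32))
	return uint32(len(k.keks))
}

// wrap seals a DEK under KEK version v as 4-byte version || sealed DEK, with the version bound as AAD.
func (k *KMS) wrap(dek []byte, v uint32) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, v)
	return append(hdr, seal(k.keks[v-1], dek, hdr)...)
}

// Unwrap recovers a DEK with whichever KEK version wrapped it.
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, errors.New("wrapped key too short")
	}
	v := binary.BigEndian.Uint32(wrapped[:4])
	if v == 0 || int(v) > len(k.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return open(k.keks[v-1], wrapped[4:], wrapped[:4])
}

// Rewrap moves a wrapped DEK to the current KEK version; the data it protects is untouched.
func (k *KMS) Rewrap(wrapped []byte) ([]byte, error) {
	dek, err := k.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	return k.wrap(dek, uint32(len(k.keks))), nil
}

// EncryptRecord seals a record under a fresh DEK (record ID as AAD); the store keeps ciphertext and wrapped DEK, never a KEK.
func EncryptRecord(k *KMS, plaintext []byte, recordID string) (ciphertext, wrappedDEK []byte) {
	dek := randBytes(32)
	return seal(dek, plaintext, []byte(recordID)), k.wrap(dek, uint32(len(k.keks)))
}

// DecryptRecord needs both the data store (ciphertext, wrapped DEK) and the KMS (unwrap): the separation the page describes.
func DecryptRecord(k *KMS, ciphertext, wrappedDEK []byte, recordID string) ([]byte, error) {
	dek, err := k.Unwrap(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(recordID))
}
```

Rotation here adds a KEK version without touching the data: wrapped DEKs sealed under an older version still open because that version is retained, and Rewrap moves them to the current version one wrapped key at a time. That is why rotating the master key on a schedule never requires re-encrypting the customer records themselves, and why a compromised data store alone yields only ciphertext and wrapped keys.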
The long-haul and access transport layers rely on MACsec on metro fiber segments and on IPsec for any multi-tenant carrier-interconnect path. Customers who need an explicit encryption floor on a dedicated-access circuit can contract for MACsec-on-wire via the dedicated network service line. The background reference covers how the long-haul layer ended up inside the segment through the 2006 MCI acquisition.
Incident Response and Coordinated Disclosure
The incident response framework follows a documented intake, triage, containment, eradication and recovery loop, backed by a named incident commander for each severity-one event. The customer-facing contact path runs through the help-desk tier, with escalation to the account team for Platinum and Diamond tier relationships. A coordinated-disclosure policy applies to security-researcher reports: the segment acknowledges a report within two business days and provides status updates at a documented cadence until a fix or mitigation ships. Researchers report through a secured channel published on the regulatory reference page.
Post-incident reviews conclude with a root-cause analysis and an action-item list with named owners. Significant events that touch customer-proprietary network information are disclosed under the FCC CPNI breach rules and, where applicable, under state data-breach notification statutes. Regulatory alignment notes from the FCC and FTC govern the customer-notice templates used in those cases.
ISO 27001 Alignment and Zero-Trust Migration
ISO 27001:2022 alignment covers the information-security management system around the administrative environment. The alignment is evidenced through internal audits, management-review minutes, risk-treatment logs and Annex-A control statements. Customers who need a full certificate (rather than alignment evidence) can route the request through the named account team, which determines whether the specific segment-level scope fits the customer's own compliance scope or whether a higher-level corporate certificate satisfies the request.
The zero-trust migration replaces implicit network-edge trust with continuous identity and device-posture verification. The identity layer is fully converted — every internal administrative session now runs through the identity provider with MFA and device-posture signals. The device-posture layer is mid-conversion, which means a small number of legacy administrative tools still accept a softer posture signal during the migration window. The network-segmentation layer is on a multi-year track. Customer-facing impact is limited to occasional additional step-up challenges on higher-risk actions and is visible in the audit trail.