Data Security Practices
Verisign has adopted and will continue to maintain appropriate technical and organisational security practices for customer data. These practices involve Verisign infrastructure, software, employees and procedures, and take into account the nature, scope and purposes of the processing as specified in the customer’s agreement. The security controls and practices are designed and intended to protect the confidentiality, integrity and availability of customer data against the risks inherent in the processing of personal data, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, customer data that is transmitted, stored or otherwise processed. Verisign continually works to strengthen and improve those security controls and practices.
Verisign operates under practices that are aligned with the AICPA Trust Services Principles and Criteria (System and Organisation Controls (“SOC”)) (www.aicpa.org). Verisign’s information security practices establish and govern the areas of security applicable to Verisign and to customers’ use of Verisign’s services. Verisign personnel, including employees, contractors and temporary employees, are subject to these practices and to any additional policies that govern their employment or the services they provide to Verisign.
Verisign’s approach to information security is comprehensive, implementing a multi-layered strategy in which physical security, network infrastructure, software, and employee security practices and procedures all play a key role, reinforced by robust governance and oversight.
a) Physical Safeguards
Verisign employs measures specifically designed to prevent unauthorised persons from gaining access to Verisign facilities in which customer data is hosted, including its office locations and all of its production infrastructure. Common controls utilised between office locations and Verisign co-locations/data centres include, for example:
- All physical access is restricted and requires authorisation.
- All Verisign premises are controlled and monitored by video with recording capability.
- Entrances are protected by physical barriers designed to prevent unauthorised entry by vehicles.
- Premises are manned 24 hours a day, 365 days a year by security guards who perform, among other things, visual identity recognition and visitor escort management.
- All employees and visitors must visibly wear official identification while on-site.
- Visitors must sign a visitor's register and be escorted and/or observed while on-site.
- Possession of keys/access cards and the ability to access the locations are monitored. Staff leaving Verisign employment must return their keys/cards.
- Multiple generators, UPS, HVAC and fire suppression systems have been implemented at all locations.
b) Systems Access Controls
Firewalls, perimeter security controls, VPNs and access-controlling routers are in place and configured to Verisign’s standards to prevent unauthorised communications. Network-based intrusion detection systems are configured to detect attacks or suspicious behaviour, and vulnerability scans are performed to identify potential weaknesses in the security and confidentiality of systems and data. Verisign may, depending on the specific service, apply the following controls: (i) authentication via passwords and/or multi-factor authentication; (ii) documented authorisation and change management processes; and (iii) logging of access. Software supporting Verisign’s infrastructure includes operating systems, databases and anti-virus software, which are updated as needed. Internally developed applications perform product delivery functions. In addition, Verisign uses multiple backup/restore utilities to perform daily and periodic backups of production systems.
Verisign’s access to its customers’ data is restricted to authorised personnel and access is granted after receiving proper approval from management. Only Verisign staff with a need to know will be granted access to customer data for the sole purpose of providing customers with support. In addition, Verisign provides a mechanism by which customers can control access to their environments and to their content by their authorised staff.
c) Transmission and Connection Control
Verisign implements measures to prevent customer data from being read, copied, altered or deleted by unauthorised parties at rest, in transmission and in transport. This is accomplished by various measures, including the use of adequate firewalls, VPNs, secure protocols and encryption technologies to protect the gateways and pipelines through which customer data travels. Customers’ access to Verisign customer portals is also accomplished through a secure communication protocol provided by Verisign. If access is through a Transport Layer Security (“TLS”) enabled connection, that connection is negotiated for at least 128-bit encryption. The private key used to generate the cipher key is at least 2048 bits. TLS is implemented or configurable for all web-based TLS-certified applications deployed at Verisign.
d) Data Segregation
Customer data is logically or physically segregated from that of other customers hosted in Verisign’s environments.
e) Confidentiality and Training
Verisign staff who may have access to customer data are subject to confidentiality agreements. Verisign staff are required to periodically complete training.
f) Verisign Information Security Policies
Verisign information security policies establish and govern areas of security applicable to Verisign services and customers’ use of those services. Verisign personnel are subject to the Verisign information security policies and any additional policies that govern their employment or the services they provide to Verisign. Relevant information about these policies is available in the applicable SOC 2 or other third-party reports that can be shared with customers upon request.
g) Security Assessments
Verisign employs internal processes for regularly testing, assessing, evaluating and maintaining the effectiveness of the technical and organisational security measures described here. Verisign may employ third parties to conduct independent reviews and ensure compliance with the following (the availability and scope of reports may vary by service and country):
- AICPA Trust Services Principles and Criteria (System and Organisation Controls (SOC) 2 Type II)
- Sarbanes-Oxley Act of 2002
- Other independent third-party security testing to review the effectiveness of administrative and technical controls.
Effective: 24 May 2018