Silver & Gold
Evidence carriers and partners ask for — not checkboxes.
Cyber insurers and Alliance Partners increasingly require documented proof of controls. Silver and Gold attestation is built on evidence, not self-reported promises.
Multi-factor authentication
SILVERGOLDDocumented MFA on email, remote access, banking, and privileged accounts — a baseline carriers and Alliance Partners expect before attestation.
Example artifacts
- · MFA policy screenshot
- · Identity provider enrollment report
- · Admin account MFA status
Endpoint detection and response
SILVERGOLDBehavioral monitoring beyond traditional antivirus — increasingly required for cyber insurance and mature Silver/Gold evidence packets.
Example artifacts
- · EDR/XDR console status
- · Agent coverage report
- · Alert response log sample
Encrypted, tested backups
SILVERGOLDBackups that are encrypted, immutable or air-gapped where appropriate, and restored on a documented schedule — not just “we use cloud storage.”
Example artifacts
- · Backup job success log
- · Restore test date and outcome
- · Retention policy excerpt
Incident response program
SILVERGOLDWritten IRP with roles, contacts, and evidence of review or tabletop exercise — aligned with Reg S-P and carrier expectations for mature firms.
Example artifacts
- · IRP document version date
- · Tabletop exercise summary
- · Incident contact tree
Access controls & vendor oversight
SILVERGOLDLeast-privilege access, separate admin accounts, and documented vendor security expectations — especially for firms handling client financial or health data.
Example artifacts
- · Access review checklist
- · Vendor security addendum
- · Privileged account inventory
Ongoing monitoring (Gold)
GOLDContinuous visibility into systems and periodic control review — the distinguishing expectation for Gold beyond Silver implementation evidence.
Example artifacts
- · Monitoring dashboard summary
- · Quarterly control review notes
- · Alliance Partner attestation letter
Integrity rules
- Self-attestation alone is never sufficient for Silver or Gold.
- Alliance Partner attestation requires documented evidence — not a checkbox.
- Third-party verification ($299) is available when no Alliance Partner attestation exists.
- Evidence supports attestation and carrier conversations — it does not replace legal compliance obligations.
Bronze establishes baseline readiness through the 15-part readiness assessment. Silver and Gold mature that foundation with partner attestation and evidence — see Trust Badges for tier requirements.
Boundary
What a Legacy Core credential does not attest to
A Trust Badge documents demonstrated readiness against a dated Standards Release (assessment basis: NIST CSF 2.0 and CIS Controls v8). It is not a substitute for industry-specific legal or regulatory obligations.
- FTC Safeguards Rule or WISP compliance (CPAs / tax preparers)
- HIPAA compliance or OCR audit readiness (medical / dental)
- ABA or State Bar ethics sign-off (attorneys)
- SEC Regulation S-P compliance (investment advisers)
- NAIC Insurance Data Security Model Law (including in California — not adopted)
- CCPA cybersecurity audit certification (threshold-gated regulation)
- Cyber insurance approval or claim guarantee
- Penetration test, SOC 2, CMMC, or government endorsement
Legacy Core is aligned with NIST CSF 2.0 and CIS Controls v8. Legacy Core is not affiliated with, endorsed by, or accredited by NIST, CIS, or any government agency. Tracking a framework does not constitute a determination of legal or regulatory compliance.
Industry-specific obligations by vertical: Regulatory context guides
Start with documented readiness.
Earn Bronze first — then work with an Alliance Partner on the evidence Silver and Gold require.