Incident Response

Last Updated: March 22, 2025 9:34 pm MDT

Zayo is committed to maintaining a strong and adaptive Incident Response program to safeguard our Organization, stakeholders, customers, and sensitive information. In today’s dynamic and interconnected business environment, organizations face an increasing array of cybersecurity threats and operational disruptions. This program includes:

  • Prompt detection, analysis, and response to security incidents.
  • Minimizing impact of incidents on business operations, data integrity, and customer trust.
  • Clear communication channels and coordination procedures to facilitate effective collaboration among internal and external stakeholders.
  • Documented incident details, response actions, and lessons learned to continuously improve future incident response capabilities.
  • Clearly defined roles and responsibilities for incident response team members, regular training and awareness programs that enhance Zayo’s ability to recognize and report incidents, and periodic testing and updating of incident response procedures.
  • Continuous monitoring and analysis of network activities, incident categorization based on severity and impact, and immediate identification of incidents through the use of monitoring tools and technologies.
  • Defined procedures for isolating and containing incidents, swift eradication of threats and vulnerabilities, and efficient recovery processes to restore normal operations.
  • Established communication protocols for internal and external stakeholders using a clear chain of command for incident reporting and escalation.
  • Post-incident analysis to understand the root cause, improve incident response procedures, and document lessons learned and recommendations for continuous improvement.

Zayo’s Security Operations Center

Our Security Operations Center (SOC) operates 24×7 and provides continuous security monitoring and alerting mechanisms around Zayo assets. This includes the collection and analysis of data to identify suspicious activity and improve the Organization’s security. Threat data is collected from different log sources such as firewalls, intrusion detection systems, intrusion prevention systems, Security Information and Event Management (SIEM) systems, and threat intelligence. Alerts are sent to the SOC team members as soon as discrepancies, abnormal trends, or other indicators of compromise are identified.

Our SOC operates under a set of documented processes, including:

  • Incident Detection: Defines how threats are identified, using automated alerts, correlation rules, and threat intelligence feeds.
  • Incident Response and Remediation: Procedures for investigating, containing, and mitigating identified threats.
  • Threat Hunting: Describes methods for proactively searching for undetected cyber threats within the organization’s environment.
  • Forensic Investigation: Procedures for ensuring detailed analysis occurs after an incident for evidence gathering and root cause analysis.
  • Incident Reporting: Outlines how incidents are documented, escalated, and reported.

FAQs

  • Enterprise Resilience

    Does Zayo have a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan?

    Zayo’s Incident Management Plan and Business Continuity Management Program include: identification of a cyber security incident, investigation of the situation (including triage), taking appropriate action (e.g. containing the incident and eradicating its source), reporting to relevant stakeholders, and recovering from a cyber security incident. Zayo treats all events with equal urgency and exercises the plan during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    BC/DR plans enable recovery from the following events:

    • Critical technology or software failure
    • Critical technology supplier or utility failure
    • Loss or corruption of any critical information
    • Disclosure of critically sensitive information

    Have Zayo’s Business Continuity (BCP) and Disaster Recovery (DR) plans been assessed, developed, and tested for large scale remote working?

    The Organization’s Business Impact Analysis considers resource requirements during large scale remote working arrangements. BCP and DR strategies and runbooks are developed to address large scale remote working, and tabletop exercises and simulations include large scale remote working scenarios. Zayo tests its resiliency plans on an annual basis and as real world incidents occur.

    What does the BC/DR exercise program include?

    • Exercises are conducted and updated on a regular, planned basis
    • Exercises cover all operations required to resume business
    • Each exercise has a post-exercise report with recommendations for improvement
    • All key personnel participate in BCP/DR plan exercises
    • BCP/DR plan exercises include critical systems recovery

    Does Zayo have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, etc.) and long-term climate related risks (e.g., changes in precipitation, increased average temperature, and sea level rise)?

    Zayo’s Incident Management Plan and Business Continuity Management Program treat all scenarios and events with equal urgency, and the plans are exercised during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    Does Zayo’s Disaster Recovery plan include how to manage potential increases in frequency, severity, or duration of weather events?

    Zayo’s Incident Management Plan and Business Continuity Management Program treat all scenarios and events with equal urgency, and the plans are exercised during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    Has Zayo conducted vulnerability assessments, risk assessment, or other calculations to identify what impact physical risks associated with climate related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services?

    Yes.

    Does the Organization have a Disaster Recovery plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, etc.) and long-term climate related risks (e.g., changes in precipitation, increased average temperature, and sea level rise)?

    Zayo’s Incident Management Plan and Business Continuity Management Program treat all scenarios and events with equal urgency, and the plans are exercised during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    Does the Disaster Recovery plan describe which assets, products, services would most significantly disrupt operations if they experienced short term acute damage (immediate failure, either temporary or catastrophic)?

    Yes.

    Does the disaster response plan describe which assets, products, services, would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)?

    Yes.

    What do Zayo’s backup processes cover?

    • Applications
    • Databases
    • Endpoints
    • Network Drives (including those used by individuals)
    • Collaboration tools
    • System configurations
    • OT-related systems (if applicable)

    What do Zayo’s backup processes include?

    • Backup frequency is defined by business criticality
    • Backup restores are performed at a frequency defined by business criticality
    • Backup data is periodically audited for completeness and accuracy
    • Backups are encrypted

    Which cloud provider services are utilized by Zayo as part of the backup strategy to accelerate recovery from data loss?

    Zayo utilizes cloud solutions that offer cloud-based data storage and email.

    Does Zayo have sufficient redundancies in place to ensure the availability of information processing facilities?

    Redundancy is built into Zayo systems for failover events. Backups for power, operations centers, IT systems, and data are also in place.

    What kind of backup system is used for devices that connect remotely?

    Backup of all data is enabled, performed locally and centrally at regularly scheduled intervals in alignment with data/security policies.

  • Incident Response

    Does Zayo have a cybersecurity Incident Response Plan?

    Yes. Zayo’s cybersecurity Incident Response Plan is in place and addresses the following:

    • Identification of a cyber security incident
    • Investigation of the situation (including triage)
    • Taking appropriate action (e.g. containing the incident and eradicating its source)
    • Reporting to relevant stakeholders
    • Recovering from a cyber security incident

    How often does Zayo review and update incident response plans?

    Incident response plans are reviewed and updated at least annually.

    Are tabletop exercises performed?

    Yes. Tabletop exercises are performed with the following requirements:

    • Tabletop exercises are based on emerging risks and threats
    • Tabletop exercises involve stakeholders listed in an incident response plan
    • Tabletop exercises involve senior management
    • Lessons learned/improvement actions are documented after tabletop exercises

    Has Zayo partnered with any incident response security vendors?

    Yes. Zayo has partnered with incident response security vendors for the following purposes:

    • Notification & Monitoring
    • Breach Prevention

    Do you have a documented incident response process and a dedicated incident response team?

    Yes.

    What is Zayo’s process for reviewing and exercising the resiliency plan?

    Zayo continuously tests its resiliency protocols and exercises the plans annually and during real-world events that are managed and escalated appropriately.

    What is Zayo’s process to ensure customers and external entities (such as government agencies) are notified of an incident when a product or service is impacted?

    Customers and external entities are notified by email when an impactful incident occurs. Zayo is also implementing a system of notification in the online Trust Center.

    Does Zayo have processes or procedures to recover full functionality, including integrity verification, following a major cybersecurity incident?

    Yes.

    Do you insure for financial harm from a major cybersecurity incident (e.g., self-insure, third party, parent company, etc.)?

    Yes.

    Does coverage include financial harm to Zayo customers resulting from a cybersecurity breach which has impacted your company?

    Yes, to the extent of Zayo’s liability. Zayo is not the controller of customer data.

  • Logging and Monitoring

    Zayo implements logging and monitoring controls on its internal environment. Customers must implement their own security controls to protect their own environments.

    Is security and system log data retained and monitored?

    Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the Security Operations Center (SOC).

    What does Zayo’s logging process include?

    • Logs are synchronized to multiple sources
    • Logs are fed to a central security information and event management system (SIEM)
    • Logs are reviewed regularly for abnormal events
    • SIEM captures source (firewall, IPS, VPN, etc.)
    • SIEM captures category (user activity, proxy, etc.)
    • SIEM captures information type (IP, name, etc.)
    • SIEM outputs are reviewed at least every 24 hours by a member of the IT or Security team
    • Security monitoring is conducted 24/7 by an internal or third-party SOC Service

    Which administrator activities are logged and monitored?

    • Log source (firewall, IPS, VPN, etc.)
    • Log category (User Activity, proxy, etc.)
    • Information type (IP, name, etc.)
    • Use case (authentication, suspicious inbound activity, malicious web site)
    • Administrator logging covers AD, network devices, VPN
    • Modifications to administrator groups, including adds, modifies, removes, unsuccessful logins

    How is usage and capacity of critical assets monitored?

    Effective monitoring of asset usage and capacity ensures optimal system performance, minimizes downtime, and supports proactive resource management. This involves implementing key controls to track and manage system health and efficiency:

    • Outbound Traffic Monitoring
    • Storage Capacity Alerts
    • Error and Fault Reporting
    • Performance Benchmarking

    What other types of monitoring programs does Zayo implement?

    Zayo’s monitoring programs also include:

    • Controls
    • Risk
    • Security and threat intelligence
    • Compliance
    • Threat and file integrity
    • Changes in Organizational structure

  • Risk Management

    What is the difference between a risk and an issue?

    A risk is a potential event or condition that, if it occurs, could impact Zayo’s ability to achieve its business objectives. A risk represents uncertainty about what may or may not happen in the future. A risk rarely goes away, but the level of risk may change based on mitigation strategies that lower the impact to the business and the likelihood of it occurring.

    An issue is a current problem or situation that is affecting the Organization right now. It is something that has already occurred or is currently happening and requires resolution.

    Does collaboration exist between relevant related functions including Internal Audit, Information Technology, Security, Legal / Compliance, Risk Management, and Business Continuity to measure and manage cyber risks?

    Yes, there is formal and consistent collaboration between functions. Zayo’s Risk Management program aligns with the Three Lines of Defense model, consisting of operational units (1st line), risk management and compliance functions (2nd line), and internal audit (3rd line). This multi-layered defense model enhances our ability to identify and address risks and promotes accountability, transparency, and resiliency across the Organization.

    How is the senior cyber security leader engaged during reviews of strategic decisions including significant capital investment, new market entry, new product development, or M&A activity?

    • Provides insight into risks before a decision is made
    • Provides insight into risks after a decision has been made
    • Assists in evaluating commercial impact to the business risk profile
    • Provides recommendations for risk remediation strategies and action plans once a decision is made

    How are risks identified?

    The 1st line of defense, our operational managers and staff, is responsible for identifying risks and issues within their areas and ensuring that the processes and activities are controlled.

    How are risks assessed?

    The risk assessment process is coordinated by the 2nd line of defense, our Risk Management and Compliance teams. When a risk is identified by the 1st line of defense, the 2nd line ensures the risk is added to the Risk Register. The risk is then assigned to the appropriate 1st line operational unit, who then formally assesses the risk to determine a risk rating based on impact and likelihood.

    [Image: Risk Rating table based on Impact and Likelihood]

    How are risks treated?

    Once a risk has been identified and assessed, one or more of the following risk treatment options are applied to the risk. The treatment is the response from the 1st line on how they will manage the risk:

    • Accept: Accept the risk within risk tolerance levels without the need for additional action. Where the risk acceptance relates to non-compliance with a policy or standard, a policy exception is completed to document the risk acceptance.
    • Avoid: Apply responses to ensure that the risk does not occur. Avoiding a risk may be the best option if there is not a cost-effective method for reducing the risk to an acceptable level. The cost of lost opportunity associated with such a decision is considered as well.
    • Mitigate: Apply actions (controls) that reduce the threats, vulnerabilities, and impacts of a given risk to an acceptable level. Responses may include those that help prevent a loss or limit such a loss by decreasing the amount of damage and liability.
    • Transfer: For risks that fall outside of the tolerance levels, the level of risk may be reduced to an acceptable level by sharing a portion of the consequences with another party. While some of the financial consequences may be transferable, there are often consequences that cannot be transferred.

    Does Zayo have processes relating to remediation of security risks and vulnerabilities, and how does Zayo intend to use these processes to remediate any security-related issues discovered in relation to systems holding or processing customer data?

    Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement. Zayo is not the controller of customer data. The risk assessment process is coordinated by the Security Team, identification of threats and vulnerabilities is performed by asset owners, and assessment of consequences and likelihood is performed by risk owners. Risk treatment is implemented in response to each risk and is conducted by the teams relevant to the risk.

  • Vulnerability Management

    Does Zayo have network access control policies and procedures in place for your information systems that are aligned with industry standards or control frameworks?

    Yes. Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    What are Zayo practices for items such as federation, privileged users, and role-based access control for end-user devices?

    Access controls include role-based access controls (RBAC), Single Sign On (SSO), and Identity Access Management.

    How does Zayo ensure remote access is managed for end-user devices or employees and suppliers, including deactivation of accounts? (e.g. multi-factor authentication, encryption, protection from malware, etc.)

    Remote access is managed using MFA, local disk encryption, VPN and ZIA internet protection, and malware protection.

    Is cybersecurity training required for personnel who have administrative rights to your enterprise computing resources?

    Yes.

    What is the frequency for verifying personnel training compliance?

    Training compliance takes place upon hire and on an annual basis.

    What cybersecurity training is required for your third-party stakeholders (e.g., suppliers, customers, partners, etc.) who have network access?

    Vendor workers and contractors are required to complete Organizational security training, which is administered, monitored, and tracked. Suppliers are responsible for their own security training programs.

    Does Zayo include contractual obligations to protect information and information systems handled by your suppliers?

    Yes.

    What standard cybersecurity standards or frameworks are the contractual supplier terms for information protection aligned to, if any?

    Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services. Based on the security requirements agreed upon when signing the Supplier contract, the Organization reserves the right to conduct formal and regular reviews of the adherence to the specified requirements, which can include Supplier review and product validation.

    Do you have an organizational policy on the use of encryption that conforms with industry standards or control frameworks?

    Yes.

    Are incident detection and reporting practices defined and documented which outline the actions that should be taken in the case of an information security or cybersecurity event?

    Yes. The Security Information and Event Management (SIEM) system detects anomalous and malicious activity in the Zayo environment by correlating logs and events across the Zayo network. This tool helps provide real-time analysis to the Security Operations Center (SOC) to identify patterns that indicate potential security breaches, such as unusual access patterns, failed login attempts, or data exfiltration. Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the SOC.

    What industry standards or controls frameworks are followed for encryption and key management?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Does Zayo have hardening standards in place for network devices (e.g., wireless access points, firewalls, etc.)?

    Yes.

    What protections exist to provide network segregation where appropriate (e.g., intrusion detection systems)?

    Customer and Corporate Production, Telemetry (monitoring), and Business systems are segmented and isolated from one another.

    What controls exist to continuously monitor changes to your network architecture?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    How does Zayo manage prioritization and mitigation of threats discovered on your networks?

    Security Operations is active 24/7. Multiple endpoint detection and response tools are in place providing detection, enterprise logging, and compromise indicators of vulnerability. Notifications of incidents create response tasks that are tracked and managed.

    How does Zayo track changes to software versions on your servers?

    Changes are tracked using reports from our scanning agents.

    How does Zayo convey cloud security requirements to your suppliers/sub-contractors?

    Requirements are agreed upon through contractual language and Data Processing Addendums.

    Does Zayo run automated scans to detect vulnerabilities?

    Multiple endpoint detection and response tools are in place providing detection, enterprise logging, and compromise indicators of vulnerability. Notifications of incidents create response tasks that are tracked, managed, and responded to by the Security Operations Center (SOC).

    How does Zayo obtain information about vulnerabilities?

    Threat hunting, machine learning, and threat intelligence are used.

    Does Zayo configure and refresh systems/endpoints using a standard image build?

    A defined standard build exists and is enforced as appropriate.

    How does Zayo manage critical patches?

    Per policy, based on severity ratings, the patch policy priority schedule is as follows:

    • Critical: Review within seven (7) business days with deployment based on review
    • High: Review within 30 days with deployment based on review
    • Medium: Review within 90 days with deployment based on review
    • Low: 180 days

    Are there policies and procedures in place to ensure that the environment providing service to customers is not capable of being accessed from or reliant upon equipment present within a Restricted Country?

    Zayo allows access from those locations/countries where our employees, contractors, and vendors are located. Zayo’s Threat Intelligence infrastructure will always block specific sources of high risk or active threats, regardless of location. Zayo determines high risk countries based on the following criteria:

    The following high risk countries are not permitted for inbound traffic:

    • China
    • Cuba
    • Iran
    • Iraq
    • North Korea
    • Russia/Ukraine

    Does Zayo engage a third party for external penetration testing on your physical properties?

    No external penetration testing is conducted on physical properties.

    Does Zayo perform inspections for physical tampering or alteration of hardware components within the system?

    Yes, inspections are performed for physical tampering on some systems.

    Does Zayo have protective monitoring (e.g. SOC services) enabled for all remote assets?

    Proactive monitoring is in place for all endpoints using advanced tooling, and protective monitoring and response are enabled to manage incidents through controls such as network access control (NAC), privileged access management (PAM), managed detection and response (MDR), and data loss prevention (DLP).

    Does Zayo engage a third party for external penetration testing on your network?

    Yes, although much of our penetration testing is done internally. The following tests are performed internally on a regular cadence to identify potential vulnerabilities and assess the Organization’s security posture:

    • Network penetration testing
    • Web application penetration testing
    • Mobile application penetration testing

    A third party is engaged for external penetration testing on our network on an ad hoc basis.

    Does Zayo have documented policies or procedures for identification and detection of cyber threats?

    Yes.

    What processes does Zayo have in place to promptly detect cyber threats?

    Multiple endpoint detection and response tools are in place providing detection, enterprise logging, and compromise indicators of vulnerability.

    Does Zayo have defined and documented incident detection practices that outline which actions should be taken in the case of an information security or cybersecurity event?

    Yes.

    Are cybersecurity events centrally logged, tracked, and continuously monitored?

    Yes. The Security Information and Event Management (SIEM) system detects anomalous and malicious activity in the Zayo environment by correlating logs and events across the Zayo network. This tool helps provide real-time analysis to the Security Operations Center (SOC) to identify patterns that indicate potential security breaches, such as unusual access patterns, failed login attempts, or data exfiltration. Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the SOC.

    Are incident detection practices continuously improved?

    Yes.

    Does Zayo require vulnerability scanning of software running within the enterprise prior to acceptance?

    Yes.

    What procedures or policies exist, if any, for detecting vulnerabilities in externally obtained software (such as penetration testing of enterprise and non-enterprise software)?

    Architecture reviews/acceptance criteria, vulnerability scans, and penetration testing.

    Does Zayo manage updates, version tracking of new releases, and patches (including patching history) for your software and software services offerings?

    Yes.

    Does Zayo deploy anti-malware software?

    Yes.

    How does Zayo manage the identification of threats within your supply chain, including suppliers and sub-contractors?

    Suppliers must immediately report any security or other event that creates reasonable suspicion that there may be a violation of the above requirements and take appropriate steps to immediately address any security incident and cooperate with the Organization in respect to the investigation of such incident.

    What processes are in place to act upon external credible cyber security threat information received?

    Security Operations is active 24/7. Multiple endpoint detection and response tools are in place providing detection, enterprise logging and compromise indicators of vulnerability. Notifications of incidents automatically create response tasks that are tracked and managed.

    Does Zayo address the interaction of cybersecurity operational elements (e.g., SOC, CSIRT, etc.) with the physical security operational elements protecting the organization’s physical assets?

    Yes.

    How does Zayo ensure that physical security incidents and suspicious events are escalated to cybersecurity operations staff?

    Incident response for both physical security and cyber security are managed by Security Operations.

    Are cybersecurity vulnerabilities for industrial control systems, including physical access controls and video monitoring systems, tracked?

    Yes.

    What standards or frameworks are followed for management of IT and OT system interactions?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Does Zayo have a policy or procedure for the handling of information that is consistent with its classification?

    Yes.

    What is Zayo’s process to verify that information is classified according to legal, regulatory, or internal sensitivity requirements?

    We have adopted zero-trust controls and the principle of least privilege.

    How does Zayo convey requirements for data retention, destruction, and encryption to your suppliers?

    Through contractual language and Data Processing Addendums.

    Does Zayo have documented policies or procedures for internal identification and management of vulnerabilities within your networks and enterprise systems?

    Yes.

    What industry standards or frameworks are followed for vulnerability management?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    How does Zayo identify vulnerabilities in your supply chain (suppliers/subcontractors) before they pose a risk to your organization?

    The Supplier must immediately report any security or other event that creates reasonable suspicion that there may be a violation of the above requirements and take appropriate steps to immediately address any security incident and cooperate with the Organization in respect to the investigation of such incident.

    How does Zayo assess and prioritize the mitigation of vulnerabilities discovered on your internal networks and systems?

    Upon discovery, Security Operations creates an incident ticket for remediation.