The Organization’s security program ensures compliance with a multitude of industry standards, regulations, and best practices through a single framework, based upon the Unified Compliance Framework (UCF), by aggregating authoritative sources into a collective whole. This framework then aligns and harmonizes the mandates within a de-duplicated list of common controls.
Internal Policies
As part of the Security Governance Framework, the Security team has adopted common definitions for policies and associated documentation. This hierarchy guides the structure of these documents to ensure consistent application throughout the Organization.

| Authoritative Sources EXAMPLE: ISO or NIST | – Guidance, standards, requirements, and best practices to ensure confidentiality, integrity, and availability of information – Shape and maintain effective information security practices |
| Control Objectives EXAMPLE: Ensure confidentiality, integrity, and availability of personal data | – Specifications defined by authoritative sources to satisfy control objectives and ensure protection of information, systems, and assets – Address potential risks and safeguard sensitive information and systems |
| Policy EXAMPLE: Zayo Security Policy | What and why must this be done? – Defines the rules, intent, and expectations of the Organization to guide decision making and operations – Long-term focus with routine reviews, but remain fairly static – Shaped by leading governance practices, laws, regulations, and industry standards |
| Standard EXAMPLE: Technical Security Standard | What does “good” look like? – Defines specific, measurable requirements – Updated more frequently than policy and span multiple topic areas – Testable criteria – Removes ambiguity and supports policy |
| Process EXAMPLE: System Backup Process | How does work flow across roles? – Describes workflows and responsibilities – Includes inputs and outputs – Cross-functional |
| Procedure EXAMPLE: Submitting an Exception Request | How exactly is this task performed? – Step-by-step execution instructions – System / tool-specific – Repeatable |
| Runbook EXAMPLE: Restarting a Server | How do we handle known operational events? – Handles routine operational tasks – Action-based, predictable scenarios – Often repeatable |
| Playbook EXAMPLE: Malware Detection Response | How do we respond when something goes wrong? – Guides response to incidents or scenarios – Decision trees, roles, communication, escalation paths |
Zayo does not share internal governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.
Security Governance Framework
TOC – Security Governance Framework
Zayo’s Security Governance Framework establishes the structure used to manage security policies, standards, procedures, controls, and supporting governance records across the organization. The framework is designed to align security governance with business objectives, legal and regulatory obligations, contractual commitments, risk management expectations, and Zayo’s Common Controls Framework.
The framework defines how security requirements are organized, owned, reviewed, approved, monitored, and maintained. It establishes a governance hierarchy that distinguishes enterprise-level policies and standards from operational processes, procedures, runbooks, and playbooks. This approach helps ensure that security expectations are clear, consistent, auditable, and appropriately tailored to their intended audience.
The framework also emphasizes accountability, traceability, risk-based prioritization, document lifecycle management, exception handling, and continuous improvement. It supports audit readiness by maintaining linkages between authoritative sources, control objectives, internal requirements, evidence expectations, and responsible stakeholders. Overall, the framework provides the foundation for a consistent, risk-informed, and compliance-aligned security governance program.
Zayo Security Policy
Zayo’s Security Policy establishes the organization’s enterprise-level security expectations for protecting information, systems, facilities, services, and operations. The policy supports Zayo’s Information Security Management System and Common Control Framework by aligning security requirements with business objectives, legal and regulatory obligations, contractual commitments, customer expectations, and industry practices.
The policy defines broad requirements for acceptable use, protection of information, identity and access management, devices and assets, collaboration and information sharing, artificial intelligence tools, physical security, monitoring, incident reporting, business continuity, secure operations, supplier security, privacy, and security awareness. It requires users and suppliers to use approved resources responsibly, protect sensitive information, report suspected incidents, and comply with applicable security requirements.
The policy also establishes governance responsibilities across leadership, security, management, control owners, data owners, system owners, users, and suppliers. Overall, it provides the top-level security foundation for Zayo’s supporting standards and helps ensure confidentiality, integrity, availability, resilience, compliance, and continual improvement across the security program.
Acquisition or Sale of Facilities, Technology, and Services Standard
TOC – Acquisition or Sale of Facilities, Technology, and Services Standard
Zayo’s Acquisition or Sale of Facilities, Technology, and Services Standard defines security, privacy, compliance, operational, and risk management expectations for acquiring, upgrading, selling, transferring, retiring, or disposing of facilities, technology, systems, products, and services. The standard is intended to ensure that such activities are planned, assessed, approved, documented, and monitored in alignment with business needs and applicable obligations.
The standard requires acquisition and disposition activities to consider business justification, due diligence, supplier and third-party risk, legal and contractual requirements, data protection, privacy, access control, incident response, system documentation, testing, acceptance, production authorization, configuration management, and ongoing monitoring. It also addresses controls for approved technologies and suppliers, anti-counterfeit protections, product and service upgrades, secure data handling during sale or disposal, and customer-facing processes such as payment handling, error correction, and complaint management.
This standard helps ensure that Zayo introduces, changes, or disposes of technology, services, and facilities in a controlled manner that protects customers, information, operations, compliance obligations, and business continuity.
Audits and Risk Management Standard
TOC – Audits and Risk Management Standard
Zayo’s Audits and Risk Management Standard defines the organization’s approach to assessing risk, conducting audits, monitoring controls, and tracking corrective actions. The standard supports effective governance by requiring structured audit and risk management practices that align with business needs, regulatory obligations, contractual commitments, and the Common Controls Framework.
The standard establishes expectations for audit planning, independent review, technical compliance assessments, audit logging, management reporting, anomaly detection, and evidence retention. It also defines a risk management approach that includes risk identification, assessment, rating, ownership, treatment, monitoring, escalation, and reporting.
A key objective of this standard is to ensure that significant risks, control gaps, audit findings, and corrective actions are documented, prioritized, assigned, and tracked through resolution. The standard also addresses role-based training, risk disclosure where required, and periodic review of risk information. Overall, it provides a consistent basis for evaluating control effectiveness, strengthening accountability, and supporting informed management oversight.
Harmonization Methods and Manual of Style Standard
TOC – Harmonization Methods and Manual of Style Standard
Zayo’s Harmonization Methods and Manual of Style Standard establishes requirements for consistent security and compliance documentation, control harmonization, and traceability. The standard supports the organization’s use of a Common Controls Framework by consolidating overlapping requirements from laws, regulations, contracts, industry standards, internal policies, and other authoritative sources into a more efficient and manageable control structure.
The standard promotes a “single source of truth” approach by requiring control mappings, authoritative source references, document structure, terminology, formatting, version control, and cross-references to be maintained in a consistent and auditable manner. This reduces duplication, improves clarity, and helps stakeholders understand how external requirements connect to internal policies, standards, procedures, controls, and evidence.
This standard also establishes expectations for plain-language documentation, clear mandatory requirements, controlled use of terminology, and periodic review of harmonized controls and external requirement mappings. Overall, it improves the maintainability, usability, and auditability of Zayo’s security governance documentation.
Human Resources Management Standard
TOC – Human Resources Management Standard
Zayo’s Human Resources Management Standard establishes personnel-related security requirements throughout the employment and engagement lifecycle. The standard is designed to ensure that users are suitable for their roles, understand their responsibilities, complete required training and acknowledgements, and continue to protect organizational information and assets during onboarding, employment, role changes, and offboarding.
The standard addresses workforce roles and responsibilities, segregation of duties, workforce competence, personnel screening, employment terms, confidentiality obligations, health and safety, conduct and ethics, conflicts of interest, whistleblower reporting, sanctions, security awareness, insider threat training, workforce changes, termination, and information security event reporting. It also requires records sufficient to demonstrate that HR-related security controls are implemented, reviewed, and maintained.
This standard supports a secure and accountable workforce by integrating security expectations into HR processes, training programs, access-related personnel changes, confidentiality obligations, and incident or weakness reporting.
Leadership and High Level Objectives Standard
TOC – Leadership and High Level Objectives Standard
Zayo’s Leadership and High Level Objectives Standard establishes leadership expectations and governance requirements for the organization’s security, compliance, risk, and information assurance activities. The standard supports alignment between business strategy, risk tolerance, legal and regulatory obligations, the Common Control Framework, and the supporting policies and standards that define detailed security requirements.
The standard requires leadership to demonstrate commitment to the Information Security Management System by setting security objectives, allocating resources, assigning accountability, supporting risk management, promoting security awareness, and monitoring program effectiveness. It also addresses governance documentation, stakeholder communication, contact with authorities, industry information sharing, business context, decision management, monitoring, quality management, corrective action, and continual improvement.
This standard provides the leadership and governance foundation for Zayo’s security program. It helps ensure that security and compliance expectations are communicated, monitored, integrated into business decisions, and continuously improved through management oversight, risk-based planning, reporting, and corrective action.
Monitoring and Measurement Standard
TOC – Monitoring and Measurement Standard
Zayo’s Monitoring and Measurement Standard establishes requirements for monitoring, logging, measurement, reporting, and corrective action across security, risk, compliance, operational, service, and control activities. The standard supports effective governance and continuous improvement by requiring the organization to monitor critical assets, services, controls, risks, compliance obligations, and security events.
The standard addresses event logging, audit trails, clock synchronization, capacity and usage monitoring, security monitoring, threat detection, control monitoring, risk monitoring, compliance monitoring, and organizational change monitoring. It also defines expectations for corrective action, management reporting, metric governance, data quality, and the use of key performance and risk indicators to evaluate program effectiveness.
This standard helps ensure that Zayo can identify issues, detect threats, assess performance, track remediation, report meaningful results, and improve security and compliance outcomes over time.
Operational and Systems Continuity Standard
TOC – Operational and Systems Continuity Standard
Zayo’s Operational and Systems Continuity Standard defines requirements for maintaining business and technology resilience during disruptive events. The standard addresses business continuity, disaster recovery, incident coordination, backup and restoration, alternate facilities, workforce continuity, telecommunications resilience, and recovery planning.
The standard requires Zayo to identify and prioritize critical business functions, systems, services, dependencies, personnel, suppliers, and recovery requirements through business impact analysis, risk assessment, dependency mapping, and criticality tiering. It also establishes expectations for continuity and recovery plans, backup and restoration practices, power and telecommunications resilience, alternate work arrangements, and supplier continuity considerations.
To validate readiness, the standard requires periodic testing, exercises, training, lessons learned, remediation tracking, plan maintenance, and management reporting. It also requires incidents that may affect continuity, availability, confidentiality, integrity, or service obligations to be reported, escalated, assessed, and communicated through appropriate governance and incident management processes. Overall, the standard supports organizational resilience by helping ensure that critical services can continue or recover in alignment with business, customer, regulatory, and contractual expectations.
Operational Management Standard
TOC – Operational Management Standard
Zayo’s Operational Management Standard defines operational requirements for protecting the confidentiality, integrity, availability, resilience, compliance, and effective operation of systems, services, information, assets, and supporting processes. It establishes expectations for operating procedures, production operations, asset and software management, maintenance, change management, capacity management, cloud services, service management, network management, artificial intelligence, incident management, accessibility, and environmental management.
The standard requires operational activities to be documented, owned, controlled, reviewed, monitored, and improved in accordance with business, legal, regulatory, contractual, customer, and security requirements. It also addresses inventories, change approvals, service readiness, incident response, supplier coordination, cloud operations, performance monitoring, and operational records.
This standard supports reliable and secure service delivery by ensuring that operational processes are governed, traceable, risk-aware, and continuously improved.
Physical and Environmental Protection Standard
TOC – Physical and Environmental Protection Standard
Zayo’s Physical and Environmental Protection Standard establishes risk-based safeguards to protect facilities, secure areas, systems, equipment, media, personnel, customers, and services from unauthorized physical access, theft, tampering, damage, environmental threats, and operational disruption.
The standard addresses site security classification, physical security perimeters, entry controls, visitor access, access credentials, key control, secure areas, monitoring and logging, equipment protection, cabling security, maintenance, asset removal, removable media, clear desk and clear screen practices, and environmental and utility protections. It also requires physical and environmental incidents to be reported and escalated through approved processes.
This standard helps protect Zayo’s facilities and infrastructure by aligning physical safeguards, environmental controls, asset protection, and incident reporting with site criticality, risk, and business continuity needs.
Privacy Protection for Information and Data Standard
TOC – Privacy Protection for Information and Data Standard
Zayo’s Privacy Protection for Information and Data Standard defines privacy and data protection requirements for personal data and personally identifiable information collected, used, processed, stored, transferred, retained, disclosed, or disposed of by the organization. The standard reflects Zayo’s commitment to protecting personal information in alignment with applicable privacy laws and global privacy expectations.
The standard addresses privacy governance, privacy notices, data inventories, records of processing, privacy-by-design, data collection and use, employee and customer data, consent and preference management, payment card information, customer proprietary network information, automated decision-making, data subject rights, third-party processing, cross-border transfers, retention, de-identification, anonymization, anti-spam requirements, privacy incident response, training, monitoring, and reporting.
This standard helps ensure that personal data is handled lawfully, fairly, transparently, securely, and only for appropriate business purposes, while supporting individual privacy rights and accountable privacy governance.
Records Management Standard
TOC – Records Management Standard
Zayo’s Records Management Standard establishes requirements for managing organizational records throughout their lifecycle in support of legal, regulatory, contractual, audit, privacy, security, and business requirements. It is intended to ensure records remain confidential, accurate, complete, available, authentic, traceable, and protected from unauthorized access, alteration, loss, disclosure, or destruction.
The standard addresses records governance, data classification, labeling, handling, data protection, record integrity, information transfer, external sharing, official repositories, retention, preservation, legal hold, e-discovery, archival, retrieval, physical records, printed materials, disposition, destruction, and media sanitization. It also defines expectations for monitoring, training, auditability, and accountability over records management practices.
This standard supports responsible information management by ensuring that Zayo records are properly classified, protected, retained, retrievable, and securely disposed of when no longer required.
Systems Design, Build, and Implementation Standard
TOC – Systems Design, Build, and Implementation Standard
Zayo’s Systems Design, Build, and Implementation Standard defines requirements for securely designing, developing, acquiring, testing, implementing, maintaining, and retiring systems, applications, services, platforms, and supporting technologies. The standard integrates security, privacy, compliance, resilience, accessibility, and operational requirements throughout the system lifecycle.
The standard addresses secure system requirements, SDLC governance, phase gates, risk assessments, secure architecture, secure design principles, threat modeling, supplier solutions, technical documentation, secure coding, source control, secrets management, development and test environments, security testing, release readiness, deployment authorization, vulnerability remediation, ongoing maintenance, decommissioning, supplier development, and accessibility requirements.
This standard helps ensure that systems are built and changed in a controlled, auditable, and risk-based manner that protects organizational, customer, and regulated information from design through retirement.
Systems Hardening Through Configuration Management Standard
TOC – Systems Hardening Through Configuration Management Standard
Zayo’s Systems Hardening Through Configuration Management Standard establishes requirements for secure configuration management and system hardening across organizational systems and technology assets. The standard is designed to reduce vulnerabilities, minimize attack surface, prevent unauthorized configuration changes, and support consistent security across technology environments.
The standard addresses configuration governance, baseline configurations, configuration items, system labeling, configuration metadata, drift management, deployment validation, least functionality, logging and monitoring configuration, authentication and privileged access settings, platform-specific hardening baselines, removable media controls, server hardening, database hardening, application hardening, operating system baselines, software control, supplier components, and configuration evidence.
This standard helps ensure that Zayo systems are securely configured, monitored, validated, and maintained throughout their lifecycle using approved baselines, controlled changes, and risk-based remediation.
Technical Security Standard
TOC – Technical Security Standard
Zayo’s Technical Security Standard establishes technical control requirements to safeguard systems, applications, networks, data, and supporting technology assets. The standard supports confidentiality, integrity, availability, secure access, system integrity, network protection, vulnerability management, and incident reporting.
The standard addresses access control, account lifecycle management, identity proofing, authentication, credential management, password controls, service accounts, emergency access, multi-factor authentication, data protection, malware protection, cryptography, PKI and key management, virtual environments, remote work, backup and restore, data loss prevention, information flow control, network segmentation, boundary defense, wireless security, vulnerability scanning, penetration testing, security assessments, patch management, and technical evidence.
This standard provides a broad technical security foundation for protecting Zayo’s technology environment through secure access, strong authentication, data protection, network controls, monitoring, vulnerability management, and risk-based remediation.
Third Party and Supply Chain Oversight Standard
TOC – Third Party and Supply Chain Oversight Standard
Zayo’s Third Party and Supply Chain Oversight Standard establishes requirements for identifying, assessing, managing, monitoring, and remediating supplier and supply chain risks throughout the supplier relationship lifecycle. The standard is intended to ensure that suppliers supporting Zayo services, systems, facilities, data, or operations meet appropriate security, privacy, compliance, service delivery, continuity, and contractual expectations.
The standard addresses supplier governance, supplier inventories, criticality, dependencies, due diligence, risk assessment, contractual obligations, information flow requirements, supplier security and data handling, monitoring, audits, attestations, service delivery, supplier change management, issue remediation, incident and disruption reporting, exit planning, transition support, data return or destruction, third-party payments, financial integrity, product and ICT supply chain integrity, anti-counterfeit controls, traceability, and supplier code of conduct expectations.
This standard helps ensure that third-party relationships are governed, risk-assessed, contractually controlled, monitored, and exited in a way that protects Zayo, its customers, information assets, services, and supply chain integrity.
External Policies
Zayo is dedicated to conducting business with the highest level of integrity and responsibility. We believe that ethical practices and compliance with all relevant laws and regulations are fundamental to building trust and ensuring the long-term success of our relationships with customers, partners, and stakeholders.
We are committed to maintaining transparency, fairness, and accountability in all our business dealings, adhering to the highest ethical standards and continuously monitoring our operations to ensure compliance with applicable laws and industry regulations. Our external policies are available to all under the Governance category of Trust Center.