Trust Center

Policies and Standards

Last Updated: March 22, 2025 10:18 pm MDT

The Organization’s security program ensures compliance with a multitude of industry standards, regulations, and best practices through a single framework, based upon the Unified Compliance Framework (UCF), by aggregating authoritative sources into a collective whole. This framework then aligns and harmonizes the mandates within a de-duplicated list of common controls.

Internal Policies

As part of the Security Governance Framework, the Security team has adopted common definitions for policies and associated documentation. This hierarchy guides the structure of these documents to ensure consistent application throughout the Organization.

Authoritative Sources
EXAMPLE: ISO or NIST
– Guidance, standards, requirements, and best practices to ensure confidentiality, integrity, and availability of information
– Shape and maintain effective information security practices
Citations
EXAMPLE: ISO 6.8 – Information Security Event Reporting
– Specifications defined by authoritative sources to satisfy standards/control objectives and ensure protection of information, systems, and assets
– Address potential risks and safeguard sensitive information and systems
Policies
EXAMPLE: Zayo Security Policy
– Overview of corporate security standards/control objectives intended to guide decision making and operations
– Long-term focus with routine reviews, but remain fairly static
– Shaped by leading governance practices, laws, regulations, and industry standards
Standards (Control Objectives)
EXAMPLE: Technical Security Standard
– Built from authoritative source citations to set parameters or configurations that support policy
– Updated more frequently than Policies and span multiple topic areas
– Multiple standards may be associated with a single policy
– Multiple runbooks may be associated with a single standard
Runbooks (Controls)
EXAMPLE: Secure Coding Runbook
– Procedures, plans, guidelines, or processes owned by different parts of the Organization and applied to entities/assets to satisfy standards/control objectives

Zayo does not share internal governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards. This approach underscores Zayo’s commitment to resilience and security.

External Policies

Zayo is dedicated to conducting business with the highest level of integrity and responsibility. We believe that ethical practices and compliance with all relevant laws and regulations are fundamental to building trust and ensuring the long-term success of our relationships with customers, partners, and stakeholders.

We are committed to maintaining transparency, fairness, and accountability in all our business dealings, adhering to the highest ethical standards and continuously monitoring our operations to ensure compliance with applicable laws and industry regulations. Our external policies are available to all under the Governance category of Trust Center.

FAQs


  • Security Governance

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    How is Zayo’s Security Governance Framework structured?

    Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

    Does Zayo share its governance documentation with customers?

    No. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

    Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

    Yes. Information is categorized using data classification standards and document retention policies. 

    Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have company-wide, publicly available security policies in place covering privacy?

    Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

    What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

    Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the security requirements and practices specified are propagated throughout the supply chain, and that relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services are adhering to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues.

    Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and this method of information sharing must be used by the Supplier in the case that the Supplier uses any other Suppliers for the services provided to the Organization.

    Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

    There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

    Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

    Yes. Reports include:

    • Key threats and associated cyber security activities
    • Cyber incidents and underlying causes
    • Ownership responsibilities and accountabilities
    • Roadmaps, action plans, and progress
    • Key Risk Indicators, tolerances and financial thresholds / limits
    • Cyber security performance metrics and trends
    • Information on emerging threats

    How often does the Board receive reporting on Zayo’s cyber risk profile?

    Board reporting occurs quarterly or more frequently as needed.

    Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

    Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.