Trust Center

Policies and Standards

Last Updated: April 9, 2026 9:25 am MDT

The Organization’s security program ensures compliance with a multitude of industry standards, regulations, and best practices through a single framework, based upon the Unified Compliance Framework (UCF), by aggregating authoritative sources into a collective whole. This framework then aligns and harmonizes the mandates within a de-duplicated list of common controls.

Internal Policies

As part of the Security Governance Framework, the Security team has adopted common definitions for policies and associated documentation. This hierarchy guides the structure of these documents to ensure consistent application throughout the Organization.

Authoritative Sources
EXAMPLE: ISO or NIST

– Guidance, standards, requirements, and best practices to ensure confidentiality, integrity, and availability of information
– Shape and maintain effective information security practices

Control Objectives
EXAMPLE: Ensure confidentiality, integrity, and availability of personal data

– Specifications defined by authoritative sources to satisfy control objectives and ensure protection of information, systems, and assets
– Address potential risks and safeguard sensitive information and systems

Policy
EXAMPLE: Zayo Security Policy
What and why must this be done?

– Defines the rules, intent, and expectations of the Organization to guide decision making and operations
– Long-term focus with routine reviews, but remains fairly static
– Shaped by leading governance practices, laws, regulations, and industry standards

Standard
EXAMPLE: Technical Security Standard
What does “good” look like?

– Defines specific, measurable requirements
– Updated more frequently than policy; spans multiple topic areas
– Testable criteria
– Removes ambiguity and supports policy

Process
EXAMPLE: System Backup Process
How does work flow across roles?

– Describes workflows and responsibilities
– Includes inputs and outputs
– Cross-functional

Procedure
EXAMPLE: Submitting an Exception Request
How exactly is this task performed?

– Step-by-step execution instructions
– System / tool-specific
– Repeatable

Runbook
EXAMPLE: Restarting a Server
How do we handle known operational events?

– Handles routine operational tasks
– Action-based, predictable scenarios
– Often repeatable

Playbook
EXAMPLE: Malware Detection Response
How do we respond when something goes wrong?

– Guides response to incidents or scenarios
– Decision trees, roles, communication, escalation paths

Zayo does not share internal governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards. This approach underscores Zayo’s commitment to resilience and security. Tables of contents are available for download:

Security Governance Framework
Zayo Security Policy
Acquisition or Sale of Facilities, Technology, and Services Standard
Audits and Risk Management Standard
Harmonization Methods and Manual of Style Standard
Human Resources Management Standard
Leadership and High Level Objectives Standard
Monitoring and Measurement Standard
Operational and Systems Continuity Standard
Operational Management Standard
Physical and Environmental Protection Standard
Privacy Protection for Information and Data Standard
Records Management Standard
Systems Design, Build and Implementation Standard
Systems Hardening Through Configuration Management Standard
Technical Security Standard
Third Party and Supply Chain Oversight Standard

External Policies

Zayo is dedicated to conducting business with the highest level of integrity and responsibility. We believe that ethical practices and compliance with all relevant laws and regulations are fundamental to building trust and ensuring the long-term success of our relationships with customers, partners, and stakeholders.

We are committed to maintaining transparency, fairness, and accountability in all our business dealings, adhering to the highest ethical standards and continuously monitoring our operations to ensure compliance with applicable laws and industry regulations. Our external policies are available to all under the Governance category of Trust Center.

FAQs

  • Security Governance

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    How is Zayo’s Security Governance Framework structured?

    Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

    Does Zayo share its governance documentation with customers?

    No. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

    Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

    Yes. Information is categorized using data classification standards and document retention policies. 

    Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have company-wide, publicly available security policies in place covering privacy?

    Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

    What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

    Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs).

    Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the security requirements and practices specified are propagated throughout the supply chain, and that relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services are adhering to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues.

    Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and this method of information sharing must be used by the Supplier in the case that the Supplier uses any other Suppliers for the services provided to the Organization.

    Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

    There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

    Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

    Yes. Reports include:

    • Key threats and associated cyber security activities
    • Cyber incidents and underlying causes
    • Ownership responsibilities and accountabilities
    • Roadmaps, action plans, and progress
    • Key Risk Indicators, tolerances and financial thresholds / limits
    • Cyber security performance metrics and trends
    • Information on emerging threats

    How often does the Board receive reporting on Zayo’s cyber risk profile?

    Board reporting occurs quarterly or more frequently as needed.

    Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

    Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.