Trust Center

Code of Business Ethics and Conduct

Last Updated: April 14, 2025 2:42 pm MDT

Zayo’s purpose is We Connect What’s Next. We at Zayo are among the most ambitious, collaborative and innovative people in the industry, connecting with each other, our customers and our vendors while living the values of our newly defined culture. As we work toward connecting the world, we must always empower each other to do the right thing.


Employee Code of Business Ethics & Conduct

Zayo’s internal Code of Business Ethics & Conduct (“Code”) allows us to put our values into practice.

Image of Zayo Values

Key points of the employee Code of Business Ethics and Conduct include:

  • Respect
    • Harassment and Discrimination
    • Workplace Safety
  • Honesty
    • Confidential Information
    • Conflicts of Interest
  • Integrity
    • Financial Accounts, Records, and Disclosures
    • Anti-Bribery Laws
    • Antitrust Laws
    • Compliance
  • Responsibility
    • Reporting
    • Penalties for Violations
    • Whistleblower Protection Policy
    • Waivers

Contractor Code of Conduct

Zayo is committed to high standards of social responsibility and ethical conduct. Zayo requires its contractors to meet the same high standards it has set for itself, to review the clauses below (referred to herein as the Code of Conduct), and to agree to adhere to their principles as a condition of doing business and supplying goods or services to Zayo.

Compliance with Laws

Contractor shall comply with all applicable laws and regulations regarding, among other things, environmental matters, occupational health and safety, labor and employment practices, human rights, immigration, anticorruption, privacy protection, product safety, shipping and product labelling.

Labor and Human Rights

Contractor shall not use workers under the applicable legal age of employment or forced or involuntary labor, or engage any third party that uses such workers. Contractor shall have in place and enforce appropriate policies to ensure the workplace is free of harassment, abuse, and discrimination, and Contractor will not engage in any discrimination in hiring and employment practices.

Wages and Compensation

Contractor must comply with all applicable employment standards laws, including those relating to minimum wages, overtime hours and legally mandated benefits.

Health and Safety

Contractor shall have in place and enforce appropriate policies to ensure that workers will not be subjected to unsafe working conditions, including workplace harassment and violence, and shall provide its workers with a safe and healthy workplace in compliance with all applicable health and safety laws and regulations. Contractor shall inspect the working environments where its employees, agents, or subcontractors are or may be present on the right-of-way owner’s premises and shall promptly take action to correct conditions that cause or may reasonably be expected to cause these working environments to become an unsafe place of employment. Contractor shall indemnify and hold harmless Zayo and the right-of-way owner, their respective directors, officers, employees, servants, heirs, assigns, and agents from and against any and all claims, loss, or liability in any manner arising directly or indirectly out of Contractor’s failure to comply with this Code of Conduct. This indemnification specifically extends to all fines and penalties, costs and attorney’s fees incurred as the result of conduct caused by or contributed to by Contractor.

Environment

Contractor must comply with all applicable environmental laws and requirements, and is encouraged to have programs and policies in place to minimize its organization’s overall environmental impact.

Contractor Assessment and Monitoring

Zayo reserves the right to assess and monitor Contractor’s practices regarding this Code of Conduct. Contractor may be asked to provide a report outlining its compliance with this Code of Conduct. In the case of non-compliance, Contractor will take all reasonable measures to meet the standards outlined in this Code of Conduct in a diligent manner, or face the termination of its right to supply goods and services to Zayo.

Safety Requirements

When working on any railroad right-of-way, the safety and continuity of train operations are of paramount importance. Contractor shall arrange its Services so that personnel, trains, tracks and appurtenances are protected and safeguarded at all times.

  • Contractor shall utilize a suitably qualified safety inspector who will head its safety management program. This safety inspector will be responsible for developing the required safety management plan, ensuring attendance by all of Contractor’s and its subcontractors’ personnel at railroad safety training classes, and enforcing compliance with the applicable railroad safety rules, requirements, laws, regulations, codes, and the Contract Documents.
  • Accidents, injuries, and illnesses requiring medical attention other than first aid, damage to property of Zayo, right-of-way owner, and Contractor, and fires shall be orally reported to Zayo at the time of the incident. Written reports, satisfactory in form and content to Zayo and meeting applicable codes/regulations, shall be submitted, promptly after each incident, by Contractor to all involved parties as required by the applicable regulations, codes, and other requirements. Contractor shall comply with applicable legislation regarding the reporting of workplace accidents, injuries or illness to the applicable provincial and federal authorities, including the workers’ compensation board.
  • Contractor shall maintain accident, injury and illness records and statistics with respect to the Job Site and as required by all applicable laws, statutes, ordinances, regulations, and codes; and such records and statistics shall be available for inspection and copying by Zayo, and shall be submitted by Contractor to governmental agencies as required by law.
  • When the possibility of injury to persons or damage to property is anticipated, Contractor shall take immediate remedial action, including the stoppage of Services where necessary, to prevent such injury or damage. Should Contractor encounter any unexpected hazardous, toxic, or other condition in furtherance of the Services, Contractor shall immediately cease such activity and shall notify Zayo, and shall thereafter coordinate with Zayo and the pertinent right-of-way owner in efforts to remedy such condition.
  • Contractor shall take particular care to prevent the fouling of the railroad tracks, and to avoid coming into contact with, or causing damage to the railroad tracks, any water, sewer, steam, gas, fuel, or other pipe lines, mains or service pipes, electrical, communications, other energy transmission conduits, cables, wires, or service connections, other private, utility, or governmental facilities, and any hazardous, toxic, or dangerous condition or thing, whether they are located upon, below, or above the ground surface. Contractor shall be responsible for protection of the integrity of all railroad tracks. Repair of any and all damage, if sustained, will be the responsibility of and costs shall be borne solely by Contractor or its subcontractors. Contractor shall take all necessary and/or customary precautions to prevent injury to persons or property from open manholes, excavations, ditches, and from materials or equipment left on the Job Site, by placing signs and lights, erecting barricades, or doing other things as prudence may require or as mandated by law, local regulations, or the right-of-way owner.
  • If hazardous substances of a type of which an employer is required by law to notify its employees are being used on the Job Site by Contractor, a subcontractor or anyone directly or indirectly employed by them, Contractor shall, prior to any harmful exposure of employees on the Job Site to such substances, give both immediate oral notice and follow-up written notice of their chemical composition to Zayo, in sufficient detail and time to permit compliance with such laws by Zayo, other contractors and employers on the Job Site. To the extent Material Safety Data Sheets (MSDS) exist, they shall also be provided.
  • Contractor shall be responsible for, at Contractor’s expense, the provision of all necessary warning devices, barricades, flaggers, and uniformed patrolmen as are necessary to safely perform and protect the work. Contractor shall be responsible for, at Contractor’s expense, determination of necessity, and provision of, security to protect materials, work in progress, or finished work. The foregoing notwithstanding, on railroad right-of-way Zayo will arrange for and pay for railroad flaggers.
  • In the event Contractor encounters on the Job Site material reasonably believed to be asbestos, lead, polychlorinated biphenyl (PCB), or another potentially dangerous substance which has not been rendered harmless, Contractor shall immediately stop work in the affected area and report the condition to Zayo in writing. The Services in the affected area shall resume only when the substance is absent or has been rendered harmless. In case of dispute, Zayo shall have the right to determine whether work should resume and shall so state in writing.
  • Contractor shall comply with applicable legislation regarding the transportation of materials including, but not limited to, regulations which apply to securing of equipment for transport, marking and placarding of transport vehicles, and regulations governing driver qualifications. If applicable, Contractor shall comply with the requirements of the drug testing, education and training program imposed upon operators of commercial vehicles by the applicable state or provincial department of transportation.
  • Contractor agrees that if any of the work to be performed is subcontracted, the requirements of the preceding paragraphs in this section shall be incorporated into a written agreement executed between Contractor and the subcontractor.

Vendor Code of Conduct

Zayo is committed to a strong and continuously improving Environmental, Social and Governance (“ESG”) posture. One important part of that commitment is this Supplier Code of Conduct (“Code”). Suppliers and their employees, personnel, agents, subcontractors, and sub-tier suppliers (“Suppliers”) must comply with this Code and have their own policies, positions and practices that ensure compliance. Additionally, Suppliers must provide annual training to their employees and subcontractors on the subjects identified in this Code to ensure familiarity with its requirements.

If a Supplier is performing services or providing equipment for a specific Zayo customer, that Supplier must comply with any code of conduct requirements of that customer as a condition of providing services or equipment to Zayo.

If there are questions about the Code, or if there are concerns about any non-compliance by suppliers or Zayo employees, please notify us.  Zayo will, to the extent possible, maintain confidentiality as to any concerns raised and does not tolerate any retaliation against any individual for raising a good faith concern over violation of this Supplier Code of Conduct or reporting any questionable behavior.

Strong Safety Culture 

Suppliers must make a strong safety culture a priority in doing business.  Any safety program should support open and transparent communication of safety related incidents, and focus on event learning for future improvement and avoidance of incident recurrence. Suppliers must comply with all safety related laws and regulations.  Suppliers shall report to Zayo any safety related incidents or inquiries from a regulatory agency occurring in the performance of work for Zayo as soon as possible.  

  • Occupational Safety and Health: Suppliers must comply with all federal, state, and local safety and health laws and regulations (collectively “Law(s)”) and ensure worker safety by identifying, evaluating and minimizing exposures and potential exposures to hazards, including chemical, physical and biological stressors, and by implementing mitigation measures in accordance with OSHA standards. Ongoing occupational safety and health training must be conducted in accordance with Laws, at a minimum annually, and, if requested by an employee, in the employee’s native language.
  • Emergency Preparations:  Suppliers must identify and plan for potential emergencies and conduct emergency drills as well as having updated disaster response plans.
  • Pregnant and Nursing Mothers: Reasonable steps must also be taken to remove pregnant women and nursing mothers from workplace conditions with high hazards, and remove or reduce any workplace health and safety risks to pregnant women and nursing mothers, and provide reasonable accommodations for nursing mothers.
  • Housing, Food, Sanitation: If applicable, worker housing provided by Supplier must meet local housing and safety standards and provide clean and potable hot water for bathing, showering, and cooking. Ventilation, egress, heat, security, toilet facilities, and lighting must at a minimum meet local requirements.   Sanitary environments for the preparation of food must be provided with requirements on keeping such environments in a safe, sanitary condition.
  • Prohibition on Illegal Drugs:  Supplier must have a strict policy prohibiting the use, possession, sale, or on-premise storage of illegal drugs, and if permitted by law, guidelines addressing the use of legal drugs that may negatively impact workplace performance.

Supplier Diversity 

Advancing a diverse supply base is key to success for Zayo. All Suppliers must promote a culture of diversity, equity, and inclusion in hiring and retaining employees. Supplier selection processes are based on fair and competitive evaluations, and awards are made based on decisions that drive the greatest overall value for Zayo. We actively encourage and promote diversity and inclusion in our Supplier selections and require our Suppliers to do the same. Zayo recognizes diverse Suppliers in many categories, including small businesses and businesses majority-owned by minorities, women, veterans, LGBTQ persons and persons with disabilities. Certification of diverse status is validated in Zayo’s Supplier onboarding processes.

  • Non-Discrimination: Suppliers will not discriminate based on race, color, age, sex, gender, sexual orientation, marital status, pregnancy, religion, political affiliation, ethnicity, national origin, disability, genetic information, medical condition, union membership, covered veteran status, or on the basis of any other status protected by Law.
  • Employment Conditions: Suppliers will not require unlawful medical tests or exams, will prohibit bullying and inhumane treatment, and will not make inquiries about criminal histories as a condition of employment applications or prior to initial interviews, or where otherwise restricted by Law. Suppliers shall demonstrate a commitment to diversity and inclusion in the workplace.

Environmental Sustainability, Protection, and Compliance 

Suppliers must take reasonable steps to protect the environment (air, water, land, natural resources, etc.), reduce energy consumption, reduce emissions, and must comply with all laws and authorizations required in performing work for Zayo. 

  • GHG Emissions: Zayo is focused on reducing GHG emissions through actively managing energy consumption and seeking clean energy solutions in all operations. Zayo has established a target to reach net zero emissions by 2030, and our Suppliers must set similar goals. It is expected that at some point in the future Zayo will implement shared goal setting with key suppliers as part of its supplier collaboration programs and processes.   

Responsible and Ethical Sourcing 

Suppliers must protect human rights and comply with all domestic and international employment law and the principles set forth in International Labour Organization Conventions, including those associated with equal opportunity, immigration, child labor, and forced, trafficked or compulsory labor. Employees must be fairly compensated and wages must comply with local laws. Additionally, Suppliers must treat workers with dignity and respect and must not interfere with the right of employees to join trade unions or bargain collectively.

Raw Material Sourcing

Suppliers that obtain raw materials from foreign sources must maintain mechanisms to track and monitor human rights and environmental risks linked to extracting and transporting raw materials, in conformity with the Organization for Economic Co-operation and Development (“OECD”) guidelines, and must meet the conflict minerals reporting requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act and the related Securities and Exchange Commission rule.

Conflicts of Interest 

Suppliers will act in the best interest of Zayo and avoid any actual or perceived conflicts of interest. Such conflicts occur when a Supplier’s personal interests interfere with its obligations and responsibilities to Zayo. If a Supplier becomes aware of a conflict, or the appearance of one, the Supplier must immediately notify us.

Suppliers must never offer personal incentives, gifts, meals or business entertainment to Zayo employees in an effort to influence a business decision.  Nominal gifts intended to foster goodwill or strengthen business relationships in normal course are acceptable as long as the value is compliant with local and international regulations, and such gifts are not recurring or frequent.  In no event is a gift of cash or cash equivalent ever acceptable.   

Security, Safeguarding of property and Information Handling 

Suppliers are responsible for protecting Zayo’s and its customers’ assets, intellectual property and confidential information. Confidential information shared by Zayo shall not be collected or processed in any way other than as authorized in writing by Zayo to enable Supplier’s performance of its obligations to Zayo. All information shared is the property of Zayo or its customers and must not be used by the Supplier for its own benefit.

Suppliers must have an updated and comprehensive security and data protection policy governing the use, management, and protection of personal data, and any consumer information, including compliance with, as applicable, General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

Use of Subcontractors by Supplier

Suppliers must obtain Zayo’s written permission prior to engaging a subcontractor to fulfill Supplier’s obligations to Zayo.  Written permission may be obtained by contacting the Zayo Privacy Office at privacy.office@zayo.com for privacy obligations to Zayo or Supplier’s procurement contact at Zayo for other work performed by Supplier.

Follow Laws 

Suppliers shall compete fairly and adhere to all applicable laws and regulations at all times, as stated in all Zayo contracts and Purchase Order documents. Suppliers must abide by anti-bribery and anti-corruption laws, including the Foreign Corrupt Practices Act.

Suppliers must not pay or receive bribes, kickbacks or unlawful payments to or from any public official, or government or other individual, whether foreign or domestic, to secure any contract, concession or favorable treatment.  Suppliers must comply with all applicable export control and economic sanctions laws of the United States.

FAQs

Select a topic to view FAQs by category.

  • Personnel Security

    Is a personnel security program implemented at Zayo?

    Yes.

    Is employee access managed by role?

    Yes.

    Are policies documented for conducting background checks of employees and contractors as permitted by each country in which you operate?  

    Yes.

    Is access to business-critical systems, manufacturing facilities, and assets formally managed and maintained?

    Yes.

    Does Zayo have a process for onboarding personnel?

    Yes.

    Does the process include security awareness training?

    Yes.

    What is the process to determine the level of access to company identifications (IDs), tokens, documents, applications, etc.?

    Zayo implements Role Based Access Controls. Access is granted based on job titles tied to roles.

    What is the process to distribute company assets?

    Assets are issued according to the user’s role, as determined by role-based access control.

    Is the onboarding process documented?

    Yes.

    Does Zayo have policies for conducting background checks of your employees as permitted by the country in which you operate?

    Yes.

    How does Zayo conduct the background checks and document, validate, and update responses?

    This is performed by Human Resources using a third-party vendor.

    Does Zayo have policies for conducting background checks for your suppliers, as permitted by the country in which you operate?

    Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products/services they supply, the associated risks and controls, and the assessments performed. Per business practice, suppliers are thoroughly vetted under the TPRM program prior to onboarding.

    Does Zayo have policies for conducting background checks for any subcontractors, as permitted by the country in which you operate?

    Subcontractor companies are required to perform background checks on their subcontractors doing business with Zayo.

    Does Zayo have a process for offboarding personnel?

    Yes.

    Does the process include a process to transfer knowledge to other personnel?

    Yes.

    What is the process to remove access to all company documents, applications, assets, etc.?

    User accounts are terminated upon separation, which revokes access to company documents, applications and assets.

    What is the process to recover all company assets?

    Upon termination of an employment contract or a change in employment, the User must return all organizational assets to the Service Desk, or the asset owner in coordination with the manager of the relevant team. All other information related to employment must be given to the Organization in accordance with the employee’s contract. In cases where an employee or Supplier uses their own personal equipment, the User must ensure that all internal use and confidential information are securely transferred to the Organization and securely erased from their personal machine after termination.

    Are personnel security practices formally documented and accessible to all employees?

    Yes.

    Are Personnel Security practices routinely enforced, audited, and updated?

    Yes.

    Are all personnel trained in security best practices?

    Yes. Training covers, but is not limited to, insider threats, access control, and data protection.

    Is there additional security training provided to users with elevated privileges?

    Yes.

    Does Zayo have a Code of Conduct for its employees, suppliers and subcontractors?

    Yes.

    Is the Code of Conduct always available and visible to Zayo employees, suppliers, and subcontractors?

    Yes.

    How often is this Code of Conduct updated?

    Annually, or as needed.

    Does Zayo have personnel designated to address questions or violations to the Code of Conduct?

    Yes.

    Are these employees, suppliers, and subcontractors trained on the Code of Conduct, including privacy and confidentiality requirements, as required by your industry?

    Yes.

  • Third Party and Supply Chain Management

    Does Zayo have a formal process for ensuring supply chain resilience as part of its product offering TPRM practices?

    Yes.

    Does Zayo consider non-technical supply chain resilience threats such as weather, geo-political instability, epidemic outbreak, volcanic, earthquakes, etc.?

    Yes.

    Does Zayo maintain a formally trained and dedicated crisis management team, including on-call staff, assigned to address catastrophic or systemic risks to your supply chain or manufacturing processes?

    Yes.

    Does Zayo require and audit key suppliers for their ability to be prepared for unexpected supply chain disruptions?

    Yes.

    Do Zayo service deliverables outline which services can be done remotely and which cannot?

    Yes, and these are documented in Service Level Agreements (SLAs) or Terms and Conditions.

    Does Zayo consider supplier diversity to avoid single sources and to reduce the occurrence of suppliers being susceptible to the same threats to resilience?

    Yes.

    Does Zayo consider alternate offering delivery channels to mitigate extended supplier outages to include cloud, network, telecommunication, transportation, and packaging?

    Yes.

    Do you maintain inventory of key suppliers with access to systems or data?

    A vendor list mechanism exists, covers all vendors, and is updated as the Organization changes.

    Is the company ownership of suppliers of critical ICT components verified?

    Yes. Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Agreements (DPAs).

    Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the specified security requirements and practices are propagated throughout the supply chain, and that the relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place to validate that delivered information and communication technology products and services adhere to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products function as expected without any unexpected or unwanted features.

    Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and the Supplier must apply the same method of information sharing if it uses any other Suppliers for the services provided to the Organization.

    Are suppliers of critical ICT components under U.S. ownership?

    Not all. Zayo is a global corporation, and Supplier ownership and the ICT supply chain are assessed as described in the preceding answer (IRQs, OFAC and CFIUS reviews, DPAs, and contractual security requirements propagated through the supply chain) regardless of where a Supplier is based.

    If distributors will be used to provide products/services to the Government, is a threat analysis performed for each distributor?

    Yes. Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products/services of which they supply, the risks and controls and assesses their strengths.

    Are the Basic Security Requirements (not the Derived Security Requirements) implemented for the fourteen requirement families in Chapter Three of NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations?

    Yes. Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories that address controls drawn from a multitude of authoritative industry standards and requirements. The program’s policies and standards are managed and published internally. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you perform due diligence on third parties to align with your own corporate policies and/or industry best practice?

    Every Supplier that has logical access, physical access, or access to the Organization’s data must complete the Organization’s security requirements assessment, which references the logical, physical, and data controls the Supplier must follow. The Supplier must complete the Security Requirements assessment upon receipt and indicate any Security Requirement it is unable to follow.

    Due diligence is risk-based: suppliers are classified into risk categories (e.g., low, medium, high) based on business impact and criticality to operations, and due diligence is conducted for all suppliers before engagement, considering factors such as data security, regulatory compliance, financial stability, and reputational risks.

    A review by the Committee on Foreign Investment in the United States (CFIUS) is also required in the following circumstances, and may take up to 45 days:

    • Suppliers who have access to physical Corporate locations or to sensitive personal data of US citizens and pose potential national security risks
    • Suppliers whose transactions may involve the transfer of critical technologies or sensitive information to foreign persons
    • Suppliers whose transactions involve Corporate locations in close proximity to sensitive government facilities
    • Suppliers whose transactions may have direct or indirect involvement by foreign governments

    All third parties are assessed and re-assessed as service agreements change.

    Do you conduct business continuity and disaster recovery audits on your third-party providers?

    All third parties are included in business continuity and disaster recovery audits including exercises after organizational changes.

    Do you perform an evaluation on the commercial impact for cyber risks associated with third parties?

    Evaluations are performed through formal analysis utilizing modeling of potential financial impacts.

    Do you use defined threshold and escalation processes that help determine the application of appropriate cyber security strategies for identified third parties?

    A formal approach, using multiple metrics, consistent management strategies, and involving senior management helps determine appropriate cyber security strategies for third parties.

    Is a formal process documented for ensuring supply chain resilience as part of Zayo product offering Third Party Risk practices?

    Zayo’s TPRM program includes procedures for verifying that suppliers meet contractual terms and conditions.

    Do you contractually require third parties to align with pre-defined services and Service Level Agreements (SLAs)?

    All third parties are contractually required to align with pre-defined services and SLAs which are updated as services change.

    Do you contractually require third parties to maintain insurance/other indemnification for any losses caused by the third party?

    All third parties are contractually obligated to maintain insurance/other indemnification for any losses, and terms are updated as services change.

    Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and the Contracting Officer’s ICT Supply Chain Management?

    Yes.

    Do Supply Chain Risk Management (SCRM) requirements exist in contracts with critical ICT?

    Yes. Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services. Based on the security requirements agreed upon when signing the Supplier contract, the Organization reserves the right to conduct formal and regular reviews of the adherence to the specified requirements, which can include Supplier review and product validation. All third parties are assessed and re-assessed as service agreements change. If violations of contractual SCRM requirements or SCRM-related incidents occur, remediation activities are managed as issues as part of Zayo’s Risk and Issue Management program.

    Is there a process to verify that suppliers are meeting SCRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers?

    Yes. Zayo Group’s TPRM program includes procedures for verifying that suppliers, and where applicable their sub-suppliers, meet contractual terms and conditions.

    What provisions for auditing are included within supplier contracts?

    The Organization reserves the right to audit Suppliers to validate compliance against MSAs and the Organization’s Corporate Supplier Requirements. The right to audit is a standard clause in all supplier contracts. Zayo reviews supplier contracts during onboarding and contract renewals, and security due diligence assessments are repeated annually.  

    Do you revise your written TPRM requirements regularly to include needed provisions?

    Yes.

    Do you have policies for your suppliers to notify you when there are changes to their subcontractors or their offerings (components, products, services, or support activities)?

    Yes. The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization that is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Their Supplier resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements. Appropriate action must be taken when deficiencies in the service delivery are observed.

    Are hardware/software products or services integrity and End of Life requirements passed down to second and third party suppliers?

    Yes, all suppliers must agree to and abide by Zayo policy and standards. 

    Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officer’s Information Communications Technology (ICT) Supply Chain Management?

    Yes. The Zayo representative assigned to the customer organization is notified of any changes that occur and is responsible for communicating those changes to the customer and customer management. Customers are notified within 24-48 hours of any change.

    Is there a documented Quality Management System (QMS) based on an industry standard or framework for the Organization’s Information and Communications Technology (ICT) supply chain operation? 

    Yes. Zayo’s Quality Management System (QMS) is defined as the set of policies, processes, and procedures required for planning and execution in the core business areas of the Organization. In the EU, the QMS is based on the ISO 9001:2015 Plan-Do-Check-Act model. In the US, the QMS is based on the Unified Compliance Framework (UCF) and is structured around a set of control objective categories that map controls from a multitude of authoritative industry standards and requirements. This framework and its supporting policies and standards are managed and published internally. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have an organization-wide strategy for managing end-to-end supply chain risks (from development, acquisition, life cycle support, and disposal of systems, system components, and to system services)?

    Yes. Our strategy is to Identify, Analyze, Evaluate, Treat, and Monitor. Actionable issues are created as necessary and assigned appropriately for risk throughout each stage of the lifecycle. Third-party intake, risk identification, measurement and assessment, mitigation, reporting and monitoring, compliance, and governance tasks also include periodic third-party risk audits and assessments.

    Is there a process to verify that suppliers are meeting TPRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers? 

    Yes. Zayo Group’s TPRM program includes procedures for verifying that suppliers, and where applicable their sub-suppliers, meet contractual terms and conditions.

    Are processes in place for addressing reuse and/or recycle of hardware products?

    Yes.

    Do you have a policy or process to ensure that none of your suppliers or third-party components are on any banned list?

    Yes.

    For hardware components included in the product offering, do you only buy from original equipment manufacturers or licensed resellers?

    Yes.

    Do you control the integrity of your hardware/software (HW/SW) development practices by using Secure Development Lifecycle practices?

    Yes.

    How do you manage the conformance of your third parties to your procedures?

    The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization designated to work with the Supplier must ensure that the Supplier assigns responsibility for reviewing compliance with, and enforcing, the requirements of the agreement. The Supplier’s resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements. Appropriate action must be taken when deficiencies in service delivery are observed. Open source code provided by a third party is scanned for integrity purposes prior to, during, and after deployment.

    Do you monitor third-party HW/SW products or services for defects?

    Yes.

    What are your processes for managing third-party products and component defects throughout their lifecycle?

    As part of Zayo’s Risk and Issue Management program, defects are logged as issues for remediation.

    What policies and procedures are in place to protect the integrity of the data provided through cloud services?

    To protect the integrity of data provided through cloud services, the Organization:

    • Uses secure communication channels (HTTPS/TLS) to encrypt data in transit between the Organization and cloud service providers
    • Ensures that data stored in the cloud is encrypted at rest to protect it from unauthorized access
    • Implements strong access controls based on the principle of least privilege, granting Users and systems only the minimum access required to perform their tasks
    • Uses Multi-Factor Authentication as an additional layer of security
    • Applies network security best practices, such as firewalls, intrusion detection/prevention systems, and network segmentation, to safeguard the flow of data to and from the cloud
    • Maintains logging and monitoring to detect unusual activity or potential security incidents, and regularly reviews logs and audit trails
    • Conducts periodic security assessments and audits to identify and address vulnerabilities
    • Understands and complies with relevant data protection laws and regulations
    • Ensures cloud service providers hold the necessary certifications and comply with applicable standards
    • Implements a robust data backup and recovery strategy so that critical data can be restored after accidental deletion, data corruption, or other incidents
    • Develops and regularly tests an incident response plan to ensure a swift and coordinated response to security incidents
    • Establishes communication channels and contacts with the Organization’s cloud service providers for reporting and addressing security incidents
    • Evaluates the security practices of the Organization’s cloud service providers, including their security measures, certifications, and compliance with industry standards
    • Educates teams on security best practices for the use of cloud services, making them aware of potential risks and how to mitigate them
    • Keeps cloud infrastructure, operating systems, and applications up to date with the latest security patches to address known vulnerabilities

    How do you manage the shared responsibility for cloud service integrity requirements with your suppliers?

    The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization designated to work with the Supplier must ensure that the Supplier assigns responsibility for reviewing compliance with, and enforcing, the requirements of the agreement. The Supplier’s resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements.

    What mechanisms are in place for direct employees and contracted workers to ensure applicable training has been completed?

    Security awareness training is administered, monitored, and reported upon hire and on an annual basis.

    Does Zayo have processes to evaluate prospective third-party suppliers’ product integrity during initial selection?

    Yes.

    What processes or procedures, if any, are in place to ensure that prospective suppliers have met Zayo’s product integrity requirements?

    Zayo’s TPRM program identifies each supplier, the products/services it supplies, the associated risks and controls, and the assessments performed. Per business practice, the TPRM program ensures suppliers are thoroughly vetted prior to onboarding.

    How do Zayo policies or procedures ensure appropriate management/leadership input on supplier selection decisions?

    Zayo’s TPRM program identifies each supplier, the products/services it supplies, the associated risks and controls, and the assessments performed, and the resulting records are reviewed by management prior to onboarding. Per business practice, the TPRM program ensures suppliers are thoroughly vetted before a selection decision is made.

    What provisions for auditing are included within supplier contracts?

    Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services as follows:

    • A description of the information to be provided or accessed and methods of providing or accessing the information
    • The classification of information according to the Organization’s classification scheme; if necessary, also mapping between the Organization’s own classification scheme and the classification scheme of the Supplier
    • Legal and regulatory requirements for the data being processed and the protection of the data as well as a description of how these requirements are met
    • A list of Supplier personnel authorized to access or receive the Organization’s information and a receipt of the information given to the Supplier personnel
    • Security policies relevant to the specific contract
    • Incident management requirements and procedures, including the training and awareness requirements associated
    • Relevant regulations for sub-contracting
    • Screening requirements, if any, for the Supplier’s personnel to ensure that its staff has reasonable and necessary experience to perform the work. Background verification checks on all Supplier’s personnel must be carried out in accordance with relevant laws, regulations and ethics and must be proportional to the business
    • Right to audit the Supplier’s processes and controls related to the agreement: the Organization reserves the right to audit Suppliers to validate compliance against the MSA and the Organization’s Corporate Supplier Requirements
    • Supplier’s obligation to periodically deliver an independent report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report
    • Supplier’s obligations to comply with the Organization’s security requirements

    How do you pass down HW/SW products or services integrity requirements to third party suppliers?

    Requirements are outlined in contractual language and Data Processing Addendums.