Security Program

Zayo implements access controls on its internal environment systems and applications. Customers must implement their own access controls to protect their own environments.

Does Zayo restrict administrator access rights (i.e. separate ID for admin, internet/email, local admin)?

Administrator access rights are restricted for all systems based on the risk of the elevated privileges.

Does Zayo re-certify access rights including segregation of duties at regular intervals?

Access rights re-certification is automated and occurs for all systems at least quarterly.

Does Zayo use an automated tool to provision/de-provision identities?

An automated tool covers all systems and is updated to align with emerging risks at least annually.

Does Zayo promptly revoke access for employees to accounts, services, and systems upon termination from the organization or job/role change?

Access is revoked automatically on termination notification or job role change through automated scripts/tools within 24 hours.

Does Zayo maintain an audit log of modifications to administrator groups, including adds, modifies, removes, and unsuccessful logins?

Audit logs exist for all internal systems and are monitored based on the risk of administrator groups.

Which document locations include implemented access controls?

• File Systems
• Network Shares
• Applications
• Databases

What password configurations are standard across the technology environment including active directory, applications, servers, databases, and endpoints?

• Password configurations require an expiration interval
• Password configurations require complexity including at least 16 characters
• Password configurations require a lockout on repeat attempts
• Password configurations do not allow for re-using previous passwords
• A solution is in place to prevent users from setting common and known-breached passwords, even if they meet complexity requirements (such as “Passw0rd!”)
• A Privileged Access Management (PAM) solution is used to manage passwords and access for privileged accounts 

For which systems are default passwords changed?

• Applications
• Servers
• Databases
• Firewalls
• Wireless Access Points
• OT devices and systems (i.e. ICS and SCADA devices if applicable)
• IOT devices (if applicable)

Does Zayo implement Single Sign-On (SSO) for its system applications?

SSO is deployed, includes all critical administrative access, and is updated to align with industry emerging threats.

Where does Zayo require multi-factor authentication?

• Administrator and privileged access
• Access to critical information
• Remote access
• Personal devices
• Cloud resources

Does Zayo take steps to ensure that credentials used for accessing its systems are not common or easily guessable?

Zayo uses a password management system, SSO, and MFA within the Organization. Strict policies defined in the password management system ensure that user passwords are complex and unique. Passwords are encrypted, stored separately from application system data, cannot be reused, and require changing every 90 days.

How do remote workers authenticate to business systems/data?

Single sign-on for key system in addition to multi-factor authentication is employed.

Zayo implements application security controls on its internal environment systems and applications. Customers must implement their own security controls to protect their own environments.

Does Zayo deploy application firewalls and block unauthorized access to critical systems?

Yes.

Which controls are included in Zayo secure coding practices?

• Protect applications from insufficient anti-automation
• Protect applications from improper access control
• Protect applications from improper error handling
• Protect applications from insecure communications
• Protect applications from attacks on business logic
• Protect applications from format string attacks
  Protect applications from XML external entities
• Protect applications from insecure deserialization
• Refrain from hard-coding security parameters in source code
• Protect applications from injection flaws
• Protect applications from attacks on data and data structures
• Control user account management
• Restrict direct access of databases to the database administrator
• Protect applications from buffer overflows
• Protect applications from cross-site scripting
• Protect against coding vulnerabilities
• Protect applications from broken authentication and session management
• Protect applications from insecure cryptographic storage
• Protect applications from cross-site request forgery
• Protect databases from unauthorized database management actions
• Refrain from displaying error messages to end users

Which practices are implemented into Zayo’s software development lifecycle?

• Define and document business needs, assess security risks, and establish governance requirements
• Separate development environments from production environments
• Develop secure architecture and establish security controls before development begins
• Ensure secure coding practices and integrate security testing into development
• Implemented separation of duties between developer and production support teams
• Masking/obfuscation of data during testing and destroys data upon completion
• Validate security, compliance, and resilience through rigorous testing
• Ensure secure deployment with change management and monitoring
• Sustain security post-deployment with continuous monitoring and risk management
• Securely retire systems while mitigating risks

Which types of application penetration testing does Zayo perform?

• Web application scanning
• Mobile application penetration testing
• Dynamic code analysis (i.e. DAST, black-box, gray-box testing)
• Static code analysis (i.e. SAST, White-box testing)
• Interactive code analysis (i.e. IAST or RIA)
• Software Composition Analysis
• Application Threat Modeling
• Runtime Application Software Protection (i.e. RASP)

Is security tested as part of the development process for any system or application?

Any new and updated systems must go through testing during the development process. This testing must include the schedule of activities to complete, test inputs, as well as the expected outputs for the conditions being tested. Where applicable, according to the importance and nature of the system, independent acceptance testing must be completed to ensure that the system or code works as expected.

What is covered by application allow listing technology?

Application allow listing technology covers executables, code libraries, and scripts.

How does Zayo control execution of unauthorized software?

Application allow listing technology is deployed on all devices to control software execution and is updated at least bi-annually.

Does Zayo have a policy restricting the installation of software on company-issued devices?

Yes. Software must be approved and installed on company-issued devices by a System Administrator. Internal acceptable use of assets requirements are discussed in the Operational Management Standard. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards. This approach underscores Zayo’s commitment to resilience and security.

Does Zayo host customer data?

No. Zayo acts as a processor, not a controller of customer data. Customer personal data retained by the Organization is limited to billing information and service provisioning, and is stored separately from our solutions environment. Any processing or storage of personal data is primarily limited to customer contact information necessary for service provisions. The Organization conducts comprehensive reviews of its data processing activities, including internal data transfer assessments and resulting Data Processing Addendums (DPAs) to ensure compliance.

How does Zayo interact with customer data?

Fiber & Transport and Network Connectivity: Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through company infrastructure may include customer information, Zayo is not acting in the role of processor of customer data, and Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.

Cloud services (Object Based Storage Services): Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Zayo only permits access by a limited number of employees to customer-stored content at the request of the authorized customer party requesting Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized customer party access to customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policies governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Customers may make a request through their designated Zayo contact to initiate the process for executing a DPA.

Voice services: Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the customer dashboard, a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password and neither the customer administrator nor Zayo have access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees for the purpose of providing customer assistance and troubleshooting. Access to Zayo’s highest level master portal is limited to a select few employees.

Customer portals for programming phones may be accessed only by select Zayo employees upon request of the customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.

Zayo provides telecommunications and infrastructure offerings to customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing Customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings.

How does Zayo use customer data?

Zayo uses customer data for the following purposes:

• Contract Administration: Zayo processes personal data contact information as necessary for the performance of offerings pursuant to a contract between Zayo and its Customer. Contact information is needed for ongoing contract administration, to provide Customer notices and service announcements, to assist with service incident resolution, to install and maintain services on Customer premises and to address billing and payment inquiries.
• Physical Security Controls: Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and Customer equipment. Identity information is collected to authenticate individuals based on Customer approvals.
• Traffic Data: Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
• Website: Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web-based forms, respond to inquiries and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.

In what instances is customer personal data processed?

When personal data is processed, it is processed in the following instances:

• Contact Information: Zayo receives personal data from data subjects in their role as employees of our Customers. Information required by Zayo to enable communications with Customers, administer Customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our offerings and communications with our Customers.
• Website Application and Other Associated Service Portals: Zayo processes personal data contact information associated with the creation of application user credentials (eg. Tranzact, Workday recruitment, Zayo service portals, etc.), and collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings. Zayo collects this information directly from data subjects through the interaction and use of our websites. See the Zayo Cookie Notice for more specific details on data collection, use, and ability to block cookies.
• Marketing: Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
• Opt Out: If Zayo uses personal data for the purpose of sending Customers sales and marketing communications, Customers may manage the receipt of marketing and non-transactional communications from Zayo, click the Manage preference link located on the bottom of Zayo marketing emails.
• Submission of Personal Data by Customer: In cases where contact information is provided by the Customer in accordance with contractual requirements, the Customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, Customer has obtained any required consent from the data subject prior to providing personal data to Zayo.
• Identity Information: For Customers that require access to Zayo facilities, Zayo collects government issued identity information (e.g., drivers license, passport), palm or fingerprint biometric identifiers, and CCTV video image. Zayo collects this information directly from the data subject at each designated Zayo facility.
• Network Traffic Data: Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol (IP) addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted Customer to identify an individual.

What privacy laws and regulations does Zayo comply with?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. Authoritative privacy requirements incorporated into Zayo’s security program include, but are not limited to:

• California Consumer Protection Act (CCPA)
• Colorado Privacy Act
• General Data Protection Regulation (GDPR)
• Payment Card Information Data Security Standard (PCI-DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)

For more information about the UCF, refer to  https://www.unifiedcompliance.com/home.

Is Zayo PCI compliant?

With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

• Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
• Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting its cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

What are my Data Subject rights as a customer?

As a customer you have:

• Right to Access: Individuals may request access to their personal data
• Right to Correction: Individuals may request to rectify inaccuracy of their data
• Right to Erasure: Individuals may request deletion of their data, subject to legal and regulatory obligations
• Right to Restriction of Processing: Individuals may request their data in a structured, commonly used format
• Right to Data Portability: Individuals may object to data processing based on legitimate interests or direct marketing
• Right to Opt Out: Individuals may opt out of the sale of their personal information
• Right to Not Be Discriminated Against: Individuals may exercise their privacy rights without discrimination

Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

Customers may update, correct, or remove personal data or to object to the processing of their information related to website visit or web application support, by contacting privacy.office@zayo.com or by using the Support options on portals or applications.

Can Zayo transfer customer data across borders?

The Organization is not prohibited from transferring personal information to an organization in another jurisdiction for processing. However, the Organization is held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

The Organization is responsible for protecting personal information under its control. Personal information may be transferred to third parties for processing but contractual or other means are required to provide a comparable level of protection while the information is being processed by the third party.

Does Zayo share customer data with third parties?

Generally, Zayo may disclose customer personal data: (i) as set forth in a Data Processor Addendum (DPA) between Zayo and a customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.

Zayo endeavors to limit data transfers wherever possible, however, Zayo does provide personal data, limited to name, contact information, and title, to its sub-processors to fulfill its obligations to its customers and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable.

When Zayo transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” is interpreted to include any use of the information by a third party processor for a purpose for which the transferring organization can use it. 

Third party processors must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.

How is customer data retained and disposed of?

Zayo retains personal data contact information and website application information for as long as the customer maintains an active account and for seven (7) years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep personal data contact information for longer periods (e.g., E-Rate retention requirements). For all other cases, when personal data contact information is no longer required in support of a defined purpose, it is properly and securely deleted.

How does Zayo handle data breaches?

Events involving unauthorized access, release, theft, or use of sensitive, protected, or confidential customer data are treated as security incidents by the Organization. Upon incident identification and confirmation, Zayo:

• Takes immediate steps to secure systems and prevent further unauthorized access.
• Assesses what data was exposed, identifies the customers affected, and evaluates potential risks.
• Promptly notifies customers via email about the breach and informs them of any actions they should take, such as changing passwords or monitoring accounts.
• Notifies regulatory authorities as per applicable laws. 
• Offers support services as applicable to the incident.
• Provides updates on any investigation, steps to breach resolution, and inform customers about any necessary further actions.
• Reviews the incident, identifies root causes, and strengthens security measures to prevent future breaches.

How do I report a data breach?

If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

Zayo implements security controls on its internal environment, systems, and applications. Customers must implement their own security controls to protect their own environments.

Does Zayo protect all sensitive information at rest?

Data at rest is encrypted, including all removable media (USB sticks, CDs, etc.), and there is a tool in place to prevent and monitor data loss.

Does Zayo protect sensitive information data in transit?

Data in transit encrypted and there is a tool in place to prevent and monitor data loss.

What customer data is collected or processed by Zayo?

Please refer to the Privacy Policy.

Is customer data hosted by Zayo?

No. While Zayo has protections in place to protect all data, Zayo does not host customer data. Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement.  Zayo is not the controller of customer data. 

Will Zayo affiliates, subsidiaries, or parent companies have access to customer data?

Please refer to the Privacy Policy.  

Will data be shared with any third parties at any point?

Please refer to the Privacy Policy.

Is the organization PCI-DSS certified as its defined Merchant level?

With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

• Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
• Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting its cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

What are your employees able to access when working remotely?

Virtual applications and desktop solutions, with full access to corporate data, internal and external systems.

Does Zayo classify its data to identify additional controls to safeguard information? (e.g. personally identifiable information, intellectual property, health data)

Data is classified regularly, during significant changes, and includes all use cases.

Does Zayo have a Data Classification Policy?

To ensure appropriate protection and handling of data, the Organization uses two classification criteria: Sensitivity and Criticality. Information owners, data custodians, and the Security Manager are responsible for ensuring that relevant information and systems are classified appropriately. For information on how to label physical assets, reach out to the appropriate team manager for documentation on the procedure. The labels must be easily recognizable and the labeling must be consistent with the classifications defined herein. If an asset or a document is not labeled, it must be considered as “Internal Use”.

The following sensitivity categories shall be used:

• Restricted – This is the highest classification. It applies to information that is highly sensitive and critical to the business. Unauthorized disclosure of this information could result in the inability to conduct business, severely impact the financial stability of the company, attract significant legal liability or place the company at a serious competitive disadvantage. Sensitive personal information of Users, which includes but is not limited to Social Insurance Number (SIN), Social Security Number (SSN) or Government- issued number, date of birth (DOB) and credit card numbers, etc. is also classified as restricted.
• Confidential – Confidential information is shared on a need-to-know basis only, and it must only be shared with those on the distribution list for that information. 
• Internal Use – This classification relates to all Organization business information. Access to this information must be restricted to Users in the Organization, and is not for general distribution outside of the organization. Examples include but are not limited to: general benefits program information, employee wellness descriptions, and other employee content.
• Public – This is information that can be presented to users outside of the Organization. This is data where its disclosure would not adversely affect the company, its Users, its Suppliers, or its customers. Examples include content for public-facing web properties, job postings, and public corporate contact information (e.g., mailing address, monitored phone numbers, and customer service contact information).

Which tools are used to protect data?

• Mobile Device Management, including remote wipe capability and password management, is in place to safeguard against data leakage
• Email monitoring tools to recognize, block, and limit potentially unsafe attachments, links, executables, etc.
• Web, phishing, document isolation through cloud-based virtualization
• Heuristic-based scanning to detect and prevent file encryption

Does Zayo have a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan?

Zayo’s Incident Management Plan and Business Continuity Management Program program includes: Identification of a cyber security incident, investigation of the situation (including triage), taking appropriate action (e.g. containing the incident and eradicating its source), reporting to relevant stakeholders, and recovering from a cyber security incident. Zayo treats all events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

BC/DR plans enable recovery from the following events:

• Critical technology or software failure
• Critical technology supplier or utility failure
• Loss or corruption of any critical information
• Disclosure of critically sensitive information

Have Zayo Business Continuity (BCP) and Disaster Recovery (DR) plans been assessed, developed, and tested for large scale remote working?

The Organization’s Business Impact Analysis considers resource requirements during large scale remote working arrangements. BCP and DR strategies and runbooks are developed to address large scale remote working, and tabletop exercises and simulations include large scale remote working scenarios. Zayo tests its resiliency plans on an annual basis and as real world incidents occur.

What does the BC/DR exercise program include?

• Exercises are conducted and updated on a regular, planned basis
• Exercises cover all operations required to resume business
• Each exercise has a post-exercise report with recommendations for improvement
• All key personnel participate in BCP/DR plan exercises
• BCP/DR plan exercises include critical systems recovery

Does Zayo have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, and etc.) and long-term climate related risks impact (e.g.; changes in precipitation, increased average temperature, and sea level rise)?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Does Zayo’s Disaster Recovery plan include how to manage potential increases in frequency, severity, or duration of weather events?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Has Zayo conducted vulnerability assessments, risk assessment, or other calculations to identify what impact physical risks associated with climate related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services?

Yes.

Does the Organization have a Disaster Recovery plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, and etc.) and long-term climate related risks impact (e.g.; changes in precipitation, increased average temperature, and sea level rise)?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Does Zayo’s Disaster Recovery plan include how to manage potential increases in frequency, severity, or duration of weather events?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Does the Disaster Recovery plan describe which assets, products, services would most significantly disrupt operations if they experienced short term acute damage (immediate failure, either temporary or catastrophic)?

Yes.

Does the disaster response plan describe which assets, products, services, would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)?

Yes.

What do Zayo backup processes cover?

• Applications
• Databases
• Endpoints
• Network Drives (including those used by individuals)
• Collaboration tools
• System configurations
• OT-related systems (if applicable)

What do Zayo backup processes include?

• Backup frequency is defined by business criticality
• Backup restores are performed at a frequency defined by business criticality
• Backup data is periodically audited for completeness and accuracy
• Backups are encrypted

Which cloud provider services are utilized by Zayo as part of the backup strategy to accelerate the recovery of data loss?

Zayo utilizes cloud solutions that offer cloud-based data storage and email.

Does Zayo have sufficient redundancies in place to ensure the availability of information processing facilities?

Redundancy is built into Zayo systems for failover events. Backups for power, operations centers, IT systems, and data are also in place. 

What kind of backup system is used for devices that connect remotely?

Backup of all data is enabled, performed locally and centrally at regularly scheduled intervals in alignment with data/security policies.

Does Zayo have a cybersecurity Incident Response Plan?

Yes. Zayo’s cybersecurity Incident Response Plan is in place and addresses the following:

• Identification of a cyber security incident
• Investigation of the situation (including triage)
• Taking appropriate action (e.g. containing the incident and eradicating its source)
• Reporting to relevant stakeholders
• Recovering from a cyber security incident

How often does Zayo review and update incident response plans?

Incident response plans are reviewed and updated at least annually.

Are tabletop exercises performed?

Yes. Tabletop exercises are performed with the following requirements:

• Tabletop exercises are based on emerging risks and threats
• Tabletop exercises involve stakeholders listed in an incident response plan
• Tabletop exercises involve senior management
• Lessons learned/improvement actions are documented after tabletop exercises

Has Zayo partnered with any incident response security vendors?

Yes. Zayo has partnered with incident response security vendors for the following purposes:

• Notification & Monitoring
• Breach Prevention

Do you have a documented incident response process and a dedicated incident response team?

Yes.

What is Zayo’s process for reviewing and exercising the resiliency plan?

Zayo continuously tests its resiliency protocols and exercises the plans annually and during real-world events that are managed and escalated appropriately.

What is Zayo’s process to ensure customers and external entities (such as government agencies) are notified of an incident when a product or service is impacted?

Customers and external entities are notified by email when an impactful incident occurs. Zayo is also implementing a system of notification in the online Trust Center.

Does Zayo have processes or procedures to recover full functionality, including integrity verification, following a major cybersecurity incident?

Yes.

Do you insure for financial harm from a major cybersecurity incident (e.g., self-insure, third party, parent company, etc.)?

Yes.

Does coverage include financial harm to Zayo customers resulting from a cybersecurity breach which has impacted your company?

Yes, to the extent of Zayo’s liability. Zayo is not the controller of customer data.

Zayo implements logging and monitoring controls on its internal environment. Customers must implement their own security controls to protect their own environments.

Is security and system log data retained and monitored?

Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the Security Operations Center (SOC).

What does Zayo’s logging process include?

• Logs are synchronized to multiple sources
• Logs are fed to a central security information and event management system (SIEM)
• Logs are reviewed regularly for abnormal events
• SIEM captures source (firewall, IPS, VPN, etc.)
• SIEM captures category (user activity, proxy, etc.)
• SIEM captures information type (IP, name, etc.)
• SIEM outputs are reviewed at least every 24 hours by a member of the IT or Security team
• Security monitoring is conducted 24/7 by an internal or third-party SOC Service

Which administrator activities are logged and monitored?

• Log source (firewall, IPS, VPN, etc.)
• Log category (User Activity, proxy, etc.)
• Information type (IP, name, etc.)
• Use case (authentication, suspicious inbound activity, malicious web site)
• Administrator logging covers AD, network devices, VPN
• Modifications to administrator groups, including adds, modifies, removes, unsuccessful logins

How is usage and capacity of critical assets monitored?

Effective monitoring of asset usage and capacity ensures optimal system performance, minimizes downtime, and supports proactive resource management. This involves implementing key controls to track and manage system health and efficiency:

• Outbound Traffic Monitoring
• Storage Capacity Alerts
• Error and Fault Reporting
• Performance Benchmarking

What other types of monitoring programs does Zayo implement?

Zayo’s monitoring programs also include:

• Controls
• Risk
• Security and threat intelligence
• Compliance
• Threat and file integrity
• Changes in Organizational structure

Zayo implements network security controls on its internal environment. Customers must implement their own security controls to protect their own environments.

How are network devices configured?

• Network devices are deployed using standard approved configurations
• Changes to network devices or configurations are managed via a standard approval process with business justification
• Administrative access is limited on a need to know basis for network devices

Does Zayo have network perimeter defense tools including firewall, IPS, web filtering, malware detection?

Yes.

• Firewalls are deployed at all internet gateways and breakouts
• Intrusion detection and intrusion prevention capabilities are deployed at all internet gateways and internet breakouts
• Malware detection capabilities are deployed at all internet gateways and internet breakout
• Web filtering is deployed at all internet gateways and internet breakouts

How are network devices managed?

• Network Intrusion Prevention Systems deployed to detect and block network based attacks
• Strong egress firewall rules configured to limit everything but web traffic outside of the enterprise
• Web traffic proxied to allowed websites and unknown websites are blocked
• Communications limited to only trusted and known IP addresses
• Communication denied over unauthorized TCP/UDP ports
• System manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks

Are network environments logically separated to ensure protection and isolation of critical systems and data?

Networks are physically or logically separated to ensure protection and isolation of all critical systems and data.

Does Zayo have the capability to detect anomalous or malicious activity within its networks? 

Yes. The Security Information and Event Management (SIEM) system detects anomalous and malicious activity in the Zayo environment by correlating logs and events across the Zayo network. This tool help provide real-time analysis to the Security Operations Center (SOC) to identify patterns that indicate potential security breaches such as unusual access patterns, failed login attempts or data exfiltration. Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the SOC.

Does Zayo have the capability to supply details of normal/baseline system and traffic behaviour to enable customers to update asset management and network monitoring systems relating to services supplied?

Zayo utilizes a suite of monitoring and analytical tools to monitor and assess baseline traffic for security purposes. Network traffic monitoring tools, such as intrusion detection and prevention systems, machine learning algorithms, SIEM logs and events, audits and threat hunting, and anomaly detection tools ensure the integrity and security of systems that host and support customer equipment. 

How are wireless networks protected?

• Any unauthorized wireless network devices/access points are detected and removed
• Default passwords and SSID are changed on all wireless devices
• Access is restricted on all wireless devices
• Minimum standard of WPA encryption is utilized
• Host-based intrusion detection firewall is installed on all devices
• Wireless access is disabled on devices that do not have a business purpose for wireless access
• A separate wireless network is created for personal and untrusted devices

Does the system manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks?

It is the responsibility of all Zayo asset owners globally to ensure that resources are monitored and tuned. Projections must be made for future capacity requirements to ensure the required system performance.

Depending on the criticality of the system, capacity requirements must be identified, tuned, and monitored to ensure availability and efficiency of systems. Projections must take into account new business, system, trends, and requirements for Zayo’s information processing. Monitoring must include identifying trends and utilization to identify and avoid potential bottlenecks and dependence on specific individuals within the Organization. 

Managing capacity includes:

• Deletion of obsolete data (disk space) following proper Media Sanitation procedures outlined
• Decommissioning of applications, systems, databases or environments
• Optimizing batch processes and schedules
• Optimizing application logic or database queries
• Denying or restricting bandwidth for resource-hungry services if these are not business critical

Does Zayo utilize full disk encryption (i.e. laptop/desktop/mobile)?

Full disk encryption is deployed for all endpoints and updated to align technology with emerging risks.

Does Zayo utilize endpoint protection (EPP) which includes anti-virus?

Endpoint software is installed on all devices and is updated regularly with latest signatures. Multiple endpoint detection and response tools are in place providing detection, enterprise logging and compromise indicators of vulnerability. Notifications of incidents creates response tasks tracked and managed in ServiceNow and responded to by the Security Operations Center (SOC).

Does Zayo utilize endpoint software which detects threats or vulnerabilities for unknown files?

Endpoint software is installed on all mobile devices, configured not to auto-run content from removable media, and sends malware detection events to enterprise central team.

Can the malware protection solution provide forensics capabilities for incident response and/or remediation?

Endpoint software is configured to provide forensics capabilities on all devices and is updated regularly with latest signatures.

Does Zayo utilize an endpoint protection, detection and prevention solution (EDR, MDR, XDR, etc)?

Endpoint software is installed on all devices and is updated regularly with latest signatures.

Does Zayo employ a host-based intrusion Prevention/Detection System?

Host IDS is configured on all devices and regularly reviewed for updates.

Which security systems are in place to monitor email?

• Our email solution is cloud-based
• Our email solution stops malware in email (URL, attachments, etc.)
• Our email solution measures number of threats blocked per day
• Our email solution alerts employees when an email originates from outside the organization
• Our email solution automatically disables macros

Zayo implements physical security controls on its internal environment and physical locations. Customers must implement their own security controls to protect their own environments and locations.

Are requirements in place to ensure the use of Original Equipment Manufacturer (OEM) or Authorized Distributors for all critical ICT components?

Yes. Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products/services of which they supply, the risks and controls and assesses their strengths. Equipment is procured from OEM or authorized distributors and delivered and received at a Zayo facility. Zayo maintains control over the chain of custody from supplier to Zayo to customer.

Are counterfeit prevention requirements passed on to second and third party suppliers? 

Yes, through contractual agreements.

Do you have requirements that all items being shipped have tamper-evident packaging?

Yes.

Are Zayo facilities configured with air conditioning, water detection, humidity detection, heat/smoke detection, raised floors, and fire suppression systems to protect computer equipment?

Yes, facilities are configured with applicable environmental controls to protect computer equipment.

Do Zayo facilities have an uninterrupted power supply for at least 48 hours?

Critical key facilities have an uninterrupted power supply.

What is the duration the generators can run at the first instance of a power outage? 

Generators are sized to run at full load for 24 hours before refueling.

How often are the generators tested?

Tests are run weekly. Load tests are done annually by a third party service.

Does Zayo have fuel reserves? 

Fuel onsite depends on location, but tanks are sized for 24 hours of full load run time. During an event, onsite techs monitor fuel levels. When levels reach 50%, tanks are refilled to full capacity.

What is the length of time services can remain operational in a worst case scenario?

Services can remain operational indefinitely.

Are physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented to safeguard sensitive data and information systems?

Yes, facilities are configured with applicable systems and physical security controls to protect sensitive data and information systems.

Do you limit access to your own personnel and authorized sub-contractors, agents, or visitors?

Access is limited at all locations to authorized personnel, sub-contractors, agents, or visitors.

How is media disposed of?

Media must be disposed of securely and safely when no longer required in order to ensure that sensitive information is not leaked to persons out of the Organization, or to persons who do not have the need-to-know, through careless disposal of media.

Three techniques must be used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information. Verification of sanitization results is required, and a certificate of media disposition is obtained.

Does Zayo have a clear desk and clear screen policy?

Yes. If the authorized User is not at their workplace, all paper documents (including but not limited to notebooks), as well as storage media (laptops, cell phones, USBs, tablets) must be removed from the desk or other areas surrounding including printers, scanners, fax machines, photocopiers, etc. to prevent unauthorized access to the internal use or confidential data. All information must be removed from their screen, and access must be denied to all systems for which the person has authorization.

In the case of short absences, Organization-owned laptop and desktop screens must be locked with a strong passcode/password. For cell phones and tablets with authorized access to the Organization data, Users must ensure that these devices are set to lock after a given amount of inactivity.

Upon Users leaving their desk for extended periods of time (hours or for the day), Users must take their computer with them, or lock it to their desk, in a cabinet, or to other form of furniture that can also be locked.

What is the difference between a risk and an issue?

A risk is a potential event or condition that, if it occurs, could impact Zayo’s ability to achieve its business objectives. A risk represents uncertainty about what may or may not happen in the future. A risk rarely goes away, but the level of risk may change based mitigation strategies to lower the impact to the business and likelihood of it occurring.

An issue is is a current problem or situation that is affecting the Organization right now. It’s something that has already occurred or is currently happening and requires resolution.

Does collaboration exist between relevant related functions including Internal Audit, Information Technology, Security, Legal / Compliance, Risk Management, and Business Continuity to measure and manage cyber risks?

Yes, there is formal and consistent collaboration between functions. Zayo’s Risk Management program aligns with the Three Lines of Defense model, consisting of operational units (1st line), risk management and compliance functions (2nd line), and internal audit (3rd line). This multi-layered defense model enhances our ability to identify and address risks and promotes accountability, transparency, and resiliency across the Organization.

How is the senior cyber security leader engaged during reviews of strategic decisions including significant capital investment, new market entry, new product development, or M&A activity?

• Provides insight into risks before a decision is made
• Provides insight into risks after a decision has been made
• Assists in evaluating commercial impact to the business risk profile
• Provides recommendations for risk remediation strategies and action plans once a decision is made

How are risks identified?

The 1st line of defense, our operational managers and staff, is responsible for identifying risks and issues within their areas and ensuring that the processes and activities are controlled.

How are risks assessed?

The risk assessment process is coordinated by the 2nd line of defense, our Risk Management and Compliance teams. When a risk is identified by the 1st line of defense, the 2nd line ensures the risk is added to the Risk Register. The risk is then assigned to the appropriate 1st line operational unit, who then formally assesses the risk to determine a risk rating based on impact and likelihood.

How are risks treated?

Once a risk has been identified and assessed, one or more risk treatment options is then applied to the risk:

Does Zayo have processes relating to remediation of security risks and vulnerabilities, and how does Zayo intend to use these processes to remediate any security-related issues discovered in relation to systems holding or processing customer data? 

Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement.  Zayo is not the controller of customer data. The risk assessment process is coordinated by the Security Team, identification of threats and vulnerabilities is performed by asset owners, and assessment of consequences and likelihood is performed by risk owners. Risk treatment is implemented in response to each risk and is conducted by the teams relevant to the risk.  

What is the purpose of the Security Awareness Training Program?

Zayo’s Security Awareness Training Program ensures that employees understand cybersecurity best practices, company security policies, and compliance requirements to help protect sensitive information and mitigate security risks.

Who is required to complete security training?

All employees, including contractors with system access, must complete mandatory security training as part of their onboarding and annual refresher courses.

How often do users need to complete security training?

Security training is required annually, with additional sessions or refreshers assigned based on role, compliance needs, or emerging security threats.

How is the training delivered?

Training is provided through Zayo’s internal learning platform and may include interactive modules, video-based learning, quizzes, and live training sessions.

What happens if users don’t complete their required training on time?

Failure to complete training within the designated timeframe may result in system access restrictions, compliance violations, or disciplinary action.

Are there different training requirements based on user role?

Yes, additional role-based security training may be required for employees handling sensitive data, IT personnel, and managers with access to critical systems.

Can users take additional cybersecurity training beyond what is required?

Yes! Users are encouraged to explore optional security awareness courses available in Zayo’s learning platform to enhance their knowledge.

How does Zayo track training completion?

Training completion is automatically tracked in the learning platform, and reports are reviewed by the security and compliance teams.

Is security training aligned with compliance requirements?

Yes, Zayo’s training program is designed to meet regulatory and industry-specific security compliance standards.

What is the Unified Compliance Framework (UCF)?

The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within set of de-duplicated common controls. For more information about the UCF, refer to  https://www.unifiedcompliance.com/home.

How is Zayo’s Security Governance Framework structured?

Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

Does Zayo share its governance documentation with customers?

No. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

Yes. Information is categorized using data classification standards and document retention policies. 

Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

Do you have company-wide, publicly available security policies in place covering privacy?

Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.  Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, security requirements and practices specified are propagated throughout the supply chain, and relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services are adhering to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues. Information that Users share with a Supplier must only be shared based on a need-to-know and need-to-use basis throughout the supply chain, and this method of information sharing must be used by the Supplier in the case that the Supplier uses any other Suppliers for the services provided to the Organization. 

Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

Yes. Reports include:

• Key threats and associated cyber security activities
• Cyber incidents and underlying causes
• Ownership responsibilities and accountabilities
• Roadmaps, action plans, and progress
• Key Risk Indicators, tolerances and financial thresholds / limits
• Cyber security performance metrics and trends
• Information on emerging threats

How often does the Board receive reporting on Zayo’s cyber risk profile?

Board reporting occurs quarterly or more frequently as needed.

Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.

Does Zayo have a formal process for ensuring supply chain resilience as part of its product offering TPRM practices?

Yes.

Does Zayo consider non-technical supply chain resilience threats such as weather, geo-political instability, epidemic outbreak, volcanic, earthquakes, etc.?

Yes.

Does Zayo maintain a formally trained and dedicated crisis management team, including on-call staff, assigned to address catastrophic or systemic risks to your supply chain or manufacturing processes?

Yes.

Does Zayo require and audit key suppliers for their ability to be prepared for unexpected supply chain disruptions?

Yes.

Do Zayo service deliverables outline which services can be done remotely and which cannot?

Yes, and these are documented in Service Level Agreements (SLAs) or Terms and Conditions.

Does Zayo consider supplier diversity to avoid single sources and to reduce the occurrence of suppliers being susceptible to the same threats to resilience?

Yes.

Does Zayo consider alternate offering delivery channels to mitigate extended supplier outages to include cloud, network, telecommunication, transportation, and packaging?

Yes.

Do you maintain inventory of key suppliers with access to systems or data?

A vendor list mechanism exists, covers all vendors, and is updated as the Organization changes.

Is the company ownership of suppliers of critical ICT components verified?

Yes. Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Agreements (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.  Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, security requirements and practices specified are propagated throughout the supply chain, and relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services are adhering to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. Information that Users share with a Supplier must only be shared based on a need-to-know and need-to-use basis throughout the supply chain, and this method of information sharing must be used by the Supplier in the case that the Supplier uses any other Suppliers for the services provided to the Organization.

Are suppliers of critical ICT components under U.S. ownership?

Not all. Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Agreements (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.  Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, security requirements and practices specified are propagated throughout the supply chain, and relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services are adhering to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. Information that Users share with a Supplier must only be shared based on a need-to-know and need-to-use basis throughout the supply chain, and this method of information sharing must be used by the Supplier in the case that the Supplier uses any other Suppliers for the services provided to the Organization.

If distributors will be used to provide products/services to the Government, is a threat analysis performed for each distributor?

Yes. Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products/services of which they supply, the risks and controls and assesses their strengths.

Are Basic Security Requirements (not Derived Security Requirements) implemented for the fourteen families in Chapter Three of NIST SP 800-171 R3, Protecting Controlled Unclassified Information in Nonfederal Systems?

Yes. Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. The program’s policies and standards are managed and published internally. For more information about the UCF, refer to  https://www.unifiedcompliance.com/home.

Do you perform due diligence on third parties to align with your own corporate policies and/or industry best practice?

Every Supplier that has logical access, physical access, or access to the Organization’s data must complete the Organization’s security requirements assessment, which must reference the logical, physical, and data controls that must be followed. The Supplier must fill out the Security Requirements assessment upon receipt and indicate if an inability to follow any of the Security Requirements exists. 

A review by the  Committee on Foreign Investment in the United States (CFIUS) is also required under the following circumstances, and may take up to 45 days:

• Classify suppliers into risk categories (e.g., low, medium, high) based on business impact and criticality to operations.
• Suppliers who have access to physical Corporate locations or sensitive personal data of US citizens and pose potential national security risks 
• Suppliers perform transactions that may involve the transfer of critical technologies or sensitive information to foreign persons
• Suppliers perform transactions in Corporate locations which are in close proximity to sensitive government facilities
• Those whose transactions may have direct or indirect involvement by foreign governments
• Conduct risk-based due diligence for all suppliers before engagement, considering factors such as data security, regulatory compliance, financial stability, and reputational risks.

All third parties are assessed and re-assessed as service agreements change.

Do you conduct business continuity and disaster recovery audits on your third-party providers?

All third parties are included in business continuity and disaster recovery audits including exercises after organizational changes.

Do you perform an evaluation on the commercial impact for cyber risks associated with third parties?

Evaluations are performed through formal analysis utilizing modeling of potential financial impacts.

Do you use defined threshold and escalation processes that help determine the application of appropriate cyber security strategies for identified third parties?

A formal approach, using multiple metrics, consistent management strategies, and involving senior management helps determine appropriate cyber security strategies for third parties.

Is a formal process documented for ensuring supply chain resilience as part of Zayo product offering Third Party Risk practices?

Zayo’s TPRM program includes procedures for verification meeting contractual terms and conditions.

Do you contractually require third parties to align with pre-defined services and Service Level Agreements (SLAs)?

All third parties are contractually required to align with pre-defined services and SLAs which are updated as services change.

Do you contractually require third parties to maintain insurance/other indemnification for any losses caused by the third party?

All third parties are contractually obligated to maintain insurance/other indemnification for any losses, and terms are updated as services change.

Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officers?

Yes.

Do Supply Chain Risk Management (SCRM) requirements exist in contracts with critical ICT?

Yes. Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services. Based on the security requirements agreed upon when signing the Supplier contract, the Organization reserves the right to conduct formal and regular reviews of the adherence to the specified requirements, which can include Supplier review and product validation. All third parties are assessed and re-assessed as service agreements change. If violations of contractual SCRM requirements or SCRM-related incidents occur, remediation activities are managed as issues as part of Zayo’s Risk and Issue Management program.

Is there a process to verify that suppliers are meeting SCRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers?

Yes. Zayo Group’s TPRM program includes procedures for verification meeting contractual terms and conditions.  

What provisions for auditing are included within supplier contracts?

The Organization reserves the right to audit Suppliers to validate compliance against MSAs and the Organization’s Corporate Supplier Requirements. The right to audit is a standard clause in all supplier contracts. Zayo reviews supplier contracts during onboarding and contract renewals, and security due diligence assessments are repeated annually.  

Do you revise your written TPRM requirements regularly to include needed provisions?

Yes.

Do you have policies for your suppliers to notify you when there are changes to their subcontractors or their offerings (components, products, services, or support activities)?

Yes. The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization that is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Their Supplier resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements. Appropriate action must be taken when deficiencies in the service delivery are observed.

Are hardware/software products or services integrity and End of Life requirements passed down to second and third party suppliers?

Yes, all suppliers must agree to and abide by Zayo policy and standards. 

Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officer’s Information Communications Technology (ICT) Supply Chain Management?

Yes. The Zayo representative assigned to the customer organization is notified of any changes that occur and is responsible for communicating these changes with the customer/customer management. Customers are notified within 24-48 hours or any changes that may have occurred.

Is there a documented Quality Management System (QMS) based on an industry standard or framework for the Organization’s Information and Communications Technology (ICT) supply chain operation? 

Yes. Zayo’s Quality Management System (QMS) is defined as a set of policies, processes, and procedures required for planning and execution in the core business areas of the Organization.  In the EU, the QMS is based on the ISO9001:2015 Plan, Do, Check, Act Model. In the US, the QMS is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. This framework and its supporting policies and standards are managed and published internally. For more information about the UCF, refer to  https://www.unifiedcompliance.com/home.

Do you have an organization-wide strategy for managing end-to-end supply chain risks (from development, acquisition, life cycle support, and disposal of systems, system components, and to system services)?

Yes. Our strategy is to Identify, Analyze, Evaluate, Treat, and Monitor. Actionable issues are created as necessary and assigned appropriately for risk throughout each stage of the lifecycle. Third-party intake, risk identification, measurement and assessment, mitigation, reporting and monitoring, compliance, and governance tasks also include periodic third-party risk audits and assessments.

Is there a process to verify that suppliers are meeting TPRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers? 

Yes. Zayo Group’s TPRM program includes procedures for verification meeting contractual terms and conditions.

Are hardware/software products or services integrity and End of Life requirements passed down to second and third party suppliers?

Yes, all suppliers must agree to and abide by Zayo policy and standards. 

Are processes in place for addressing reuse and/or recycle of hardware products?

Yes.

Do you have a policy or process to ensure that none of your suppliers or third-party components are on any banned list?

Yes.

For hardware components included in the product offering, do you only buy from original equipment manufacturers or licensed resellers?

Yes.

Do you control the integrity of your hardware/software (HW/SW) development practices by using Secure Development Lifecycle practices?

Yes.

How do you manage the conformance of your third parties to your procedures?

The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization that is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Their Supplier resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements. Appropriate action must be taken when deficiencies in the service delivery are observed. Open source code provided by a third party is scanned for integrity purposes prior to, during, and post deployment..

Do you monitor third-party HW/SW products or services for defects?

Yes.

What are your processes for managing third-party products and component defects throughout their lifecycle?

As part of Zayo’s Risk and Issue Management program, defects are logged as issues for remediation.

What policies and procedures are in place to protect the integrity of the data provided through cloud services?

To protect the integrity of data provided through cloud services, the Organization:

• Uses secure communication channels (https/SSL/TLS) to encrypt data between the Organization and cloud service providers
• Ensures that data stored in the cloud is encrypted to protect it from unauthorized access
• Implements strong access controls using the principle of least privilege to only provide Users and systems with the minimum level of access required to perform their tasks.
• Uses Multi-Factor Authentication as an extra layer of security
• Utilizes network security best practices, such as firewalls, intrusion detection/prevention systems, and network segmentation, to safeguard the flow of data to and from the cloud
• Sets up logging and monitoring to detect any unusual activities or potential security incidents, and regularly reviews logs and audit trails
• Conducts periodic security assessments and audits to identify and address vulnerabilities
• Understands and complies with relevant data protection laws and regulations
• Ensures cloud service providers comply with the necessary certifications and standards.
• Implements a robust data backup and recovery strategy to ensure that critical data can be restored in case of accidental deletion, data corruption, or other incident
• Develops and regularly tests an incident response plan to ensure a swift and coordinated response to security incidents
• Establishes communication channels and contacts with the Organization’s cloud service providers to report and address security incidents
• Evaluates the security practices of the Organization’s cloud service providers and understand their security measures, certifications, and compliance with industry standards
• Educates teams on security best practices regarding the use of cloud services and make them aware of potential risks and how to mitigate them
• Keeps cloud infrastructure, operating systems, and applications up to date with the latest security patches to address known vulnerabilities

How do you manage the shared responsibility for cloud service integrity requirements with your suppliers?

The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization that is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Their Supplier resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements.

What mechanisms are in place for direct employees and contracted workers to ensure applicable training has been completed?

Security awareness training is administered, monitored, and reported upon hire and on an annual basis.

Does Zayo have processes to evaluate prospective third-party suppliers’ product integrity during initial selection?

Yes.

What processes or procedures, if any, are in place to ensure that prospective suppliers have met Zayo’s product integrity requirements?

Zayo’s TPRM program identifies each of its suppliers, the products/services of which they supply, risks and controls, and assessments. Per business practice, the TPRM program provides thoroughly vetted suppliers prior to onboarding.

How do Zayo policies or procedures ensure appropriate management/leadership input on supplier selection decisions?

Zayo’s TPRM program identifies each of its suppliers, the products/services of which they supply, risks and controls, and assessments. Per business practice, the TPRM program provides thoroughly vetted suppliers prior to onboarding.

What provisions for auditing are included within supplier contracts?

Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services as follows:

• A description of the information to be provided or accessed and methods of providing or accessing the information
• The classification of information according to the Organization’s classification scheme; if necessary, also mapping between the Organization’s own classification scheme and the classification scheme of the Supplier
• Legal and regulatory requirements for the data being processed and the protection of the data as well as a description of how these requirements are met
• A list of Supplier personnel authorized to access or receive the Organization’s information and a receipt of the information given to the Supplier personnel
• Security policies relevant to the specific contract
• Incident management requirements and procedures, including the training and awareness requirements associated
• Relevant regulations for sub-contracting
• Screening requirements, if any, for the Supplier’s personnel to ensure that its staff has reasonable and necessary experience to perform the work. Background verification checks on all Supplier’s personnel must be carried out in accordance with relevant laws, regulations and ethics and must be proportional to the business
• Right to audit the Supplier processes and controls related to the agreement: The Organization reserves the right to audit
• Suppliers to validate compliance against MSA and the Organization’s Corporate Supplier Requirements
• Supplier’s obligation to periodically deliver an independent report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report
• Supplier’s obligations to comply with the Organization’s security requirements

How do you pass down HW/SW products or services integrity requirements to third party suppliers?

Requirements are outlined in contractual language and Data Processing Addendums.

Does Zayo have network access control policies and procedures in place for your information systems that are aligned with industry standards or control frameworks?

Yes. Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

What are Zayo practices for items such as federation, privileged users, and role-based access control for end-user devices?

Access controls include role-based access controls (RBAC), Single Sign On (SSO), and Identity Access Management.

How does Zayo ensure remote access is managed for end-user devices or employees and suppliers, including deactivation of accounts? (e.g. Multi-factor authorization, encryption, protection from malware, etc.)

Remote access is managed using MFA, local disk encryption, VPN and ZIA internet protection, and malware protection.

Is cybersecurity training required for personnel who have administrative rights to your enterprise computing resources?

Yes.

What is the frequency for verifying personnel training compliance?

Training compliance takes place upon hire and on an annual basis.

What cybersecurity training is required for your third-party stakeholders (e.g., suppliers, customers, partners, etc.) who have network access?

Vendor workers and contractors are required to complete Organizational security training, which is administered, monitored, and tracked. Suppliers are responsible for their own security training programs.

Does Zayo include contractual obligations to protect information and information systems handled by your suppliers?

Yes.

What standard cybersecurity standards or frameworks are the contractual supplier terms for information protection aligned to, if any?

Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services. Based on the security requirements agreed upon when signing the Supplier contract, the Organization reserves the right to conduct formal and regular reviews of the adherence to the specified requirements, which can include Supplier review and product validation.

Do you have an organizational policy on the use of encryption that conforms with industry standards or control frameworks?

Yes.

Are incident detection and reporting practices defined and documented which outline the actions that should be taken in the case of an information security or cybersecurity event?

Yes. The Security Information and Event Management (SIEM) system detects anomalous and malicious activity in the Zayo environment by correlating logs and events across the Zayo network. This tool help provide real-time analysis to the Security Operations Center (SOC) to identify patterns that indicate potential security breaches such as unusual access patterns, failed login attempts or data exfiltration. Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the SOC.

What industry standards or controls frameworks are followed for encryption and key management?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

Does Zayo have hardening standards in place for network devices (e.g., wireless access points, firewalls, etc.)?

Yes.

What protections exist to provide network segregation where appropriate (e.g., intrusion detection systems)?

Customer and Corporate Production, Telemetry (monitoring), and Business systems are segmented and isolated from one another.

What controls exist to continuously monitor changes to your network architecture?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

How does Zayo manage prioritization and mitigation of threats discovered on your networks?

Security Operations is active 24/7. Multiple endpoint detection and response tools are in place providing detection, enterprise logging and compromise indicators of vulnerability. Notifications of incidents creates response tasks that are tracked and managed.

How does Zayo track changes to software versions on your servers?

Changes are tracked using reports from our scanning agents.

How does Zayo convey cloud security requirements to your suppliers/sub-contractors?

Requirements are agreed upon through contractual language and Data Processing Addendums.

Does Zayo run automated scans to detect vulnerabilities?

Multiple endpoint detection and response tools are in place providing detection, enterprise logging and compromise indicators of vulnerability. Notifications of incidents creates response tasks tracked and managed and responded to by the Security Operations Center (SOC).

How does Zayo obtain information about vulnerabilities?

Threat hunting, machine learning, and threat intelligence is used.

Does Zayo you configure and refresh systems/endpoints using a standard image build?

A defined standard build exists and is enforced as appropriate.

How does Zayo manage critical patches?

Per policy, based on severity ratings, the patch policy priority schedule is as follows:

• Critical: Review within seven (7) business days with deployment based on review
• High: Review within 30 days with deployment based on review
• Medium: Review within 90 days with deployment based on review
• Low: 180 days

Are there policies and procedures in place to ensure that the environment providing service to customers is not capable of being accessed from or reliant upon equipment present within a Restricted Country?

Zayo allows access from those locations/countries where our employees, contractors, and vendors are located. Zayo’s Threat Intelligence infrastructure will always block specific sources of high risk or active threats, regardless of location. Zayo determines high risk countries based on the following criteria:

• https://ofac.treasury.gov/
• https://www.bis.doc.gov/index.php/policy-guidance/country-guidance/sanctioned-destinations
• https://www.eeas.europa.eu/eeas/european-union-sanctions_en#10710

The following high risk countries are not permitted for inbound traffic:

• China
• Cuba
• Iran
• Iraq
• North Korea
• Russia/Ukraine

Does Zayo engage a third party for external penetration testing on your physical properties?

No external penetration testing is conducted on physical properties.

Does Zayo perform inspections for physical tampering or alteration of hardware components within the system?

Yes, inspections are performed for physical tampering on some systems.

Does Zayo have protective monitoring (e.g. SOC services) enabled for all remote assets?

Proactive monitoring is in place for all endpoints using advanced tooling; protective monitoring and response enabled to manage incidents such as network access control (NAC), privileged access management (PAM), managed detection and response (MDR), and data loss prevention (DLP).

Does Zayo engage a third party for external penetration testing on your network?

Yes, although much of our penetration testing is done internally. The following tests are performed internally on a regular cadence to identify potential vulnerabilities and assess the Organization’s security posture:

• Network penetration testing
• Web application penetration testing
• Mobile application penetration testing

A third party is engaged for external penetration testing on our network on an ad hoc basis.

Does Zayo have documented policies or procedures for identification and detection of cyber threats?

Yes.

What processes does Zayo have in place to promptly detect cyber threats?

Multiple endpoint detection and response tools are in place providing detection, enterprise logging, and compromise indicators of vulnerability.

Does Zayo have defined and documented incident detection practices that outline which actions should be taken in the case of an information security or cybersecurity event? 

Yes.

Are cybersecurity events centrally logged, tracked, and continuously monitored?

Yes. The Security Information and Event Management (SIEM) system detects anomalous and malicious activity in the Zayo environment by correlating logs and events across the Zayo network. This tool help provide real-time analysis to the Security Operations Center (SOC) to identify patterns that indicate potential security breaches such as unusual access patterns, failed login attempts or data exfiltration. Zayo collects logs focused on security related activities and source owner audit purposes. Logs are retained for 365 days and are under continuous review. Alerts are automated as logs are tested against system rules, and actionable events are addressed by the SOC.

Are incident detection practices continuously improved?

Yes.

Does Zayo require vulnerability scanning of software running within the enterprise prior to acceptance?

Yes.

What procedures or policies exist, if any, for detecting vulnerabilities in externally obtained software (such as penetration testing of enterprise and non-enterprise software)?

Architecture reviews/acceptance criteria, vulnerability scans, and penetration testing.

Does Zayo manage updates, version tracking of new releases, and patches (including patching history) for your software and software services offerings?

Yes.

Does Zayo deploy anti-malware software?

Yes.

How does Zayo manage the identification of threats within your supply chain, including suppliers and sub-contractors?

Suppliers must immediately report any security or other event that creates reasonable suspicion that there may be a violation of the above requirements and take appropriate steps to immediately address any security incident and cooperate with the Organization in respect to the investigation of such incident.

What processes are in place to act upon external credible cyber security threat information received?

Security Operations is active 24/7. Multiple endpoint detection and response tools are in place providing detection, enterprise logging and compromise indicators of vulnerability. Notifications of incidents automatically create response tasks that are tracked and managed.

Does Zayo address the interaction of cybersecurity operational elements (e.g., SOC, CSIRT, etc.) with the physical security operational elements protecting the organization’s physical assets?

Yes.

How does Zayo ensure that physical security incidents and suspicious events are escalated to cybersecurity operations staff?

Incident response for both physical security and cyber security are managed by Security Operations.

Are cybersecurity vulnerabilities for industrial control systems, including physical access controls and video monitoring systems, tracked?

Yes.

What standards or frameworks are followed for management of IT and OT system interactions?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

Does Zayo have a policy or procedure for the handling of information that is consistent with its classification?

Yes.

What is Zayo’s process to verify that information is classified according to legal, regulatory, or internal sensitivity requirements?

We have adopted a zero-trust control and principles of least privilege.

How does Zayo convey requirements for data retention, destruction, and encryption to your suppliers?

Through contractual language and Data Processing Addendums.

Does Zayo have documented policies or procedures for internal identification and management of vulnerabilities within your networks and enterprise systems?

Yes.

What industry standards or frameworks are followed for vulnerability management?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

How does Zayo identify vulnerabilities in your supply chain (suppliers/subcontractors) before they pose a risk to your organization?

The Supplier must immediately report any security or other event that creates reasonable suspicion that there may be a violation of the above requirements and take appropriate steps to immediately address any security incident and cooperate with the Organization in respect to the investigation of such incident.

How does Zayo assess and prioritize the mitigation of vulnerabilities discovered on your internal networks and systems?

Upon discovery, Security Operations creates an incident ticket for remediation.