Zayo implements access controls on its internal environment systems and applications. Customers must implement their own access controls to protect their own environments.
Does Zayo restrict administrator access rights (i.e. separate ID for admin, internet/email, local admin)?
Administrator access rights are restricted for all systems based on the risk of the elevated privileges.
Does Zayo re-certify access rights including segregation of duties at regular intervals?
Access rights re-certification is automated and occurs for all systems at least quarterly.
Does Zayo use an automated tool to provision/de-provision identities?
An automated tool covers all systems and is updated to align with emerging risks at least annually.
Does Zayo promptly revoke access for employees to accounts, services, and systems upon termination from the organization or job/role change?
Access is revoked automatically on termination notification or job role change through automated scripts/tools within 24 hours.
Does Zayo maintain an audit log of modifications to administrator groups, including adds, modifies, removes, and unsuccessful logins?
Audit logs exist for all internal systems and are monitored based on the risk of administrator groups.
Which document locations include implemented access controls?
- File Systems
- Network Shares
- Applications
- Databases
What password configurations are standard across the technology environment, including Active Directory, applications, servers, databases, and endpoints?
- Password configurations require an expiration interval
- Password configurations require complexity including at least 16 characters
- Password configurations require a lockout on repeat attempts
- Password configurations do not allow for re-using previous passwords
- A solution is in place to prevent users from setting common and known-breached passwords, even if they meet complexity requirements (such as “Passw0rd!”)
- A Privileged Access Management (PAM) solution is used to manage passwords and access for privileged accounts
For which systems are default passwords changed?
- Applications
- Servers
- Databases
- Firewalls
- Wireless Access Points
- OT devices and systems (i.e. ICS and SCADA devices if applicable)
- IoT devices (if applicable)
Does Zayo implement Single Sign-On (SSO) for its system applications?
SSO is deployed, includes all critical administrative access, and is updated to align with industry emerging threats.
Where does Zayo require multi-factor authentication?
- Administrator and privileged access
- Access to critical information
- Remote access
- Personal devices
- Cloud resources
Does Zayo take steps to ensure that credentials used for accessing its systems are not common or easily guessable?
Zayo uses a password management system, SSO, and MFA within the Organization. Strict policies defined in the password management system ensure that user passwords are complex and unique. Passwords are encrypted, stored separately from application system data, cannot be reused, and require changing every 90 days.
How do remote workers authenticate to business systems/data?
Single sign-on for key systems, in addition to multi-factor authentication, is employed.