Does Zayo maintain asset inventory of hardware and software?
Yes, using a Configuration Management Database (CMDB).
Does Zayo run automated discovery tools?
Discovery scanning tools are used to detect unauthorized devices on the network at least weekly.
How does Zayo ensure that systems involved in or relating to providing services to customers are not end-of-life and no longer supported, e.g. by having security updates available?
Using a system inventory and infrastructure analysis reports, Zayo ensures that physical devices are supported by the manufacturer and are not End of Life, End of Support, or End of Sale.
What is the process to recover all company assets upon employment changes?
Upon termination of an employment contract or a change in employment, the User must return all organizational assets to the Service Desk, or the asset owner in coordination with the manager of the relevant team. All other information related to employment must be given to the Organization in accordance with the employee’s contract.
Do you inventory and audit back-up and/or replacement hardware and software assets to ensure their accountability and integrity?
Yes.
What recognized standards or frameworks does Zayo follow to ensure integrity of backup assets? (e.g., NIST 800-53, NIST 800-171 DFARS, ISA/IEC 62443 or ISO 27001/2)
Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.
Does Zayo have a defined governance scope for asset management, including line of business technology, facilities, devices, and all other data-generating hardware (like Internet of Things devices)?
Yes.
Does Zayo have processes or procedures in place to ensure that devices and software installed by users external to your IT department (e.g., line of business personnel) are being discovered, properly secured, and managed?
Yes.
Does Zayo have an asset management program approved by management for your IT assets that is regularly maintained?
Yes.
What are Zayo’s methods to manage IT assets on the network?
Each asset is assigned ownership when the assets are created or when assets are transferred to the Organization. Assets are identified and an inventory of these assets is maintained in the CMDB. Assets must have information documented including the creation, processing, storage, transmission, deletion and destruction of the asset if applicable.
The asset owner is responsible for the confidentiality, integrity and availability of the information in the asset throughout the whole asset lifecycle, and must ensure that the asset is inventoried and appropriately classified.
The Security team ensures these assets are protected according to the security best practices for the device and works with the asset owner to ensure any updates are in place and vulnerabilities are remediated.
How does Zayo manage other IT hardware and software assets which are not network connected, regardless of network presence?
Assets are identified and an inventory of these assets is maintained in the CMDB. Assets must have information documented including the creation, processing, storage, transmission, deletion and destruction of the asset if applicable.
What are Zayo’s methods of verifying acceptable use of assets, including verified asset return, for your network-connected assets?
Assets are identified and an inventory of these assets is maintained in the CMDB. Assets must have information documented including the creation, processing, storage, transmission, deletion and destruction of the asset if applicable.
Does Zayo have documented policies or procedures to manage enterprise network-connectable assets throughout their lifecycle?
Yes.
What are Zayo’s processes to manage obsolescence of network-connected assets?
Assets are identified and an inventory of these assets is maintained in the CMDB. Assets must have information documented including the creation, processing, storage, transmission, deletion and destruction of the asset if applicable.
What are Zayo’s policies or procedures to ensure appropriate controls are in place for internal or third-party cloud services?
To protect sensitive data and ensure the privacy and integrity of Organizational information using cloud services, the Organization:
- Uses secure communication channels (HTTPS/SSL/TLS) to encrypt data between the Organization and cloud service providers
- Ensures that data stored in the cloud is encrypted to protect it from unauthorized access
- Implements strong access controls using the principle of least privilege to only provide Users and systems with the minimum level of access required to perform their tasks
- Uses Multi-Factor Authentication as an extra layer of security
- Utilizes network security best practices, such as firewalls, intrusion detection/prevention systems, and network segmentation, to safeguard the flow of data to and from the cloud
- Sets up logging and monitoring to detect any unusual activities or potential security incidents, and regularly reviews logs and audit trails
- Conducts periodic security assessments and audits to identify and address vulnerabilities
- Understands and complies with relevant data protection laws and regulations
- Ensures cloud service providers comply with the necessary certifications and standards
- Implements a strong data backup and recovery strategy to ensure that critical data can be restored in case of accidental deletion, data corruption, or other incident
- Develops and regularly tests its incident response plan to ensure a swift and coordinated response to security incidents
- Establishes communication channels and contacts with its cloud service providers to report and address security incidents
- Evaluates the security practices of its cloud service providers and understands their security measures, certifications, and compliance with industry standards
- Educates teams on security best practices regarding the use of cloud services and makes them aware of potential risks and how to mitigate them
- Keeps cloud infrastructure, operating systems, and applications up to date with the latest security patches to address known vulnerabilities
Does Zayo ensure that you are not sourcing assets on a banned list to customers (e.g., ITAR, NDAA Section 889)?
Yes. Please see Section 889 of the National Defense Authorization Act (NDAA) Statement of Compliance.
How does Zayo ensure that you are not providing assets on a banned list to customers?
All product and service providers are thoroughly assessed and vetted prior to onboarding.
Does Zayo have documented hardware and software policies and practices in place to ensure asset integrity?
Yes.
What recognized standards or frameworks are followed to ensure asset integrity?
Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.
How does Zayo ensure that regular reviews and updates of the asset integrity policies and practices are performed?
The asset owner is responsible for the confidentiality, integrity and availability of the information in the asset throughout the whole asset lifecycle, and must ensure that the asset is inventoried and appropriately classified.