Trust Center

Data Security

Last Updated: April 17, 2025 2:38 pm MDT

Zayo implements security controls on its internal environment, systems, and applications. Customers must implement their own security controls to protect their own environments.

Does Zayo protect all sensitive information at rest?

Data at rest is encrypted, including all removable media (USB sticks, CDs, etc.), and there is a tool in place to prevent and monitor data loss.

Does Zayo protect sensitive information in transit?

Data in transit is encrypted, and there is a tool in place to prevent and monitor data loss.

What customer data is collected or processed by Zayo?

Please refer to the Privacy Policy.

Is customer data hosted by Zayo?

No. While Zayo has protections in place to protect all data, Zayo does not host customer data. Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement. Zayo is not the controller of customer data.

Will Zayo affiliates, subsidiaries, or parent companies have access to customer data?

Please refer to the Privacy Policy.  

Will data be shared with any third parties at any point?

Please refer to the Privacy Policy.

Is the organization PCI-DSS certified at its defined Merchant level?

With regard to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

  • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third-party payment processors. Third-party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
  • Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

What are your employees able to access when working remotely?

Virtual applications and desktop solutions, with full access to corporate data, internal and external systems.

Does Zayo classify its data to identify additional controls to safeguard information? (e.g. personally identifiable information, intellectual property, health data)

Data is classified regularly and during significant changes, and classification includes all use cases.

Does Zayo have a Data Classification Policy?

To ensure appropriate protection and handling of data, the Organization uses two classification criteria: Sensitivity and Criticality. Information owners, data custodians, and the Security Manager are responsible for ensuring that relevant information and systems are classified appropriately. For information on how to label physical assets, reach out to the appropriate team manager for documentation on the procedure. The labels must be easily recognizable and the labeling must be consistent with the classifications defined herein. If an asset or a document is not labeled, it must be considered as “Internal Use”.

The following sensitivity categories shall be used:

  • Restricted – This is the highest classification. It applies to information that is highly sensitive and critical to the business. Unauthorized disclosure of this information could result in the inability to conduct business, severely impact the financial stability of the company, attract significant legal liability or place the company at a serious competitive disadvantage. Sensitive personal information of Users, which includes but is not limited to Social Insurance Number (SIN), Social Security Number (SSN) or Government-issued number, date of birth (DOB) and credit card numbers, etc., is also classified as restricted.
  • Confidential – Confidential information is shared on a need-to-know basis only, and it must only be shared with those on the distribution list for that information. 
  • Internal Use – This classification relates to all Organization business information. Access to this information must be restricted to Users in the Organization, and is not for general distribution outside of the organization. Examples include but are not limited to: general benefits program information, employee wellness descriptions, and other employee content.
  • Public – This is information that can be presented to users outside of the Organization. This is data where its disclosure would not adversely affect the company, its Users, its Suppliers, or its customers. Examples include content for public-facing web properties, job postings, and public corporate contact information (e.g., mailing address, monitored phone numbers, and customer service contact information).

Which tools are used to protect data?

  • Mobile Device Management, including remote wipe capability and password management, is in place to safeguard against data leakage
  • Email monitoring tools to recognize, block, and limit potentially unsafe attachments, links, executables, etc.
  • Web, phishing, and document isolation through cloud-based virtualization
  • Heuristic-based scanning to detect and prevent file encryption