Is a personnel security program implemented at Zayo?
Yes.
Is employee access managed by role?
Yes.
Are policies documented for conducting background checks of employees and contractors as permitted by each country in which you operate?
Yes.
Is access to business-critical systems, manufacturing facilities, and assets formally managed and maintained?
Yes.
Does Zayo have a process for onboarding personnel?
Yes.
Does the process include security awareness training?
Yes.
What is the process to determine the level of access to company identifications (IDs), tokens, documents, applications, etc.?
Zayo implements Role-Based Access Controls. Access is granted based on job titles tied to roles.
What is the process to distribute company assets?
Assets are distributed based on roles and are determined by role-based access.
Is the onboarding process documented?
Yes.
Does Zayo have policies for conducting background checks of your employees as permitted by the country in which you operate?
Yes.
How does Zayo conduct the background checks and document, validate, and update responses?
This is performed by Human Resources using a third-party vendor.
Does Zayo have policies for conducting background checks for your suppliers, as permitted by the country in which you operate?
Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products/services they supply, risks and controls, and assessments. Per business practice, the TPRM program thoroughly vets suppliers prior to onboarding.
Does Zayo have policies for conducting background checks for any subcontractors, as permitted by the country in which you operate?
Subcontractor companies are required to perform background checks on their subcontractors doing business with Zayo.
Does Zayo have a process for offboarding personnel?
Yes.
Does the process include a process to transfer knowledge to other personnel?
Yes.
What is the process to remove access to all company documents, applications, assets, etc.?
Access is revoked upon termination of user accounts.
What is the process to recover all company assets?
Upon termination of an employment contract or a change in employment, the User must return all organizational assets to the Service Desk or to the asset owner, in coordination with the manager of the relevant team. All other information related to employment must be given to the Organization in accordance with the employee’s contract. In cases where an employee or Supplier uses their own personal equipment, the User must ensure that all internal-use and confidential information is securely transferred to the Organization and securely erased from their personal machine after termination.
Are personnel security practices formally documented and accessible to all employees?
Yes.
Are Personnel Security practices routinely enforced, audited, and updated?
Yes.
Are all personnel trained in security best practices?
Yes. The training includes, but is not limited to, insider threats, access control, and data protection.
Is there additional security training provided to users with elevated privileges?
Yes.
Does Zayo have a Code of Conduct for its employees, suppliers and subcontractors?
Yes.
Is the Code of Conduct always available and visible to Zayo employees, suppliers, and subcontractors?
Yes.
How often is this Code of Conduct updated?
Annually or as needed.
Does Zayo have personnel designated to address questions about or violations of the Code of Conduct?
Yes.
Are these employees, suppliers, and subcontractors trained on the Code of Conduct, including privacy and confidentiality requirements, as required by your industry?
Yes.