Zayo implements physical security controls on its internal environment and physical locations. Customers must implement their own security controls to protect their own environments and locations.
Are requirements in place to ensure the use of Original Equipment Manufacturer (OEM) or Authorized Distributors for all critical ICT components?
Yes. Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products/services they supply, and the associated risks and controls, and assesses their strengths. Equipment is procured from OEMs or authorized distributors and is delivered to and received at a Zayo facility. Zayo maintains control over the chain of custody from supplier to Zayo to customer.
Are counterfeit prevention requirements passed on to second and third party suppliers?
Yes, through contractual agreements.
Do you have requirements that all items being shipped have tamper-evident packaging?
Yes.
Are Zayo facilities configured with air conditioning, water detection, humidity detection, heat/smoke detection, raised floors, and fire suppression systems to protect computer equipment?
Yes, facilities are configured with applicable environmental controls to protect computer equipment.
Do Zayo facilities have an uninterrupted power supply for at least 48 hours?
Critical key facilities have an uninterrupted power supply.
What is the duration the generators can run at the first instance of a power outage?
Generators are sized to run at full load for 24 hours before refueling.
How often are the generators tested?
Tests are run weekly. Load tests are done annually by a third-party service.
Does Zayo have fuel reserves?
Fuel onsite depends on location, but tanks are sized for 24 hours of full load run time. During an event, onsite techs monitor fuel levels. When levels reach 50%, tanks are refilled to full capacity.
What is the length of time services can remain operational in a worst case scenario?
Services can remain operational indefinitely.
Are physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented to safeguard sensitive data and information systems?
Yes, facilities are configured with applicable systems and physical security controls to protect sensitive data and information systems.
Do you limit access to your own personnel and authorized sub-contractors, agents, or visitors?
Access is limited at all locations to authorized personnel, sub-contractors, agents, or visitors.
How is media disposed of?
Media must be disposed of securely and safely when no longer required, to ensure that sensitive information is not leaked through careless disposal to persons outside the Organization or to persons who do not have a need-to-know.
Three techniques must be used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information. Verification of sanitization results is required, and a certificate of media disposition is obtained.
Does Zayo have a clear desk and clear screen policy?
Yes. If the authorized User is not at their workplace, all paper documents (including but not limited to notebooks), as well as storage media (laptops, cell phones, USBs, tablets), must be removed from the desk and surrounding areas, including printers, scanners, fax machines, photocopiers, etc., to prevent unauthorized access to internal use or confidential data. All information must be removed from their screen, and access must be denied to all systems for which the person has authorization.
In the case of short absences, Organization-owned laptop and desktop screens must be locked with a strong passcode/password. For cell phones and tablets with authorized access to Organization data, Users must ensure that these devices are set to lock after a given amount of inactivity.
When Users leave their desk for extended periods of time (hours or for the day), they must take their computer with them, or lock it to their desk, in a cabinet, or to another form of furniture that can also be locked.