Trust Center

Security Governance

Last Updated: April 17, 2025 2:38 pm MDT

What is the Unified Compliance Framework (UCF)?

The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes their requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

How is Zayo’s Security Governance Framework structured?

Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

Does Zayo share its governance documentation with customers?

No. Zayo does not share governance documents in their entirety, as they are treated as internal resources that are proprietary in nature. Keeping them internal fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

Yes. Information is categorized using data classification standards and document retention policies.

Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

Do you have company-wide, publicly available security policies in place covering privacy?

Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the specified security requirements and practices are propagated throughout the supply chain, and that the relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place to validate that delivered information and communication technology products and services adhere to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues.

Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and the Supplier must apply this same method of information sharing if it uses any other Suppliers for the services provided to the Organization.

Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

Yes. Reports include:

  • Key threats and associated cyber security activities
  • Cyber incidents and underlying causes
  • Ownership responsibilities and accountabilities
  • Roadmaps, action plans, and progress
  • Key Risk Indicators, tolerances and financial thresholds / limits
  • Cyber security performance metrics and trends
  • Information on emerging threats

How often does the Board receive reporting on Zayo’s cyber risk profile?

Board reporting occurs quarterly or more frequently as needed.

Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.