Enterprise Security Management ISO 27001 - Interoute



Post on 06-Feb-2018



Interoute, Security, and You

At Interoute, we know that data is at the heart of all ICT solutions. This is why, in our solutions, we ensure its security is underpinned by Industry best practices.

To maintain the Confidentiality, Integrity and Availability of your data across our solutions, and for your peace of mind, Interoute has implemented a series of policies designed to demonstrate a robust security control environment with which to manage security and reduce information risk consistently within the business.

Interoute believes that your data is more secure when your security is layered onto our own.

This means that you can maintain your own data security through Interoute’s provided solution, giving your company both the flexibility and the control to meet industry standards for best practice. We take your security as seriously as you do.

Our products: Unified Communications, Unified Computing, Unified Connectivity, Unified Transport and our Virtual Data Centre (VDC) have security built into them from the start. Our services are built on our own secure network, and within our ISO 27001 certified Data Centres.

This means that Interoute can offer secure, quality, cost-effective connectivity to and between our environments, while still assuring the Confidentiality, Integrity and Availability of your data within them.

Should you need further security measures, Interoute has an extensive portfolio of solutions, and our teams would be delighted to talk with you about any requirements you may have.

ISO 27001

ENTERPRISE SECURITY MANAGEMENT

Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK. Telephone: +44 20 7025 9000 Email: [email protected]

© Interoute Communications Limited www.interoute.com

[Figure: INFORMATION (Confidentiality, Integrity, Availability) shown with the control areas Security Policy Management, Security Organisation Management, Asset Management, Human Resources, Physical & Environment Security, Communications & Operations Management, Access Control, Systems Development & Maintenance, Incident Management, Business Continuity Management and Compliance Management; the services Hosting, Video Services, Internet, VPN, Voice, Bandwidth and Infrastructure; and the product families Unified Computing, Unified Transport, Unified Connectivity and Unified Communications.]


ISO 27001

Interoute has established, and maintains, an Enterprise-wide ISO 27001 (ISO/IEC 27001:2005) certified Security Management System for our Operations Centres and Data Centres.

ISO 27001 is an internationally recognised and independent specification for information security management. It provides an extensive checklist of best-practice security controls which must be considered for use in the organisation’s information security control framework. These controls include technical, procedural, HR and legal compliance controls and a rigorous system of internal and independent external audits.

ISO 27001 certification allows Interoute to demonstrate a robust information security control environment to manage security and reduce Information risk consistently within its business.

By embedding ISO 27001 security controls into the design of our solutions, Interoute controls the Confidentiality, Integrity & Availability of our customers’ data holistically across the various infrastructure and platform technologies supporting our solutions, as well as our own network and service management systems.

Governance & Accreditations

Interoute specifically adopted ISO 27001 for our Data and Operations Centres to work within a framework of best practice to manage Information Security risk. Beyond implementing ISO 27001 security best practices, and combining with ITIL processes throughout the organisation, Interoute has achieved:

• Payment Card Industry Data Security Standard (PCI DSS) certification

• 3rd party assurance in the form of an ISAE 3402 Type II report

Security Services

Interoute’s expertise, along with our extensive product portfolio of security solutions, can help you achieve your own certification, using our solution as a base to develop from.

Our experienced security professionals can apply their knowledge, together with your solution and our Security products, to meet your business technology needs.

Our Security Products include:

• Firewalls,

• DDoS protection,

• IPS,

• Web and URL filtering,

• Email filtering,

• other security solutions

• professional services,

all of which are available based on your requirements.

Let us help you maintain your Security.


Enterprise Security Integration

Interoute has integrated our ISO 27001 controls within ITIL processes throughout the organisation.

Our Enterprise Security Management System is continually improved using a variety of control mechanisms, with Security Management measured on a ‘Plan-Do-Check-Act’ monitoring program. This approach represents a risk and security management framework which enables us to improve our operations and to sustain our customer requirements continually.

Scope

The Interoute ISO 27001 certification applies all of the 11 main ISO 27001 control areas across its scope.

Interoute drives our integrated Enterprise Security Management System across all our operations, ensuring customer data security throughout.

This methodology is maintained through:

• Extensive Information Security and Physical Security policy suites

• 24x7x365 Service Monitoring and Customer Operations Centre

• 24x7x365 Network Operations Monitoring & Technical Operations Centre

• Geographically diverse Operations Centres

• Operations Event and Incident Management

• Change and Configuration Management

• Business Continuity & Crisis Management

• Service Level Availability Commitments

• Physical Security Management and Controls (CCTV, intrusion/motion detection and 24x7 monitoring)

• Facility Management through Building Management Systems and 24x7 monitoring

• N+1 facility, infrastructure and network technology designs

• Employee security roles, responsibilities and security awareness training

• Field Operations across Europe, with dedicated technology platform resources to respond to failures

• Internal and External Technology Expertise and Support Resources

• Internal Auditing

[Figure: Plan-Do-Check-Act cycle. Plan: Establish ISMS; Do: Implement & Operate ISMS; Check: Monitor & Review ISMS; Act: Maintain & Improve ISMS.]


Control Areas & Mechanisms

Security Policy Management - Interoute has a comprehensive suite of security policies which define the principles of security management across our operations, and have enabled us to attain ISO 27001 certification for our Operations Centre (Prague) and ISO 27001 certification or national equivalent for Data Centre Operations in Amsterdam, Berlin, Geneva, and Stockholm. All Interoute’s Operations Centres and Data Centres follow the same processes, regardless of certification status, and expansion of the certification is planned for all key facilities.

Security Organization Management - Interoute’s Enterprise Security Management System is coordinated by the Chief Security and Risk Officer, through the Interoute Security Committee (ISC), and chaired by the Executive V.P. of Network Operations. It includes dedicated security resources with defined roles and responsibilities across operations functions, and regular internal audits to manage security policies, processes and ensure compliance to security policies and controls.

Asset Management - Interoute maintains formal inventories of the information assets requiring protection by an extensive suite of security policies, processes and controls. These detail all service and platform components, with pre-defined functional owners for maintenance, and are reviewed on an annual basis.

Human Resources - Interoute’s policies set out the roles and responsibilities involved in information security. Interoute maintains a formal process defining clear security rules and processes for reviewing and terminating systems access. Employees have to comply with our security policies and have a minimum of annual security awareness training, with their security responsibilities defined in their job descriptions. Employees in specific sensitive jobs with access to internal systems must sign codes of conduct.

Physical & Environment Security - Interoute’s corporate systems are maintained within Interoute ISO 27001 accredited Data Centres, with 24x7 security guards, CCTV and intrusion detection. All physical access is restricted to Interoute employees.

All technical facilities are monitored 24x7 with fire detection and fire suppression systems, with a resilient N+1 design for power and network resiliency, and POPs monitored 24x7.

Communications & Ops Management - Interoute’s security policies cover the correct and secure operation of information processing facilities, designed to protect and maintain the integrity and availability of information and information processing facilities, minimizing the risk of systems failures. These include backups, segregation of duties, and additional security solutions both within Interoute’s systems, and available to our customers depending upon requirements.

Access Control - Interoute’s security policies cover logical and physical access controls, as well as specific product features to protect critical information. Access to data and systems is based on the principle of least privilege, with rights granted based on functional responsibilities. This is reviewed regularly to ensure security compliance, and includes specific escalation processes for any non-compliance.

Systems Development & Maintenance - Interoute has integrated security into every stage of the system development life cycle with any issues or non-conformities escalated to Security & Risk management for review and remediation.

Incident Management - Interoute has established a Security Incident Management Methodology to respond to operational risks and measure compliance to applicable security policies in order to preserve the integrity of Interoute by detecting and reporting incidents to the Chief Security & Risk Officer and the Director of Operations Security, with notification on detection to impacted customers.

The process defines the criteria for identifying and managing Security Incidents affecting the Interoute network and customer services, and defines, at a high level, how to open, handle and resolve Security Trouble Tickets (STTs).

Business Continuity Management - Interoute’s critical operations are protected by a comprehensive Business Continuity Management system, integrating best practices from BS 25999, ITIL and ISO 27001. This includes continuity tests for our Operations and Data Centres, across operations functions, network platforms and corporate systems. Our Data Centres require specific BCP plans and tests for accreditation. However, customer Disaster Recovery solutions are also available, providing differing levels of high availability solutions.

Compliance Management - Interoute’s ISO 27001 based Security Management system requires on-going audits across all functions of Interoute business operations. This means that we consistently apply the prescribed best practice to ISO 27001 security policies and business processes. In order to maintain our compliance, we are subject to annual continuing assessment visits by an independent certification body, and Interoute has also embedded quarterly technical compliance audits into the core of our operations functions.

Find out how Interoute can support your business. For more information visit www.interoute.com or email [email protected]
