www.interoute.com

To maintain the Confidentiality, Integrity and Availability of your data across our solutions, and for your peace of mind, Interoute has implemented a series of policies designed to demonstrate a robust security control environment with which to manage security and reduce information risk consistently within the business.

Interoute believes that your data is more secure when your security is layered onto our own.

This means that you can maintain your own data security through Interoute’s provided solution, giving your company both the flexibility and the control to meet industry standards for best practice. We take your security as seriously as you do.

Our products: Unified Communications, Unified Computing, Unified Connectivity and Unified Transport have security built into them from the start. Our services are built on our own secure network, and within our ISO 27001 certified Data Centres.

This means that Interoute can offer secure, quality, cost effective connectivity to and between our environments, still assuring the Confidentiality, Integrity and Availability of your data within it.

Should you need further security measures, Interoute has an extensive portfolio of solutions, and our teams would be delighted to talk with you about any requirements you may have.

ENTERPRISE SECURITY MANAGEMENT

ISO 27001

Interoute, Security, and You

At Interoute, we know that data is at the heart of all ICT solutions. This is why, in our solutions, we ensure its security is underpinned by Industry best practices.

ISO 27001

Interoute has established, and maintains, an Enterprise-wide ISO 27001 (ISO/IEC 27001:2005) certified Security Management System for our Operations Centre and Data Centres.

ISO 27001 is an internationally recognised and independent specification for information security management. It provides an extensive checklist of best-practice security controls which must be considered for use in the organisation’s information security control framework. These controls include technical, procedural, HR and legal compliance controls and a rigorous system of internal and independent external audits.

ISO 27001 certification allows Interoute to demonstrate a robust information security control environment to manage security and reduce Information risk consistently within its business.

By embedding ISO 27001 security controls into the design of our solutions, Interoute controls the Confidentiality, Integrity & Availability of our customers’ data holistically across the various infrastructure and platform technologies supporting our solutions, as well as our own network and service management systems.

Interoute’s product portfolio provides a variety of security solutions, including Firewalls, DDOS protection, Intrusion prevention, Web and URL filtering, Email filtering, and “Secure Access”, as well as other security solutions, all of which are available based on your requirements.

Enterprise Security Integration

Interoute has integrated our ISO 27001 controls within ITIL processes throughout the organisation.

Our Enterprise Security Management System is continually improved using a variety of control mechanisms, with Security Management measured on a ‘Plan-Do-Check-Act’ monitoring program. This approach represents a risk and security management framework which enables us to improve our operations and to sustain our customer requirements continually.

Further Accreditations

Interoute specifically adopted ISO 27001 for our Data and Operations Centres to work within a framework of best practice to manage Information Security risk. Beyond implementing ISO 27001 security best practices, and combining with ITIL processes throughout the organisation, Interoute has achieved:

• Payment Card Industry Data Security Standard (PCI DSS) certification
• 3rd party assurance in the form of an ISAE 3402 report
• EU Data Protection Directive compliance

Scope

The scope of the Interoute ISO 27001 certification applies all of the 11 main ISO 27001 control areas across the scope of the certification, with 120 of the 133 control objectives applicable to the certificate.

Interoute drives our integrated Enterprise Security Management System across all our operations, ensuring customer data security throughout.

This methodology is maintained through:

• Extensive Information Security and Physical Security policy suites
• 24x7x365 Service Monitoring and Customer Operations Centre
• 24x7x365 Network Operations Monitoring & Technical Operations Centre
• Geographically diverse Operations Centres
• Operations Event and Incident Management
• Change and Configuration Management
• Business Continuity & Crisis Management
• Service Level Availability Commitments
• Physical Security Management and Controls (CCTV, intrusion/motion detection and 24x7 monitoring)
• Facility Management through Building Management Systems and 24x7 monitoring
• N+1 facility, infrastructure and network technology designs
• Employee security roles, responsibilities and security awareness training
• Field Operations across Europe, with dedicated technology platform resources to respond to failures
• Internal and External Technology Expertise and Support Resources
• Internal Auditing

[Figure: Plan-Do-Check-Act cycle. Plan: Establish ISMS. Do: Implement & Operate ISMS. Check: Monitor & Review ISMS. Act: Maintain & Improve ISMS.]

Control Areas & Mechanisms

Security Policy Management - Interoute has a comprehensive suite of security policies which define the principles of security management across our operations, and have enabled us to attain ISO 27001 certification for our Operations Centre (Prague) and ISO 27001 certification or national equivalent for Data Centre Operations in Amsterdam, Berlin, Geneva, and Stockholm. All Interoute’s Operations Centres and Data Centres follow the same processes, regardless of certification status, and expansion of the certification is planned for all key facilities.

Security Organization Management - Interoute’s Enterprise Security Management System is coordinated by the Chief Security and Risk Officer, through the Interoute Security Committee (ISC), and chaired by the Executive V.P. of Network Operations. It includes dedicated security resources with defined roles and responsibilities across operations functions, and regular internal audits to manage security policies, processes and ensure compliance to security policies and controls.

Asset Management - Interoute maintains formal inventories of the information assets requiring protection by an extensive suite of security policies, processes and controls. These detail all service and platform components, with pre-defined functional owners for maintenance, and are reviewed on an annual basis.

Human Resources - Interoute’s policies set out the roles and responsibilities involved in information security. Interoute maintains a formal process defining clear security rules and processes for reviewing and terminating systems access. Employees have to comply with our security policies and have a minimum of annual security awareness training, with their security responsibilities defined in their job descriptions. Employees in specific sensitive jobs with access to internal systems must sign codes of conduct.

Physical & Environment Security - Interoute’s corporate systems are maintained within Interoute ISO 27001 accredited Data Centres, with 24x7 security guards, CCTV and intrusion detection. All physical access is restricted to Interoute employees.

All technical facilities are monitored 24x7 with fire detection and fire suppression systems, with a resilient N+1 design for power and network resiliency, and POPs monitored 24x7.

Communications & Ops Management - Interoute’s security policies cover the correct and secure operation of information processing facilities, designed to protect and maintain the integrity and availability of information and information processing facilities, minimizing the risk of systems failures. These include backups, segregation of duties, and additional security solutions both within Interoute’s systems, and available to our customers depending upon requirements.

Access Control - Interoute’s security policies cover logical and physical access controls, as well as specific product features to protect critical information. Access to data and systems is based on the principle of least privilege, with rights granted based on functional responsibilities. This is reviewed regularly to ensure security compliance, and includes specific escalation processes for any non-compliance.

Systems Development & Maintenance - Interoute has integrated security into every stage of the system development life cycle with any issues or non-conformities escalated to Security & Risk management for review and remediation.

Incident Management - Interoute has established a Security Incident Management Methodology to respond to operational risks and measure compliance to applicable security policies in order to preserve the integrity of Interoute by detecting and reporting incidents to the Chief Security & Risk Officer and the Director of Operations Security, with notification on detection to impacted customers.

The process defines the criteria for identifying and managing Security Incidents affecting the Interoute network and customer services, and defines, at a high level, how to open, handle and resolve Security Trouble Tickets (STTs).

Business Continuity Management - Interoute’s critical operations are protected by a comprehensive Business Continuity Management system, integrating best practices from BS 25999, ITIL and ISO 27001. This includes continuity tests for our Operations and Data Centres, across operations functions, network platforms and corporate systems. Our Data Centres require specific BCP plans and tests for accreditation. However, customer Disaster Recovery solutions are also available, providing differing levels of high availability solutions.

Compliance Management - Interoute’s ISO 27001 based Security Management system requires on-going audits across all functions of Interoute business operations. This means that we consistently apply the prescribed best practice to ISO 27001 security policies and business processes. In order to maintain our compliance, we are subject to annual continuing assessment visits by an independent certification body, and Interoute has also embedded quarterly technical compliance audits into the core of our operations functions.

Find out how Interoute can support your business. For more information visit www.interoute.com or email [email protected].