Switch’s cyber management system is certified to ISO 27001 standards, and 100% of the ISO 27001 requirements are covered/certified for our colocation services. A list of additional audit reports can be accessed on the audit reports page of our corporate website. Please email firstname.lastname@example.org for an approval code to access these reports.
Customer Data Policy
As a provider of data center infrastructure, Switch covenants not to attempt to logically or digitally access, manage, maintain, or process any information on customer equipment without the prior written consent of the relevant customer; and each customer covenants not to provide Switch with access to such information without the prior written consent of Switch. Moreover, Switch does not transmit, receive, store, process, control, sub-process, manage, manipulate, or otherwise access or utilize data: (a) on behalf of our customers; or (b) resident on customer equipment, servers, or computers. Additionally, Switch is not able to monitor the processing of customer personal data, nor do we share customer data with third parties under any circumstances.
Please reference our Acceptable Use Policy and our statement on GDPR Compliance for additional information regarding Switch’s programs and policies relating to the usage, collection, and protection of customer data.
Switch has a structure in place for the oversight, compliance, and responsibilities for cybersecurity. Please reference directly below for additional information.
Compliance and Information Security
INFOSEC responsibilities and methods:
Switch has operational measures in place to monitor and respond to data breaches and cyberattacks. Please reference directly below for additional information.
Annual Cyber Risk Assessment
A cyber risk assessment is conducted annually by our Information Security team. This involves the identification of, and a mitigation plan for, key risks, including: (1) denial of service, (2) malicious code, (3) unauthorized access, (4) compromised asset or information, (5) social engineering, (6) internal/external hacking, (7) unauthorized data leakage, (8) inappropriate usage, (9) environmental/external, (10) business model, (11) leadership changes, (12) third party, (13) fraud.
Incident Response Plan (IRP)
An Incident Response Plan (IRP) has been developed as an integral component of Switch’s overall information security program. The IRP includes action plans that deal with intrusions, data theft, denial of service (DoS), and other IT security-related incidents.
The six major steps of the IRP are designed to ensure Switch is prepared to detect and respond to incidents effectively, minimize adverse impacts, and provide lessons learned.
The IRP steps are as follows:
INCIDENT RESPONSE PLAN
Cyber Kill Chain
Switch InfoSec uses the Cyber Kill Chain model for intelligence used to identify and prevent intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.
Switch SAFE is a scalable DDoS mitigation service available for customer use at every Switch data center campus location. It is a sophisticated system of software applications and hardware appliances that support client data security. Click here for additional information regarding Switch SAFE.
Switch has a policy in place for regular internal security audits that address vulnerability assessments or penetration testing of the company’s systems, products and practices affecting user data. Please reference directly below for additional information.
Automated scans are continuously conducted on the entire Switch Information System; this includes the critical infrastructure that is segmented and access controlled. Information Security is responsible for ensuring that the signatures used by the Vulnerability Assessment Suite are updated periodically.
A third-party penetration test is conducted semi-annually. The scope of these regular tests is as follows:
Switch has a policy in place for its employees to undergo regular training on Information Security Awareness. Please reference directly below for additional information.
Information Security Awareness
Switch has several programs and policies in place related to data security and the protection and privacy of customer data. Please reference directly below for additional information. For information regarding governance structures for data privacy management, please reference the section above titled “Governance Structures”.
Cyber Security Program Plan (CSPP)
The Switch Cyber Security Program reflects our commitment to implement leading data protection standards on behalf of our clients and with respect to our own internal data systems. Its primary mission is to protect the Confidentiality, Integrity, and Availability of the Switch Information System. Thus, the CSPP outlines a framework for implementing a defense-in-depth layered protection approach that consists of complementary technical, operational, and management controls for the Switch Information System.
Program Scope: The CSPP applies to the entire Switch Information System (any system that stores, processes, or transfers Switch data), which includes support systems, major applications, and minor applications. In accordance with the IT Information Security Policy, NIST 800-53 Risk Assessment, and ISO 27001 ISMS, the CSPP describes the requirements designed to sustain a defense-in-depth approach for protecting the Confidentiality, Integrity, and Availability of the Switch Information System. It provides guidance and requirements for the implementation of security controls to protect Switch from cyber-attacks and threats, thus minimizing any impacts to the systems and information that are necessary to manage and operate Switch facilities and services.
Physical and Environmental Security
As a trusted service provider of the world’s only Class 5 Platinum data center facilities, we are fully focused on delivering physical and environmental security for our data centers worthy of supporting mission critical deployments. Third-party audited reports regarding our compliance with these initiatives are available upon request. Simply email email@example.com for assistance. You may also visit https://www.switch.com/audit-reports/
Incident Response and Reporting Mechanisms
Switch is committed to notifying data subjects (including customer representatives and Switch employees) in a timely manner with respect to policy changes and/or any known incidents regarding the breach of customer data.
The Switch Network Operations Center (NOC) is available 24/7/365 for data subjects to raise concerns about data privacy. Users are the first line of defense, as they are likely to detect any odd behaviors within their systems. The Switch NOC provides an incident response support resource to offer advice and assistance to users of the information system for the handling and reporting of security incidents. Users are required to notify the NOC of an obvious or potential cyber security-related event occurring on any Switch system.
Additionally, the Switch Ethics Hotline is a third-party, anonymous reporting hotline allowing users to report incidents related to ethical and compliance concerns/violations.
Privacy Risk Assessments and Third-Party Audits
Various independent audits are conducted annually by Schellman & Company regarding Switch’s technologies, security protocols, and practices affecting the privacy of user data.
Other audit reports include: SOC 1, SOC 2, SOC 3, MPAA, PCI DSS-ROC, PCI DSS-AOC, NIST 800-53 (Type 1), HIPAA (Type 1). These reports are available upon request at https://www.switch.com/audit-reports/
Switch maintains a library of additional policies and procedures to ensure its services are Tier 5 Platinum compliant and meet Switch’s aggressive sustainability standards. Switch secures these policies on site to avoid the security risks of espionage, terrorism, sabotage, and cyber attack inherent in unauthorized duplication, proliferation, or exploitation of these policies. If you would like additional detail or an on-site tour of Switch’s facilities to inspect these policies, please contact the Investor Relations Team (firstname.lastname@example.org) or the Switch Policy team (email@example.com).