What we do: Switch is a colocation data center provider. Colocation data centers provide a shared physical environment for enterprise clients to ‘co-locate’ their mission critical IT infrastructure. Our business operations entail the provision of space, power, cooling, and physical security for the servers, storage arrays, and networking equipment owned and operated by our clients. In addition to colocation services, Switch also provides access to a variety of telecommunications and network service providers at minimal cost and complexity.
What we do not do: Switch does not manage, maintain, control, or have visibility to the data residing on its customers’ servers or data transmitted to/from the telecommunications networks connected to our data centers. Moreover, Switch does not directly engage in the provision of cloud services, managed hosting, software, or logical security services that may involve the collection of, or responsibility for customer data. As such, our contracts stipulate that customers shall maintain full right of access, rectification, and deletion of their data at all times.
Switch has several programs and policies in place related to data security and the protection and privacy of customer data. Please reference directly below for additional information. For information regarding governance structures for data privacy management, please reference the section above titled “Governance Structures”.
Cyber Security Program Plan (CSPP)
The Switch Cyber Security Program reflects our commitment to implement leading data protection standards on behalf of our clients and with respect to our own internal data systems. Its primary mission is to protect the Confidentiality, Integrity, and Availability of the Switch Information System. Thus, the CSPP outlines a framework for implementing a defense-in-depth layered protection approach that consists of complementary technical, operational, and management controls for the Switch Information System.
Program Scope: The CSPP applies to the entire Switch Information System (any system that stores, processes, or transfers Switch data), which includes support systems, major applications, and minor applications. In accordance with the IT Information Security Policy, NIST 800-53 Risk Assessment, and ISO 27001 ISMS, the CSPP describes the requirements designed to sustain a defense-in-depth approach for protecting the Confidentiality, Integrity and Availability of the Switch Information System. It provides guidance and requirements for the implementation of security controls to protect Switch from cyber-attacks and threats, thus minimizing any impacts to the systems and information that are necessary to manage and operate Switch facilities and services.
Physical and Environmental Security
As a trusted service provider of the world’s only Class 5 Platinum data center facilities, we are fully focused on delivering physical and environmental security for our data centers worthy of supporting mission critical deployments. Third-party audited reports regarding our compliance with these initiatives are available upon request. Simply email firstname.lastname@example.org for assistance. You may also visit https://www.switch.com/audit-reports/
Incident Response and Reporting Mechanisms
Switch is committed to notifying data subjects (including customer representatives and Switch employees) in a timely manner with respect to policy changes and/or any known incidents regarding the breach of customer data.
The Switch Network Operations Center (NOC) is available 24/7/365 for data subjects to raise concerns about data privacy. Users are the first line of defense, as they are likely to detect any odd behaviors within their systems. The Switch NOC provides an incident response support resource to offer advice and assistance to users of the information system for the handling and reporting of security incidents. Users are required to notify the NOC of an obvious or potential cyber security-related event occurring on any Switch system.
Additionally, the Switch Ethics Hotline is a third-party, anonymous reporting hotline allowing users to report incidents related to ethical and compliance concerns/violations.
Privacy Risk Assessments and Third-Party Audits
Various independent audits are conducted annually by Schellman & Company regarding Switch’s technologies, security protocols, and practices affecting the privacy of user data.
ISO Certificate Directory
Other audit reports include: SOC 1, SOC 2, SOC 3, MPAA, PCI DSS-ROC, PCI DSS-AOC, NIST 800-53 (Type 1), HIPAA (Type 1). These reports are available upon request at https://www.switch.com/audit-reports/
Information Technology System Controls and Security Oversight
The Switch Board of Directors’ Nominating and Corporate Governance Committee provides oversight and guidance to management regarding Switch’s information technology system controls and security, including periodically reviewing Switch’s cybersecurity and other information technology risks, controls, initiatives and action plans. Our data privacy and cybersecurity programs and policies cover all Switch business activities across all geographic locations in which we operate.
Compliance and Information Security
INFOSEC responsibilities and methods:
Switch has operational measures in place to monitor and respond to data breaches and cyberattacks. Please reference directly below for additional information.
Annual Cyber Risk Assessment
A cyber risk assessment is conducted annually by our Information Security team. This involves the identification of, and mitigation plan for, key risks, including: (1) denial of service, (2) malicious code, (3) unauthorized access, (4) compromised asset or information, (5) social engineering, (6) internal/external hacking, (7) unauthorized data leakage, (8) inappropriate usage, (9) environmental/external, (10) business model, (11) leadership changes, (12) third party, (13) fraud.
Incident Response Plan (IRP)
An Incident Response Plan (IRP) has been developed as an integral component of Switch’s overall information security program. The IRP includes action plans that deal with intrusions, data theft, denial of service (DoS), and other IT security-related incidents.
The six major steps of the IRP are designed to ensure Switch is prepared to detect and respond to incidents effectively, to minimize adverse impacts and provide lessons learned.
The IRP steps are as follows:
INCIDENT RESPONSE PLAN
Cyber Kill Chain
Switch InfoSec uses the Cyber Kill Chain model for intelligence used to identify and prevent intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.
Switch SAFE is a scalable DDoS mitigation service available for customer use at every Switch data center campus location. It is a sophisticated system of software applications and hardware appliances that support client data security. Click here for additional information regarding Switch SAFE.
Switch has a policy in place for regular internal security audits that address vulnerability assessments or penetration testing of the company’s systems, products and practices affecting user data. Please reference directly below for additional information.
Automated scans are continuously conducted on the entire Switch Information System, including the critical infrastructure that is segmented and access controlled. Information Security is responsible for ensuring that the signatures used by the Vulnerability Assessment Suite are updated periodically.
A third-party penetration test is conducted semi-annually. The scope of these regular tests is as follows:
Switch has a policy in place for its employees to undergo regular training on Information Security Awareness. Please reference directly below for additional information.
Information Security Awareness
Switch’s cyber management system is certified to ISO 27001 standards and 100% of the ISO 27001 requirements are covered/certified for our colocation services. A list of additional audit reports can be accessed on the audit reports page of our corporate website, by clicking here. Please email email@example.com for an approval code to access these reports.
Customer Data Policy
As a provider of data center infrastructure, Switch covenants not to attempt to logically or digitally access, manage, maintain, or process any information on customer equipment without the prior written consent of the relevant customer; and each customer covenants not to provide Switch with access to such information without the prior written consent of Switch. Moreover, Switch does not transmit, receive, store, process, control, sub-process, manage, manipulate, or otherwise access or utilize data: (a) on behalf of our customers; or (b) resident on customer equipment, servers, or computers. Additionally, Switch is not able to monitor the processing of customer personal data, nor do we share customer data with third parties under any circumstances.
Please reference our Acceptable Use Policy and our statement on GDPR Compliance for additional information regarding Switch’s programs and policies relating to the usage, collection, and protection of customer data.
Switch maintains a library of additional policies and procedures to ensure its services are Tier 5 Platinum compliant and meet Switch’s aggressive sustainability standards. Switch secures these policies on site, to avoid the security risks of espionage, terrorism, sabotage, and cyber attack, inherent in unauthorized duplication, proliferation, or exploitation of these policies. If you would like additional detail or an on-site tour of Switch’s facilities to inspect these policies, please contact the Investor Relations Team (firstname.lastname@example.org) or the Switch Policy team (email@example.com).