Our customers include some of the largest companies in the world. Their trust in the physical and data security environment for the equipment they deploy in our data centers is very important to us. We are dedicated to implementing privacy by design throughout our company, enhancing resilience, enhancing capabilities, and fostering a culture of speed, agility, and a commitment to the user and customer experience.
Equinix’s Global Chief Information Security Officer, in partnership with our Senior Vice President, Global Regulatory, Public Policy, Privacy and Compliance, leads our on-going efforts to apply policies, standards and procedures that enable us to maintain the highest levels of data security across our global platform of systems and applications, and, as part of that, ensure we comply with all applicable and evolving data privacy laws in the countries in which we operate.
Equinix’s Infosec Governance, Risk Compliance (GRC) platform has regulatory change management functionality that provides significant compliance efficiencies by automating our compliance to regulatory changes, which would have otherwise resulted in increased overall risk for the organization. Equinix maintains a global data privacy compliance program that is designed to meet the requirements of applicable privacy laws and particularly, the European Union (EU) General Data Protection Regulation (GDPR). In anticipation of evolving global data privacy regulations, we continue to enhance data privacy measures in existing markets and proactively implement compliance models that meet GDPR-like requirements in new markets. Our proactive approach to data protection compliance allows us to meet local requirements as they arise.
Localized reporting requirements for cybersecurity incidents have also been increasing. In 2022 in India, we established a process to comply with the mandatory CERT-In cybersecurity incident reporting timelines and requirements. In the United States, our legal and public policy teams are working with national trade associations to monitor and respond to expanded rules and regulations from the Security Exchange Commission (SEC) around cybersecurity incident reporting. As a quickly expanding global organization, we are eager to engage with local stakeholders to ensure that we can meet local requirements.
Equinix closely monitors ongoing policy changes, including data localization and sovereignty requirements, to stay ahead of emerging discussions and regulations where we operate. This includes, for example, compliance with the updated Schrems II requirements regarding the safe transfer of personal data from Europe around the world.
Our data security policies, programs and protocols are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST 800-53) and have achieved certification against the ISO 27001 Information Security Management Frameworks. While each IBX® data center site currently maintains its own certification, we are working to certify all Equinix sites under one global certification. We are an early adopter to be compliant with Cybersecurity Maturity Model Certification (CMMC) for contracting with the U.S. federal government and its agencies.
We have a standardized process to manage electronic disposal and work closely with suppliers who meet our strict criteria to ensure that all critical data is sanitized from assets before being removed from our sites.
Information Security programs are approved by the Executive Leadership Team, reported on quarterly to the Board of Directors Nominating and Governance Committee, and are managed as part of Golden Fortress, a set of 12 cybersecurity programs focused on building greater security and resiliency at Equinix. We are fully compliant with SOX regulation. We also achieved global PCI DSS compliance certification for payment card industry security controls in 2022.
Equinix’s Infosec Governance, Risk Compliance (GRC) program reduces cybersecurity risk for the organization by implementing a single, centralized, automated and scalable platform to address key business requirements around Audit Management, Risk Management, Policy Management, Regulatory Change and Compliance Management.
This strong governance foundation allows us to maintain trust and transparency around information security with internal and external stakeholders.
Risk Quantification within the platform has been used as a decision-making tool across some functions within Equinix. In 2022, the Infosec GRC program partnered with the Procurement team to build mandatory security requirements for suppliers and accelerate third-party risk management on a global scale.
Our ability to deliver Continuous Assurance and Compliance by automating various internal controls through this GRC program helped position us higher in various Infosec GRC Maturity Models.
Abdul Khader Aslam, Equinix Director, Information Security, Governance, Risk and Compliance, co-authored and published “Enterprise Cybersecurity – How to Build a Successful Cyberdefense Program Against Advanced Threats”. This is used as a textbook for several university graduate programs.
We’ve continued to look for ways to better communicate data privacy and security to our stakeholders. We started a blog in 2022 to showcase our work on topics that are highly relevant to our employees and customers. We can tell our story and increase customer trust thanks to this and other communication channels.
Trust & Transparency Program
Equinix maintains a Trust & Transparency program that provides assurance to the customer that their equipment and data is always protected when utilizing Equinix products and services. The program includes three elements that work together to support our customer and outlines policies, procedures, and security measures we have in place to protect sensitive data, systems and assets.
Equinix aims to ensure clear communication channels for reporting and addressing security issues and concerns. To ensure that our information security management is fully integrated and supports all business requirements, our Chief Information Security Officer defines and implements security-related policies, all of which are aligned to the National Institute of Standards and Technology (NIST) framework, that are annually reviewed and endorsed by the Information Security Steering Committee, a committee of senior and executive management to govern information security programs. All Equinix managers, employees and contractors are trained on and responsible for complying with these policies.
Audits and Review
We conduct regular internal audits, independent third-party assessments, penetration testing of common controls, and implemented an enterprise threat and vulnerability management program to prioritize remediation of technical risk as part of assurance. In 2022, Equinix supported 3,000 customers to ensure they were achieving and maintaining compliance for their auditors and clients. Equinix also achieved ISO27001 certification and independent assessment report SOC 2 for ECP, Network Edge, Equinix Fabric® and Equinix Metal®. Our converged security systems reach across industrial control systems to ensure compliance with NIST 800-82.
The Information Security team regularly tests our Incident Response capabilities. Testing includes a playbook for responding to data breach scenarios ranging from insider risk to external unauthorized access. This playbook is based on real incidents that we have effectively managed, as well as tactics used by threat actors. The enhanced playbook helps to accelerate our response rate and disclosure requirements that would be activated and by identifying external global authorities, vendors and internal functions that need to be notified in the case of a breach.
and successfully trained 1,279 developers.
Zero-trust principles are grounded on least privilege access and continuous authorization instrumented by a framework of advanced technologies considering access at a moment in time. Equinix’s philosophy is that organizations should not automatically trust anything inside or outside our security perimeters and should continuously validate everyone and everything trying to gain access. By enabling zero-trust principles and controls through our security platform, we increase our security posture and strengthen our customers’ confidence in our commitment to security. We recognize the global threat landscape is continuously evolving and tactics by threat actors continue to mature. The collective intelligence of our cybersecurity platform allows us to continuously evaluate threats and vulnerabilities with the agility to adapt our controls as appropriate.
Employee Data Privacy Notice
The trust of our employees is critical to our success, and we want to be fully transparent with them about their personal data and how we handle it. Our employee Data Privacy Notice is adapted to meet local regulatory requirements but also sends a globally consistent message to our employees. This notice provides details on how Equinix processes employee personal data, for what purpose and how we keep it secure, and allows employees the opportunity to ask questions and exercise their regulatory rights, where applicable. We review and update the plan as Equinix expands to ensure that we are meeting local regulations of the markets in which we are operating.
Equinix is a security destination of choice for customers and IT professionals. We are committed to continually building our talent and security capabilities. While growing our investments in security governance, controls and people, we have emphasized the importance of diversity and inclusivity within the organization. Our teams have strong capabilities aligned with top National Institute of Standards and Technology (NIST) controls, while at the same time aligning with our culture of belonging and trust.
Training and Development
We conduct regular employee training on how to spot suspicious activity and educate our employees on potential data privacy and security risks. In 2022, we began hosting targeted training for specific groups of employees. To start, we focused on new hires and measured a quantifiable reduction of risk based on modified user online behavior. We also reignited in-person training to standardize and address regional challenges. For instance, in Brazil, we provided staff training on the dangers associated with specific messaging platforms, which have significant security threats.
in click rate on phishing emails sent by Infosec in 2022
on the Information Security Awareness Yammer channel
and 10.3k total engagement
included in the Information Security Awareness Yammer channel
Equinix’s dedicated online data privacy training module, focused on GDPR requirements, is open to employees and managers who handle personal data in their scope of responsibility, which is approximately 30% of the employee base. This training module sits between the data privacy components of our Code of Ethics training programs that all employees undertake, and specific departmental training exercises focused on specific aspects of data privacy compliance, such as marketing consent management, breach notification and management.
Gamified Learning in 2022
Equinix successfully began using Yammer to host voluntary, gamified employee learning in 2022. We release games focused on social media security, sensitive data, social engineering, safe browsing and other cybersecurity topics every month. At least 150 players per month are attracted by the engaging format and emphasis on trending security topics. Employees are encouraged to review the relevant accompanying material for additional guidance on the highlighted topics in addition to the game’s content.
Equinix shared the success of our gamified cybersecurity training at the SANS Security Awareness Summit in 2022. We received feedback from attendees interested in adopting gamification for their own employees. Influenced by this interaction and our success, peers in retail and banking are adopting the platform for themselves.
Our Cyber Knights Ambassador Program is a security ambassador program providing a structured development opportunity for our employees. It allows us to scale a culture of security, and allows our employees to help share data security best practices. A dedicated training portal was accessed by a group of global knights from 19 nations in 2022, and they took part in monthly talks, Q&As, and three levels of training. Based on this training, attendees request specific awareness activities for their departments and regions. Our program is aligned with our ambition to help advance the security industry, and is currently being used as a model for an industry baseline.
As we continue to grow as a company and expand our offerings, we remain focused on maintaining a culture of security and trust across the entire company. We monitor this culture by tracking engagement and impact to user behavior throughout our various platforms, data analytics and our Yammer internal social media portal.