Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture
2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction 3 Governance 3 Security Policies 3 Access, Intervention, Transfer and Separation Control 3 Service Integrity & Availability Controls 4 Activity Logging, Input Control 4 Physical Security, Entry Control 4 Order Control 4 Compliance 4 Summary Introduction Cloud computing offers business leaders costeffective elasticity and scalability, which is critical in today s dynamic and fiercely competitive market. Software as a Service, or SaaS, further optimizes this concept by shifting much of the onus of deployment, administration, maintenance, and security of applications, middleware, databases, operating systems, hypervisors, servers, storage, and networking to the service provider. It is natural for any responsible business leader to be wary of relinquishing command over the Information Technology policies and controls protecting their data to a third party. The impact of a data breach can be catastrophic, and when it comes to protecting your data, not all SaaS providers are equal. At IBM, data privacy and security are not afterthoughts or the cost of doing business. IBM continues our long tradition of privacy and security leadership because data security and privacy have been essential values of our organizational culture for decades. The results of IBM s security-driven culture are manifest, for example, in the numerous awards and accolades IBM continues to receive from around the globe acknowledging the robustness and value of IBM Security offerings, such as X-Force, Managed Security Services, Security consulting practices, and our comprehensive line of IT Security products. IBM maintains one of the largest single databases of known cybersecurity threats in the world. We continuously identify and analyze emerging threats, often before they are known to the world at large. We are uniquely able to analyze and use this information to derive deep insights into the cyber threat landscape. It is important to bear all of this in mind when comparing IBM to other SaaS providers because with any SaaS offering you are trusting your provider with one of your most critical assets: your data. While SaaS customers must assess any SaaS offering to determine if its data processing and security measures satisfy their organizational and regulatory requirements, the SaaS provider decides where risks lie in its services and implements security measures accordingly. The provider s capabilities, experience, and attitude towards data privacy and security matter greatly. IBM SaaS offerings are the only SaaS offerings protected by IBM s unparalleled wealth of knowledge and skills, extensive range of capabilities, and decades of proven success, leadership, and innovation in secure computing practices. These advantages are just a few of the reasons why IBM is able to better defend against and manage ever-evolving cyber threats in a holistic and effective manner. IBM maintains the confidentiality of the data you own and upload into an IBM SaaS offering. We do not use, disclose, or access your data for any reason except to deliver services and support to you in accordance with the terms of the offering. We would like to share with you some of the practices and principles we live by at IBM that keep our systems and data safe, as it is this same securitydriven culture that safeguards the confidentiality,
Data Security and Privacy Principles for IBM SaaS 3 integrity, and availability of the data you entrust to IBM SaaS. Governance IBM s IT Security policies are defined by essential principles and practices centered on a philosophy of continuous improvement. We continuously assess the effectiveness of IT Security measures and evaluate them against emerging threats and technological advances that can further enhance IBM s secure computing capabilities. Security Policies IBM security policies are reviewed regularly and refined as necessary to keep current with modern threats and in line with international standards updates. IBM security incidents are handled in accordance with our comprehensive incident response procedures, taking into account any data breach notification requirements under applicable law. IBM employees are required to complete security and privacy education annually and certify each year that they will comply with IBM s ethical business conduct, privacy, confidentiality, and security requirements, as set out in IBM s Business Conduct Guidelines. Access, Intervention, Transfer and Separation Control The architecture of IBM SaaS offerings maintain logical separation of client data. Internal rules and measures separate data processing (store, change, copy, delete and/or transfer data) and/or storage media according to the contracted purposes. Access to client data (including any personal data) is allowed only by authorized personnel in accordance with principles of segregation of duties, strictly controlled under IBM s identity and access management policies, and monitored in accordance with IBM s internal privileged user monitoring and auditing program. IBM s privileged access authorization is individual, role-based, and subject to regular validation. Access to client data is only granted as necessary to deliver services and support to the client (i.e., least required privilege). Transfer of data within IBM s network takes place behind IBM s firewalls. Wi-Fi is not used within IBM production data centers. Service Integrity & Availability Controls Modifications to operating system resources and application software are governed by IBM s rigorous change management process. Changes to firewall rules are also governed by the change management process and are separately reviewed by IBM security staff before implementation. IBM systematically monitors production data center resources 24x7. Internal and external vulnerability scanning is regularly conducted by authorized administrators to help detect and resolve potential exposures. IBM s data center services support a variety of information delivery protocols for transmission of data over public networks such as HTTPS, SFTP, and FTPS. IBM policy defines clear back-up requirements for production systems and data. Compliance with these policies is monitored and rigorously enforced. Backup data intended for off-site storage, if any, is encrypted prior to transport. Security configuration and patch management activities are performed and reviewed regularly. IBM s infrastructure is subject to emergency planning concepts (i.e., disaster recovery, solid disk mirroring, etc.). Business continuity plans for IBM s infrastructure are documented and regularly revalidated.
4 Data Security and Privacy Principles for IBM SaaS Activity Logging, Input Control IBM maintains logs of its activity for systems, applications, and network infrastructure devices. Changes made to production systems are logged and governed in accordance with IBM s change management policies. Physical Security, Entry Control IBM maintains physical security standards designed to restrict unauthorized physical access to data center resources. Only limited access points exist at IBM data centers, which are controlled by access readers and monitored by surveillance cameras. Access is allowed only by authorized personnel. Delivery areas and loading docks where unauthorized persons may enter the premises are strictly controlled. Non-IBM operations and security staff are registered upon entering the premises and are escorted by authorized personnel while on the premises. Employees upon termination are removed from the access list and required to surrender their access badge. Usage of access badges is logged. Order Control Data processing is performed according to written agreement by which IBM describes the terms, functionality, support, and maintenance of a SaaS offering and measures taken to maintain the confidentiality, integrity, and availability of clientowned data. Assessments and audits are conducted regularly by IBM to confirm compliance with its information security policies, and industry standard audits are performed annually in all IBM production data centers. A copy of the most recent and applicable external audit summary letters are available to clients by written request. Summary While no SaaS provider can promise 100% protection against cybersecurity threats, our clients rest assured knowing that their data is protected by IBM. No other SaaS provider on the planet can match our depth of skills and knowledge, resources, and decades-long record of data security and privacy leadership. Additional resources IBM SaaS Trust and Security http://www.ibm.com/cloud-computing/us/en/trustsaas.html IBM Software Products and Software-as-a-Service Privacy Statement http://www-01.ibm.com/software/info/product-privacy/ A Letter to Our Clients about Government Access to Data http://asmarterplanet.com/blog/2014/03/open-letter-data.html IBM Business Conduct Guidelines http://www.ibm.com/investor/governance/business-conductguidelines.html Compliance IBM security standards are regularly reviewed against broadly accepted, industry standard practices, such as ISO 27001 and SSAE 16 SOC 2. We continue to develop external auditing and certification requirements for IBM SaaS offerings as they and applicable standards and regulations evolve.
Data Security and Privacy Principles for IBM SaaS 5 Copyright IBM Corporation 2015 IBM Corporation Route 100 Somers, NY 10589 Produced in the United States of America May 2015 IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. Please Recycle