Data Security and Privacy Principles for IBM SaaS: How IBM Software as a Service is protected by IBM's security-driven culture




Contents

Introduction
Governance
Security Policies
Access, Intervention, Transfer and Separation Control
Service Integrity & Availability Controls
Activity Logging, Input Control
Physical Security, Entry Control
Order Control
Compliance
Summary

Introduction

Cloud computing offers business leaders cost-effective elasticity and scalability, which is critical in today's dynamic and fiercely competitive market. Software as a Service, or SaaS, further optimizes this concept by shifting much of the onus of deployment, administration, maintenance, and security of applications, middleware, databases, operating systems, hypervisors, servers, storage, and networking to the service provider. It is natural for any responsible business leader to be wary of relinquishing command over the Information Technology policies and controls protecting their data to a third party. The impact of a data breach can be catastrophic, and when it comes to protecting your data, not all SaaS providers are equal.

At IBM, data privacy and security are not afterthoughts or the cost of doing business. IBM continues our long tradition of privacy and security leadership because data security and privacy have been essential values of our organizational culture for decades. The results of IBM's security-driven culture are manifest, for example, in the numerous awards and accolades IBM continues to receive from around the globe acknowledging the robustness and value of IBM Security offerings, such as X-Force, Managed Security Services, Security consulting practices, and our comprehensive line of IT Security products. IBM maintains one of the largest single databases of known cybersecurity threats in the world. We continuously identify and analyze emerging threats, often before they are known to the world at large. We are uniquely able to analyze and use this information to derive deep insights into the cyber threat landscape.

It is important to bear all of this in mind when comparing IBM to other SaaS providers, because with any SaaS offering you are trusting your provider with one of your most critical assets: your data. While SaaS customers must assess any SaaS offering to determine whether its data processing and security measures satisfy their organizational and regulatory requirements, the SaaS provider decides where risks lie in its services and implements security measures accordingly. The provider's capabilities, experience, and attitude towards data privacy and security matter greatly. IBM SaaS offerings are the only SaaS offerings protected by IBM's unparalleled wealth of knowledge and skills, extensive range of capabilities, and decades of proven success, leadership, and innovation in secure computing practices. These advantages are just a few of the reasons why IBM is able to better defend against and manage ever-evolving cyber threats in a holistic and effective manner. IBM maintains the confidentiality of the data you own and upload into an IBM SaaS offering. We do not use, disclose, or access your data for any reason except to deliver services and support to you in accordance with the terms of the offering. We would like to share with you some of the practices and principles we live by at IBM that keep our systems and data safe, as it is this same security-driven culture that safeguards the confidentiality, integrity, and availability of the data you entrust to IBM SaaS.

Governance

IBM's IT Security policies are defined by essential principles and practices centered on a philosophy of continuous improvement. We continuously assess the effectiveness of IT Security measures and evaluate them against emerging threats and technological advances that can further enhance IBM's secure computing capabilities.

Security Policies

IBM security policies are reviewed regularly and refined as necessary to keep current with modern threats and in line with updates to international standards. IBM security incidents are handled in accordance with our comprehensive incident response procedures, taking into account any data breach notification requirements under applicable law. IBM employees are required to complete security and privacy education annually and certify each year that they will comply with IBM's ethical business conduct, privacy, confidentiality, and security requirements, as set out in IBM's Business Conduct Guidelines.

Access, Intervention, Transfer and Separation Control

The architecture of IBM SaaS offerings maintains logical separation of client data. Internal rules and measures separate data processing (storing, changing, copying, deleting and/or transferring data) and/or storage media according to the contracted purposes. Access to client data (including any personal data) is allowed only to authorized personnel in accordance with principles of segregation of duties, is strictly controlled under IBM's identity and access management policies, and is monitored in accordance with IBM's internal privileged user monitoring and auditing program. IBM's privileged access authorization is individual, role-based, and subject to regular validation. Access to client data is granted only as necessary to deliver services and support to the client (i.e., least required privilege). Transfer of data within IBM's network takes place behind IBM's firewalls. Wi-Fi is not used within IBM production data centers.

Service Integrity & Availability Controls

Modifications to operating system resources and application software are governed by IBM's rigorous change management process. Changes to firewall rules are also governed by the change management process and are separately reviewed by IBM security staff before implementation. IBM systematically monitors production data center resources 24x7. Internal and external vulnerability scanning is regularly conducted by authorized administrators to help detect and resolve potential exposures. IBM's data center services support a variety of information delivery protocols for transmission of data over public networks, such as HTTPS, SFTP, and FTPS. IBM policy defines clear back-up requirements for production systems and data. Compliance with these policies is monitored and rigorously enforced. Backup data intended for off-site storage, if any, is encrypted prior to transport. Security configuration and patch management activities are performed and reviewed regularly. IBM's infrastructure is subject to emergency planning concepts (i.e., disaster recovery, solid disk mirroring, etc.). Business continuity plans for IBM's infrastructure are documented and regularly revalidated.

Activity Logging, Input Control

IBM maintains logs of its activity for systems, applications, and network infrastructure devices. Changes made to production systems are logged and governed in accordance with IBM's change management policies.

Physical Security, Entry Control

IBM maintains physical security standards designed to restrict unauthorized physical access to data center resources. Only limited access points exist at IBM data centers, and these are controlled by access readers and monitored by surveillance cameras. Access is allowed only to authorized personnel. Delivery areas and loading docks where unauthorized persons may enter the premises are strictly controlled. Non-IBM operations and security staff are registered upon entering the premises and are escorted by authorized personnel while on the premises. Employees are removed from the access list upon termination and are required to surrender their access badge. Usage of access badges is logged.

Order Control

Data processing is performed according to a written agreement in which IBM describes the terms, functionality, support, and maintenance of a SaaS offering and the measures taken to maintain the confidentiality, integrity, and availability of client-owned data. Assessments and audits are conducted regularly by IBM to confirm compliance with its information security policies, and industry standard audits are performed annually in all IBM production data centers. Copies of the most recent and applicable external audit summary letters are available to clients by written request.

Compliance

IBM security standards are regularly reviewed against broadly accepted, industry standard practices, such as ISO 27001 and SSAE 16 SOC 2. We continue to develop external auditing and certification requirements for IBM SaaS offerings as they and the applicable standards and regulations evolve.

Summary

While no SaaS provider can promise 100% protection against cybersecurity threats, our clients rest assured knowing that their data is protected by IBM. No other SaaS provider on the planet can match our depth of skills and knowledge, resources, and decades-long record of data security and privacy leadership.

Additional resources

IBM SaaS Trust and Security: http://www.ibm.com/cloud-computing/us/en/trustsaas.html
IBM Software Products and Software-as-a-Service Privacy Statement: http://www-01.ibm.com/software/info/product-privacy/
A Letter to Our Clients about Government Access to Data: http://asmarterplanet.com/blog/2014/03/open-letter-data.html
IBM Business Conduct Guidelines: http://www.ibm.com/investor/governance/business-conductguidelines.html

Copyright IBM Corporation 2015
IBM Corporation, Route 100, Somers, NY 10589
Produced in the United States of America, May 2015

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. This document is current as of the initial date of publication and may be changed by IBM at any time. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.