on the IBMÒ Cloud CSA CAIQ V1.0 February 2018 · IBM Watson services are ISO27001, ISO27017, and...

IBMÒ WatsonÒ on the IBMÒ Cloud

CSA CAIQ V1.0 February 2018

CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018

Introduction

IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential within unstructured data. Fundamental to providing a strong foundation for companies wanting to leverage Watson services, IBM uses best-in-class security and compliance processes that allow for successful execution of challenging workloads.

The CAIQ was designed to help with one of the leading concerns that companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management, and how they implement them. This CAIQ document gives detailed responses to those questions for IBM Watson on IBM Cloud and provides additional links where applicable on IBM and Watson security processes, procedures &/or technical controls.

IBM Watson services are ISO27001, ISO27017, and ISO27018 compliant, and are rapidly evolving to support other types of regulated workloads. Compliance of Watson services are maintained though regular reviews by both IBM internal and 3rd party auditors.

Additional information on how Watson is securely deployed on the IBM Cloud can be found below:

• Watson Trust Center: https://ibm.biz/BdjD4r • ISO 27001 certificate: https://ibm.biz/BdjWav • ISO 27017 certificate: https://ibm.biz/BdjWam • ISO 27018 certificate: https://ibm.biz/BdjWaK • Full list of IBM products covered under 27001: https://ibm.biz/BdjWab • IBM Cloud Services data security and privacy principles: https://ibm.biz/Bdsm3x • Additional details around IBM Cloud compliance: https://www.ibm.com/cloud/compliance • How to secure your applications using Watson services:

https://www.ibm.com/cloud/garage/content/architecture/securityArchitecture/overview

Control Domain

Control ID

Question ID

Control Specification

Consensus Assessment Questions

Consensus Assessment Answers

Watson Notes Yes No Not Applicable

Application&InterfaceSecurityApplicationSecurity

AIS-01 AIS-01.1

Applicationsandprogramminginterfaces(APIs)shallbedesigned,developed,deployed,andtestedinaccordancewithleadingindustrystandards(e.g.,OWASPforwebapplications)andadheretoapplicablelegal,statutory,orregulatorycomplianceobligations.

Doyouuseindustrystandards(BuildSecurityinMaturityModel[BSIMM]benchmarks,OpenGroupACSTrustedTechnologyProviderFramework,NIST,etc.)tobuildinsecurityforyourSystems/SoftwareDevelopmentLifecycle(SDLC)?

WatsonservicesontheIBMCloudleveragetheIBMSecureEngineeringStandardwhichisalignedwithOWASPtoensuresecurityaspartofourSDLC.Thosestandardsincludeprocessesforsecurecoding,vulnerabilityassessment,penetrationtesting,education,processesfor3rdpartycodeapprovalandthreatmodelling.Thestandardsusedareregularlyevaluatedandupdatedforinclusionorreplacement.Seehttps://www.ibm.com/security/PenetrationtestingisperformedbybothIBMandthirdpartiesandcoversbothexternalandinternaltestingofendpoints.Vulnerabilityassessmentrequiresautomatedcodeandapplicationscanninginadditiontomanualtesting.SecurecodingmandatesmanualreviewforsecurerelatedcodeandreviewsagainstOWASPtoptenattacks.WatsonserviceshavebeencertifiedbyanindependentauditoragainsttheISO27001certificationstandard.

AIS-01.2

Doyouuseanautomatedsourcecodeanalysistooltodetectsecuritydefectsincodepriortoproduction?

IBMWatsonservicesutilizemultipletesting,scanning&analysistechniquesbeforethepromotionofcodeintoproduction.Theseincludeautomatedstaticanddynamicscans,manualpenetrationtests,threatmodeling,manualcodereviews,andothertechniques.

AIS-01.3

Doyouusemanualsource-codeanalysistodetectsecuritydefectsincodepriortoproduction?

AIS-01.4

DoyouverifythatallofyoursoftwaresuppliersadheretoindustrystandardsforSystems/SoftwareDevelopmentLifecycle(SDLC)security?

DevelopmentworkforIBMWatsonontheIBMCloudisnotoutsourced.Forall3rdpartycomponentsused,e.g.,librariesoropensourcecode,theIBMSecureEngineeringStandardprohibitstheiruseunlessapprovedbyIBM’sOpenSourceSoftwareProcess.Thatapprovalprocessincludestechnical,legalandmarketingreviews.

AIS-01.5

(SaaSonly)Doyoureviewyourapplicationsforsecurityvulnerabilitiesandaddressanyissuespriortodeploymenttoproduction?

Application&InterfaceSecurityCustomerAccessRequirements

AIS-02 AIS-02.1

Priortograntingcustomersaccesstodata,assets,andinformationsystems,identifiedsecurity,contractual,andregulatoryrequirementsforcustomeraccessshallbeaddressed.

Areallidentifiedsecurity,contractual,andregulatoryrequirementsforcustomeraccesscontractuallyaddressedandremediatedpriortograntingcustomersaccesstodata,assets,andinformationsystems?

IBMWatsonservicescustomersareultimatelyresponsibleforthedataintegrityoftheirworkload.IBMWatsoncompliancecertificationsdemonstratethecontrolsinplacetoprovideasecureplatform.Additionalinformationavailablehere:http://www.ibm.com/watson/watson-security.html

AIS-02.2

Areallrequirementsandtrustlevelsforcustomers’accessdefinedanddocumented? X

RequirementsandtrustlevelsforcustomeraccessareestablishedcontractuallyforeachIBMWatsoncustomer.

Application&InterfaceSecurityDataIntegrity

AIS-03 AIS-03.1

Datainputandoutputintegrityroutines(i.e.,reconciliationandeditchecks)shallbeimplementedforapplicationinterfacesanddatabasestopreventmanualorsystematicprocessingerrors,corruptionofdata,ormisuse.

Aredatainputandoutputintegrityroutines(i.e.,reconciliationandeditchecks)implementedforapplicationinterfacesanddatabasestopreventmanualorsystematicprocessingerrorsorcorruptionofdata? x

IBMWatsonservicesareonlyavailablethroughAPIcalls,thissignificantlylimitsanattacker’sabilitytointeractandcompromiseaservice.IBMWatsoncustomersareultimatelyresponsibleforthedataintegrityoftheirworkload.ISO27001compliancedemonstratesthecontrolsIBMWatsonhasinplacetosafeguardagainsttheunauthorizedaccess,destruction,lossoralterationofdata.Securitytestingoccurspriortoproductionrollouttoensureinput&outputsfromtheAPIaresecure&meetsdesignspecifications.

Application&InterfaceSecurityDataSecurity/Integrity

AIS-04 AIS-04.1

Policiesandproceduresshallbeestablishedandmaintainedinsupportofdatasecuritytoinclude(confidentiality,integrity,andavailability)acrossmultiplesysteminterfaces,jurisdictions,andbusinessfunctionstopreventimproperdisclosure,alternation,ordestruction.

IsyourDataSecurityArchitecturedesignedusinganindustrystandard(e.g.,CDSA,MULITSAFE,CSATrustedCloudArchitecturalStandard,FedRAMP,CAESARS)?

IBMWatsonontheIBMCloudDataSecurityArchitectureisdesignedusingindustrystandardsandbestpracticesaligningwithISO27001andNISTframeworks.

AuditAssurance&ComplianceAuditPlanning

AAC-01

AAC-01.1

Auditplansshallbedevelopedandmaintainedtoaddressbusinessprocessdisruptions.Auditingplansshallfocusonreviewingtheeffectivenessoftheimplementationofsecurityoperations.Allauditactivitiesmustbeagreeduponpriortoexecutinganyaudits.

Doyouproduceauditassertionsusingastructured,industryacceptedformat(e.g.,CloudAudit/A6URIOntology,CloudTrust,SCAP/CYBEX,GRCXML,ISACA'sCloudComputingManagementAudit/AssuranceProgram,etc.)?

IBMWatsonservicesuseexternalandinternalauditorstoconductstructured,industrystandardauditassertionsandreports.Extensiveauditplanning&preparationoccursforeachaudit.Theseareperformedataminimumannually.Seehttp://www.ibm.com/watson/watson-security.html

AuditAssurance&ComplianceIndependentAudits

AAC-02

AAC-02.1

Independentreviewsandassessmentsshallbeperformedatleast

DoyouallowtenantstoviewyourSOC2/ISO27001orsimilarthird-partyauditorcertificationreports?

IBMWatsonservicesproviderelevantthird-partyauditattestation,certificationand/orpentestingreportswhereaNon-DisclosureAgreement(NDA)isinplace.

AAC-02.2

annuallytoensurethattheorganizationaddressesnonconformitiesofestablishedpolicies,standards,procedures,andcomplianceobligations.

Doyouconductnetworkpenetrationtestsofyourcloudserviceinfrastructureregularlyasprescribedbyindustrybestpracticesandguidance?

PenetrationtestingisperformedbyIBMteamsagainsttheIBMWatsonservicesenvironmentsonatleastaquarterlybasis.ThistestingcoversnetworkandapplicationleveltestingandincludestestingforbothSANStop25andOWASPtoptenvulnerabilities.3rd-partyvendors(external)performapplicationandnetworkpenetrationagainsttheIBMWatsonservicesproductionenvironmentsatleastonceannually.Thosetestsincludebothexternaltestingagainstpublicendpointsandinternaltestingwherethevendorisprovidedwithaccesstotheenvironmenttotestforanyinternalnetworkvulnerabilitiesorweaknesses.

AAC-02.3

Doyouconductapplicationpenetrationtestsofyourcloudinfrastructureregularlyasprescribedbyindustrybestpracticesandguidance?

PenetrationtestingisperformedbyIBMteamsagainsttheIBMWatsonservicesenvironmentsonatleastaquarterlybasis.ThistestingcoversnetworkandapplicationleveltestingandincludestestingforbothSANStop25andOWASPtoptenvulnerabilities.3rd-partyvendors(external)performapplicationandnetworkpenetrationagainsttheIBMWatsonservicesproductionenvironmentsatleastonceannually.Thosetestsincludebothexternaltestingagainstpublicendpointsandinternaltestingwherethevendorisprovidedwithaccesstotheenvironmenttotestforanyinternalnetworkvulnerabilitiesorweaknesses.

AAC-02.4

Doyouconductinternalauditsregularlyasprescribedbyindustrybestpracticesandguidance?

InternalauditsareroutineandvirtuallycontinuousforIBMWatsonontheIBMCloud.Theseareinitiated/conductedatleastonceeachquarter.

AAC-02.5

Doyouconductexternalauditsregularlyasprescribedbyindustrybestpracticesandguidance?

IBMWatsonservicesataminimum,useexternalauditorsannuallytoconductISO27001assessments&audits.

AAC-02.6

Aretheresultsofthepenetrationtestsavailabletotenantsattheirrequest?

IBMWatsonservicesproviderelevantthird-partypentestingattestations&/orreportswhereaNon-DisclosureAgreement(NDA)isinplace.

AAC-02.7

Aretheresultsofinternalandexternalauditsavailabletotenantsattheirrequest?

x IBMWatsonservicesproviderelevantthird-partyauditattestationstocustomersattheir

request.ExecutivelevelreportsordetailsmaybeprovidedwhereaNon-DisclosureAgreement(NDA)isinplace.

AAC-02.8

Doyouhaveaninternalauditprogramthatallowsforcross-functionalauditofassessments? x

IBMWatsonservicesusemultipleinternalentitiestoconductcrossfunctionalauditassessments.IBMhasarobustinternalauditorganizationutilizingmatureprocessesthathavebeendevelopedandrefinedtoensurealignmentofallbusinessunitsandinternalorganizationstocorporatestandards.

AuditAssurance&ComplianceInformationSystemRegulatoryMapping

AAC-03

AAC-03.1

Organizationsshallcreateandmaintainacontrolframeworkwhichcapturesstandards,regulatory,legal,andstatutoryrequirementsrelevantfortheirbusinessneeds.Thecontrolframeworkshallbereviewedatleastannuallytoensurechangesthatcouldaffectthe

Doyouhavetheabilitytologicallysegmentorencryptcustomerdatasuchthatdatamaybeproducedforasingletenantonly,withoutinadvertentlyaccessinganothertenant'sdata?

Dataatrestandintransitisencrypted.AccesscontroltechnologiesareleveragedinallIBMWatsonservicesdeliverymodelstoensurecustomerscanonlyaccesstheirdata&workloads.AdditionallayersoflogicalsegmentationareavailableinPremium&DedicatedmodelsofdeliveryofWatsonservices.

AAC-03.2

Doyouhavethecapabilitytorecoverdataforaspecificcustomerinthecaseofafailureordataloss?

x IBMWatsonservicescustomersareultimatelyresponsiblefortheirdataandtheintegrityofanyworkloadscommunicatingwithWatsonviaAPI.MostIBMWatsonCloudPlatformServicesarestatelesswherebyclientspecificdatadoesnotpersist.

AAC-03.3

Doyouhavethecapabilitytorestrictthestorageofcustomerdatatospecificcountriesorgeographiclocations?

IBMWatsonservicesprovidecustomerswithoptionstodeploytheirapplicationsanddataindifferentregions.Thedatawillresideintheregiondefinedintheoriginalsolutiondesignandspecifiedintheservicescontractunlesscustomerelectstomoveitthemselves.

AAC-03.4

businessprocessesarereflected.

Doyouhaveaprograminplacethatincludestheabilitytomonitorchangestotheregulatoryrequirementsinrelevantjurisdictions,adjustyoursecurityprogramforchangestolegalrequirements,andensurecompliancewithrelevantregulatoryrequirements?

IBMWatsonservicesmanagement&complianceteamsregularlysurveychangesintheregulatoryenvironment.TheIBMLegalDepartmentalsomonitorsregulatoryrequirementsfortheirimpactuponIBMsecurityprograms.Customersareultimatelyresponsiblefortheircomplianceandtrackinganychangestotheirregulatoryrequirements.

BusinessContinuityManagement&OperationalResilienceBusinessContinuityPlanning

BCR-01

BCR-01.1

Aconsistentunifiedframeworkforbusinesscontinuityplanningandplandevelopmentshallbeestablished,documented,andadoptedtoensureallbusinesscontinuityplansareconsistentinaddressingprioritiesfortesting,maintenance,andinformationsecurityrequirements.Requirementsforbusinesscontinuityplansincludethefollowing:•Definedpurposeandscope,alignedwithrelevantdependencies•Accessibletoandunderstoodbythosewhowillusethem•Ownedbyanamedperson(s)whoisresponsiblefortheirreview,update,andapproval•Definedlinesofcommunication,roles,andresponsibilities•Detailedrecoveryprocedures,manual

Doyouprovidetenantswithgeographicallyresilienthostingoptions? x

IBMWatsonservicesencouragecustomerstotakeadvantageofourglobaldeploymentmodeltoaccomplishgeographicresiliency.

BCR-01.2

Doyouprovidetenantswithinfrastructureservicefailovercapabilitytootherproviders?

IBMWatsonservicesaredesigned,implemented&configuredutilizingHAandareexclusivelyhostedbyIBM.

work-around,andreferenceinformation•Methodforplaninvocation

BusinessContinuityManagement&OperationalResilienceBusinessContinuityTesting

BCR-02

BCR-02.1

Businesscontinuityandsecurityincidentresponseplansshallbesubjecttotestingatplannedintervalsoruponsignificantorganizationalorenvironmentalchanges.Incidentresponseplansshallinvolveimpactedcustomers(tenant)andotherbusinessrelationshipsthatrepresentcriticalintra-supplychainbusinessprocessdependencies.

Arebusinesscontinuityplanssubjecttotestingatplannedintervalsoruponsignificantorganizationalorenvironmentalchangestoensurecontinuingeffectiveness?

Businesscontinuityplansareregularlytestedatminimumonanannualbasis.TherelatedcontrolshavebeenverifiedbyanexternalauditoraspartoftheIBMWatsonservices27001certification.

BusinessContinuityManagement&OperationalResiliencePower/Telecommunications

BCR-03

BCR-03.1

Datacenterutilitiesservicesandenvironmentalconditions(e.g.,water,power,temperatureandhumiditycontrols,telecommunications,andinternetconnectivity)shallbesecured,monitored,maintained,andtestedforcontinualeffectivenessatplannedintervalstoensureprotectionfromunauthorizedinterceptionordamage,anddesignedwithautomatedfail-overorother

Doyouprovidetenantswithdocumentationshowingthetransportrouteoftheirdatabetweenyoursystems?

IBMWatsonservicesprovidecustomerstheoptiontodeploytheirapplicationsanddataindifferentregions.Forstatefulservicesorspecificcustomerworkloads,thedataremainsinthatregionunlessthecustomermovesit.CustomershavedifferentoptionsonhowtheyconnecttotheirIBMWatsonservices,e.g.overpublicnetworkoroveradedicatedVPNtoadedicatedinstance.

BCR-03.2

Cantenantsdefinehowtheirdataistransportedandthroughwhichlegaljurisdictions?

Directinternetconnectivityisthepreferredsolution,butotheroptionsareavailablefordedicatedcustomers.AlltrafficintransittoIBMWatsonservicesareencrypted.

redundanciesintheeventofplannedorunplanneddisruptions.

BusinessContinuityManagement&OperationalResilienceDocumentation

BCR-04

BCR-04.1

Informationsystemdocumentation(e.g.,administratoranduserguides,andarchitecturediagrams)shallbemadeavailabletoauthorizedpersonneltoensurethefollowing:•Configuring,installing,andoperatingtheinformationsystem•Effectivelyusingthesystem’ssecurityfeatures

Areinformationsystemdocuments(e.g.,administratoranduserguides,architecturediagrams,etc.)madeavailabletoauthorizedpersonneltoensureconfiguration,installationandoperationoftheinformationsystem?

IBMWatsonservicesproviderobustdocumentationwithineachservicedescriptiontoassistcustomerswithproperlyconfiguringandusageofitsservices.IBMWatsonserviceshaveextensivedocumentationontheinformationsystem,thisdocumentationisavailabletoauthorizedIBMpersonnel.Thisinformationmayalsobedistributedthroughtrainingwhereapplicable.

BusinessContinuityManagement&OperationalResilienceEnvironmentalRisks

BCR-05

BCR-05.1

Physicalprotectionagainstdamagefromnaturalcausesanddisasters,aswellasdeliberateattacks,includingfire,flood,atmosphericelectricaldischarge,solarinducedgeomagneticstorm,wind,earthquake,tsunami,explosion,nuclearaccident,volcanicactivity,biologicalhazard,civilunrest,mudslide,tectonicactivity,andotherformsofnaturalorman-madedisastershallbeanticipated,designed,andhavecountermeasuresapplied.

Isphysicalprotectionagainstdamage(e.g.,naturalcauses,naturaldisasters,deliberateattacks)anticipatedanddesignedwithcountermeasuresapplied?

IBMWatsonservicesarehostedinIBMdatacenterswherephysicalandenvironmentalprotectioncontrolsareinplace.Thedatacentersecuritycontrolshavebeendesigned&implementedbasedonNIST-800-53,ISO27001&otherindustrystandardrequirements.Thesecontrolsarevalidatedfrequently,ataminimumannually,bybothinternalauditsandexternalauditorsaspartofSOCandISO27001complianceprograms.

BusinessContinuityManagement&OperationalResilienceEquipmentLocation

BCR-06

BCR-06.1

Toreducetherisksfromenvironmentalthreats,hazards,andopportunitiesforunauthorizedaccess,equipmentshallbekeptawayfromlocationssubjecttohighprobabilityenvironmentalrisksandsupplementedbyredundantequipmentlocatedatareasonabledistance.

Areanyofyourdatacenterslocatedinplacesthathaveahighprobability/occurrenceofhigh-impactenvironmentalrisks(floods,tornadoes,earthquakes,hurricanes,etc.)?

x IBMWatsonservicesarehostedinIBMdatacenterswherephysicalandenvironmentalprotectioncontrolsareinplace.Thedatacentersecuritycontrolshavebeendesigned&implementedbasedonNIST-800-53,ISO27001&otherindustrystandardrequirements.Thesecontrolsarevalidatedfrequently,ataminimumannually,bybothinternalauditsandexternalauditorsaspartofSOCandISO27001complianceprograms.

BusinessContinuityManagement&OperationalResilienceEquipmentMaintenance

BCR-07

BCR-07.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,forequipmentmaintenanceensuringcontinuityandavailabilityofoperationsandsupportpersonnel.

Ifusingvirtualinfrastructure,doesyourcloudsolutionincludeindependenthardwarerestoreandrecoverycapabilities?

IBMWatsonservicesareexclusivelyhostedinIBMdatacenters.SpecifichardwarerestoreandrecoveryoptionsaretransparenttocustomersofIBMWatsonservicesastheseareprovidedattheunderlyingIaaSlayer.

BCR-07.2

Ifusingvirtualinfrastructure,doyouprovidetenantswithacapabilitytorestoreaVirtualMachinetoapreviousstateintime?

ThiscanbeavailableinIBMWatsonservicesdedicateddeliverymodel.

BCR-07.3

Ifusingvirtualinfrastructure,doyouallowvirtualmachineimagestobedownloadedandportedtoanewcloudprovider?

x IBMWatsonservicesareexclusivelyhostedinIBMdatacenters.

BCR-07.4

Ifusingvirtualinfrastructure,aremachineimagesmadeavailabletothecustomerinawaythatwouldallowthecustomertoreplicatethoseimagesintheirownoff-sitestoragelocation?

BCR-07.5

Doesyourcloudsolutionincludesoftware/providerindependentrestoreandrecoverycapabilities?

BusinessContinuityManagement&OperationalResilienceEquipmentPowerFailures

BCR-08

BCR-08.1

Protectionmeasuresshallbeputintoplacetoreacttonaturalandman-madethreatsbaseduponageographically-specificbusinessimpactassessment.

Aresecuritymechanismsandredundanciesimplementedtoprotectequipmentfromutilityserviceoutages(e.g.,powerfailures,networkdisruptions,etc.)? x

IBMDataCenterPhysicalandEnvironmentalProtectioncontrolsareinplaceinalldatacenters.ThesecontrolsaremaintainedthroughfrequentinternalauditsandarevalidatedbyexternalauditorsthroughassessmentsincludingbutnotlimitedtoFedRAMP,ISO27001,SOC,PCI,andHIPAA.IBMDataCenterSOCreportsprovideadditionalinsightthesecuritymechanismsimplementedtoprotectagainstoutages.TheSOC3reportisavailabletocustomersandprospectivecustomershere:https://www.ibm.com/cloud-computing/bluemix/sites/default/files/assets/docs/SoftLayer%20SOC%203%201H%202017%20

Report_FINAL%20%281%29_0.pdfTheSOC2reportisavailabletocustomersandcanberequestedviathecustomerportalorbycontactingtheirsalesteam.

BusinessContinuityManagement&OperationalResilienceImpactAnalysis

BCR-09

BCR-09.1

Thereshallbeadefinedanddocumentedmethodfordeterminingtheimpactofanydisruptiontotheorganization(cloudprovider,cloudconsumer)thatmustincorporatethefollowing:•Identifycriticalproductsandservices•Identifyalldependencies,includingprocesses,applications,businesspartners,andthirdpartyserviceproviders•Understandthreatstocriticalproductsandservices•Determineimpactsresultingfromplannedorunplanneddisruptionsandhowthesevaryovertime•Establishthemaximumtolerableperiodfordisruption•Establishprioritiesforrecovery•Establishrecoverytimeobjectivesforresumptionofcriticalproductsandserviceswithintheirmaximumtolerableperiodofdisruption•Estimatethe

DoyouprovidetenantswithongoingvisibilityandreportingofyouroperationalServiceLevelAgreement(SLA)performance?

x IBMWatsonservicesprovidecustomerswithvisibilityonstatusandmaintenancenotificationsforalltheplatformandservicesviaanumberofpublicstatuspages.Seehttps://console.bluemix.net/statusandhttps://status.ng.bluemix.net

BCR-09.2

Doyoumakestandards-basedinformationsecuritymetrics(CSA,CAMM,etc.)availabletoyourtenants?

BCR-09.3

DoyouprovidecustomerswithongoingvisibilityandreportingofyourSLAperformance?

resourcesrequiredforresumption

BusinessContinuityManagement&OperationalResiliencePolicy

BCR-10

BCR-10.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,forappropriateITgovernanceandservicemanagementtoensureappropriateplanning,deliveryandsupportoftheorganization'sITcapabilitiessupportingbusinessfunctions,workforce,and/orcustomersbasedonindustryacceptablestandards(i.e.,ITILv4andCOBIT5).Additionally,policiesandproceduresshallincludedefinedrolesandresponsibilitiessupportedbyregularworkforcetraining.

Arepoliciesandproceduresestablishedandmadeavailableforallpersonneltoadequatelysupportservicesoperations’roles?

IBMWatsonservicesfollowIBMCoreSecurityPracticescoveringSystems,NetworkingandSecureEngineeringbestpractices.SecurityreadinessfocalpointsareassignedforeachPlatformcomponentandserviceandareresponsibletodriveconformancetothosesecuritypolicies.AllIBMemployeesarerequiredtotakesecurityrelatededucationannually.

BusinessContinuityManagement&OperationalResilienceRetentionPolicy

BCR-11

BCR-11.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,fordefiningandadheringtotheretentionperiodof

Doyouhavetechnicalcontrolcapabilitiestoenforcetenantdataretentionpolicies?

SpecificdataretentionconfigurationoptionsareavailabletocustomersutilizingdedicatedIBMWatsonservices.

BCR-11.2

anycriticalassetasperestablishedpoliciesandprocedures,aswellasapplicablelegal,statutory,orregulatorycomplianceobligations.Backupandrecoverymeasuresshallbeincorporatedaspartofbusinesscontinuityplanningandtestedaccordinglyforeffectiveness.

Doyouhaveadocumentedprocedureforrespondingtorequestsfortenantdatafromgovernmentsorthirdparties?

IBMWatsonservicesdonotsharecustomerdataunlesssubjecttodisclosuretogovernmentagenciespursuanttojudicialproceeding,courtorder,orlegalprocess.Formoredetailsonprivacyandtrust,refertohttp://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp,https://www.ibm.com/cloud-computing/bluemix/security-privacy#privacy,https://www-01.ibm.com/software/info/product-privacy/

BCR-11.4

Haveyouimplementedbackuporredundancymechanismstoensurecompliancewithregulatory,statutory,contractualorbusinessrequirements?

IBMWatsonservicesaredesignedwithHighAvailabilityasakeyrequirement.Theservicesaredeployedwithredundancyaspartofthedesign.Dataretentionpoliciesandproceduresaredefinedandmaintainedinaccordancetotheapplicableregulatoryandcompliancestandard.

BCR-11.5

Doyoutestyourbackuporredundancymechanismsatleastannually? x

IBMWatsonservicesaredesigned,implemented&configuredutilizingHighavailability(HA)andareexclusivelyhostedbyIBM.Businesscontinuityplansareregularlytestedatminimumonanannualbasis.TherelatedcontrolshavebeenverifiedbyanexternalauditoraspartoftheIBMWatsonservices27001certification.Databackupisacustomerretainedresponsibility.

ChangeControl&ConfigurationManagementNewDevelopment/Acquisition

CCC-01

CCC-01.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,toensurethedevelopmentand/oracquisitionofnewdata,physicalorvirtualapplications,infrastructurenetworkandsystemscomponents,oranycorporate,operationsand/ordatacenterfacilitieshavebeenpre-authorizedbytheorganization'sbusinessleadershiporotheraccountablebusinessroleorfunction.

Arepoliciesandproceduresestablishedformanagementauthorizationfordevelopmentoracquisitionofnewapplications,systems,databases,infrastructure,services,operationsandfacilities?

IBMWatsonserviceshaveaChangeControlprocesstomanageandtrackchangestoanyportionofthesystem,regardlessofitsmaturitylevel(Experimental,BetaorGA).Thechangecontrolprocessrequiresmultiplelevelsofreviewapprovalincludingcomponentownersandmanagement.IBMSecureEngineeringstandardprovidespoliciesonthedevelopment,reviewingandscanningofcode,applicationsandsystemspriortodeploymentincludinganychangestriggeredviaacquisition.AlldeploymentsarecontrolledviaIBMChangeManagementPolicyandassociatedprocedures.https://www.ibm.com/security/secure-engineering/

CCC-01.2

Isdocumentationavailablethatdescribestheinstallation,configuration,anduseofproducts/services/features?

Extensivedocumentationisavailableintheformofproductdocumentation,whitepapers,tutorialsandvideosinIBMCloudDocsandviaIBMdeveloperWorksandIBMCloudGaragesites.https://console.bluemix.net/docs/https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/https://www.ibm.com/cloud-computing/bluemix/garage

ChangeControl&ConfigurationManagementOutsourcedDevelopment

CCC-02

CCC-02.1

Externalbusinesspartnersshalladheretothesamepoliciesandproceduresforchangemanagement,release,andtestingasinternaldeveloperswithintheorganization(e.g.,ITILservicemanagementprocesses).

Doyouhavecontrolsinplacetoensurethatstandardsofqualityarebeingmetforallsoftwaredevelopment?

DevelopmentworkfortheIBMWatsonservicesisnotoutsourced.TheIBMSecureEngineeringStandardprohibitsuseofall3rdpartycomponentsused,e.g.,librariesoropensourcecodeunlessapprovedbyIBM’sOpenSourceSoftwareProcess.Thatapprovalprocessincludestechnical,legalandmarketingreviews.

CCC-02.2

Doyouhavecontrolsinplacetodetectsourcecodesecuritydefectsforanyoutsourcedsoftwaredevelopmentactivities?

IBMWatsonservicesutilizemultipletesting,scanning&analysistechniquesbeforethepromotionofcodeintoproduction.Theseincludeautomatedstaticanddynamicscans,manualpenetrationtests,threatmodeling,manualcodereviews,andothertechniques.ThesetestsoccuronallcodethatmakesupIBMWatsonservices.

ChangeControl&ConfigurationManagementQualityTesting

CCC-03

CCC-03.1

Organizationsshallfollowadefinedqualitychangecontrolandtestingprocess(e.g.,ITILServiceManagement)withestablishedbaselines,testing,andreleasestandardswhichfocusonsystemavailability,confidentiality,andintegrityofsystemsandservices.

Doyouprovideyourtenantswithdocumentationthatdescribesyourqualityassuranceprocess?

IBMSecureEngineeringstandardprovidespoliciesonthedevelopment,reviewingandscanningofcode,applicationsandsystemspriortodeploymentincludinganychangestriggeredviaacquisition.Thegoalofthesecureengineeringstandardistoassurequalityandminimizeriskstodeployedsystems.ItenforcessecurityeducationforallIBMstaffwithmorespecificsecurityeducationbasedonroleandmandatestheuseofthreatmodellingforalldeploymentswhichincludesariskassessmentphase.Additionaldetailsareavailablehere:https://www.ibm.com/security/secure-engineering/IBMWatsonservicesareISO27001certifiedbyexternalauditors.Thiscertificationisavailabletocustomersandhasseveralcontrolpointswhichfocusonqualityassuranceandriskassessmentmethodology.

CCC-03.2

Isdocumentationdescribingknownissueswithcertainproducts/servicesavailable?

x IBMWatsonservicesprovidecustomerswithvisibilityonstatusandmaintenancenotifications

foralltheplatformandservicesviaanumberofpublicstatuspages.Seehttps://console.bluemix.net/status

CCC-03.3

Aretherepoliciesandproceduresinplacetotriageandremedyreportedbugsandsecurityvulnerabilitiesforproductandserviceofferings?

IBMWatsonservicesprovidecustomerswithvisibilityonstatusandmaintenancenotificationsforalltheplatformandservicesviaanumberofpublicstatuspages.Seehttps://console.bluemix.net/statushttps://www.ibm.com/security/secure-engineering/process.html

CCC-03.4

Aremechanismsinplacetoensurethatalldebuggingandtestcodeelementsareremovedfromreleasedsoftwareversions?

IBMSecureEngineeringstandarddictatesthatcodereviewsmustbeperformedagainstasecurecodingreviewchecklistwhichincludescheckstoremoveanydebugcode.

ChangeControl&ConfigurationManagementUnauthorizedSoftwareInstallations

CCC-04

CCC-04.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,torestricttheinstallationofunauthorizedsoftwareonorganizationally-ownedormanageduserend-pointdevices(e.g.,issuedworkstations,laptops,andmobiledevices)andITinfrastructurenetworkandsystemscomponents.

Doyouhavecontrolsinplacetorestrictandmonitortheinstallationofunauthorizedsoftwareontoyoursystems?

IBMWatsonserviceshaveaChangeControlprocesstomanageandtrackchangestoanyportionofthesystem,regardlessofitsmaturitylevel(Experimental,BetaorGA).Thechangecontrolprocessrequiresmultiplelevelsofreviewapprovalincludingcomponentownersandmanagement.Forcustomerdedicatedclouds,thechangeswillonlybemadeduringanagreedchangewindoworwiththeexplicitapprovalofthecustomerandnochangesaremadewithoutinformingthecustomerinadvance.

ChangeControl&ConfigurationManagementProductionChanges

CCC-05

CCC-05.1

Policiesandproceduresshallbeestablishedformanagingtherisksassociatedwithapplyingchangesto:•Business-criticalorcustomer(tenant)-impacting(physicalandvirtual)applicationsandsystem-systeminterface(API)designsandconfigurations.•Infrastructurenetworkandsystemscomponents.Technicalmeasuresshallbeimplementedtoprovideassurancethatallchangesdirectlycorrespondtoaregisteredchangerequest,business-criticalorcustomer(tenant),and/orauthorizationby,thecustomer(tenant)asperagreement(SLA)priortodeployment.

Doyouprovidetenantswithdocumentationthatdescribesyourproductionchangemanagementproceduresandtheirroles/rights/responsibilitieswithinit?

IBMWatsonservicesareISO27001certifiedandthisincludesreviewofcontrolsonchangemanagement.Reportscanbemadeavailabletocustomersonrequest.Forcustomerdedicatedclouds,thechangeswillonlybemadeduringanagreedchangewindoworwiththeexplicitapprovalofthecustomerandnochangesaremadewithoutinformingthecustomerinadvance.

DataSecurity&InformationLifecycleManagementClassification

DSI-01 DSI-01.1

Dataandobjectscontainingdatashallbeassignedaclassificationbythedataownerbasedondatatype,value,sensitivity,andcriticalitytotheorganization.

Doyouprovideacapabilitytoidentifyvirtualmachinesviapolicytags/metadata(e.g.,tagscanbeusedtolimitguestoperatingsystemsfrombooting/instantiating/transportingdatainthewrongcountry)?

IBMWatsonservicesleveragenamespaces,tags&/orlabelingmethodologies/technologiesforidentificationofcustomerenvironmentsandworkloads.

DSI-01.2

Doyouprovideacapabilitytoidentifyhardwareviapolicytags/metadata/hardwaretags(e.g.,TXT/TPM,VN-Tag,etc.)? x

Specifichardwareandvirtualmachinesareassignedtocustomerspursuanttotheircontractedspecifications.ThiscapabilityisprovidedtoIBMWatsonservicesandsupportteamsbutistransparenttothecustomer.

DSI-01.3

Doyouhaveacapabilitytousesystemgeographiclocationasanauthenticationfactor?

x IndedicatedIBMWatsonservices,customerscanauthenticatetheirownusersviaSSOandcan

utilizegeography-basedauthenticationfactors.

DSI-01.4

Canyouprovidethephysicallocation/geographyofstorageofatenant’sdatauponrequest?

x IBMWatsonservicesprovidecustomerswithoptionstoselectinwhichregioninstancesof

Watsonservicesaredeployed.Datastoredaspartoftheserviceremaininthatregionunlessthecustomermovesit.

DSI-01.5

Canyouprovidethephysicallocation/geographyofstorageofatenant'sdatainadvance?

x IBMWatsonservicesprovidecustomerswithoptionstoselectwhichregioninstancesofWatson

servicesaredeployedin.Datastoredaspartoftheserviceremainsinthatregionunlessthecustomermovesit.

DSI-01.6

Doyoufollowastructureddata-labelingstandard(e.g.,ISO15489,OasisXMLCatalogSpecification,CSAdatatypeguidance)?

IBMWatsonservicesleveragenamespaces,tags&/orlabelingmethodologies/technologiesforidentificationofcustomerenvironmentsandworkloads.Customersareultimatelyresponsibleforclassifying&managingtheirdata.

DSI-01.7

Doyouallowtenantstodefineacceptablegeographicallocationsfordataroutingorresourceinstantiation?

IBMWatsonservicesprovidecustomerswithoptionstoselectwhichregioninstancesofWatsonservicesaredeployedin.Datastoredaspartoftheserviceremainsinthatregionunlessthecustomermovesit.

DataSecurity&InformationLifecycleManagementDataInventory/Flows

DSI-02 DSI-02.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,toinventory,document,andmaintaindataflowsfordatathatisresident(permanentlyortemporarily)withintheservice'sgeographicallydistributed(physicalandvirtual)applicationsandinfrastructurenetworkandsystemscomponentsand/orsharedwithotherthirdpartiestoascertainanyregulatory,statutory,orsupplychainagreement(SLA)complianceimpact,andtoaddressanyother

Doyouinventory,document,andmaintaindataflowsfordatathatisresident(permanentortemporary)withintheservices'applicationsandinfrastructurenetworkandsystems?

IBMWatsonserviceutilizeanextensiveanddetailedthreatmodelingprocesswherealldataflowsaredocumentedpriortomajorreleases.

DSI-02.2

Canyouensurethatdatadoesnotmigratebeyondadefinedgeographicalresidency?

IBMWatsonservicesprovidecustomerswithoptionstoselectwhichregioninstancesofWatsonservicesaredeployedin.Datastoredaspartoftheserviceremainsinthatregionunlessthecustomermovesit.

businessrisksassociatedwiththedata.Uponrequest,providershallinformcustomer(tenant)ofcomplianceimpactandrisk,especiallyifcustomerdataisusedaspartoftheservices.

DataSecurity&InformationLifecycleManagementE-commerceTransactions

DSI-03 DSI-03.1

Datarelatedtoelectroniccommerce(e-commerce)thattraversespublicnetworksshallbeappropriatelyclassifiedandprotectedfromfraudulentactivity,unauthorizeddisclosure,ormodificationinsuchamannertopreventcontractdisputeandcompromiseofdata.

Doyouprovideopenencryptionmethodologies(3.4ES,AES,etc.)totenantsinorderforthemtoprotecttheirdataifitisrequiredtomovethroughpublicnetworks(e.g.,theInternet)?

IBMWatsonservicesleverageopenencryptionmethodologies.DatainmotionandatrestisencryptedusingAESencryption.DatainmotionistransmittedusingTLS1.2.

DSI-03.2

Doyouutilizeopenencryptionmethodologiesanytimeyourinfrastructurecomponentsneedtocommunicatewitheachotherviapublicnetworks(e.g.,Internet-basedreplicationofdatafromoneenvironmenttoanother)?

WithinIBMWatsonservices,alldatatransmittedoverpublicnetworkswillbeencryptedperIBMpolicy.http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf

DataSecurity&InformationLifecycleManagementHandling/Labeling/SecurityPolicy

DSI-04 DSI-04.1

Policiesandproceduresshallbeestablishedforlabeling,handling,andthesecurityofdataandobjectswhichcontaindata.Mechanismsforlabelinheritanceshallbeimplementedforobjectsthatactasaggregatecontainersfordata.

Arepoliciesandproceduresestablishedforlabeling,handlingandthesecurityofdataandobjectsthatcontaindata?

IBMWatsonservicesfollowIBMCorporateStandardswhichdictatealabelingandhandlingschemeforallassetscontainingIBMandcustomerowneddata.

DSI-04.2

Aremechanismsforlabelinheritanceimplementedforobjectsthatactasaggregatecontainersfordata?

Allcustomerdataisconsideredconfidentialandrequiresdatatobeencryptedatrestandinmotion.

DataSecurity&InformationLifecycleManagementNonproductionData

DSI-05 DSI-05.1

Productiondatashallnotbereplicatedorusedinnon-productionenvironments.Anyuseofcustomerdatainnon-productionenvironmentsrequiresexplicit,documentedapprovalfromallcustomerswhosedataisaffected,andmustcomplywithalllegalandregulatoryrequirementsforscrubbingofsensitivedataelements.

Doyouhaveproceduresinplacetoensureproductiondatashallnotbereplicatedorusedinnon-productionenvironments?

IBMWatsonserviceshaveprocesses&procedurestoaffordsegregateddevelopment,stagingandproductionenvironments.ThesearedeployedindifferentVLANsindifferentIaaSaccounts.EachcustomerenvironmentisconsideredtobeaproductionenvironmentbyIBM,thoughthecustomermayhavemultipleenvironmentsfortheirpurposesaswell.IBMCloudprovidescustomerswiththeabilitytopromoteWatsonserviceinstancesintoproductionandnon-productionspaces.Itisthecustomer'sresponsibilitytorestrictthemovementofworkloadbetweentheirenvironmentsandensureproductiondataisnotreplicatedtonon-productionenvironment.https://www.ibm.com/developerworks/cloud/library/cl-intro4-app/index.html

DataSecurity&InformationLifecycleManagementOwnership/Stewardship

DSI-06 DSI-06.1

Alldatashallbedesignatedwithstewardship,withassignedresponsibilitiesdefined,documented,andcommunicated.

Aretheresponsibilitiesregardingdatastewardshipdefined,assigned,documented,andcommunicated?

IBMWatsonservicessupportstafffollowsIBMCorporateStandardswhichdictatealabelingandhandlingschemeforallIBMandcustomerowneddata.IBMWatsonservicecustomersareresponsibleformanagingandlabellingtheirowndatawithintheWatsonservice.

DataSecurity&InformationLifecycleManagementSecureDisposal

DSI-07 DSI-07.1

Policiesandproceduresshallbeestablishedwithsupportingbusinessprocessesandtechnicalmeasuresimplementedforthesecuredisposalandcompleteremovalofdatafromallstoragemedia,ensuringdataisnotrecoverablebyanycomputerforensicmeans.

Doyousupportsecuredeletion(e.g.,degaussing/cryptographicwiping)ofarchivedandbacked-updataasdeterminedbythetenant?

IBMWatsonservicesemployadecommissioningandreclaimprocessforallhardwarebeingreclaimed.ThereclaimeddriveiswipedusingtheDOD5220.22-Malgorithms.Ifadeviceisdeterminedtobeendoflifethehardwareiswipedusingthesamemethoddescribedabove,thenthedeviceisphysicallycrushedonsite.Thesemeasuresaretakentoprotectcustomer’sdata.Seehttp://blog.softlayer.com/tag/disposal

DSI-07.2

Canyouprovideapublishedprocedureforexitingtheservicearrangement,includingassurancetosanitizeallcomputingresourcesoftenantdataonceacustomerhasexitedyourenvironmentorhasvacatedaresource?

SpecificDataSanitizationoptionsareavailableforcustomersusingdedicatedversionsoftheIBMWatsonservicesandwillbedefinedaspartofthecontractualprocess.

DatacenterSecurityAssetManagement

DCS-01

DCS-01.1

Assetsmustbeclassifiedintermsofbusinesscriticality,service-levelexpectations,andoperationalcontinuityrequirements.Acompleteinventoryofbusiness-criticalassetslocatedatallsitesand/orgeographicallocationsandtheirusageovertimeshallbemaintainedandupdatedregularly,andassignedownershipbydefinedrolesandresponsibilities.

Doyoumaintainacompleteinventoryofallofyourcriticalassetsthatincludesownershipoftheasset?

IBMWatsonservicesrecordallphysicalandvirtualassetsinanIBMassetinventorysystemthatcapturesdetailsincludingassetowner,classesofdatamanaged,andlocationsofhostinginfrastructureandcontactdetails.TheassetinventoryprocesshasbeenassessedbyexternalauditorsaspartofISO27001.

DCS-01.2

Doyoumaintainacompleteinventoryofallofyourcriticalsupplierrelationships?

IBMWatsonservicesdocumentcriticalsuppliers,alongwithappropriatecontactinformation.

DatacenterSecurityControlledAccessPoints

DCS-02

DCS-02.1

Physicalsecurityperimeters(e.g.,fences,walls,barriers,guards,gates,electronicsurveillance,physicalauthenticationmechanisms,receptiondesks,andsecuritypatrols)shallbeimplementedtosafeguardsensitivedataandinformationsystems.

Arephysicalsecurityperimeters(e.g.,fences,walls,barriers,guards,gates,electronicsurveillance,physicalauthenticationmechanisms,receptiondesks,andsecuritypatrols)implemented?

IBMDatacentersaresecured,withserver-roomaccesslimitedtocertifiedemployees.Physicalsecurityparameterscanincludebutarenotlimitedtofences,walls,barriers,securityguards,gates,electronicsurveillance,videosurveillance,physicalauthenticationmechanisms,receptiondesks,andsecuritypatrols.Thecontrolshavebeencertifiedbyanexternalauditor.SeeNIST800-53PEandISO27001A11fortherelevantcontrolshttps://www.ibm.com/cloud-computing/bluemix/complianceSeehttps://www.ibm.com/cloud-computing/bluemix/data-centersformoredetailsonIBMDatacentersecurity.

DatacenterSecurityEquipmentIdentification

DCS-03

DCS-03.1

Automatedequipmentidentificationshallbeusedasamethodofconnectionauthentication.Location-awaretechnologiesmaybeusedtovalidateconnectionauthenticationintegritybasedonknownequipmentlocation.

Isautomatedequipmentidentificationusedasamethodtovalidateconnectionauthenticationintegritybasedonknownequipmentlocation?

IBMWatsonservicesmanageallassetsfollowinganIBMassetinventoryprocessandthishasbeenassessedbyexternalauditorsaspartofISO27001compliance.https://console.bluemix.net/docs/security/compliance.html#compliance

DatacenterSecurityOffsiteAuthorization

DCS-04

DCS-04.1

Authorizationmustbeobtainedpriortorelocationortransferofhardware,software,ordatatoanoffsitepremises.

Doyouprovidetenantswithdocumentationthatdescribesscenariosinwhichdatamaybemovedfromonephysicallocationtoanother(e.g.,offsitebackups,businesscontinuityfailovers,andreplication)?

IBMWatsonservicesprovidecustomerswithoptionstodeploytheirservicesanddataindifferentregions.Thatdataisremainsinthatregionunlessthecustomermovesit.

DatacenterSecurityOffsiteEquipment

DCS-05

DCS-05.1

Policiesandproceduresshallbeestablishedforthesecuredisposalofequipment(byassettype)usedoutsidetheorganization'spremise.Thisshallincludeawipingsolutionordestructionprocessthatrendersrecoveryofinformationimpossible.Theerasureshallconsistofafullwriteofthedrivetoensurethattheeraseddriveisreleasedtoinventoryforreuseanddeploymentorsecurelystoreduntilitcanbedestroyed.

Canyouprovidetenantswithevidencedocumentingyourpoliciesandproceduresgoverningassetmanagementandrepurposingofequipment?

IBMWatsonservicesleverageanIBMClouddecommissioningandreclaimprocessforallhardwareorsoftwarebeingreclaimedordeterminedtobeendoflife.ReclaimedharddrivesarewipedusingtheDOD5220.22-Malgorithms.Ifadeviceisdeterminedtobeendoflifethehardwareiswipedusingthesamemethoddescribedabove,thenthedeviceisphysicallycrushedonsite.Thesemeasuresaretakentoprotectcustomer’sdata.IBM'sassetmanagementandrepurposingprocessesarevalidatedfrequentlybyexternalauditorsthroughassessmentsincludingbutnotlimitedtoISO27001/17/18,SOC,andHIPAA.

DatacenterSecurityPolicy

DCS-06

DCS-06.1

Policiesandproceduresshallbeestablished,andsupportingbusiness

Canyouprovideevidencethatpolicies,standards,andprocedureshavebeenestablishedformaintaininga

IBMWatsonservicesengagethirdpartyauditorstovalidateourcompliancewithmanydifferentframeworksincludingbutnotlimitedtoISO27001.TheadditionallayersofthecloudunderlyingIBMWatsonservicesalsogothroughextensivethird-partyauditsthroughouteachyear.Theseinclude,butarenotlimitedto,ISO27001/17/18,SOC,andHIPAA.

processesimplemented,formaintainingasafeandsecureworkingenvironmentinoffices,rooms,facilities,andsecureareasstoringsensitiveinformation.

safeandsecureworkingenvironmentinoffices,rooms,facilities,andsecureareas?

DCS-06.2

Canyouprovideevidencethatyourpersonnelandinvolvedthirdpartieshavebeentrainedregardingyourdocumentedpolicies,standards,andprocedures?

IBMWatsonserviceemployeescompleteannualrequiredIBMsecurityawarenesstrainingwhichincludestrainingonpolicies,standards&/orprocedures.Securityawarenesstrainingisincludedaspartofexternalandinternalauditsforverification&validation.

DatacenterSecuritySecureAreaAuthorization

DCS-07

DCS-07.1

Ingressandegresstosecureareasshallbeconstrainedandmonitoredbyphysicalaccesscontrolmechanismstoensurethatonlyauthorizedpersonnelareallowedaccess.

Doyouallowtenantstospecifywhichofyourgeographiclocationstheirdataisallowedtomoveinto/outof(toaddresslegaljurisdictionalconsiderationsbasedonwheredataisstoredvs.accessed)?

IBMWatsonservicesprovidecustomerswithoptionstoselectinwhichregioninstancesofWatsonservicesaredeployed.Datastoredaspartoftheserviceremainsinthatregionunlessthecustomermovesit.Thisisperformedduringtheordering&contractnegotiationprocess.

DatacenterSecurityUnauthorizedPersonsEntry

DCS-08

DCS-08.1

Ingressandegresspointssuchasserviceareasandotherpointswhereunauthorizedpersonnelmayenterthepremisesshallbemonitored,controlledand,ifpossible,isolatedfromdatastorageandprocessingfacilitiestopreventunauthorizeddatacorruption,compromise,andloss.

Areingressandegresspoints,suchasserviceareasandotherpointswhereunauthorizedpersonnelmayenterthepremises,monitored,controlledandisolatedfromdatastorageandprocess?

IBMDataCenterphysicalsecurityiscontrolledatmanylevelssuchasperimeterandbuildingentrances,thephysicalsecurityisnotlimitedto,professionalsecuritystaff,24/7videosurveillance,securitycheckpoint.Physicalaccesspointstothedatahallsallarerecordedandmonitoredbyonsitesecurity,onlyauthorizedstaffhavetheabilitytoaccessthedatahallsandtheymustauthenticateaminimumof2times.PhysicalSecurityisreviewedbyperiodicinternalandexternalaudits.https://www.ibm.com/cloud-computing/bluemix/compliance

DatacenterSecurityUserAccess

DCS-09

DCS-09.1

Physicalaccesstoinformationassetsandfunctionsbyusersandsupportpersonnelshallberestricted.

Doyourestrictphysicalaccesstoinformationassetsandfunctionsbyusersandsupportpersonnel?

IBMDataCenterphysicalsecurityiscontrolledatmanylevelssuchasperimeterandbuildingentrances,thephysicalsecurityisnotlimitedto,professionalsecuritystaff,24/7videosurveillance,securitycheckpoint.Physicalaccesspointstothedatahallsallarerecordedandmonitoredbyonsitesecurity,onlyauthorizedstaffhavetheabilitytoaccessthedatahallsandtheymustauthenticateaminimumof2times.PhysicalSecurityisreviewedbyperiodicinternalandexternalaudits.https://www.ibm.com/cloud-computing/bluemix/compliance

Encryption&KeyManagementEntitlement

EKM-01

EKM-01.1

Keysmusthaveidentifiableowners(bindingkeystoidentities)andthereshallbekeymanagementpolicies.

Doyouhavekeymanagementpoliciesbindingkeystoidentifiableowners?

IBMhasdefinedaKeyManagementpolicytosupportencryptionofdataatrestandintransitforallWatsonplatformcomponents.Encryptionismanagedatthedisklevelandkeysarenottiedtoclients.

Encryption&KeyManagementKeyGeneration

EKM-02

EKM-02.1

Policiesandproceduresshallbeestablishedforthemanagementofcryptographickeysintheservice'scryptosystem(e.g.,lifecyclemanagementfromkeygenerationtorevocationandreplacement,publickeyinfrastructure,cryptographicprotocoldesignandalgorithmsused,accesscontrolsinplaceforsecurekeygeneration,andexchangeandstorageincludingsegregationofkeysusedforencrypteddataorsessions).Uponrequest,providershallinformthecustomer(tenant)ofchangeswithinthecryptosystem,especiallyifthecustomer(tenant)dataisusedaspartoftheservice,and/orthecustomer(tenant)hassomesharedresponsibilityoverimplementationofthecontrol.

Doyouhaveacapabilitytoallowcreationofuniqueencryptionkeyspertenant?

x ThisisavailableforcustomersusingIBMWatsonservicesdedicatedservicedeliverymodels.

EKM-02.2

Doyouhaveacapabilitytomanageencryptionkeysonbehalfoftenants?

X EncryptionkeysonthebackendoftheIBMWatsonservicesaremanaged&maintainedbyIBM.

EKM-02.3

Doyoumaintainkeymanagementprocedures? X

IBMWatsonserviceshavearobustKeyManagementsolutiontoensuresecuritythroughoutthekeylifecycle,includingkeyaccess,strength,rotation,&revocability.Keymanagementproceduresareintheprocessofbeingdocumented.

EKM-02.4

Doyouhavedocumentedownershipforeachstageofthelifecycleofencryptionkeys?

X IBMWatsonserviceshavearobustKeyManagementsolutiontoensuresecuritythroughoutthe

keylifecycle,includingkeyownershipateachstageofthelifecycle.

EKM-02.5

Doyouutilizeanythirdparty/opensource/proprietaryframeworkstomanageencryptionkeys?

IBMWatsonserviceshaveimplementedarobustKeyManagementsolutionthatleveragesopensource,3rdparty&proprietarycomponents.

Encryption&Key

EKM-03

EKM-03.1

Policiesandproceduresshallbeestablished,and

Doyouencrypttenantdataatrest(ondisk/storage)withinyourenvironment?

x IBMWatsonservicesencryptdatawithAES&TLS1.2encryptiontechnologies.

ManagementEncryption

EKM-03.2

supportingbusinessprocessesandtechnicalmeasuresimplemented,fortheuseofencryptionprotocolsforprotectionofsensitivedatainstorage(e.g.,fileservers,databases,andend-userworkstations)anddataintransmission(e.g.,systeminterfaces,overpublicnetworks,andelectronicmessaging)asperapplicablelegal,statutory,andregulatorycomplianceobligations.

Doyouleverageencryptiontoprotectdataandvirtualmachineimagesduringtransportacrossandbetweennetworksandhypervisorinstances?

IBMWatsonservicesencryptdatawithAES&TLS1.2encryptiontechnologies.

EKM-03.3

Doyousupporttenant-generatedencryptionkeysorpermittenantstoencryptdatatoanidentitywithoutaccesstoapublickeycertificate(e.g.,identity-basedencryption)?

IBMrecognizesthatBringYourOwnKey(BYOK)isimportantforsomecustomersandwillworkwiththemtodetermineamutuallyagreeablesolution.

EKM-03.4

Doyouhavedocumentationestablishinganddefiningyourencryptionmanagementpolicies,procedures,andguidelines?

ThisisincludedaspartoftheDataSecurityandPrivacyPrinciplesthatisincludedasstandardcontractlanguage.Documentationisavailablehere:http://www.ibm.com/cloud/data-security&https://www-05.ibm.com/support/operations/files/pdf/csa_us.pdf

Encryption&KeyManagementStorageandAccess

EKM-04

EKM-04.1

Platformanddataappropriateencryption(e.g.,AES-256)inopen/validatedformatsandstandardalgorithmsshallberequired.Keysshallnotbestoredinthecloud(i.e.atthecloudproviderinquestion),butmaintainedbythecloudconsumerortrustedkeymanagementprovider.Keymanagementandkeyusageshallbeseparatedduties.

Doyouhaveplatformanddataappropriateencryptionthatusesopen/validatedformatsandstandardalgorithms?

Allencryptionalgorithmsinuseareopen/validatedformatsandarefollowNIST.SP.800-57pt1standards.Ciphersandprotocolsarereviewedonatleastanannualbasisandupdatedaccordingly.Bydefault,allconnectionsstartatTLS1.2anddataatrestisAES128orbetter.

EKM-04.2

Areyourencryptionkeysmaintainedbythecloudconsumeroratrustedkeymanagementprovider?

IBMWatsonkeysareownedandmanagedbyIBMWatson.

EKM-04.3

Doyoustoreencryptionkeysinthecloud?

x Yes,keysarestoredwithintheIBMCloudenvironment.

EKM-04.4

Doyouhaveseparatekeymanagementandkeyusageduties?

x IBMrecognizesthatBringYourOwnKey(BYOK)isimportantforsomecustomersandwillworkwiththemtodetermineamutuallyagreeablesolution.

GovernanceandRiskManagement

GRM-01

GRM-01.1

Baselinesecurityrequirementsshallbeestablishedfordevelopedor

Doyouhavedocumentedinformationsecuritybaselinesforeverycomponentofyourinfrastructure(e.g.,hypervisors,

IBMmaintainssystembaselinesforallcriticalcomponentsandthishadbeenverifiedbyanindependentauditoraspartofISO27001certification.

BaselineRequirements

acquired,organizationally-ownedormanaged,physicalorvirtual,applicationsandinfrastructuresystem,andnetworkcomponentsthatcomplywithapplicablelegal,statutory,andregulatorycomplianceobligations.Deviationsfromstandardbaselineconfigurationsmustbeauthorizedfollowingchangemanagementpoliciesandprocedurespriortodeployment,provisioning,oruse.Compliancewithsecuritybaselinerequirementsmustbereassessedatleastannuallyunlessanalternatefrequencyhasbeenestablishedandauthorizedbasedonbusinessneeds.

operatingsystems,routers,DNSservers,etc.)?

GRM-01.2

Doyouhavethecapabilitytocontinuouslymonitorandreportthecomplianceofyourinfrastructureagainstyourinformationsecuritybaselines?

EndpointsareroutinelymonitoredattheOSleveltoensurecompliancewithasetofsecuritystandards.ThosesecuritystandardsfollowtheIBMsecuritypoliciesandchecklistswhichinturnalignwithISO27001standards.

GRM-01.3

Doyouallowyourclientstoprovidetheirowntrustedvirtualmachineimagetoensureconformancetotheirowninternalstandards?

IBMWatsonservicesareonlyavailableasaserviceprovidedbyIBM.

GovernanceandRiskManagementRiskAssessments

GRM-02

GRM-02.1

Riskassessmentsassociatedwithdatagovernancerequirementsshallbeconductedatplannedintervalsandshallconsiderthefollowing:•Awarenessofwheresensitivedata

DoyouprovidesecuritycontrolhealthdatainordertoallowtenantstoimplementindustrystandardContinuousMonitoring(whichallowscontinualtenantvalidationofyourphysicalandlogicalcontrolstatus)?

SecuritylogsarecreatedforallcriticaloperationsinIBMWatsonservicese.g.authentication,privilegedoperations,etc.TheseareavailableonrequesttoWatsondedicatedcustomersfortheirenvironment.ISO27001reportsareavailableonrequestanddemonstratetheuseofsecuritycontrolsinIBMWatsonservices.CustomersmayleveragetheIBMCloudConsoletomonitorforhealthofservices.https://console.bluemix.net/status

GRM-02.2

isstoredandtransmittedacrossapplications,databases,servers,andnetworkinfrastructure•Compliancewithdefinedretentionperiodsandend-of-lifedisposalrequirements•Dataclassificationandprotectionfromunauthorizeduse,access,loss,destruction,andfalsification

Doyouconductriskassessmentsassociatedwithdatagovernancerequirementsatleastonceayear?

IBMWatsonservicesareISO27001certifiedbyexternalauditors.PartofthecertificationrequiresanISMS(InformationandSecurityManagementSystem)andriskmanagementprocessbeinplaceandapprovedbyIBMseniormanagement.Additionally,regularpenetrationtestingisperformedbybothIBMinternalandexternalteamsaswellasregularnetworkandapplicationscanning.IBMSecureEngineeringstandardrequiresthatthreatmodellingbecarriedoutonatleastanannualbasisandpartofthatmethodologyisriskassessment.Seehttps://www.ibm.com/security/secure-engineering/

GovernanceandRiskManagementManagementOversight

GRM-03

GRM-03.1

Managersareresponsibleformaintainingawarenessof,andcomplyingwith,securitypolicies,procedures,andstandardsthatarerelevanttotheirareaofresponsibility.

Areyourtechnical,business,andexecutivemanagersresponsibleformaintainingawarenessofandcompliancewithsecuritypolicies,procedures,andstandardsforboththemselvesandtheiremployeesastheypertaintothemanagerandemployees'areaofresponsibility?

IBMSecuritystandardsrequiremanagerstoownthesecurityandrisksfortheirservices,eachmustappointasecurityfocaltomanagesecurityandcomplianceforallaspectsoftheservice.IBMSecureEngineeringstandardrequiresallemployeestotakesecurityeducationonanannualbasis.ThisareaisreviewedannuallyaspartoftheIS027001certificationforIBMWatsonservices.

GovernanceandRiskManagementManagementProgram

GRM-04

GRM-04.1

AnInformationSecurityManagementProgram(ISMP)shallbedeveloped,documented,approved,andimplementedthatincludesadministrative,technical,andphysicalsafeguardstoprotectassetsanddatafromloss,misuse,unauthorizedaccess,disclosure,alteration,anddestruction.Thesecurityprogramshallinclude,butnot

DoyouprovidetenantswithdocumentationdescribingyourInformationSecurityManagementProgram(ISMP)?

IBMWatsonservicesareISO27001certifiedbyexternalauditorsandavailableforreviewbycustomers.ISO27001isfocusedonsecuritymanagementprocessesandvalidatesthatIBMWatsonservicessecurityprocessesconformtotheISO27001controlstandards.IBMSecurityPrinciplesareavailablehere:http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf

GRM-04.2

DoyoureviewyourInformationSecurityManagementProgram(ISMP)atleastonceayear?

IBMISMS&itsspecificationinregardtoIBMWatsonservicesarereviewedatleastannually.

belimitedto,thefollowingareasinsofarastheyrelatetothecharacteristicsofthebusiness:•Riskmanagement•Securitypolicy•Organizationofinformationsecurity•Assetmanagement•Humanresourcessecurity•Physicalandenvironmentalsecurity•Communicationsandoperationsmanagement•Accesscontrol•Informationsystemsacquisition,development,andmaintenance

GovernanceandRiskManagementManagementSupport/Involvement

GRM-05

GRM-05.1

Executiveandlinemanagementshalltakeformalactiontosupportinformationsecuritythroughclearly-documenteddirectionandcommitment,andshallensuretheactionhasbeenassigned.

Doyouensureyourprovidersadheretoyourinformationsecurityandprivacypolicies?

IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.AspartofISO27001certification,controlsandpoliciesforserviceprovidersarereviewed.

GovernanceandRiskManagementPolicy

GRM-06

GRM-06.1

Informationsecuritypoliciesandproceduresshallbeestablishedandmadereadilyavailableforreviewbyallimpactedpersonnelandexternalbusinessrelationships.Informationsecuritypoliciesmustbeauthorizedbythe

Doyourinformationsecurityandprivacypoliciesalignwithindustrystandards(ISO-27001,ISO-22307,CoBIT,etc.)?

IBMinformationsecurityandprivacypoliciesarebasedon&alignwithindustrystandardssuchasNIST800-53andISO27001.IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.

GRM-06.2

Doyouhaveagreementstoensureyourprovidersadheretoyourinformationsecurityandprivacypolicies?

Agreementsareinplacetoverifyandmonitorsuppliercompliancewithindustrystandards.IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.AspartofISO27001certification,controlsandpoliciesforengagingwithserviceprovidersarereviewed.

GRM-06.3

organization'sbusinessleadership(orotheraccountablebusinessroleorfunction)andsupportedbyastrategicbusinessplanandaninformationsecuritymanagementprograminclusiveofdefinedinformationsecurityrolesandresponsibilitiesforbusinessleadership.

Canyouprovideevidenceofduediligencemappingofyourcontrols,architecture,andprocessestoregulationsand/orstandards?

ThiseffortwiththeCSACAIQreflectsamappingtoregulationsandstandards.IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.AspartofISO27001certification,controlsandpoliciesforengagingwithserviceprovidersarereviewed.

GRM-06.4

Doyoudisclosewhichcontrols,standards,certifications,and/orregulationsyoucomplywith? x

ThiseffortwiththeCSACAIQreflectsamappingtoregulationsandstandards.IBMWatsonservicesareISO27001/17/18certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.Foradditionaldetailsrefertohttps://www.ibm.com/watson/watson-security.html

GovernanceandRiskManagementPolicyEnforcement

GRM-07

GRM-07.1

Aformaldisciplinaryorsanctionpolicyshallbeestablishedforemployeeswhohaveviolatedsecuritypoliciesandprocedures.Employeesshallbemadeawareofwhatactionmightbetakenintheeventofaviolation,anddisciplinarymeasuresmustbestatedinthepoliciesandprocedures.

Isaformaldisciplinaryorsanctionpolicyestablishedforemployeeswhohaveviolatedsecuritypoliciesandprocedures?

Yes,thisisestablishedbyIBMCorporateHRpolicies,standards,training,andprocesses&adheredtowithinIBMWatsonservicesontheIBMCloud.

GRM-07.2

Areemployeesmadeawareofwhatactionscouldbetakenintheeventofaviolationviatheirpoliciesandprocedures?

Yes,thisisestablishedbyIBMCorporateHRpolicies,standards,training,andprocesses&adheredtowithinIBMWatsonservicesontheIBMCloud.

GovernanceandRiskManagementBusiness/PolicyChangeImpacts

GRM-08

GRM-08.1

Riskassessmentresultsshallincludeupdatestosecuritypolicies,procedures,standards,andcontrolstoensurethattheyremainrelevantandeffective.

Doriskassessmentresultsincludeupdatestosecuritypolicies,procedures,standards,andcontrolstoensuretheyremainrelevantandeffective? x

IBMWatsonservicesensureriskassessmentsareconductedatleastquarterly.Policies,proceduresandstandardsaresubjecttorevisionasanoutcomeoftheseassessments.

GovernanceandRiskManagementPolicyReviews

GRM-09

GRM-09.1

Theorganization'sbusinessleadership(orotheraccountable

Doyounotifyyourtenantswhenyoumakematerialchangestoyourinformationsecurityand/orprivacypolicies?

IBMWatsonservicesdedicatedtenantsarenotifiedofchangestotheirenvironmentincludingthoseresultingfrommodifiedsecuritypolicies.AlldeploymentsarecontrolledviatheChangeManagementPolicyandcustomersareapproversforanychangesthathappenoutsideagreedmaintenancewindows.

GRM-09.2

businessroleorfunction)shallreviewtheinformationsecuritypolicyatplannedintervalsorasaresultofchangestotheorganizationtoensureitscontinuingalignmentwiththesecuritystrategy,effectiveness,accuracy,relevance,andapplicabilitytolegal,statutory,orregulatorycomplianceobligations.

Doyouperform,atminimum,annualreviewstoyourprivacyandsecuritypolicies?

Securitypoliciesarereviewedatleastannually.TheprivacypolicyisupdatedandreviewedbytheIBMCorporatePrivacyOffice.Formoredetailsonprivacy&datasecuritypoliciesseehttp://www-03.ibm.com/software/sla/sladb.nsf/sla/dspandhttps://www-01.ibm.com/software/info/product-privacy/

GovernanceandRiskManagementAssessments

GRM-10

GRM-10.1

Alignedwiththeenterprise-wideframework,formalriskassessmentsshallbeperformedatleastannuallyoratplannedintervals,(andinconjunctionwithanychangestoinformationsystems)todeterminethelikelihoodandimpactofallidentifiedrisksusingqualitativeandquantitativemethods.Thelikelihoodandimpactassociatedwithinherentandresidualriskshallbedeterminedindependently,consideringallriskcategories(e.g.,auditresults,threatandvulnerabilityanalysis,andregulatorycompliance).

Areformalriskassessmentsalignedwiththeenterprise-wideframeworkandperformedatleastannually,oratplannedintervals,determiningthelikelihoodandimpactofallidentifiedrisks,usingqualitativeandquantitativemethods?

RegularriskassessmentsareconductedquarterlyanddocumentedaspartoftheISMS.Theseincludelikelihoodandimpactforallidentifiedrisksusingqualitativeandquantitativemethods.

GRM-10.2

Isthelikelihoodandimpactassociatedwithinherentandresidualriskdeterminedindependently,consideringallriskcategories(e.g.,auditresults,threatandvulnerabilityanalysis,andregulatorycompliance)?

Resultsfromregular3rdpartyaudits/assessmentsandpenetrationtestingareoneofthemanyfeedsintotheoverallriskmanagementprogram.Additionally,independentinternalIBMcomplianceteamsperformquarterlyreviewstoensureongoingriskidentification&compliance.ThreatmodelingisalsorequiredforeachoftheWatsonservices.

GovernanceandRiskManagementProgram

GRM-11

GRM-11.1

Risksshallbemitigatedtoanacceptablelevel.Acceptancelevelsbasedonriskcriteriashallbeestablishedanddocumentedinaccordancewithreasonableresolutiontimeframesandstakeholderapproval.

Doyouhaveadocumented,organization-wideprograminplacetomanagerisk? x

IBMrecognizesriskassessmenttobeanimportantfactorinsecurityandhasestablishedaperiodicriskassessmentprocessthatisapplicabletothesystemsthathostWatsonasaService.AssessmentsareenteredintotheIBMGovernance,Risk,andComplianceprogramtodetermine&managethecurrentriskposture.IBMhasawell-establishedriskmanagementprograminplacethatisvalidatedaspartoftheannualISO27001auditandassessment.

GRM-11.2

Doyoumakeavailabledocumentationofyourorganization-wideriskmanagementprogram?

VariousdocumentsarepublishedexternallyregardingIBMRiskManagementprograms,services,&solutions.RisksidentifiedthatrequirecustomerstotakeanactionarereleasedaspartofthePSIRTprocess.Additionalprograminformationavailablehere:https://www.ibm.com/security/secure-engineering/process.html

HumanResourcesAssetReturns

HRS-01

HRS-01.1

Uponterminationofworkforcepersonneland/orexpirationofexternalbusinessrelationships,allorganizationally-ownedassetsshallbereturnedwithinanestablishedperiod.

Aresystemsinplacetomonitorforprivacybreachesandnotifytenantsexpeditiouslyifaprivacyeventmayhaveimpactedtheirdata?

IBMWatsonserviceshaveasecurityincidentresponseplanwhichalignswithIBMCybersecurityIncidentresponseprocessandtheIBMCybersecurityIncidentResponseteam(CSIRT)areengagedwhereverthereisasuspectedsecurityorprivacyincidentinvolvinganyWatsonorCustomersystemordata.RefertoSecurityIncidentResponseManagementinthe‘SecuringWorkloadsinIBMCloud’whitepaperandIBMincidentresponseprocesshere:https://www.ibm.com/security/secure-engineering/process.htmlhttps://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/

HRS-01.2

IsyourPrivacyPolicyalignedwithindustrystandards?

IBMprivacypoliciesarealignedwithindustryandcountryrequirementsandiscontinuouslymonitoredforupdatesSeetheselinksformoreinformation:https://www.ibm.com/cloud/privacyhttp://www-03.ibm.com/software/sla/sladb.nsf/sla/dsphttps://www-01.ibm.com/software/info/product-privacy/

HumanResourcesBackgroundScreening

HRS-02

HRS-02.1

Pursuanttolocallaws,regulations,ethics,andcontractualconstraints,allemploymentcandidates,contractors,andthirdpartiesshallbesubjecttobackgroundverificationproportionaltothedataclassificationtobeaccessed,thebusinessrequirements,andacceptablerisk.

Pursuanttolocallaws,regulations,ethics,andcontractualconstraints,areallemploymentcandidates,contractors,andinvolvedthirdpartiessubjecttobackgroundverification?

IBMCorporateHRpoliciesdictatethatallemploymentcandidatesaresubjecttobackgroundverification.

HumanResourcesEmploymentAgreements

HRS-03

HRS-03.1

Employmentagreementsshallincorporateprovisionsand/ortermsforadherence

Doyouspecificallytrainyouremployeesregardingtheirspecificroleandtheinformationsecuritycontrolstheymustfulfill?

IBMSecureEngineeringstandardmandatessecurityeducationforallteammembersonanannualbasis.AdditionalsecurityeducationisrequiredonaperiodicbasisforIBMWatsonservicesteammembersbasedontheirrole.Thestandardsusedareregularlyevaluatedandupdatedforinclusionorreplacement.Refertohttps://www.ibm.com/security/secure-engineering/

HRS-03.2

toestablishedinformationgovernanceandsecuritypoliciesandmustbesignedbynewlyhiredoron-boardedworkforcepersonnel(e.g.,fullorpart-timeemployeeorcontingentstaff)priortograntingworkforcepersonneluseraccesstocorporatefacilities,resources,andassets.

Doyoudocumentemployeeacknowledgmentoftrainingtheyhavecompleted? x

IBMemployeesmustacknowledgecompletionoftrainingandthisacknowledgmentisdocumentedandstored.

HRS-03.3

AreallpersonnelrequiredtosignNDAorConfidentialityAgreementsasaconditionofemploymenttoprotectcustomer/tenantinformation?

AllemployeesofIBMsignNDAorconfidentialityagreementsregardingcorporateandclientinformation.

HRS-03.4

Issuccessfulandtimedcompletionofthetrainingprogramconsideredaprerequisiteforacquiringandmaintainingaccesstosensitivesystems?

Timelycompletionofthetrainingprogramisaprerequisitetogaining/maintainingaccesstoIBMcomputingresources,whichmayincludesensitivesystems&customerdata.

HRS-03.5

Arepersonneltrainedandprovidedwithawarenessprogramsatleastonceayear?

x IBMSecureEngineeringstandardmandatessecurityeducationforallteammembersonan

annualbasis.Refertohttps://www.ibm.com/security/secure-engineering/

HumanResourcesEmploymentTermination

HRS-04

HRS-04.1

Rolesandresponsibilitiesforperformingemploymentterminationorchangeinemploymentproceduresshallbeassigned,documented,andcommunicated.

Aredocumentedpolicies,procedures,andguidelinesinplacetogovernchangeinemploymentand/ortermination?

IBMCorporateHRpoliciesprovideabaselineofstandardsforchangesin,andterminationofemployment.TheIBMCloudaccesscontrolsolutionqueriestheIBMCorporatesystemtodetectanyemployeeterminationsonadailybasis.

HRS-04.2

Dotheaboveproceduresandguidelinesaccountfortimelyrevocationofaccessandreturnofassets?

IBMCorporateHRpoliciesprovideabaselineofstandardstoensureallemployeesystemaccessisterminatedandassetsarecollectedattimeoftermination.IBMWatsonservicesaremanagedviaanIBMCloudIAMsolutionwhichensuresrole-basedaccesstoanyWatsonsystem.Approvalisrequiredfromboththeemployeemanagerandthesystemaccessownerandtheprocessincludesapproval/continuedbusinessneedandvalidation/revocationonemployeetermination.

HumanResourcesPortable/MobileDevices

HRS-05

HRS-05.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,tomanagebusinessrisksassociatedwithpermittingmobiledeviceaccesstocorporateresourcesandmayrequiretheimplementationofhigherassurancecompensatingcontrolsandacceptable-usepoliciesandprocedures(e.g.,mandatedsecuritytraining,strongeridentity,entitlementandaccesscontrols,anddevicemonitoring).

Arepoliciesandproceduresestablishedandmeasuresimplementedtostrictlylimitaccesstoyoursensitivedataandtenantdatafromportableandmobiledevices(e.g.,laptops,cellphones,andpersonaldigitalassistants(PDAs)),whicharegenerallyhigher-riskthannon-portabledevices(e.g.,desktopcomputersattheproviderorganization’sfacilities)?

IBMITSecuritystandardsmandatethatmobiledevicesarenotpermittedaccesstocustomerenvironments.Privilegedlaptopsarerequiredforaccesstocustomerenvironmentsandownersofthoselaptopsarerequiredtoinstallandmaintainfulldiskencryptionandotherincreasedsecuritycontrols.Thisismanagedwithextensiveaccesssecuritycontrolswhicharevalidatedatleastannuallybuy3rdpartyauditors.

HumanResourcesNon-DisclosureAgreements

HRS-06

HRS-06.1

Requirementsfornon-disclosureorconfidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetailsshallbeidentified,documented,andreviewedatplannedintervals.

Arerequirementsfornon-disclosureorconfidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetailsidentified,documented,andreviewedatplannedintervals?

AllIBMpoliciesandproceduresarereviewedonatleastanannualbasis.Requirementsfornon-disclosureorconfidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetailsidentified,documented,andreviewedataminimumofonceannually.

HumanResourcesRoles/Responsibilities

HRS-07

HRS-07.1

Rolesandresponsibilitiesofcontractors,employees,andthird-partyusersshallbedocumentedastheyrelatetoinformationassetsandsecurity.

Doyouprovidetenantswitharoledefinitiondocumentclarifyingyouradministrativeresponsibilitiesversusthoseofthetenant? x

Allrolesandresponsibilitiesrelatingtoinformationsecurityandenvironmentoperationsaredocumentedfordedicatedenvironments.

HumanResourcesAcceptableUse

HRS-08

HRS-08.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,fordefiningallowancesandconditionsforpermittingusageoforganizationally-ownedormanageduserend-pointdevices(e.g.,issuedworkstations,laptops,andmobiledevices)andITinfrastructurenetworkandsystemscomponents.Additionally,definingallowancesandconditionstopermitusageofpersonalmobiledevicesandassociatedapplicationswithaccesstocorporateresources(i.e.,BYOD)shallbeconsideredandincorporatedasappropriate.

Doyouprovidedocumentationregardinghowyoumayaccesstenantdataandmetadata?

x RefertoIBMPrivacy&Datasecuritysitesformoreinformation.

https://www.ibm.com/cloud/privacyhttp://www-03.ibm.com/software/sla/sladb.nsf/sla/dsphttps://www-01.ibm.com/software/info/product-privacy/

HRS-08.2

Doyoucollectorcreatemetadataabouttenantdatausagethroughinspectiontechnologies(e.g.,searchengines,etc.)?

ThisisenabledbydefaultforallstandardIBMWatsonservices.Customersmayoptoutofdatausageiftheychose.Bydefault,thisisdisabledforPremiumandDedicatedcustomers.

HRS-08.3

Doyouallowtenantstooptoutofhavingtheirdata/metadataaccessedviainspectiontechnologies?

ThisisenabledbydefaultforallstandardIBMWatsonservices.Customersmayoptoutofdatausageiftheychose.Bydefault,thisisdisabledforPremiumandDedicatedcustomers.

HumanResourcesTraining/Awareness

HRS-09

HRS-09.1

Asecurityawarenesstrainingprogramshallbeestablishedforallcontractors,third-partyusers,andemployeesoftheorganizationandmandatedwhenappropriate.Allindividualswith

Doyouprovideaformal,role-based,securityawarenesstrainingprogramforcloud-relatedaccessanddatamanagementissues(e.g.,multi-tenancy,nationality,clouddeliverymodel,segregationofdutiesimplications,andconflictsofinterest)forallpersonswithaccesstotenantdata?

IBMSecureEngineeringstandardmandatessecurityeducationforallteammembersonanannualbasis.Additionalsecurityeducationisrequiredonaperiodicbasisforteammembersbasedontheirrole.Thestandardsusedareregularlyevaluatedandupdatedforinclusionorreplacement.Refertohttps://www.ibm.com/security/secure-engineering/

HRS-09.2

accesstoorganizationaldatashallreceiveappropriateawarenesstrainingandregularupdatesinorganizationalprocedures,processes,andpoliciesrelatingtotheirprofessionalfunctionrelativetotheorganization.

Areadministratorsanddatastewardsproperlyeducatedontheirlegalresponsibilitieswithregardtosecurityanddataintegrity?

HumanResourcesUserResponsibility

HRS-10

HRS-10.1

Allpersonnelshallbemadeawareoftheirrolesandresponsibilitiesfor:•Maintainingawarenessandcompliancewithestablishedpoliciesandproceduresandapplicablelegal,statutory,orregulatorycomplianceobligations.•Maintainingasafeandsecureworkingenvironment

Areusersmadeawareoftheirresponsibilitiesformaintainingawarenessandcompliancewithpublishedsecuritypolicies,procedures,standards,andapplicableregulatoryrequirements?

HRS-10.2

Areusersmadeawareoftheirresponsibilitiesformaintainingasafeandsecureworkingenvironment?

HRS-10.3

Areusersmadeawareoftheirresponsibilitiesforleavingunattendedequipmentinasecuremanner?

HumanResourcesWorkspace

HRS-11

HRS-11.1

Policiesandproceduresshallbeestablishedtorequirethatunattendedworkspacesdonothaveopenlyvisible(e.g.,onadesktop)sensitivedocumentsandusercomputingsessionshadbeendisabledafteranestablishedperiodofinactivity.

Doyourdatamanagementpoliciesandproceduresaddresstenantandservicelevelconflictsofinterests?

Tenantandservicelevelconflictsofinterestareresolvedviaoperationalandmanagementplanning.

HRS-11.2

Doyourdatamanagementpoliciesandproceduresincludeatamperauditorsoftwareintegrityfunctionforunauthorizedaccesstotenantdata?

SecuritylogsforallcriticaloperationsarecollectedandsenttoIBMQRadarSIEM(SecurityInformationandEventManagement)whichismonitored24x7bytheIBMSOC.TamperingofloggingconfigurationandsecuritylogsareloggedthemselvesandsuchlogsaredeliveredtoQRadar.IBMpersonnelmanagingWatsonCloudPlatformServicesQRadararedistinctfromthosehavingprivilegedaccesstotheWatsonPlatformandthisisenforcedusingtheIBMIAM(IdentityandAccessManagement)governancesolution.

HRS-11.3

Doesthevirtualmachinemanagementinfrastructureincludeatamperauditorsoftwareintegrityfunctiontodetectchangestothebuild/configurationofthevirtualmachine?

SecuritylogsforallcriticaloperationsarecollectedandsenttoIBMQRadarSIEMwhichismonitored24x7bytheIBMSOC(SecurityOperationsCenter).TamperingofloggingconfigurationandsecuritylogsareloggedthemselvesandsuchlogsaredeliveredtoQRadar.IBMpersonnelmanagingIBMWatsonservicesQRadararedistinctfromthosehavingprivilegedaccesstotheWatsonPlatformandthisisenforcedusingtheIBMIAMgovernancesolution.

Identity&AccessManagementAuditToolsAccess

IAM-01

IAM-01.1

Accessto,anduseof,audittoolsthatinteractwiththeorganization'sinformationsystemsshallbeappropriatelysegmentedandrestrictedtopreventcompromiseandmisuseoflogdata.

Doyourestrict,log,andmonitoraccesstoyourinformationsecuritymanagementsystems(e.g.,hypervisors,firewalls,vulnerabilityscanners,networksniffers,APIs,etc.)?

Allaccessrequiresapprovalfromboththeemployeemanagerandthesystemaccessowner.Thisprovidestheuserwithrole-basedaccesstotherequestedsystem.Allsuccessfulandfailedloginsandallprivilegedactionsareloggedandsentinnearreal-timetoIBMQRadarSIEM.

IAM-01.2

Doyoumonitorandlogprivilegedaccess(e.g.,administratorlevel)toinformationsecuritymanagementsystems?

Allsuccessfulandfailedloginsandallprivilegedactionsareloggedandsentinnearreal-timetoIBMQRadarSIEM.

Identity&AccessManagement

IAM-02

IAM-02.1

Useraccesspoliciesandproceduresshallbeestablished,andsupportingbusiness

Doyouhavecontrolsinplaceensuringtimelyremovalofsystemsaccessthatisnolongerrequiredforbusinesspurposes?

InternalaccesstoIBMWatsonservicesarerevokedonemployeetermination.Routineverificationofaccessisalsoperformedwithuser’smanagementtoensurebusinesspurposesalignwithexistingaccess.

UserAccessPolicy

IAM-02.2

processesandtechnicalmeasuresimplemented,forensuringappropriateidentity,entitlement,andaccessmanagementforallinternalcorporateandcustomer(tenant)userswithaccesstodataandorganizationally-ownedormanaged(physicalandvirtual)applicationinterfacesandinfrastructurenetworkandsystemscomponents.Thesepolicies,procedures,processes,andmeasuresmustincorporatethefollowing:•Procedures,supportingroles,andresponsibilitiesforprovisioningandde-provisioninguseraccountentitlementsfollowingtheruleofleastprivilegebasedonjobfunction(e.g.,internalemployeeandcontingentstaffpersonnelchanges,customer-controlledaccess,suppliers'businessrelationships,orotherthird-partybusinessrelationships)•Businesscaseconsiderationsforhigherlevelsof

Doyouprovidemetricstotrackthespeedwithwhichyouareabletoremovesystemsaccessthatisnolongerrequiredforbusinesspurposes?

ManagementofIBMID'sisanIBMretainedresponsibility.Thisinternalprocessisautomatedandtestedthroughourexternalauditsrepeatedlythroughouttheyear.ClientID'saremanagedbyclientandareclientresponsibility.

assuranceandmulti-factorauthenticationsecrets(e.g.,managementinterfaces,keygeneration,remoteaccess,segregationofduties,emergencyaccess,large-scaleprovisioningorgeographically-distributeddeployments,andpersonnelredundancyforcriticalsystems)•Accesssegmentationtosessionsanddatainmulti-tenantarchitecturesbyanythirdparty(e.g.,providerand/orothercustomer(tenant))•Identitytrustverificationandservice-to-serviceapplication(API)andinformationprocessinginteroperability(e.g.,SSOandfederation)•Accountcredentiallifecyclemanagementfrominstantiationthroughrevocation•Accountcredentialand/oridentitystoreminimizationorre-usewhenfeasible•Authentication,authorization,andaccounting(AAA)rulesforaccesstodataandsessions

(e.g.,encryptionandstrong/multi-factor,expireable,non-sharedauthenticationsecrets)•Permissionsandsupportingcapabilitiesforcustomer(tenant)controlsoverauthentication,authorization,andaccounting(AAA)rulesforaccesstodataandsessions•Adherencetoapplicablelegal,statutory,orregulatorycompliancerequirements

Identity&AccessManagementDiagnostic/ConfigurationPortsAccess

IAM-03

IAM-03.1

Useraccesstodiagnosticandconfigurationportsshallberestrictedtoauthorizedindividualsandapplications.

Doyouusededicatedsecurenetworkstoprovidemanagementaccesstoyourcloudserviceinfrastructure? x

IBMCloudmanagementnetworktrafficisprocessedusingmanagementcontrolplanewithstrictaccesscontrol.VPNsareutilizedwhereneededtoprovideadditionallayerofsecurityforsensitivenetworkswithinIBM.

Identity&AccessManagementPoliciesandProcedures

IAM-04

IAM-04.1

PoliciesandproceduresshallbeestablishedtostoreandmanageidentityinformationabouteverypersonwhoaccessesITinfrastructureandtodeterminetheirlevelofaccess.Policiesshallalsobedevelopedtocontrolaccesstonetworkresourcesbasedonuseridentity.

DoyoumanageandstoretheidentityofallpersonnelwhohaveaccesstotheITinfrastructure,includingtheirlevelofaccess?

IBMWatsonservicesleverageIBMIAMservicestomanageandmaintainidentityandaccesscontrol.

IAM-04.2

Doyoumanageandstoretheuseridentityofallpersonnelwhohavenetworkaccess,includingtheirlevelofaccess?

IBMWatsonservicesleverageIBMIAMservicestomanageandmaintainidentityandaccesscontrol.

Identity&AccessManagementSegregationofDuties

IAM-05

IAM-05.1

Useraccesspoliciesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,forrestrictinguseraccessasperdefinedsegregationofdutiestoaddressbusinessrisksassociatedwithauser-roleconflictofinterest.

Doyouprovidetenantswithdocumentationonhowyoumaintainsegregationofdutieswithinyourcloudserviceoffering?

IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.Secondarycontrolsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.AccesstosystemsthathosttheWatsonasaServiceofferingisgrantedbymanagementandisbasedonrolerequirements.Accessisdecidedbyusingtheprincipleofleastprivilegeasaguide.Managementensuresappropriatelevelsofsegregationofdutieswhenapprovingaccess.

Identity&AccessManagementSourceCodeAccessRestriction

IAM-06

IAM-06.1

Accesstotheorganization'sowndevelopedapplications,program,orobjectsourcecode,oranyotherformofintellectualproperty(IP),anduseofproprietarysoftwareshallbeappropriatelyrestrictedfollowingtheruleofleastprivilegebasedonjobfunctionasperestablisheduseraccesspoliciesandprocedures.

Arecontrolsinplacetopreventunauthorizedaccesstoyourapplication,program,orobjectsourcecode,andassureitisrestrictedtoauthorizedpersonnelonly?

IAM-06.2

Arecontrolsinplacetopreventunauthorizedaccesstotenantapplication,program,orobjectsourcecode,andassureitisrestrictedtoauthorizedpersonnelonly?

Identity&AccessManagementThirdPartyAccess

IAM-07

IAM-07.1

Theidentification,assessment,andprioritizationofrisksposedbybusinessprocessesrequiringthird-partyaccesstotheorganization'sinformationsystemsanddatashallbefollowedbycoordinatedapplicationofresourcestominimize,monitor,andmeasurelikelihoodandimpactofunauthorizedorinappropriate

Doyouprovidemulti-failuredisasterrecoverycapability?

X N/A.Customersdesiringmulti-failuredisasterrecoveryshouldconsiderdesignsleveragingmultipleregionsacrosstheIBMGlobalCloudinfrastructure.

IAM-07.2

access.Compensatingcontrolsderivedfromtheriskanalysisshallbeimplementedpriortoprovisioningaccess.

Doyoumonitorservicecontinuitywithupstreamprovidersintheeventofproviderfailure?

IBMWatsonservicesavailabilityismonitoredandpublishedusingtheIBMCloudconsole.UpstreamprovidersaremonitoredforservicecontinuityandavailabilityattheIBMCloudIaaSlayer.

IAM-07.3

Doyouhavemorethanoneproviderforeachserviceyoudependon?

x TherearemultipleISPproviderswithintheIBMClouddatacenterswhichsupportIBMWatson

services.

IAM-07.4

Doyouprovideaccesstooperationalredundancyandcontinuitysummaries,includingtheservicesyoudependon?

Aspublishedwithintheexternallyavailableauditreports.

IAM-07.5

Doyouprovidethetenanttheabilitytodeclareadisaster?

x ThiscanbeavailableinIBMWatsonservicesdedicateddeploymentmodels.Asdocumentedwithinthesolutiondesignandcontractualagreement.

IAM-07.6

Doyouprovideatenant-triggeredfailoveroption? x

ThiscanbeavailableinIBMWatsonservicesdedicateddeploymentmodels.Asdocumentedwithinthesolutiondesignandcontractualagreement.

IAM-07.7

Doyoushareyourbusinesscontinuityandredundancyplanswithyourtenants?

x Aspublishedwithintheexternallyavailableauditreportsandasrequiredbycontract.

Identity&AccessManagementUserAccessRestriction/Authorization

IAM-08

IAM-08.1

Policiesandproceduresareestablishedforpermissiblestorageandaccessofidentitiesusedforauthenticationtoensureidentitiesareonlyaccessiblebasedonrulesofleastprivilegeandreplicationlimitationonlytousersexplicitlydefinedasbusinessnecessary.

Doyoudocumenthowyougrantandapproveaccesstotenantdata? x

Thisisonaneed-to-knowbasisonlyandisonlyeverleveragedintheneedtosupportaclientsupportrequestorrequirement.IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.

IAM-08.2

Doyouhaveamethodofaligningproviderandtenantdataclassificationmethodologiesforaccesscontrolpurposes?

Allcustomerdataisratedassensitive.DependingonIBMWatsonservicesdeploymentmodel,tenantdataisisolatedbasedonsolutiondesignandcontractualagreement.

Identity&AccessManagementUserAccessAuthorization

IAM-09

IAM-09.1

Provisioninguseraccess(e.g.,employees,contractors,customers(tenants),businesspartnersand/orsupplierrelationships)todataandorganizationally-ownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponentsshallbeauthorizedbytheorganization'smanagementpriortoaccessbeinggrantedand

Doesyourmanagementprovisiontheauthorizationandrestrictionsforuseraccess(e.g.,employees,contractors,customers(tenants),businesspartners,and/orsuppliers)priortotheiraccesstodataandanyownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponents?

IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.Secondarycontrolsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.AccesstosystemsthathosttheWatsonasaServiceofferingisgrantedbymanagementandisbasedonrolerequirements.Tenantsretainresponsibilityfortheiruser’sauthorizationanduseraccessviaIBMIAMservices.

IAM-09.2

appropriatelyrestrictedasperestablishedpoliciesandprocedures.Uponrequest,providershallinformcustomer(tenant)ofthisuseraccess,especiallyifcustomer(tenant)dataisusedaspartoftheserviceand/orcustomer(tenant)hassomesharedresponsibilityoverimplementationofcontrol.

Doyouprovideuponrequestuseraccess(e.g.,employees,contractors,customers(tenants),businesspartnersand/orsuppliers)todataandanyownedormanaged(physicalandvirtual)applications,infrastructuresystemsandnetworkcomponents?

x IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.Secondarycontrolsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.AccesstosystemsthathosttheWatsonasaServiceofferingisgrantedbymanagementandisbasedonrolerequirements.Tenantsretainresponsibilityfortheiruser’sauthorizationanduseraccessviaIBMIAMservices.BackendsystemaccessisrestrictedtoIBMemployeeswithbusinessneedonly.

Identity&AccessManagementUserAccessReviews

IAM-10

IAM-10.1

Useraccessshallbeauthorizedandrevalidatedforentitlementappropriateness,atplannedintervals,bytheorganization'sbusinessleadershiporotheraccountablebusinessroleorfunctionsupportedbyevidencetodemonstratetheorganizationisadheringtotheruleofleastprivilegebasedonjob

Doyourequireatleastannualcertificationofentitlementsforallsystemusersandadministrators(exclusiveofusersmaintainedbyyourtenants)?

IBMuseraccountsarerevalidatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.

IAM-10.2

Ifusersarefoundtohaveinappropriateentitlements,areallremediationandcertificationactionsrecorded?

IBMuseraccountsarerevalidatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.

IAM-10.3

function.Foridentifiedaccessviolations,remediationmustfollowestablisheduseraccesspoliciesandprocedures.

Willyoushareuserentitlementremediationandcertificationreportswithyourtenants,ifinappropriateaccessmayhavebeenallowedtotenantdata?

RevalidationreportsareforIBMaccess&useonly.

Identity&AccessManagementUserAccessRevocation

IAM-11

IAM-11.1

Timelyde-provisioning(revocationormodification)ofuseraccesstodataandorganizationally-ownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponents,shallbeimplementedasperestablishedpoliciesandproceduresandbasedonuser'schangeinstatus(e.g.,terminationofemploymentorotherbusinessrelationship,jobchange,ortransfer).Uponrequest,providershallinformcustomer(tenant)ofthesechanges,especiallyifcustomer(tenant)dataisusedasparttheserviceand/orcustomer(tenant)hassomesharedresponsibilityoverimplementationofcontrol.

Istimelydeprovisioning,revocation,ormodificationofuseraccesstotheorganizationssystems,informationassets,anddataimplementeduponanychangeinstatusofemployees,contractors,customers,businesspartners,orinvolvedthirdparties?

IBMuseraccountsarerevalidated,revoked,modifiedand/orupdatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.

IAM-11.2

Isanychangeinuseraccessstatusintendedtoincludeterminationofemployment,contractoragreement,changeofemploymentortransferwithintheorganization?

IBMuseraccountsarerevalidated,revoked,modifiedand/orupdatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.

Identity&AccessManagement

IAM-12

IAM-12.1

Internalcorporateorcustomer(tenant)useraccountcredentialsshallbe

Doyousupportuseof,orintegrationwith,existingcustomer-basedSingleSignOn(SSO)solutionstoyourservice?

Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAMservicescontrolpoints.ThisintegrationwithcustomerdirectoryservicesallowsforSSO(SingleSignOn)capabilities.

UserIDCredentials

IAM-12.2

restrictedasperthefollowing,ensuringappropriateidentity,entitlement,andaccessmanagementandinaccordancewithestablishedpoliciesandprocedures:•Identitytrustverificationandservice-to-serviceapplication(API)andinformationprocessinginteroperability(e.g.,SSOandFederation)•Accountcredentiallifecyclemanagementfrominstantiationthroughrevocation•Accountcredentialand/oridentitystoreminimizationorre-usewhenfeasible•Adherencetoindustryacceptableand/orregulatorycompliantauthentication,authorization,andaccounting(AAA)rules(e.g.,strong/multi-factor,expireable,non-sharedauthenticationsecrets)

Doyouuseopenstandardstodelegateauthenticationcapabilitiestoyourtenants?

x Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAM

serviceswhichleveragesopenstandardstoallowfordelegationofauthenticationcapabilitiestoIBMWatsonservicestenants.

IAM-12.3

Doyousupportidentityfederationstandards(e.g.,SAML,SPML,WS-Federation,etc.)asameansofauthenticating/authorizingusers?

Customerintegration&SAML(SecurityAssertionMarkupLanguage)federatedaccessismanagedandsupportedusingtheIBMCloudIAMservices.

IAM-12.4

DoyouhaveaPolicyEnforcementPointcapability(e.g.,XACML)toenforceregionallegalandpolicyconstraintsonuseraccess?

Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAMservicescontrolpoints.

IAM-12.5

Doyouhaveanidentitymanagementsystem(enablingclassificationofdataforatenant)inplacetoenablebothrole-basedandcontext-basedentitlementtodata?

CustomerintegrationaccessismanagedandsupportedusingtheIBMCloudIAMservicescontrolpoints.

IAM-12.6

Doyouprovidetenantswithstrong(multifactor)authenticationoptions(e.g.,digitalcerts,tokens,biometrics,etc.)foruseraccess?

Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAMservices.ThisintegrationallowsforclientstoleverageexistingMFA(MultifactorAuthentication)optionsasestablishedwithintheirorganizationanddirectoryservices.

IAM-12.7

Doyouallowtenantstousethird-partyidentityassuranceservices?

x Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAM

services.Thisintegrationallowsforclientstoleveragethird-partyidentityassuranceservices.Also,thisisoftenaccomplishedusingthird-partycertificate/keyauthorizationservices.

IAM-12.8

Doyousupportpassword(e.g.,minimumlength,age,history,complexity)andaccountlockout(e.g.,lockoutthreshold,lockoutduration)policyenforcement?

IBMCloudIAMservicessupportsstrongpasswordpolicyenforcementincludingminimumpasswordlength,passwordhistoryandpasswordlockout.IBMCloudcustomersmayenforceanypasswordpolicytheychoosebyusingSAMLfederation.

IAM-12.9

Doyouallowtenants/customerstodefinepasswordandaccountlockoutpoliciesfortheiraccounts?

IAM-12.10

Doyousupporttheabilitytoforcepasswordchangesuponfirstlogon?

x IBMCloudIAMservicessupportsstrongpasswordpolicyenforcementincludingminimum

passwordlength,passwordhistoryandpasswordlockout.IBMCloudcustomersmayenforceanypasswordpolicytheychoosebyusingSAMLfederation.

IAM-12.11

Doyouhavemechanismsinplaceforunlockingaccountsthathavebeenlockedout(e.g.,self-serviceviaemail,definedchallengequestions,manualunlock)?

Identity&AccessManagementUtilityProgramsAccess

IAM-13

IAM-13.1

Utilityprogramscapableofpotentiallyoverridingsystem,object,network,virtualmachine,andapplicationcontrolsshallberestricted.

Areutilitiesthatcansignificantlymanagevirtualizedpartitions(e.g.,shutdown,clone,etc.)appropriatelyrestrictedandmonitored?

IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.Thiswouldincludepermissionsandaccesstoutilitiesthatcanmanagevirtualizedpartitions.Privilegedaccessutilizingsuchutilitieswouldbeloggedandsentinnearreal-timetoIBMQRadarSIEM.

IAM-13.2

Doyouhavethecapabilitytodetectattacksthattargetthevirtualinfrastructuredirectly(e.g.,shimming,BluePill,Hyperjumping,etc.)?

AccesstoVirtualInfrastructureisrestrictedtoonlypersonnelwhorequireaccessandallaccessislogged.MonitoringandcontrolshavebeenreviewedbyindependentauditorsaspartofISOaudits.

IAM-13.3

Areattacksthattargetthevirtualinfrastructurepreventedwithtechnicalcontrols?

x AccesstoVirtualInfrastructureisrestrictedtoonlypersonnelwhorequireaccessandall

accessislogged.MonitoringandcontrolshavebeenreviewedbyindependentauditorsaspartofISOaudits.

Infrastructure&VirtualizationSecurityAuditLogging/IntrusionDetection

IVS-01 IVS-01.1

Higherlevelsofassurancearerequiredforprotection,retention,andlifecyclemanagementofauditlogs,adheringtoapplicablelegal,statutory,orregulatorycomplianceobligationsandprovidinguniqueuseraccessaccountabilitytodetectpotentiallysuspiciousnetworkbehaviorsand/orfileintegrityanomalies,andtosupportforensicinvestigativecapabilitiesintheeventofasecuritybreach.

Arefileintegrity(host)andnetworkintrusiondetection(IDS)toolsimplementedtohelpfacilitatetimelydetection,investigationbyrootcauseanalysis,andresponsetoincidents?

x ThisisanongoingprojectandcompensatingcontrolsexistusingadvancedloggingandSIEMmonitoring.

IVS-01.2

Isphysicalandlogicaluseraccesstoauditlogsrestrictedtoauthorizedpersonnel?

AuditlogsaresecuredandencryptedusingtheQRadartool.AccesstotheselogswouldfollowtheIBMAccesscontrolpolicies&procedures.IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.

IVS-01.3

Canyouprovideevidencethatduediligencemappingofregulationsandstandardstoyourcontrols/architecture/processeshasbeendone?

ThisisaccomplishedviaIBMComplianceteamsleveragingtheIBMISO27001basedISMS(InformationSecurityManagementSystem)&alsoCSA(CloudServiceAlliance)CloudControlMatrix.IBMWatsonservicesareISO27001/17/18certifiedbyexternalauditorswiththosecertificationsbeingavailabletocustomers.AspartofISO27001auditsandassessments,duediligencemappingtoregulationsandstandardsisreviewed.

IVS-01.4

Areauditlogscentrallystoredandretained?

x IBMWatsonservicessecuritylogsfeedintoaSELM(SecurityEventLogMonitor)service(IBMQRadar)andaremonitoredandmanagedviaaSOC.Logsareretainedaminimumof90days.

IVS-01.5

Areauditlogsreviewedonaregularbasisforsecurityevents(e.g.,withautomatedtools)?

IBMWatsonservicessecuritylogsfeedintoaSELMserviceandmonitoredutilizingQRadarSIEMandmanagedviaaSOC.

Infrastructure&VirtualizationSecurity

IVS-02 IVS-02.1

Theprovidershallensuretheintegrityofallvirtualmachineimagesatalltimes.

Doyoulogandalertanychangesmadetovirtualmachineimagesregardlessoftheirrunningstate(e.g.,dormant,offorrunning)?

AllchangesandprivilegedactionstoVM(VirtualMachine)imagesareloggedandsenttoIBMQRadarSIEMformonitoringandalerting.

ChangeDetection

IVS-02.2

Anychangesmadetovirtualmachineimagesmustbeloggedandanalertraisedregardlessoftheirrunningstate(e.g.,dormant,off,orrunning).Theresultsofachangeormoveofanimageandthesubsequentvalidationoftheimage'sintegritymustbeimmediatelyavailabletocustomersthroughelectronicmethods(e.g.,portalsoralerts).

Arechangesmadetovirtualmachines,ormovingofanimageandsubsequentvalidationoftheimage'sintegrity,madeimmediatelyavailabletocustomersthroughelectronicmethods(e.g.,portalsoralerts)?

IBMCloudmanagesthebackendIaaSsupporting/providingallvirtualinfrastructureforthecustomersuchthatallchangestoVMsaretransparenttotheIBMWatsonservicesbeingprovided.

Infrastructure&VirtualizationSecurityClockSynchronization

IVS-03 IVS-03.1

Areliableandmutuallyagreeduponexternaltimesourceshallbeusedtosynchronizethesystemclocksofallrelevantinformationprocessingsystemstofacilitatetracingandreconstitutionofactivitytimelines.

Doyouuseasynchronizedtime-serviceprotocol(e.g.,NTP)toensureallsystemshaveacommontimereference?

IBMCloudprovidescentralized,synchronizedNTP(NetworkTimeProtocol)servicesforIBMWatsonservices.

Infrastructure&VirtualizationSecurityCapacity/ResourcePlanning

IVS-04 IVS-04.1

Theavailability,quality,andadequatecapacityandresourcesshallbeplanned,prepared,andmeasuredtodelivertherequiredsystemperformanceinaccordancewithlegal,statutory,andregulatorycomplianceobligations.Projectionsoffuture

Doyouprovidedocumentationregardingwhatlevelsofsystem(e.g.,network,storage,memory,I/O,etc.)oversubscriptionyoumaintainandunderwhatcircumstances/scenarios? x

ForIBMWatsonservicesthisshouldbetransparenttotheenduser.SLAswillbemetasagreedtointhecustomercontract.SpecificcapacityrequirementscanbenegotiatedanddocumentedinDedicatedservicedeliverymodels.

IVS-04.2

Doyourestrictuseofthememoryoversubscriptioncapabilitiespresentinthehypervisor?

ThisisprovidedbyIBMCloudIaaS.

IVS-04.3

capacityrequirementsshallbemadetomitigatetheriskofsystemoverload.

Doyoursystemcapacityrequirementstakeintoaccountcurrent,projected,andanticipatedcapacityneedsforallsystemsusedtoprovideservicestothetenants?

IBMCloudPlatformservicesprojectstheanticipatedcapacityfortheplatformandensuresthereisenoughhardware,network,memoryandotherresourcestomeetthatanticipatedcapacity.Basedonthecurrentandanticipatedcapacity,warninglimitsareinplacewhichtriggeralertstooperationswhenbreached.Thattriggersanothercycleofcapacityplanningandnewwarninglimits.ThisisalsoaddressedwhenbuildingoutadditionalclientsandserviceswithinIBMWatsonservicesasneeded.

IVS-04.4

Issystemperformancemonitoredandtunedinordertocontinuouslymeetregulatory,contractual,andbusinessrequirementsforallthesystemsusedtoprovideservicestothetenants?

IBMCloudPlatformservicesprojectstheanticipatedcapacityfortheplatformandensuresthereisenoughhardware,network,memoryandotherresourcestomeetthatanticipatedcapacity.Basedonthecurrentandanticipatedcapacity,warninglimitsareinplacewhichtriggeralertstooperationswhenbreached.Thattriggersanothercycleofcapacityplanningandnewwarninglimits.ThisisalsoaddressedwhenbuildingoutadditionalclientsandserviceswithinIBMWatsonservicesasneeded.

Infrastructure&VirtualizationSecurityManagement-VulnerabilityManagement

IVS-05 IVS-05.1

Implementersshallensurethatthesecurityvulnerabilityassessmenttoolsorservicesaccommodatethevirtualizationtechnologiesused(e.g.,virtualizationaware).

Dosecurityvulnerabilityassessmenttoolsorservicesaccommodatethevirtualizationtechnologiesbeingused(e.g.,virtualizationaware)? x

TheIBMSecureEngineeringstandarddictatesmultiplescanningtechniquesbeusedagainstproductionsystems.Theseincludeautomateddynamicscans,manualpenetrationtestsandthreatmodelling.Theseactivitiesincludeboththevirtualizationtechnologiesandallvirtualmachinesandcontainersdeployedonthosevirtualizationtechnologies.Thestandardsusedareregularlyevaluatedandupdatedforinclusionorreplacement.Vulnerabilitytools,processes,&proceduresareassessed&auditedannuallywithinternalandthird-partyauditors.

Infrastructure&VirtualizationSecurityNetworkSecurity

IVS-06 IVS-06.1

Networkenvironmentsandvirtualinstancesshallbedesignedandconfiguredtorestrictandmonitortrafficbetweentrustedanduntrustedconnections.Theseconfigurationsshallbereviewedatleastannually,andsupportedbyadocumentedjustificationforuseforallallowedservices,protocols,ports,andcompensatingcontrols.

ForyourIaaSoffering,doyouprovidecustomerswithguidanceonhowtocreatealayeredsecurityarchitectureequivalenceusingyourvirtualizedsolution?

IBMWatsonservicesdonotprovideIaaScapabilitiesdirectlytoclients.IBMCloudmanagestheInfrastructureentirelyforIBMWatsonservicescustomers.

IVS-06.2

Doyouregularlyupdatenetworkarchitecturediagramsthatincludedataflowsbetweensecuritydomains/zones?

IBMWatsonservicesarchitecturesarereviewedaspartofathreatmodelingprocesses,procedures&exercisewhicharemandatedpriortoservicesgoingtogeneralavailabilityandthenwithmajorreleases.Theseincludedocumentingdataflowsanddatamaps.

IVS-06.3

Doyouregularlyreviewforappropriatenesstheallowedaccess/connectivity(e.g.,firewallrules)betweensecuritydomains/zoneswithinthenetwork?

IBMWatsonservicesconductreviewsonallfirewallsonanannualbasis.

IVS-06.4

Areallfirewallaccesscontrollistsdocumentedwithbusinessjustification? x

AllchangestoIBMfirewallsmustfollowthechangemanagementprocesswhichrequiresbusinessjustificationandmultiplelevelsofreviewandapprovalbeforedeployment.

Infrastructure&VirtualizationSecurityOSHardeningandBaseControls

IVS-07 IVS-07.1

Eachoperatingsystemshallbehardenedtoprovideonlynecessaryports,protocols,andservicestomeetbusinessneedsandhaveinplacesupportingtechnicalcontrolssuchas:antivirus,fileintegritymonitoring,andloggingaspartoftheirbaselineoperatingbuildstandardortemplate.

Areoperatingsystemshardenedtoprovideonlythenecessaryports,protocols,andservicestomeetbusinessneedsusingtechnicalcontrols(e.g.,antivirus,fileintegritymonitoring,andlogging)aspartoftheirbaselinebuildstandardortemplate?

AllhostmachinesinIBMWatsonservicesaredeployedasstandardbuildswhichremoveunnecessaryports,protocols,andservices.Authenticatedscanningisperformedonallmachinestovalidatecompliancewithasetofhardeningrulesonaatleastamonthlybasis.

Infrastructure&VirtualizationSecurityProduction/Non-ProductionEnvironments

IVS-08 IVS-08.1

Productionandnon-productionenvironmentsshallbeseparatedtopreventunauthorizedaccessorchangestoinformationassets.Separationoftheenvironmentsmayinclude:statefulinspectionfirewalls,domain/realmauthenticationsources,andclearsegregationofdutiesforpersonnelaccessingtheseenvironmentsaspartoftheirjobduties.

ForyourSaaSorPaaSoffering,doyouprovidetenantswithseparateenvironmentsforproductionandtestprocesses?

CustomerscanchoosetoprovisionmultipleinstancesofaserviceandimplementaccesscontrolsthroughIBMCloudPlatformthatwillsupportthisprocess.

IVS-08.2

ForyourIaaSoffering,doyouprovidetenantswithguidanceonhowtocreatesuitableproductionandtestenvironments?

IBMWatsonservicesareSaaS,IBMmanagesthearchitectureexclusively.

IVS-08.3

Doyoulogicallyandphysicallysegregateproductionandnon-productionenvironments?

IBMWatsonserviceshavemultiplenon-productionenvironmentsthatsupportdevelopmentandstagingforbothPublicandDedicatedsolutions.Theseenvironmentsareusedtoperformanytestingpre-deploymentpriortopushingtoproductionenvironments.Thenon-productionenvironmentsarelogicallysegregatedfromproductionenvironments.

Infrastructure&VirtualizationSecuritySegmentation

IVS-09 IVS-09.1

Multi-tenantorganizationally-ownedormanaged(physicalandvirtual)applications,andinfrastructuresystemandnetworkcomponents,shallbedesigned,developed,deployed,and

Aresystemandnetworkenvironmentsprotectedbyafirewallorvirtualfirewalltoensurebusinessandcustomersecurityrequirements?

Allsystemsandresourcesareprotectedbyatleastonefirewall.

IVS-09.2

Aresystemandnetworkenvironmentsprotectedbyafirewallorvirtualfirewalltoensurecompliancewithlegislative,regulatory,andcontractualrequirements?

IVS-09.3

configuredsuchthatproviderandcustomer(tenant)useraccessisappropriatelysegmentedfromothertenantusers,basedonthefollowingconsiderations:•Establishedpoliciesandprocedures•Isolationofbusinesscriticalassetsand/orsensitiveuserdataandsessionsthatmandatestrongerinternalcontrolsandhighlevelsofassurance•Compliancewithlegal,statutory,andregulatorycomplianceobligations

Aresystemandnetworkenvironmentsprotectedbyafirewallorvirtualfirewalltoensureseparationofproductionandnon-productionenvironments?

Therearededicateddevelopment,staging,andproductioncloudenvironments.Eachenvironmentcontainsatleastonefirewalltoensureisolation.

IVS-09.4

Aresystemandnetworkenvironmentsprotectedbyafirewallorvirtualfirewalltoensureprotectionandisolationofsensitivedata?

Infrastructure&VirtualizationSecurityVMSecurity-DataProtection

IVS-10 IVS-10.1

Securedandencryptedcommunicationchannelsshallbeusedwhenmigratingphysicalservers,applications,ordatatovirtualizedserversand,wherepossible,shalluseanetworksegregatedfromproduction-levelnetworksforsuchmigrations.

Aresecuredandencryptedcommunicationchannelsusedwhenmigratingphysicalservers,applications,ordatatovirtualservers?

PerIBMpolicydataisencryptedintransit.IBMWatsonservicesarebuilt&deployedinvirtualizedenvironments.

IVS-10.2

Doyouuseanetworksegregatedfromproduction-levelnetworkswhenmigratingphysicalservers,applications,ordatatovirtualservers? x

Therearededicateddevelopment,staging,andproductioncloudenvironments.Eachenvironmentcontainsatleastonefirewalltoensureisolation.

Infrastructure&VirtualizationSecurityVMMSecurity-HypervisorHardening

IVS-11 IVS-11.1

Accesstoallhypervisormanagementfunctionsoradministrativeconsolesforsystemshostingvirtualizedsystemsshallberestrictedtopersonnelbasedupontheprincipleofleastprivilegeandsupportedthroughtechnicalcontrols(e.g.,two-factorauthentication,audittrails,IPaddressfiltering,firewalls,andTLSencapsulatedcommunicationstotheadministrativeconsoles).

Doyourestrictpersonnelaccesstoallhypervisormanagementfunctionsoradministrativeconsolesforsystemshostingvirtualizedsystemsbasedontheprincipleofleastprivilegeandsupportedthroughtechnicalcontrols(e.g.,two-factorauthentication,audittrails,IPaddressfiltering,firewallsandTLS-encapsulatedcommunicationstotheadministrativeconsoles)?

IBMWatsonservicesprivilegedusersrequestaccesstoIBMCloudenvironments,includingadministrativetools,hypervisorsandvirtualmachines,viaanIBMUserAccessManagementtool.Approvalisrequiredfromboththeemployeemanagerandthesystemaccessowner.Allsuccessfulandfailedloginsandallprivilegedactionsareloggedandsentinnearreal-timetoIBMQRadarSIEMtopreventunauthorizedaccesstodatabyIBMemployees.Allsystemsandresourcesareprotectedandisolatedbyatleastonefirewall.Allaccesstoadministrativeconsoles,hypervisorsandVirtualMachinesisoverTLSandallIBMCloudPaaSPlatformdataisencryptedintransit.

Infrastructure&VirtualizationSecurityWirelessSecurity

IVS-12 IVS-12.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,toprotectwirelessnetworkenvironments,includingthefollowing:•Perimeterfirewallsimplementedandconfiguredtorestrictunauthorizedtraffic•Securitysettingsenabledwithstrongencryptionforauthenticationandtransmission,replacingvendordefaultsettings(e.g.,encryptionkeys,

Arepoliciesandproceduresestablishedandmechanismsconfiguredandimplementedtoprotectthewirelessnetworkenvironmentperimeterandtorestrictunauthorizedwirelesstraffic?

x IBMWatsonservicesteamdoesnothaveaccesstophysicalEthernetports,anddoesnothavetheabilitytoimplementwirelessintheenvironment.IBMIaaSdoesnotpermittheuseofwirelessnetworksandscansforroguedevicesareconductedroutinely.ThesecontrolsareaccessedbyanindependentauditoraspartofISO27001andSOCreviewsandcanbemadeavailabletocustomersuponrequest.

IVS-12.2

Arepoliciesandproceduresestablishedandmechanismsimplementedtoensurewirelesssecuritysettingsareenabledwithstrongencryptionforauthenticationandtransmission,replacingvendordefaultsettings(e.g.,encryptionkeys,passwords,SNMPcommunitystrings)?

x IBMIaaSdoesnotpermittheuseofwirelessnetworksandscansforandroguedevicesareconductedroutinely.ThesecontrolsareaccessedbyanindependentauditoraspartofISO27001andSOCreviewsandcanbemadeavailabletocustomersuponrequest.

IVS-12.3

Arepoliciesandproceduresestablishedandmechanismsimplementedtoprotectwirelessnetworkenvironmentsanddetectthepresenceofunauthorized(rogue)networkdevicesforatimelydisconnectfromthenetwork?

x IBMIaaSdoesnotpermittheuseofwirelessnetworksandscansforandroguedevicesareconductedroutinely.ThesecontrolsareaccessedbyanindependentauditoraspartofISO27001andSOCreviewsandcanbemadeavailabletocustomersuponrequest.

passwords,andSNMPcommunitystrings)•Useraccesstowirelessnetworkdevicesrestrictedtoauthorizedpersonnel•Thecapabilitytodetectthepresenceofunauthorized(rogue)wirelessnetworkdevicesforatimelydisconnectfromthenetwork

Infrastructure&VirtualizationSecurityNetworkArchitecture

IVS-13 IVS-13.1

Networkarchitecturediagramsshallclearlyidentifyhigh-riskenvironmentsanddataflowsthatmayhavelegalcomplianceimpacts.Technicalmeasuresshallbeimplementedandshallapplydefense-in-depthtechniques(e.g.,deeppacketanalysis,trafficthrottling,andblack-holing)fordetectionandtimelyresponsetonetwork-basedattacksassociatedwithanomalousingressoregresstrafficpatterns(e.g.,MACspoofingandARPpoisoningattacks)and/ordistributeddenial-of-service(DDoS)attacks.

Doyournetworkarchitecturediagramsclearlyidentifyhigh-riskenvironmentsanddataflowsthatmayhavelegalcomplianceimpacts?

IBMWatsonservicesnetworkdiagramsandthreatmodelsclearlydocumenttheboundariesofdifferentenvironmentsandsystemsincludingthedataflowsacrossboundariesanddatastores.

IVS-13.2

Doyouimplementtechnicalmeasuresandapplydefense-in-depthtechniques(e.g.,deeppacketanalysis,trafficthrottlingandblack-holing)fordetectionandtimelyresponsetonetwork-basedattacksassociatedwithanomalousingressoregresstrafficpatterns(e.g.,MACspoofingandARPpoisoningattacks)and/ordistributeddenial-of-service(DDoS)attacks?

AttheIaaSlayeracleanpipesolutionisimplementedtoensureonlyappropriatetrafficispassedthroughtotheFWswhichthenpassesthetrafficbacktoanapplicationproxytoauthenticatethetrafficbeforeallowingittoreachanyoftheWatsonservices.IBMWatsonserviceshaveimplementedaDDoS(DistributedDenialofService)solutiontomitigateDDoSattacks.

Interoperability&PortabilityAPIs

IPY-01 IPY-01.1 TheprovidershalluseopenandpublishedAPIstoensuresupportforinteroperabilitybetweencomponentsandtofacilitatemigratingapplications.

DoyoupublishalistofallAPIsavailableintheserviceandindicatewhicharestandardandwhicharecustomized?

AlistofallavailableAPIsispublishedwithineachservicesdescriptionpage.Additionaldetailsavailablehere:https://www.ibm.com/watson/products-services/

Interoperability&PortabilityDataRequest

IPY-02 IPY-02.1 Allstructuredandunstructureddatashallbeavailabletothecustomerandprovidedtothemuponrequestinanindustry-standardformat(e.g.,.doc,.xls,.pdf,logs,andflatfiles).

Isunstructuredcustomerdataavailableonrequestinanindustry-standardformat(e.g.,.doc,.xls,or.pdf)?

CustomersmayelecttoprovideadditionaltraininginformationtocustomizetheirWatsonservice.Thisdataistypicallyprovidedbythecustomerandistheirresponsibilitytomanage.Someservices,suchasWatsonKnowledgeStudio,doallowcustomerstoexportthecustomizedtrainingmodelstheyhavecreated.

Interoperability&PortabilityPolicy&Legal

IPY-03 IPY-03.1 Policies,procedures,andmutually-agreeduponprovisionsand/ortermsshallbeestablishedtosatisfycustomer(tenant)requirementsforservice-to-serviceapplication(API)andinformationprocessinginteroperability,andportabilityforapplicationdevelopmentandinformationexchange,usage,andintegritypersistence.

Doyouprovidepoliciesandprocedures(i.e.servicelevelagreements)governingtheuseofAPIsforinteroperabilitybetweenyourserviceandthird-partyapplications?

PoliciesandproceduresareinplacegoverningtheuseofAPIsbetweenIBMWatsonservicesandthird-partyapplicationsaspartofthestandardcontractlanguage.

IPY-03.2 Doyouprovidepoliciesandprocedures(i.e.servicelevelagreements)governingthemigrationofapplicationdatatoandfromyourservice?

IBMWatsonservicescustomersareresponsibleforthedataincludinghowandwhenthatdataismigrated.Pleasechecktheservicedescriptionsforadditionaldetails.

Interoperability&PortabilityStandardizedNetworkProtocols

IPY-04 IPY-04.1 Theprovidershallusesecure(e.g.,non-cleartextandauthenticated)standardizednetworkprotocolsfortheimportand

Candataimport,dataexport,andservicemanagementbeconductedoversecure(e.g.,non-cleartextandauthenticated),industryacceptedstandardizednetworkprotocols?

PerIBMpolicydataisencryptedintransit.

IPY-04.2 exportofdataandtomanagetheservice,andshallmakeavailableadocumenttoconsumers(tenants)detailingtherelevantinteroperabilityandportabilitystandardsthatareinvolved.

Doyouprovideconsumers(tenants)withdocumentationdetailingtherelevantinteroperabilityandportabilitynetworkprotocolstandardsthatareinvolved? x

Tenantscanreceivethisdatauponrequest.Pleasechecktheservicedescriptionsforadditionaldetails.

Interoperability&PortabilityVirtualization

IPY-05 IPY-05.1 Theprovidershalluseanindustry-recognizedvirtualizationplatformandstandardvirtualizationformats(e.g.,OVF)tohelpensureinteroperability,andshallhavedocumentedcustomchangesmadetoanyhypervisorinuse,andallsolution-specificvirtualizationhooks,availableforcustomerreview.

Doyouuseanindustry-recognizedvirtualizationplatformandstandardvirtualizationformats(e.g.,OVF)tohelpensureinteroperability?

IBMWatsonservicesuseindustrystandardvirtualizationformatsandtechnologiestohelpensureinteroperability,suchasKubernetes,DockerContainers,andVMWare.

IPY-05.2 Doyouhavedocumentedcustomchangesmadetoanyhypervisorinuse,andallsolution-specificvirtualizationhooksavailableforcustomerreview?

IBMWatsonservicesIaaSdoesnothavesolution-specificvirtualizationhooks.

MobileSecurityAnti-Malware

MOS-01

MOS-01.1

Anti-malwareawarenesstraining,specifictomobiledevices,shallbeincludedintheprovider'sinformationsecurityawarenesstraining.

Doyouprovideanti-malwaretrainingspecifictomobiledevicesaspartofyourinformationsecurityawarenesstraining? x

IBMSecureEngineeringstandardmandatessecurityeducationforallteammembersonanannualbasis.Additionalsecurityeducationisrequiredonaperiodicbasisforteammembersbasedontheirrole.Anti-malwareawarenesstraining,specifictomobiledevices,isincludedinthattraining.

MobileSecurityApplicationStores

MOS-02

MOS-02.1

Adocumentedlistofapprovedapplicationstoreshasbeencommunicatedasacceptableformobiledevicesaccessingorstoringprovidermanageddata.

Doyoudocumentandmakeavailablelistsofapprovedapplicationstoresformobiledevicesaccessingorstoringcompanydataand/orcompanysystems?

Alistofapprovedapplicationstoresisavailableandhasbeencommunicatedtousers.

MobileSecurityApprovedApplications

MOS-03

MOS-03.1

Thecompanyshallhaveadocumentedpolicyprohibitingtheinstallationofnon-approvedapplicationsorapprovedapplicationsnotobtainedthroughapre-identifiedapplicationstore.

Doyouhaveapolicyenforcementcapability(e.g.,XACML)toensurethatonlyapprovedapplicationsandthosefromapprovedapplicationstorescanbeloadedontoamobiledevice?

IBMCorporateSecuritymandatestheinstallationofaMobileDeviceManagementclientonallBYODsusedforIBMbusiness.ThatclientensurescompliancewithIBMCorporatesecuritystandardsincludingensuringthatonlyapprovedapplicationstorescanbeused.

MobileSecurityApprovedSoftwareforBYOD

MOS-04

MOS-04.1

TheBYODpolicyandsupportingawarenesstrainingclearlystatestheapprovedapplications,applicationstores,andapplicationextensionsandpluginsthatmaybeusedforBYODusage.

DoesyourBYODpolicyandtrainingclearlystatewhichapplicationsandapplicationsstoresareapprovedforuseonBYODdevices?

TheIBMCorporatesecuritypolicyclearlystateswhichapplicationsandapplicationstoresareapproved.MobileDeviceManagementisinplacetoblockriskyextensionsandplugins.

MobileSecurityAwarenessandTraining

MOS-05

MOS-05.1

Theprovidershallhaveadocumentedmobiledevicepolicythatincludesadocumenteddefinitionformobiledevicesandtheacceptableusageandrequirementsforallmobiledevices.Theprovidershallpostandcommunicatethepolicyandrequirementsthroughthecompany'ssecurityawarenessandtrainingprogram.

Doyouhaveadocumentedmobiledevicepolicyinyouremployeetrainingthatclearlydefinesmobiledevicesandtheacceptedusageandrequirementsformobiledevices?

IBMCorporatesecuritypoliciesdefinetheseelements,whichareenforcedbyarequiredmobiledevicemanagementtool.

MobileSecurityCloudBasedServices

MOS-06

MOS-06.1

Allcloud-basedservicesusedbythecompany'smobiledevicesorBYODshallbepre-approvedforusageandthestorageof

Doyouhaveadocumentedlistofpre-approvedcloudbasedservicesthatareallowedtobeusedforuseandstorageofcompanybusinessdataviaamobiledevice?

IBMCorporatesecuritypolicydefinesthepre-approvedvendor(s)forcloudstorageonmobiledeviceswithregardstocompanybusinessdata.

companybusinessdata.

MobileSecurityCompatibility

MOS-07

MOS-07.1

Thecompanyshallhaveadocumentedapplicationvalidationprocesstotestformobiledevice,operatingsystem,andapplicationcompatibilityissues.

Doyouhaveadocumentedapplicationvalidationprocessfortestingdevice,operatingsystem,andapplicationcompatibilityissues? x

IBMCorporatesecuritypoliciesdefinetheseelements,whichareenforcedbyarequiredmobiledevicemanagementtool.

MobileSecurityDeviceEligibility

MOS-08

MOS-08.1

TheBYODpolicyshalldefinethedeviceandeligibilityrequirementstoallowforBYODusage.

DoyouhaveaBYODpolicythatdefinesthedevice(s)andeligibilityrequirementsallowedforBYODusage? x

IBMCorporatesecuritypoliciesdefinetheeligibilityrequirementstoallowforBYODusage.BYODisnotpermittedtoconnecttocustomerenvironmentsortostorecustomerdata.

MobileSecurityDeviceInventory

MOS-09

MOS-09.1

Aninventoryofallmobiledevicesusedtostoreandaccesscompanydatashallbekeptandmaintained.Allchangestothestatusofthesedevices,(i.e.,operatingsystemandpatchlevels,lostordecommissionedstatus,andtowhomthedeviceisassignedorapprovedforusage(BYOD)),willbeincludedforeachdeviceintheinventory.

Doyoumaintainaninventoryofallmobiledevicesstoringandaccessingcompanydatawhichincludesdevicestatus(e.g.,operatingsystemandpatchlevels,lostordecommissioned,deviceassignee)?

Mobiledevicesarenotpermittedtoconnecttocustomerenvironmentsortostorecustomerdata.IBMCorporateretainscontrolofinventories,forcedpatching,etc.,ofmobiledevices.

MobileSecurityDeviceManagement

MOS-10

MOS-10.1

Acentralized,mobiledevicemanagementsolutionshallbedeployedtoallmobiledevicespermittedtostore,transmit,orprocesscustomerdata.

Doyouhaveacentralizedmobiledevicemanagementsolutiondeployedtoallmobiledevicesthatarepermittedtostore,transmit,orprocesscompanydata?

Mobiledevicesarerequiredtoinstallamobiledevicemanagementtool.Nomobiledevicesarepermittedtostore,transmitorprocesscustomerdata.

MobileSecurityEncryption

MOS-11

MOS-11.1

Themobiledevicepolicyshallrequiretheuseofencryptioneitherfortheentiredeviceorfordataidentifiedassensitiveonallmobiledevicesandshallbeenforcedthroughtechnologycontrols.

Doesyourmobiledevicepolicyrequiretheuseofencryptionforeithertheentiredeviceorfordataidentifiedassensitiveenforceablethroughtechnologycontrolsforallmobiledevices? x

IBMCorporatesecuritypoliciesrequirefulldeviceencryptiononmobiledevicesaswellasBYOD.SensitivedataisnotpermittedonmobiledevicesoronBYOD.

MobileSecurityJailbreakingandRooting

MOS-12

MOS-12.1

Themobiledevicepolicyshallprohibitthecircumventionofbuilt-insecuritycontrolsonmobiledevices(e.g.,jailbreakingorrooting)andisenforcedthroughdetectiveandpreventativecontrolsonthedeviceorthroughacentralizeddevicemanagementsystem(e.g.,mobiledevicemanagement).

Doesyourmobiledevicepolicyprohibitthecircumventionofbuilt-insecuritycontrolsonmobiledevices(e.g.,jailbreakingorrooting)?

Mobiledevicesarerequiredtoinstallamobiledevicemanagementtool.Jailbreakingorrootingispreventedandreportedon.

MOS-12.2

Doyouhavedetectiveandpreventativecontrolsonthedeviceorviaacentralizeddevicemanagementsystemwhichprohibitthecircumventionofbuilt-insecuritycontrols? x

Mobiledevicesarerequiredtoinstallamobiledevicemanagementtool.Jailbreaking,rooting,orcircumventingrequiredcontrolsispreventedandreportedon.

MobileSecurityLegal

MOS-13

MOS-13.1

TheBYODpolicyincludesclarifyinglanguagefortheexpectationofprivacy,requirementsforlitigation,e-discovery,andlegalholds.TheBYODpolicyshallclearlystatetheexpectationsoverthelossofnon-companydatainthecasethatawipeofthedeviceisrequired.

DoesyourBYODpolicyclearlydefinetheexpectationofprivacy,requirementsforlitigation,e-discovery,andlegalholds?

IBMCorporateSecurityPoliciesdefinetheseelementsforBYOD.

MOS-13.2

Doyouhavedetectiveandpreventativecontrolsonthedeviceorviaacentralizeddevicemanagementsystemwhichprohibitthecircumventionofbuilt-insecuritycontrols? x

BYODarerequiredtoinstallamobiledevicemanagementtool.Jailbreaking,rooting,orcircumventingrequiredcontrolsispreventedandreportedon.

MobileSecurityLockoutScreen

MOS-14

MOS-14.1

BYODand/orcompanyowneddevicesareconfiguredtorequireanautomaticlockoutscreen,andtherequirementshallbeenforcedthroughtechnicalcontrols.

DoyourequireandenforceviatechnicalcontrolsanautomaticlockoutscreenforBYODandcompanyowneddevices?

AutomaticlockoutsareconfiguredforBYODandmobiledevices.

MobileSecurityOperatingSystems

MOS-15

MOS-15.1

Changestomobiledeviceoperatingsystems,patchlevels,and/orapplicationsshallbemanagedthroughthecompany'schangemanagementprocesses.

Doyoumanageallchangestomobiledeviceoperatingsystems,patchlevels,andapplicationsviayourcompany'schangemanagementprocesses? x

IBMCorporateretainscontrolofinventories,forcedpatching,etc.,ofmobiledevices.Changesareimplementedperpolicyandwithmobiledevicechangemanagementprocesses.

MobileSecurityPasswords

MOS-16

MOS-16.1

Passwordpolicies,applicabletomobiledevices,shallbedocumentedandenforcedthroughtechnicalcontrolsonallcompanydevicesordevicesapprovedforBYODusage,andshallprohibitthechangingofpassword/PINlengthsandauthenticationrequirements.

Doyouhavepasswordpoliciesforenterpriseissuedmobiledevicesand/orBYODmobiledevices?

AllmobiledevicesandBYODhaverequiredpasswords.

MOS-16.2

Areyourpasswordpoliciesenforcedthroughtechnicalcontrols(i.e.MDM)? x

Passwordsareenforcedthroughamobiledevicemanagementtool.

MOS-16.3

Doyourpasswordpoliciesprohibitthechangingofauthenticationrequirements(i.e.password/PINlength)viaamobiledevice?

Authenticationrequirementsforpasswordsresidingonthedevice,e.g.,screenpin,can'tbechangedandthisisenforcedbyamobiledevicemanagementtool.

MobileSecurityPolicy

MOS-17

MOS-17.1

ThemobiledevicepolicyshallrequiretheBYODusertoperformbackupsofdata,prohibittheusageofunapprovedapplicationstores,andrequiretheuseofanti-malwaresoftware(wheresupported).

DoyouhaveapolicythatrequiresBYODuserstoperformbackupsofspecifiedcorporatedata?

Dataisstoredonthecloudandenforcedviaamobiledevicemanagementsolutionwhereneeded,thusthecorporatedataisbackedup.Thereisnodeviceresidentdataexceptforauthenticationkeys.

MOS-17.2

DoyouhaveapolicythatrequiresBYODuserstoprohibittheusageofunapprovedapplicationstores?

BYODmobiledevicesarenotpermittedtouseunapprovedapplicationstores.

MOS-17.3

DoyouhaveapolicythatrequiresBYODuserstouseanti-malwaresoftware(wheresupported)?

Anti-malwareisrequiredonBYODandenforcedviamanagementtools.

MobileSecurityRemoteWipe

MOS-18

MOS-18.1

AllmobiledevicespermittedforusethroughthecompanyBYODprogramoracompany-assignedmobiledeviceshallallowforremotewipebythecompany'scorporateITorshallhaveallcompany-provideddatawipedbythecompany'scorporateIT.

DoesyourITprovideremotewipeorcorporatedatawipeforallcompany-acceptedBYODdevices?

Allmobiledeviceshaveremotewipeconfiguredthroughtherequiredmobiledevicemanagementtools.

MOS-18.2

DoesyourITprovideremotewipeorcorporatedatawipeforallcompany-assignedmobiledevices?

Allmobiledeviceshaveremotewipeconfiguredthroughtherequiredmobiledevicemanagementtools.

MobileSecuritySecurityPatches

MOS-19

MOS-19.1

Mobiledevicesconnectingtocorporatenetworksorstoringandaccessingcompanyinformationshallallowforremotesoftwareversion/patchvalidation.Allmobiledevicesshallhavethelatestavailablesecurity-relatedpatchesinstalledupongeneralreleasebythedevicemanufacturerorcarrierandauthorizedITpersonnelshallbeabletoperformtheseupdatesremotely.

Doyourmobiledeviceshavethelatestavailablesecurity-relatedpatchesinstalledupongeneralreleasebythedevicemanufacturerorcarrier?

AllmobiledevicesareconfiguredtoforceinstallationofsecuritypatchesdeemedcriticalbytheIBMOfficeoftheCIO.

MOS-19.2

DoyourmobiledevicesallowforremotevalidationtodownloadthelatestsecuritypatchesbycompanyITpersonnel?

AllmobiledevicesareconfiguredtoforceinstallationofsecuritypatchesdeemedcriticalbytheIBMOfficeoftheCIO,throughtheMobileDeviceManagementTool.

MobileSecurityUsers

MOS-20

MOS-20.1

TheBYODpolicyshallclarifythesystemsandserversallowedforuseoraccessonaBYOD-enableddevice.

DoesyourBYODpolicyclarifythesystemsandserversallowedforuseoraccessontheBYOD-enableddevice?

ThepolicystatesmobiledevicesandBYODsystemsarenotpermittedtoaccesscustomerenvironments.

MOS-20.2

DoesyourBYODpolicyspecifytheuserrolesthatareallowedaccessviaaBYOD-enableddevice?

ThepolicystatesmobiledevicesandBYODsystemsarenotpermittedtoaccesscustomerenvironments.Userswhoseprimaryroleisaccessingormaintainingcustomerdevicesmustuseacompanyprovidedprivilegedworkstation.

SecurityIncidentManagement,E-Discovery,&CloudForensicsContact/AuthorityMaintenance

SEF-01

SEF-01.1

Pointsofcontactforapplicableregulationauthorities,nationalandlocallawenforcement,andotherlegaljurisdictionalauthoritiesshallbemaintainedandregularlyupdated(e.g.,changeinimpacted-scopeand/orachangeinanycomplianceobligation)toensuredirectcomplianceliaisonshavebeenestablishedandtobepreparedforaforensicinvestigationrequiringrapidengagementwithlawenforcement.

Doyoumaintainliaisonsandpointsofcontactwithlocalauthoritiesinaccordancewithcontractsandappropriateregulations?

IBMCybersecurityandIBMLegalmaintainrelationshipswiththeproperlocalauthorities.

SecurityIncidentManagement,E-Discovery,&CloudForensicsIncidentManagement

SEF-02

SEF-02.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,totriagesecurity-relatedeventsandensuretimelyandthoroughincidentmanagement,asperestablishedITservicemanagementpoliciesandprocedures.

Doyouhaveadocumentedsecurityincidentresponseplan?

IBMWatsonserviceshaveasecurityincidentresponseplanwhichalignswithIBMCybersecurityIncidentresponseprocessandtheIBMCybersecurityIncidentResponseteam(CSIRT)areengagedwhereverthereisasuspectedsecurityincidentinvolvinganyIBMWatsonorCustomersystemordata.https://www.ibm.com/security/secure-engineering/process.htmlhttps://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/

SEF-02.2

Doyouintegratecustomizedtenantrequirementsintoyoursecurityincidentresponseplans?

TheIBMCybersecurityIncidentResponseteam(CSIRT)areengagedwhereverthereisasuspectedasuspectedsecurityincidentinvolvinganyIBMorCustomersystemordata.Oneoftheirresponsibilitiesistoengagewiththecustomerandkeeptheminformedontheinvestigation,findingsandanyrootcauseanalysisactions.

SEF-02.3

Doyoupublisharolesandresponsibilitiesdocumentspecifyingwhatyouvs.yourtenantsareresponsibleforduringsecurityincidents?

RefertoSecurityIncidentResponseandSupportinthe‘SecuringWorkloadsinIBMCloud’whitepaper.https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/

SEF-02.4

Haveyoutestedyoursecurityincidentresponseplansinthelastyear?

x TheSecurityincidentresponseplanisreviewedandtestedatleastannually.

SecurityIncidentManagement,E-Discovery,&CloudForensics

SEF-03

SEF-03.1

Workforcepersonnelandexternalbusinessrelationshipsshallbeinformedoftheirresponsibilityand,if

Doesyoursecurityinformationandeventmanagement(SIEM)systemmergedatasources(e.g.,applogs,firewalllogs,IDSlogs,physicalaccesslogs,etc.)forgranularanalysisandalerting?

SecuritylogsforallsuccessfulandfailedloginattemptsandallcriticaloperationsintheIBMWatsonservices,includingnetworkdevicesandhostmachines,areloggedtoIBMQRadarSIEM.IBMQRadarSIEMisconfiguredwithasetofruleswhichtriggeroffencesbasedonincomingeventsacrossalllogsources.ThoseoffencestriggerpagerdutyalertstotheIBMSOCteamona24x7basis.

IncidentReporting

required,shallconsentand/orcontractuallyagreetoreportallinformationsecurityeventsinatimelymanner.Informationsecurityeventsshallbereportedthroughpredefinedcommunicationschannelsinatimelymanneradheringtoapplicablelegal,statutory,orregulatorycomplianceobligations.

RefertotheIBMSecurityIntelligencedocumentationformoredetails.https://www.ibm.com/security/security-intelligence/QRadar/

SEF-03.2

Doesyourloggingandmonitoringframeworkallowisolationofanincidenttospecifictenants?

ForIBMWatsonservicesdedicatedenvironments,thepotentialincidentactivitiesarealwaysattributedtoaspecificenvironmentbelongingtoacustomer.ForPublic,investigationoftheincidentmayberequiredtodeterminewhichcustomer(s)was(were)impacted.

SecurityIncidentManagement,E-Discovery,&CloudForensicsIncidentResponseLegalPreparation

SEF-04

SEF-04.1

Properforensicprocedures,includingchainofcustody,arerequiredforthepresentationofevidencetosupportpotentiallegalactionsubjecttotherelevantjurisdictionafteraninformationsecurityincident.Uponnotification,customersand/orotherexternalbusinesspartnersimpactedbyasecuritybreachshallbegiventheopportunitytoparticipateasislegallypermissibleintheforensicinvestigation.

Doesyourincidentresponseplancomplywithindustrystandardsforlegallyadmissiblechain-of-custodymanagementprocessesandcontrols?

Specificdetailsregardingchainofcustody,forensics,andlitigationholdsareaddressedbyIBMLegalandtheIBMCybersecurityIncidentResponseTeam(CSIRT).

SEF-04.2

Doesyourincidentresponsecapabilityincludetheuseoflegallyadmissibleforensicdatacollectionandanalysistechniques?

Thisisavailablewheretechnologicallypossiblewhenithasbeendeemednecessarytocollectandmanageevidence.

SEF-04.3

Areyoucapableofsupportinglitigationholds(freezeofdatafromaspecificpointintime)foraspecifictenantwithoutfreezingothertenantdata?

ThisisavailableinbothPremiumandDedicateddeliverymodels.

SEF-04.4

Doyouenforceandattesttotenantdataseparationwhenproducingdatainresponsetolegalsubpoenas? x

ThisisavailableinbothPremiumandDedicateddeliverymodels.

SecurityIncidentManagement,E-Discovery,&CloudForensicsIncident

SEF-05

SEF-05.1

Mechanismsshallbeputinplacetomonitorandquantifythetypes,volumes,andcosts

Doyoumonitorandquantifythetypes,volumes,andimpactsonallinformationsecurityincidents? x

SecuritylogsforallsuccessfulandfailedloginattemptsandallcriticaloperationsintheIBMWatsonservicesstackincludingnetworkdevices,hostmachines,areloggedtoIBMQRadarSIEM.IBMQRadarSIEMprovidesreportsonthetypesandvolumesofallsecurityeventsandalloffencestriggeredbasedonQRadarrules.AllsecurityincidentstriggeringtheIBMWatsonservicesSecurityincidentresponseplanhavearootcauseanalysiswhichrecordimpactandtriggeractionstomitigateinfuture.

ResponseMetrics

SEF-05.2

ofinformationsecurityincidents.

Willyousharestatisticalinformationforsecurityincidentdatawithyourtenantsuponrequest?

Reportswillbegeneratedwheretechnicallypossibleuponrequestshouldasecurityincidentoccur.

SupplyChainManagement,Transparency,andAccountabilityDataQualityandIntegrity

STA-01

STA-01.1

Providersshallinspect,accountfor,andworkwiththeircloudsupply-chainpartnerstocorrectdataqualityerrorsandassociatedrisks.Providersshalldesignandimplementcontrolstomitigateandcontaindatasecurityrisksthroughproperseparationofduties,role-basedaccess,andleast-privilegeaccessforallpersonnelwithintheirsupplychain.

Doyouinspectandaccountfordataqualityerrorsandassociatedrisks,andworkwithyourcloudsupply-chainpartnerstocorrectthem?

IBMWatsonservicescustomersareultimatelyresponsibleforthedataintegrityoftheirworkload.IBMWatsonservicescompliancecertificationsdemonstratethecontrolsareinplacetoprovideasecureplatformincludingcontrolsrelatedtosupplychain.

STA-01.2

Doyoudesignandimplementcontrolstomitigateandcontaindatasecurityrisksthroughproperseparationofduties,role-basedaccess,andleast-privilegedaccessforallpersonnelwithinyoursupplychain?

Accessmanagementprocessesareinplacetoensureonlyuserswithabusinessneedhaveaccessandthatappropriateroleshavebeendefinedtoensuretheprincipleofleastprivilege.

SupplyChainManagement,Transparency,andAccountabilityIncidentReporting

STA-02

STA-02.1

Theprovidershallmakesecurityincidentinformationavailabletoallaffectedcustomersandprovidersperiodicallythroughelectronicmethods(e.g.,portals).

Doyoumakesecurityincidentinformationavailabletoallaffectedcustomersandprovidersperiodicallythroughelectronicmethods(e.g.,portals)?

CustomerwillbenotifiedviatheIBMClouddashboardifanissuehasbeenidentifiedthatrequiresactionontheirpart.Dependingontheseverityoftheincidentindividualcustomersmaybecontacteddirectly.Customersmayalsosubscribetovulnerabilitynotificationsasdescribedathttps://www.ibm.com/security/secure-engineering/bulletins.html

SupplyChainManagement,Transparency,andAccountabilityNetwork/InfrastructureServices

STA-03

STA-03.1

Business-criticalorcustomer(tenant)impacting(physicalandvirtual)applicationandsystem-systeminterface(API)designsandconfigurations,andinfrastructurenetworkandsystemscomponents,shallbedesigned,developed,anddeployedinaccordancewith

Doyoucollectcapacityandusedataforallrelevantcomponentsofyourcloudserviceoffering? x

IBMCloudandtheWatsonservicesteamsprojecttheanticipatedcapacityfortheplatformandensuresthereisenoughhardware,memoryandotherresourcestomeetthatanticipatedcapacity.Basedonthecurrentandanticipatedcapacity,warninglimitsareinplacewhichtriggeralertstooperationswhenbreached.Thattriggersanothercycleofcapacityplanningandnewwarninglimits.

STA-03.2

Doyouprovidetenantswithcapacityplanningandusereports?

UsagereportsoftheIBMWatsonservicesareavailableontheIBMCloudconsole.

mutuallyagreed-uponserviceandcapacity-levelexpectations,aswellasITgovernanceandservicemanagementpoliciesandprocedures.

SupplyChainManagement,Transparency,andAccountabilityProviderInternalAssessments

STA-04

STA-04.1

Theprovidershallperformannualinternalassessmentsofconformanceandeffectivenessofitspolicies,procedures,andsupportingmeasuresandmetrics.

Doyouperformannualinternalassessmentsofconformanceandeffectivenessofyourpolicies,procedures,andsupportingmeasuresandmetrics? x

IBMhasamatureInternalAudit&assessmentprogramwhichperformsaudits&assessmentsatleastannually.

SupplyChainManagement,Transparency,andAccountabilityThirdPartyAgreements

STA-05

STA-05.1

Supplychainagreements(e.g.,SLAs)betweenprovidersandcustomers(tenants)shallincorporateatleastthefollowingmutually-agreeduponprovisionsand/orterms:•Scopeofbusinessrelationshipandservicesoffered(e.g.,customer(tenant)dataacquisition,exchangeandusage,featuresetsandfunctionality,personnelandinfrastructurenetworkandsystemscomponentsforservicedeliveryandsupport,rolesandresponsibilitiesofproviderandcustomer(tenant)andanysubcontractedoroutsourcedbusinessrelationships,

Doyouselectandmonitoroutsourcedprovidersincompliancewithlawsinthecountrywherethedataisprocessed,stored,andtransmitted?

IBMLegalandProcurementdesignatetherequirementsfortheestablishmentandmaintenanceofsupplierrelationships.

STA-05.2

Doyouselectandmonitoroutsourcedprovidersincompliancewithlawsinthecountrywherethedataoriginates?

STA-05.3

Doeslegalcounselreviewallthird-partyagreements? x IBMLegalandProcurementdesignatetherequirementsfortheestablishmentandmaintenance

ofsupplierrelationships.STA-05.4

Dothird-partyagreementsincludeprovisionforthesecurityandprotectionofinformationandassets?

STA-05.5

Doyouprovidetheclientwithalistandcopiesofallsubprocessingagreementsandkeepthisupdated?

IBMmaintainsallrequiredsub-processingagreementsandmakesthemavailableasrequiredtoclientsuponrequest.

physicalgeographicallocationofhostedservices,andanyknownregulatorycomplianceconsiderations)•Informationsecurityrequirements,providerandcustomer(tenant)primarypointsofcontactforthedurationofthebusinessrelationship,andreferencestodetailedsupportingandrelevantbusinessprocessesandtechnicalmeasuresimplementedtoenableeffectivelygovernance,riskmanagement,assuranceandlegal,statutoryandregulatorycomplianceobligationsbyallimpactedbusinessrelationships•Notificationand/orpre-authorizationofanychangescontrolledbytheproviderwithcustomer(tenant)impacts•Timelynotificationofasecurityincident(orconfirmedbreach)toallcustomers(tenants)andotherbusinessrelationshipsimpacted(i.e.,up-

anddown-streamimpactedsupplychain)•Assessmentandindependentverificationofcompliancewithagreementprovisionsand/orterms(e.g.,industry-acceptablecertification,attestationauditreport,orequivalentformsofassurance)withoutposinganunacceptablebusinessriskofexposuretotheorganizationbeingassessed•Expirationofthebusinessrelationshipandtreatmentofcustomer(tenant)dataimpacted•Customer(tenant)service-to-serviceapplication(API)anddatainteroperabilityandportabilityrequirementsforapplicationdevelopmentandinformationexchange,usage,andintegritypersistence

SupplyChainManagement,Transparency,andAccountabilitySupplyChainGovernanceReviews

STA-06

STA-06.1

Providersshallreviewtheriskmanagementandgovernanceprocessesoftheirpartnerssothatpracticesareconsistentandalignedtoaccountforrisksinheritedfromothermembersofthatpartner'scloudsupplychain.

Doyoureviewtheriskmanagementandgovernancedprocessesofpartnerstoaccountforrisksinheritedfromothermembersofthatpartner'ssupplychain?

IBMhasagreementswithkeythird-partysupplierswithdefinedexpectationsandimplementsrelationshipmanagementtoolswhereapplicablewiththird-partysuppliers.Thesemanagementmechanismsincludefrequentvalidationthatthesupplierismeetingtheexpectationsasdefinedinagreements.IBMsuppliermanagementprocessesarevalidatedbyexternalauditorsaspartofcompliancewithISO27001.

SupplyChainManagement,Transparency,andAccountabilitySupplyChainMetrics

STA-07

STA-07.1

Policiesandproceduresshallbeimplementedtoensuretheconsistentreviewofserviceagreements(e.g.,SLAs)betweenprovidersandcustomers(tenants)acrosstherelevantsupplychain(upstream/downstream).Reviewsshallbeperformedatleastannuallyandidentifynon-conformancetoestablishedagreements.Thereviewsshouldresultinactionstoaddressservice-levelconflictsorinconsistenciesresultingfromdisparatesupplierrelationships.

Arepoliciesandproceduresestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,formaintainingcomplete,accurate,andrelevantagreements(e.g.,SLAs)betweenprovidersandcustomers(tenants)?

IBMhasagreementswithkeythirdpartysupplierswithdefinedexpectationsandimplementsrelationshipmanagementtoolswhereapplicablewiththird-partysuppliers.Thesemanagementmechanismsincludefrequentvalidationthatthesupplierismeetingtheexpectationsasdefinedinagreements.IBMsuppliermanagementprocessesarevalidatedbyexternalauditorsaspartofcompliancewithISO27001.

STA-07.2

Doyouhavetheabilitytomeasureandaddressnon-conformanceofprovisionsand/ortermsacrosstheentiresupplychain(upstream/downstream)?

ThisisaddressedviacontractlanguagemaintainedandmanagedbyIBMLegalandProcurementformaintenanceofsupplierrelationships.

STA-07.3

Canyoumanageservice-levelconflictsorinconsistenciesresultingfromdisparatesupplierrelationships?

ThisisaddressedviacontractlanguagemaintainedandmanagedbyIBMLegalandProcurementformaintenanceofsupplierrelationships.

STA-07.4

Doyoureviewallagreements,policies,andprocessesatleastannually?

SupplyChainManagement,Transparency,andAccountabilityThirdPartyAssessment

STA-08

STA-08.1

Providersshallassurereasonableinformationsecurityacrosstheirinformationsupplychainbyperforminganannualreview.Thereviewshallincludeall

Doyouassurereasonableinformationsecurityacrossyourinformationsupplychainbyperforminganannualreview?

Externalauditassurancereportsarereviewedforkeysuppliersonatleastanannualbasis.

STA-08.2

Doesyourannualreviewincludeallpartners/third-partyprovidersuponwhichyourinformationsupplychaindepends?

Externalauditassurancereportsarereviewedforkeysuppliersonatleastanannualbasis.

partners/thirdpartyprovidersuponwhichtheirinformationsupplychaindependson.

SupplyChainManagement,Transparency,andAccountabilityThirdPartyAudits

STA-09

STA-09.1

Third-partyserviceprovidersshalldemonstratecompliancewithinformationsecurityandconfidentiality,accesscontrol,servicedefinitions,anddeliverylevelagreementsincludedinthird-partycontracts.Third-partyreports,records,andservicesshallundergoauditandreviewatleastannuallytogovernandmaintaincompliancewiththeservicedeliveryagreements.

Doyoupermittenantstoperformindependentvulnerabilityassessments?

x PenetrationtestingisallowedbyIBMWatsonservicesontheirownDedicatedenvironments

withapprovalofIBMCloudCISO.

STA-09.2

Doyouhaveexternalthirdpartyservicesconductvulnerabilityscansandperiodicpenetrationtestsonyourapplicationsandnetworks?

PenetrationtestingforIBMWatsonservicesenvironmentsisperformedonanannualbasisusinga3rdpartyvendor.

ThreatandVulnerabilityManagementAntivirus/MaliciousSoftware

TVM-01

TVM-01.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,topreventtheexecutionofmalwareonorganizationally-ownedormanageduserend-pointdevices(i.e.,issuedworkstations,laptops,andmobiledevices)andITinfrastructurenetworkandsystemscomponents.

Doyouhaveanti-malwareprogramsthatsupportorconnecttoyourcloudserviceofferingsinstalledonallofyoursystems?

AntivirusAntimalwareprotectionisdeployedonallWindowssystemsatthehostlevelandlogsaresenttoIBMQRadarSIEM.Automatedupdatesareinplacefornewmalwareorvirussignatures.

TVM-01.2

Doyouensurethatsecuritythreatdetectionsystemsusingsignatures,lists,orbehavioralpatternsareupdatedacrossallinfrastructurecomponentswithinindustryacceptedtimeframes?

Automatedupdatesareinplacefornewmalwareorvirussignatures.

ThreatandVulnerabilityManagementVulnerability/PatchManagement

TVM-02

TVM-02.1

Policiesandproceduresshallbeestablished,andsupportingprocessesandtechnicalmeasuresimplemented,fortimelydetectionofvulnerabilitieswithinorganizationally-ownedormanagedapplications,infrastructurenetworkandsystemcomponents(e.g.,networkvulnerabilityassessment,penetrationtesting)toensuretheefficiencyofimplementedsecuritycontrols.Arisk-basedmodelforprioritizingremediationofidentifiedvulnerabilitiesshallbeused.Changesshallbemanagedthroughachangemanagementprocessforallvendor-suppliedpatches,configurationchanges,orchangestotheorganization'sinternallydevelopedsoftware.Uponrequest,theproviderinformscustomer(tenant)ofpoliciesandproceduresandidentifiedweaknessesespeciallyifcustomer(tenant)

Doyouconductnetwork-layervulnerabilityscansregularlyasprescribedbyindustrybestpractices? x

Networkscanningisconductedataminimumonamonthlybasis.Findingsarereportedonandmanagedthoughnormaloperationalvulnerabilityandriskmanagementprocessesandprocedures.

TVM-02.2

Doyouconductapplication-layervulnerabilityscansregularlyasprescribedbyindustrybestpractices?

TheIBMSecureEngineeringStandardmandatesvulnerabilityassessmentwhichrequiresautomatedcodeandapplicationscanningatleastonamonthlybasis.DynamicandstaticcodescanningisperformedusingIBMAppscanonamonthlybasisorwheneverthereisamajorchange.

TVM-02.3

Doyouconductlocaloperatingsystem-layervulnerabilityscansregularlyasprescribedbyindustrybestpractices?

OSscanningisconductedatminimumonceamonth.Findingsarereportedonandmanagedthroughnormaloperationalprocesses.

TVM-02.4

Willyoumaketheresultsofvulnerabilityscansavailabletotenantsattheirrequest?

x CustomersofIBMWatsondedicatedservicescanrequestaVulnerabilityassessmentreportfor

theirenvironments.

TVM-02.5

Doyouhaveacapabilitytorapidlypatchvulnerabilitiesacrossallofyourcomputingdevices,applications,andsystems?

IBMWatsonservicesautomatingrapidpatchingacrosstheenvironment.ThisprovidesfullvisibilityonwhatispatchedinadditiontoprovidingtheautomationtopushoutthepatchestoallmachinesacrossallWatsonenvironments.

TVM-02.6

Willyouprovideyourrisk-basedsystemspatchingtimeframestoyourtenantsuponrequest?

Dedicatedcustomerswillbeincludedinthechangemanagementprocessrequiredtodistributepatcheswithintheirenvironment.

dataisusedasparttheserviceand/orcustomer(tenant)hassomesharedresponsibilityoverimplementationofcontrol.

ThreatandVulnerabilityManagementMobileCode

TVM-03

TVM-03.1

Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,topreventtheexecutionofunauthorizedmobilecode,definedassoftwaretransferredbetweensystemsoveratrustedoruntrustednetworkandexecutedonalocalsystemwithoutexplicitinstallationorexecutionbytherecipient,onorganizationally-ownedormanageduserend-pointdevices(e.g.,issuedworkstations,laptops,andmobiledevices)andITinfrastructurenetworkandsystemscomponents.

Ismobilecodeauthorizedbeforeitsinstallationanduse,andthecodeconfigurationchecked,toensurethattheauthorizedmobilecodeoperatesaccordingtoaclearlydefinedsecuritypolicy?

IBMWatsonserviceshaveaChangeControlprocesstomanageandtrackchangestoanyportionoftheWatsoninfrastructure,regardlessofitsmaturitylevel(Experimental,BetaorGA).Thechangecontrolprocessrequiresmultiplelevelsofreviewapprovalincludingcomponentownersandmanagement.

TVM-03.2

Isallunauthorizedmobilecodepreventedfromexecuting?

WithintheIBMWatsonservicesenvironmentallmobilecodeintheformofscriptsorexecutablesmustbetestedandapprovedfordeployment.EndusersandconsumersofWatsonAPIsshouldprovidefortheirownunauthorizedmobilecodepreventionsolutionasthatisnotwithinscopeforIBMWatsonservicesontheIBMCloud.

©Copyright2014CloudSecurityAlliance-Allrightsreserved.Youmaydownload,store,displayonyourcomputer,view,print,andlinktotheCloudSecurityAlliance“ConsensusAssessmentsInitiativeQuestionnaireCAIQVersion3.0.1”athttp://www.cloudsecurityalliance.orgsubjecttothefollowing:(a)theConsensusAssessmentsInitiativeQuestionnairev3.0.1maybeusedsolelyforyourpersonal,informational,non-commercialuse;(b)theConsensusAssessmentsInitiativeQuestionnairev3.0.1maynotbemodifiedoralteredinanyway;(c)theConsensusAssessmentsInitiativeQuestionnairev3.0.1maynotberedistributed;and(d)thetrademark,copyrightorothernoticesmaynotberemoved.YoumayquoteportionsoftheConsensusAssessmentsInitiativeQuestionnairev3.0.1aspermittedbytheFairUseprovisionsoftheUnitedStatesCopyrightAct,providedthatyouattributetheportionstotheCloudSecurityAllianceCloudConsensusAssessmentsInitiativeQuestionnaire3.0.1(2014).Ifyouareinterestedinobtainingalicensetothismaterialforotherusagesnotaddressesinthecopyrightnotice,pleasecontactinfo@cloudsecurityalliance.org.

on the IBMÒ Cloud CSA CAIQ V1.0 February 2018 · IBM Watson services are ISO27001, ISO27017, and...

Documents

Transcript of on the IBMÒ Cloud CSA CAIQ V1.0 February 2018 · IBM Watson services are ISO27001, ISO27017, and...

Isms Iso27001

Bsi iso27001-mapping-guide

ISO27001 - A Business View

O-ISM3 vs ISO27001

ISO27001 ProcessImplementation

การพัฒนานโยบายด้านความปลอดภัยภายใต้มาตรฐาน ISO27001¸ารพัฒนานโยบาย... ·

BSi ISO27001 Mapping Guide

ISO27001 - Checklist Capítulo9

ISO27001 Checklist

Consensus Assessment Initiative Questionnaire (CAIQ) for ......CONSENSUS ASSESSMENT INITIATIVE QUESTIONNAIRE (CAIQ) Control Domain Question ID Consensus Assessment Question Oracle

SI_-ISO27001 (1)

ISO27001+Introduction VERY IMP

ISO27001 Case Study

Implementing ISO27001 2013

29 iso27001 isms

Iso27001 Rasci Table v3

Iso27001(tieng anh)

ISO27001 compliance and Privileged Access Monitoring · ISO27001 compliance and Privileged Access Monitoring Author: Unknown Subject: ISO27001:2013 and activity monitoring for privileged

Norma ISO27001

Information Security & ISO27001