About IBM Cloud industry compliance programs

Industry compliance regulations impose additional requirements on organizations handling sensitive data, or those that engage in certain types of commerce. IBM Cloud® infrastructure and platform-as-a-service (PaaS) offerings can help your organization meet sector-specific compliance requirements with services that support key industry programs.

IBM Cloud for Financial Services

IBM Cloud for Financial Services™ is a first-of-its-kind cloud designed to help financial institutions (FIs) modernize faster by mitigating risk and accelerating cloud adoption for even the most sensitive workloads. With security and controls built into the platform, not just offered as tools or DIY features, FIs can automate their security and compliance posture, making it easier for them and their digital supply chain partners to simplify risk management, demonstrate regulatory compliance and speed innovation.

Central to IBM Cloud for Financial Services is the IBM Cloud Framework for Financial Services, which provides a common set of automated, preconfigured controls that are applied across IBM Cloud services, third-party applications and financial institution workloads.  Created in collaboration with major FI experts, the controls are designed to align with industry standards and global regulatory bodies. The framework is frequently validated with advice from the IBM Financial Services Cloud Council, and guidance from Promontory Financial Group®, an IBM Company and a global leader in regulatory compliance consulting.

The IBM Cloud for Financial Services European Regulatory Guide (PDF, 2.7 MB) maps selected EBA, EIOPA, and ESMA provisions to IBM references that indicate how IBM supports clients in meeting featured guidelines.

AUP Report

The IBM Cloud for Financial Services Agreed Upon Procedures (AUP) Report was commissioned by IBM and completed by a big four public accounting firm in accordance with the American Institute of Certified Public Accountants (AICPA). The report demonstrates to IBM Cloud for Financial Services clients that IBM Cloud services have been implemented against, and adhere to, the IBM Cloud Framework for Financial Services technical, administrative and physical control requirements.

To request a copy of the report, please contact your IBM Representative. 

FFIEC

To address emerging threats, the US Federal Financial Institutions Examination Council (FFIEC) requires financial organizations to continuously perform risk assessments, adjust control mechanisms as indicated, and implement a layered approach to security. IBM Cloud infrastructure services identify the controls that are required to meet the FFIEC guidance, identify and address emerging threats, and apply layered security to prevent client fraud.

FISC

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance to conduct research on topics that are related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

GxP

GxP refers to the collective set of globally accepted good practices with respect to quality. This includes good manufacturing practices (GMPs), good clinical practices (GCPs), good laboratory practices (GLPs), good pharmacovigilance practices (GPVPs), good engineering practices (GEPs) and other quality guidelines in regulated industries such as food, drugs, medical devices and cosmetics.

IBM Cloud adheres to these standards and has implemented control frameworks integral to clients deploying regulated GxP workloads. These include ISO 9001 and ISO 27001 certifications, and functionality such as quality management systems.

IBM Cloud can deliver a secured, controlled global cloud using documented control of users, processes, data centers, suppliers, service management, change management, and incident response.

Read the white paper "Building GxP Regulated Systems on IBM Cloud" (PDF, 527 KB)

HIPAA

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI and e-PHI). Entities that are subject to HIPAA must implement a set of technical, administrative and physical controls which are designed to secure this protected health information. 

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products to manage or process PHI must enter into a Business Associate Agreement (BAA) with IBM.

To request the list of IBM Cloud services that are HIPAA-ready in addition to the ones listed below: Contact an IBM representative

Clients can build HIPAA-ready environments and applications using IBM Cloud. Read the guide (PDF, 1.7 MB).


IBM Cloud platform services ready for use with PHI and HIPAA (BAA required) include:

HIPAA logo

IBM Cloud Activity Tracker (via Mezmo)
IBM Cloud App ID
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for
Virtual Private Cloud
IBM Cloud Certificate Manager
IBM Cloud Databases for Datastax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Enterprise
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for MySQL
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis

IBM Cloud Data Engine
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud for VMware Solutions (Dedicated)
IBM Cloud Functions
IBM Cloud Hardware Security Module
IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect DBaaS for MongoDB
IBM Cloud Hyper Protect DBaaS for PostgreSQL
IBM Cloud Hyper Protect Virtual Servers
IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)

IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
IBM Cloud Virtual Private Cloud - VPN for VPC – Site-to-site gateway
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Server for VPC - Auto Scale for VPC
IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
IBM Cloud Virtual Servers
IBM Cloudant® Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud (Enterprise)
IBM Key Protect for IBM Cloud
IBM Log Analysis (via Mezmo)

HITRUST

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework, a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent, streamlined manner.

View the IBM Cloud infrastructure HITRUST letter of certification (PDF, 64 KB)

HITRUST logo

IBM Cloud platform services that support HITRUST include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers
IPSec VPN
SAP-Certified Cloud Infrastructure

ITAR

United States International Traffic in Arms Regulations (ITAR) controls the export of defense-related articles from the US. ITAR requires that no non-US person can have physical or logical access to the data stored in ITAR-compliant environments. 

IBM Cloud platform provides both federal and commercial offerings that support ITAR.

ITAR logo

IBM Cloud platform services that support ITAR include:


IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Virtual Servers
IPSec VPN
SAP-Certified Cloud Infrastructure
SSL VPN
 

PCI

To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). IBM is a Level 1 Service Provider for PCI DSS.

Contact an IBM representative to request a PCI DSS Attestation of Compliance (AOC) and/or a Service Responsibility Matrix (SRM) guide for any of the services listed below.

Clients can build PCI DSS compliant environments and applications using IBM Cloud. Read the guide (PDF, 2.3 MB).


IBM Cloud platform services with a PCI DSS AOC include:

PCI Logo

IBM Cloud Activity Tracker (via Mezmo)
IBM Cloud App ID
IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for Virtual Private Cloud
IBM Cloud Block Storage Snapshots for VPC
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Enterprise
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Direct Link
IBM Cloud File Storage

IBM Cloud Flow Logs for VPC
IBM Cloud for VMware Solutions (Dedicated)
IBM Cloud Hardware Security Module
IBM Cloud Internet Services Enterprise Package (via Cloudflare)
IBM Cloud Internet Services Enterprise Usage (via Cloudflare)
IBM Cloud Internet Services Standard (via Cloudflare)
IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
IBM Cloud Load Balancer
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Platform Public - IBM Cloud Identity and Access Management
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer

IBM Cloud Virtual Private Cloud – VPN for VPC – Site-to-site gateway
IBM Cloud Virtual Private Endpoint for VPC
IBM Cloud Virtual Servers
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Server for VPC - Auto Scale for VPC
IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
IBM Cloudant for IBM Cloud
IBM Cloudant on Transaction Engine
IBM Event Streams for IBM Cloud (Enterprise)
IBM Event Streams for IBM Cloud (Standard)
IBM Key Protect for IBM Cloud
IBM Log Analysis (via Mezmo)
IPSec VPN
SAP-Certified Cloud Infrastructure

SEC Rule 17a-4(f)

The United States Securities and Exchange Commission (SEC) is a government agency that enforces federal securities laws, proposes new regulations and regulates the security exchange. SEC Rule 17 CFR 240.17a-4(f) outlines electronic storage media, data retention, and preservation requirements for broker-dealer books and records.  This rule requires that broker-dealer records are stored in a manner that prevents the alteration or deletion of records for required retention periods.

Independent assessor Cohasset Associates has validated that IBM Cloud Object Storage, when Immutable Object Storage features are appropriately configured and applied, retains records in non-rewriteable, non-erasable format and meets the relevant storage requirements of SEC Rule 17a-4(f), Financial Industry Regulatory Authority (FINRA) Rule 4511 (c), and Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d).

View the Cohasset Associates SEC 17-a4(f) Assessment Report (PDF, 613 KB)

Resources

IBM has the cloud for smarter healthcare

IBM Cloud solutions help healthcare innovators thrive in a hybrid, multicloud world with advanced data security.

Security to safeguard and monitor your apps

Data security and privacy are critical to building solutions to manage PHI compliant with HIPAA on IBM Cloud.