About IBM Cloud industry compliance programs

Industry compliance regulations impose additional requirements on organizations handling sensitive data, or those that engage in certain types of commerce. IBM Cloud® infrastructure and Platform-as-a-Service (PaaS) offerings can help your organization meet sector-specific compliance requirements with services that support key industry programs.

FFIEC

To address emerging threats, the US Federal Financial Institutions Examination Council (FFIEC) requires financial organizations to continuously perform risk assessments, adjust control mechanisms as indicated, and implement a layered approach to security. IBM Cloud infrastructure services identify the controls that are required to meet the FFIEC guidance, identify and address emerging threats, and apply layered security to prevent client fraud.

FISC

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance to conduct research on topics that are related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

GxP

GxP refers to the collective set of globally accepted good practices with respect to quality. This includes good manufacturing practices (GMPs), good clinical practices (GCPs), good laboratory practices (GLPs), good pharmacovigilance practices (GPVPs), good engineering practices (GEPs) and other quality guidelines in regulated industries such as food, drugs, medical devices and cosmetics.

IBM Cloud adheres to these standards and has implemented control frameworks integral to clients deploying regulated GxP workloads. These include ISO 9001 and ISO 27001 certifications, and functionality such as quality management systems.

IBM Cloud can deliver a secured, controlled global cloud using documented control of users, processes, data centers, suppliers, service management, change management, and incident response.

Read the white paper "Building GxP Regulated Systems on IBM Cloud" (PDF, 514 KB)

HIPAA

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI and e-PHI). Entities that are subject to HIPAA must implement a set of technical, administrative and physical controls which are designed to secure this protected health information. 

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products to manage or process PHI must enter into a Business Associate Agreement (BAA) with IBM.

To request the list of IBM Cloud services that are HIPAA-ready in addition to the ones listed below, contact an IBM representative.


IBM Cloud platform services ready for use with PHI and HIPAA (BAA required) include:

IBM Cloud Activity Tracker with LogDNA (via LogDNA)
IBM Cloud App ID
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud for VMware Solutions
IBM Cloud Foundry Enterprise Environment
IBM Cloud Functions
IBM Cloud Hardware Security Module
IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect DBaaS for MongoDB
IBM Cloud Hyper Protect DBaaS for PostgreSQL
IBM Cloud Hyper Protect Virtual Servers
IBM Cloud Kubernetes Service
IBM Cloud Kubernetes Service — Red Hat® OpenShift® Kubernetes Service
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud SQL Query
IBM Cloud Virtual Servers
IBM Cloudant® Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Key Protect for IBM Cloud
IBM Log Analysis with LogDNA (via LogDNA)
IBM Push Notifications for IBM Cloud

HITRUST

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework, a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent, streamlined manner.

View the IBM Cloud infrastructure HITRUST letter of certification (PDF, 256 KB)

IBM Cloud platform services that support HITRUST include:

IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

ITAR

The United States International Traffic in Arms Regulations (ITAR) control the export of defense-related articles from the US. ITAR requires that no non-US person have physical or logical access to the data stored in ITAR-compliant environments.

The IBM Cloud platform provides both federal and commercial offerings that support ITAR.

PCI

To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). IBM is a Level 1 Service Provider for PCI DSS.

To request the IBM Cloud infrastructure PCI DSS attestation of compliance (AOC), the Service Responsibility Matrix (SRM), or both, visit the client portal (link resides outside IBM).

To request the IBM PCI DSS AOC, the SRM, or both for all other cloud services, contact an IBM representative.

Clients can build PCI DSS compliant environments and applications using IBM Cloud. Read the guide (PDF, 2.2 MB).


IBM Cloud platform services with a PCI DSS AOC include:

IBM Cloud Activity Tracker with LogDNA (via LogDNA)
IBM Cloud App ID
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud for VMware Solutions
IBM Cloud Foundry Enterprise Environment
IBM Cloud Hardware Security Module
IBM Cloud Internet Services (using Cloudflare)
IBM Cloud Kubernetes Service — Red Hat OpenShift Kubernetes Service
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Platform - Public
IBM Cloud Virtual Servers
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Key Protect for IBM Cloud
IBM Log Analysis with LogDNA (via LogDNA)

Resources

IBM has the cloud for smarter healthcare

IBM Cloud solutions help healthcare innovators thrive in a hybrid, multicloud world with advanced data security.

Security to safeguard and monitor your apps

Data security and privacy are critical to building solutions to manage PHI compliant with HIPAA on IBM Cloud.