About IBM Cloud industry compliance programs

Industry compliance regulations impose additional requirements on organizations handling sensitive data, or those that engage in certain types of commerce. IBM Cloud™ infrastructure and Platform-as-a-Service (PaaS) offerings can help your organization meet sector-specific compliance requirements with services that support key industry programs.

FFIEC

To address emerging threats, the US Federal Financial Institutions Examination Council (FFIEC) requires financial organizations to continuously perform risk assessments, adjust control mechanisms as indicated, and implement a layered approach to security. IBM Cloud infrastructure services identify the controls that are required to meet the FFIEC guidance, identify and address emerging threats, and apply layered security to prevent client fraud.

IBM Cloud platform services that support FFIEC include:

IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

FISC

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance to conduct research on topics that are related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

HIPAA

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI and e-PHI). Entities that are subject to HIPAA must implement a set of technical, administrative, and physical controls that are designed to secure this protected health information.

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products to manage or process PHI must enter into a Business Associate Agreement (BAA) with IBM.

To request the list of IBM Cloud services that are HIPAA-ready in addition to the ones listed below: Contact an IBM representative


IBM Cloud platform services ready for use with PHI and HIPAA (BAA required) include:

IBM Cloud App ID
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud for VMware Solutions
IBM Cloud Foundry Enterprise Environment
IBM Cloud Functions
IBM Cloud Hardware Security Module
IBM Cloud Kubernetes Service
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud SQL Query
IBM Cloud Virtual Servers
IBM Cloudant® Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Key Protect for IBM Cloud
IBM Push Notifications for IBM Cloud

HITRUST

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework, a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent, streamlined manner.

IBM Cloud platform services that support HITRUST include:

IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

ITAR

The United States International Traffic in Arms Regulations (ITAR) control the export of defense-related articles from the US. ITAR requires that no non-US person have physical or logical access to the data stored in ITAR-compliant environments.

The IBM Cloud platform provides both federal and commercial offerings that support ITAR.

PCI

To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA).

To request the IBM Cloud infrastructure PCI DSS attestation of compliance (AOC): Visit the client portal

To request the IBM PCI DSS AOC for all other cloud services: Contact an IBM representative

IBM Cloud platform services with a PCI DSS AOC include:

IBM Cloud App ID
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Foundry Enterprise Environment
IBM Cloud Hardware Security Module
IBM Cloud Internet Services (via Cloudflare)
IBM Cloud Kubernetes Service
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers
IBM Event Streams for IBM Cloud Enterprise
IBM Key Protect for IBM Cloud

Resources

IBM has the cloud for smarter healthcare

IBM Cloud solutions help healthcare innovators thrive in a hybrid, multicloud world with advanced data security.

Security to safeguard and monitor your apps

Data security and privacy are critical to building HIPAA-compliant solutions that manage PHI on IBM Cloud.

Building GxP regulated systems on IBM Cloud

IBM Cloud supports its clients’ compliance with regulatory and good practice requirements.