Security
Client security concerns
- If a customer suspects a cybersecurity issue with their system, the client must open a Severity 1 case containing as much detail as possible. Please refer to the page How To Create A Case.
Client security questionnaires
- Before submitting questionnaires, IBMers and clients should first refer to the security information, links, and certifications that are available on this page.
- Existing Maximo® or TRIRIGA® SaaS customers who need a security questionnaire or assessment completed should submit a case to the IBM® Support Community Portal and attach the document or link. The case is routed to the proper IBM SRE security resource for review and completion.
- A 2-3 week turnaround time is required for the IBM security team to respond to client-provided security forms or questionnaires; more time may be required if Watson IoT® Security team review is also needed.
Security management
- IBM maintains and follows standard mandatory employment verification requirements for all hires. In accordance with IBM internal process and procedures, these requirements are periodically reviewed and include, but may not be limited to, criminal background check, proof of identity validation, and additional checks as deemed necessary by IBM.
- All IBMers are required to complete mandatory cybersecurity and Privacy training annually.
- All IBMers are required to complete GDPR training annually.
- All IBMers are required to complete mandatory Business Conduct Guidelines training annually.
- Only IBM SRE personnel are permitted access to customer Maximo and TRIRIGA SaaS systems.
- IBM SRE personnel are required to use privileged access workstations to connect to and work with customers' IBM SaaS systems. These workstations meet IBM's highest and most stringent security guidelines.
- IBM SRE personnel who are granted O/S or console-level access to customer Maximo or TRIRIGA SaaS servers are required to use multi-factor authentication. Unique 2048-bit SSH keys are issued to each IBM user in order to connect to the IBM Cloud® VPN. Phone-based authentication by using PIN® is also required each time an IBMer connects. These authentication factors are maintained, managed, and issued by IBM Cloud Security and the SRE Environment Operations Manager.
- IBM's internal network prevents employees from accessing malicious websites by using Symantec Bluecoat and ProofPoint Targeted Attack Protection (TAP).
- IBM SRE personnel access credentials are role-based and managed by using an IBM internal access management system.
- Access is based on job duties (least privilege principle) in accordance with IBM IT Security Policy. The IBM SRE security team performs the following processes to help ensure that only those individuals who require access to systems have it, and that the right privileges are in place:
  - Every quarter, a separation of duties review is performed by the SRE management team to ensure that no one individual has a conflict of roles without adequate safeguards being in place.
  - Every quarter, a review of user access is performed to ensure that existing users and privileges are still required.
  - A defined process is in place to help ensure that individuals who leave the IBM SRE team, even for other areas within IBM, have their user ID and privileges revoked.
- IBM SRE security performs proactive management and deployment of patches, updates and fixes to the Application, Middleware, Database and O/S layers via a planned maintenance and outage calendar.
- Activity logging and auditing on IBM SaaS systems is monitored for suspicious activity by using IBM's QRadar® SIEM (Security Information and Event Management) system. O/S activity is logged to the SIEM and monitored 24/7 by the IBM Cloud Security Operations Center (CloudSOC).
- Security impact analysis is part of the SRE change management process. Once a potential change to a customer's Maximo or TRIRIGA SaaS environment is identified, the change approver reviews the proposed change for potential security impacts. The change approver involves members of the SRE Security team, who provide review guidance and advisory support for changes that may have a security impact.
- The IBM SRE team conducts an annual risk assessment as part of the ISO 27001 recertification process. The assessment provides a consistent approach to risk management and prioritizes and directs the security team's risk management activities.
- IBM SRE security employs a defense-in-depth (DiD) strategy for boundary protection that includes firewalls and encrypted communications for remote connectivity to the environment. All communications that cross this boundary are controlled and monitored.
- All IBM Maximo and TRIRIGA SaaS environments are configured for anti-malware (anti-virus) protection and Endpoint Detection and Response (EDR) technology with associated telemetry. Status and alerts are monitored continuously.
- IBM Trust Center - Enterprise IT Security and Trust: https://www.ibm.com/trust/security
Customer access
- Maximo and TRIRIGA SaaS are public internet-based offerings. Customers connect to IBM Cloud using HTTPS encryption over the internet.
- There is no direct link, peering or private cloud option available for Maximo or TRIRIGA SaaS offerings.
- Every IBM SRE customer is provisioned on single tenant, separate, dedicated servers (virtual or bare metal) that only the customer (and IBM) can access.
- All IBM SRE Maximo and TRIRIGA SaaS customers use HTTPS (SSL) 256-bit encryption at the browser level to access IBM-hosted applications. Connections are SHA-2 and TLS v1.2 compatible.
- IBM obtains and implements externally facing SSL certificates from a trusted Certificate Authority (CA).
- All databases (IBM Db2®, Oracle) use native AES-256 encryption (data is encrypted at rest).
The following link describes IBM Db2 native encryption:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0061758.html
Penetration and vulnerability testing
- IBM’s Product Transformation Center (PTC) conducts “black box” penetration testing on Maximo and TRIRIGA SaaS annually. An executive summary report can be provided to customers on a per-request basis.
A signed IBM AECI (Agreement for Exchange of Confidential Information) or NDA (nondisclosure agreement) must be in place to share this report.
IBM's AECI can be found at the following link under Document Type > Standard Agreements: https://www.ibm.com/support/customer/csol/terms/
- IBM performs external and internal vulnerability scanning and subsequent remediation in all Maximo and TRIRIGA SaaS environments on a quarterly basis per IBM IT Security Standards (ITSS). This includes Operating System, Middleware, Application, and TCP/IP vulnerability scanning.
- Vulnerabilities are assigned individual vulnerability ratings and exploitation categories (Critical, High, Medium, or Low). These ratings determine the IBM-mandated time frame within which the vulnerability must be remediated and resolved.
- Vulnerability scanning results and logs are considered IBM Confidential Information and are not disclosed to customers or prospects.
- IBM does not permit external penetration tests on MAS offerings for security and compliance reasons. However, IBM can provide comprehensive penetration test reports conducted by IBM’s Product Transformation Center (PTC). These reports are thorough and should address the objectives and concerns of external parties, ensuring they have a clear understanding of IBM MAS system security posture and the measures we have in place to safeguard our offerings. Failure to properly notify IBM of such testing may result in your environment being disconnected from the network, or IPs being blocked as such activity may be recognized as malicious. Also, any unauthorized testing resulting in potential findings may require an extended time frame for analysis as this was not properly communicated.
- To request the Penetration Test Executive Summary, go to https://w3.ibm.com/w3publisher/ssw-grc/asr/penetration-test-summary-reports and select the Report Request button.
- SQL Injection - see FAQ link below regarding how Maximo protects against SQL injection:
Security services
IBM SRE provides the following security and system access services. These services are included as part of the IBM SaaS subscription:
- Setup of SSL certificates and DNS registration. This is standard by default and allows secure, browser-based HTTPS (encrypted) access for Maximo and TRIRIGA users.
- Configuration of secure FTP (SFTP) access. Setup of SFTP is optional and is typically used to support file-based integrations and file transfers to/from client sites or other external systems. SFTP can also be used to view Maximo or TRIRIGA Application Server log files (read only). All SFTP accounts require use of unique private keys that are issued by IBM.
- Setup of an IPsec Virtual Private Network (VPN) between client locations and IBM Cloud data center(s). VPN setup is optional and is typically used to provide the following:
  - Direct read-only access to IBM on Cloud databases.
  - Support for integrations that cannot use HTTPS or SFTP (such as JDBC).
  - Maximo LDAP authentication.
- Setup and configuration of SSO (via SAML or OpenID) for both Maximo and TRIRIGA with the customer's Identity Provider (IdP). LDAP authentication is also supported (Maximo only). SSO configuration is optional, but is included as part of the IBM on Cloud subscription.
Compliance - IBM Cloud (Infrastructure)
- Maximo and TRIRIGA SaaS offerings run exclusively on IBM Cloud infrastructure (IaaS).
- All SRE customer environments are managed to IBM IT Security Standards (ITSS) defined by IBM’s Chief Information Security Officer (CISO). This includes vulnerability scanning and subsequent remediation.
- IBM Cloud holds ISO-27001, 27017 and 27018 certifications and can provide SOC 1, 2 and 3 reports to customers.
- ISO Reports are considered IBM confidential and are not provided. An ISO 27001 SOA (Statement of Applicability) for IBM Cloud can be provided on a per-request basis (as detailed below). This document states ISO 27001 controls and policies that have been applied.
- IBM Cloud (IaaS) ISO certificates:
ISO-27001:2013 - https://www.ibm.com/downloads/cas/KDMPXMKA
ISO-27017:2015 - https://www.ibm.com/downloads/cas/GLL9ZBZX
ISO-27018:2019 - https://www.ibm.com/downloads/cas/DNM7GMKY
- IBM Enterprise & Technology Security ISO certificates:
ISO 27017: 2015 - https://www.ibm.com/downloads/cas/QV8Q6ZVY
ISO 27018: 2019 - https://www.ibm.com/downloads/cas/BKGPEYLQ
ISO 27701: 2019 - https://www.ibm.com/downloads/cas/X42E0VBD
- There are 3 different SOC reports, prepared by external auditors, that attest that IBM Cloud has the appropriate security and compliance, financial, and operational controls and procedures in place:
  - SOC 3: The SOC 3 report is publicly available and can be downloaded here: https://www.ibm.com/downloads/cas/MVN9G536
  - SOC 2: The SOC 2 report is intended for both current and prospective clients. It outlines IBM Cloud's policies and processes regarding security and compliance in our data centers. A member of the IBM SRE team can request this report on behalf of an IBM Salesperson for their customer or prospect.
  - SOC 1: The SOC 1 Type II (SSAE 18) report outlines an organization's internal control over financial reporting. This is a controlled-distribution report that is managed by IBM Cloud compliance for business controls purposes. The SOC 1 report is intended for current IBM Cloud clients and/or their compliance auditors only and can be requested by IBM. SOC 1 reports are not available if a client is currently a prospect. A member of the IBM SRE team can request this report on behalf of an IBM Salesperson for their customer.
- The following information is required for SRE to send a SOC 1, SOC 2, or ISO 27001 SOA report:
  - Type of report requested (SOC 1 or SOC 2)
  - Company name
  - Requester first name
  - Requester last name
  - Requester title
  - Email
  - Reason for request
  Once the request is submitted by the SRE team, the customer who is identified as the requester receives an email from trust_and_assurance@wwpdl.vnet.ibm.com through which they can download the SOC 1 or SOC 2 report.
- IBM Cloud data centers are not Tier certified, but are built to Uptime Tier 3 specifications.
- Additional SOC compliance information can be found here:
https://w3.ibm.com/w3publisher/ssw-grc (internal to IBM information only)
- Additional IBM Cloud compliance and reports information can be found here:
CSAE 3416 or ISAE 3402
- An SSAE 18 report is available. SSAE 18 is a U.S. standard for evaluating and reporting on controls at service organizations; it provides assurance similar to the Canadian CSAE 3416 and the international ISAE 3402 standards. However, IBM does not have CSAE 3416 or ISAE 3402 reports.
Compliance - IBM Maximo and TRIRIGA SaaS Offerings
- IBM Maximo and TRIRIGA SaaS environments are ISO-27001 certified. This certificate is publicly available and can be viewed / downloaded via the following link.
ISO-27001:
- Industry and Regulatory Compliance
Details regarding specific Industry and Regulatory compliance can be found in the IBM Enterprise & Technology Security Community (this is accessible to IBMers only).
- All IBM Maximo and TRIRIGA SaaS servers are hardened by using Center for Internet Security (CIS) Benchmarks. For further details, visit: https://www.cisecurity.org/cis-benchmarks/.
- An IBM SaaS-wide central health checking service is used to automatically maintain baseline (hardened) configurations of systems against standard IBM policy.
- IBM Maximo and TRIRIGA SaaS development follow IBM Secure Engineering practices for application development. IBM Secure Engineering is outlined publicly at the following link: https://www.ibm.com/security/secure-engineering/index.html.
- IBM Maximo and TRIRIGA developers are required to follow secure coding practices, and complete education in the SANS top 25 and OWASP top 10. In addition, static (source) and web application scanning by using IBM (HCL) AppScan product suite must be performed. These products check for SANS Top 25 and OWASP top 10 issues. Any vulnerabilities that are found by these scans must be resolved before product release or submitted through IBM's Product Security Incident Response Team (PSIRT) process for resolution via defect (IBM Authorized Program Analysis Report or APAR).
- IBM Maximo and TRIRIGA development uses Rational® Team Concert® for development (management of tasks, stories, epics, version control, test management, and so on), Selenium and TestNG for test automation, Jenkins for deployment automation, and Rational Performance Tester (RPT) for performance load testing.
- IBM Maximo Software Development Life Cycle (SDLC):
https://www.ibm.com/support/pages/ibm-maximo-software-development-life-cycle.
IRAP assessment for IBM Cloud
- TRIRIGA SaaS is provisioned in IBM Cloud, which was validated by an IRAP assessment completed in 2023.
CSA STAR Assurance Level
TRIRIGA SaaS is included as part of CSA STAR Level 2. CSA STAR Level 2 is based on the CISO ISO 27k program, and therefore the CSA certification includes everything that is in that ISO program.
For more information, see https://cloudsecurityalliance.org/star/registry/ibm-cloud/
Data security and privacy (DS&P)
- Maximo application logging, when configured with certain verbose options, can gather extensive information. This logging might include Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). This information is generated and stored in plain-text files on the application server, and these logs are often made available to the customer upon request via SFTP. Application administration, including the logging configuration, is the responsibility of the customer, and it is highly recommended that logging of PII/SPI not be configured unless required. The following document describes how to configure logs to exclude any data that is classified as PII or SPI:
- IBM Data Security and Privacy Principles for IBM Cloud services can be found at the following link:
https://www.ibm.com/support/customer/csol/terms/?cat=data-security
- IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services can be found below. This is applicable to EU-US and Swiss-US customers:
https://www.ibm.com/privacy/details/us/en/privacy_shield.html
- Data Responsibility at IBM: https://www.ibm.com/blogs/policy/dataresponsibility-at-ibm/
If a government wants access to data held by IBM on behalf of a SaaS client, IBM would expect that government to deal directly with that client.
- Personal Data: see the IBM Software Product Compatibility Reports below for details on personal data processing and protection.
- Maximo SaaS:
- TRIRIGA SaaS:
- Data Processing Addendum (GDPR)
Data privacy and subject rights
- IBM Privacy Statement
IBM's Privacy Statement describes IBM's general privacy practices and the subject rights that apply to personal information. For complete statement details, click the following link.
- Right to Lodge a Complaint
If a client or customer considers our processing of personal information not to be compliant with applicable data protection laws, a complaint can be submitted directly with IBM by using the form in the following link.
NIST
- IBM Maximo and TRIRIGA SaaS (commercial public offerings) follow NIST guidelines and assess against NIST controls, but claim no specific NIST compliance(s).
Data leakage prevention / data loss prevention (DLP)
- IBM SRE does not use DLP monitoring. Access controls are implemented on all databases, restricting access to privileged users only. Database auditing is enabled and logs are retained for 365 days. Customers configure and manage the data that their users can view, update, and export within the Maximo and TRIRIGA applications, and determine which of their users are permitted direct read-only access to their database(s).
- IBM purchases Professional Errors and Omissions including cyber risk insurance (see below) for IBM's liability arising out of actual or alleged breach of duty, neglect, error, misstatement, misleading statements, or omission committed in the conduct of IBM’s professional services. This includes coverage for loss of intangible property, such as customer data, due to IBM’s negligence. This coverage is global in scope. The PE&O Policy itself is IBM Confidential information.
Encryption keys
- All encryption keys are managed internally by the IBM SRE team, except those for SFTP and OpenVPN accounts, which are provided to end customer(s). IBM SRE follows an established Key Lifecycle Management Security Policy that is compliant with ITSS (IBM Corporate) requirements and ISO standards 27001, 27017, and 27018. Key access is granted via a dedicated access control group that is accessible only to the SRE system admin and database admin teams. A segregation of duties procedure is in place and monitored internally; specifics of the key management policy and procedures are IBM Confidential.
DDoS protection
- IBM Cloud provides DDoS (Distributed Denial of Service) protection for its environment, which is designed to protect the entire network. IBM Cloud uses automated DDoS mitigation controls and an in-house Network Operations Center (NOC) team to monitor network performance and security 24 x 7.
Media sanitization
- IBM securely sanitizes physical media that are intended for reuse before such reuse, and destroys physical media that are not intended for reuse, consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines for media sanitization (see the link below).
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Cyber insurance
- IBM carries standard cyber risk insurance under its Professional Errors & Omissions policy. PE&O insurance provides coverage for actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission, solely for acts or omissions committed by IBM in providing professional services to our client(s). Coverage includes network security, unauthorized access, unauthorized use, receipt, or transmission of a malicious code, denial of service attack, unauthorized disclosure or misappropriation of private information, privacy liability, notification costs, credit card monitoring, and fine and penalties incurred by the customer.
Regulated content
- IBM Maximo and TRIRIGA SaaS offerings are not intended to host government-regulated content. See the Cloud Services Agreement (link below), Section 2c, for details.
Clock synchronization
- All customer Maximo EAM SaaS Flex and TRIRIGA SaaS Flex Application and Database servers use IBM Cloud's internal NTP service as a single reference time source for information system processing clocks and security domains.
- Customers are responsible for synchronizing their local environments (workstations, on-premise servers) with an authoritative time source.
Terms of use
- General Terms of Use for IBM Cloud Offerings:
https://www.ibm.com/software/sla/sladb.nsf/sla/tou-gen-terms
Cloud Service Agreement
- IBM Cloud Services Agreement (CSA)