IBM Blueworks Live security policy
This topic describes the security policy followed by IBM Blueworks Live.
- Development and engineering standards
IBM Blueworks Live development is done in accordance with the IBM® secure engineering framework to ensure that security is embedded throughout the software development lifecycle.
- Privacy and security policies
IBM maintains privacy and security policies that are published and communicated to IBM employees through IBM's intranet site. Employees are required to re-certify annually.
IBM and its data center host each require privacy and security education training for individuals who support the data center where Blueworks Live is hosted.
Blueworks Live security policies and standards are re-evaluated annually to ensure they remain effective and up to date.
- Incident management and business continuity
Blueworks Live security incidents are handled in accordance with the incident response management program of the data center where Blueworks Live is hosted.
Blueworks Live has a documented Disaster Recovery response plan and incident management plan to ensure business continuity and effective response to emergencies.
Business Continuity and Disaster Recovery testing is performed yearly against the following objectives:
- Recovery Point Objective (RPO): 24 hours (the maximum acceptable period of data loss, measured back from the point of failure)
- Recovery Time Objective (RTO): 24 hours (the maximum acceptable amount of time for the system to be unavailable)
- Backups (local and remote) are performed nightly
Note: There is no warranty for RPO / RTO.
In the event of a disaster where the primary data center location becomes unavailable, Blueworks Live would be recovered from backup to another data center in the same geography, so that it remains compliant with applicable laws.
- Capacity management
Monitoring tools are used both proactively and reactively. Defined thresholds are used to identify any needed updates to resource allocations as new releases are deployed.
- Key management
Blueworks Live maintains documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use. Blueworks Live does not hold any customer-owned keys.
- Multi-tenant architecture
Blueworks Live ensures tenant data isolation through logical segmentation at the database level, where each tenant's data, settings, and users are securely isolated. Access is strictly controlled by using role-based permissions, which ensures that only authenticated and authorized users or services can interact with tenant data. All data is encrypted at the infrastructure level to maintain security.
- Security audits and penetration testing
Blueworks Live undergoes annual security audits and penetration tests. Penetration testing, or pen testing, is the practice of testing a computer system, network, or web application for security vulnerabilities that an attacker might exploit.
Blueworks Live also allows customers to perform their own penetration testing and security assessments against its public URLs, but this requires coordination with support to reduce the risk that the IP addresses used for testing are blocked.
To request a penetration test, open a support ticket through the Blueworks Live support portal. For more information, see IBM Trust Center.