Details about security compliance

More detailed information about the security compliance of Db2 on Cloud is provided here.

HIPAA

The Db2 on Cloud managed service plans have implemented the required controls commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements.

The controls include appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164.

For information about how to order a HIPAA-ready Db2 managed service, contact your IBM® sales representative or send email to: CloudDigitalSales@us.ibm.com.

International Organization for Standardization (ISO)


Db2 on Cloud is certified, when provisioned on IBM Cloud®, under the International Organization for Standardization (ISO) 27001 and 27002 standards, which define the best practices for information security management processes. The ISO 27001:2013 standard specifies the requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS) and the requirements for implementing security controls, according to the needs of individual organizations. The ISO 27002:2013 standard explains each security control of ISO 27001 in detail. The ISO 27000 family of standards incorporates a process of scaling risk and valuation of assets, with the goal of safeguarding the confidentiality, integrity, and availability of written, oral, and electronic information.

Db2 managed services are audited by a third-party security firm and meet all of the requirements for ISO 27001:2013 certification. See: IBM Cloud ISO 27001:2013 Certificate of Registration.

Db2 on Cloud is also certified, when provisioned on IBM Cloud and Amazon Web Services (AWS), under the International Organization for Standardization (ISO) 27017 and 27018 standards. ISO 27017:2015 defines a code of practice for information security controls for cloud services based on ISO 27002 and provides controls and implementation guidance for both cloud service providers and cloud service customers. ISO 27018:2014 defines a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors and establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

To request a copy of the latest Db2 managed services ISO 27001, 27017, and 27018 certificates, contact your IBM representative: Connect with an IBM representative.

Service Organization Controls (SOC)

IBM provides the following Service Organization Control (SOC) report for Db2 managed services:
  • SOC 2 Type 2
The report evaluates IBM operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for services providers such as IBM Cloud to safeguard customer data and information.

Customers can request the report by contacting an IBM representative: Connect with an IBM representative.

Data security and privacy

For a summary of the data security and privacy measures that IBM implements for its cloud services, see: Cloud Services data security and privacy.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

Db2 on Cloud is certified, when provisioned on IBM Cloud, to comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.

For more information about the privacy shield frameworks, see: Privacy Shield: Framework.

Considerations for GDPR compliance

The GDPR seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, while imposing strict rules on those that are hosting and processing this data, anywhere in the world.

IBM is committed to providing our clients and IBM Business Partners with innovative data privacy, security, and governance solutions to assist them in their journey to GDPR readiness. Data and its protection are becoming increasingly important to individuals and society. Enterprises must earn the client’s trust in their ability to steward information.

IBM Cloud is agile and scalable with built-in data security and privacy services and solutions that can be consumed on premises or through public cloud. Our comprehensive data security platform helps safeguard sensitive data wherever it resides and provides a full range of data protection capabilities.

For more information about GDPR readiness at IBM, see:

Cryptographic standards

Db2 managed services use one or more of the following FIPS 140-2 approved cryptographic providers:
  • IBMJCEFIPS (certificate 376)
  • IBMJSSEFIPS (certificate 409)
  • IBM Crypto for C (ICC) (certificate 384) for cryptography

Db2 managed services are compliant with NIST SP 800-131A and provide enhanced and stronger cryptographic keys along with more robust algorithms. The certificates are listed on the NIST website: Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules.