Compliance certifications
IBM Power Virtual Server in IBM data center
The IBM® Power® Virtual Server provides programs and certifications that help you establish and strengthen compliance for a wide range of internationally recognized standards.
ENS High
Power Virtual Server is Esquema Nacional de Seguridad (ENS) High certified. Spain’s National Security Framework is a set of basic principles and minimum requirements for information security and data protection established by the Spanish government. The ENS was established by Royal Decree 311/2022, of 3 May. That royal decree was intended to modernize Spain’s information security policy for both public sector agencies and private sector entities that provide services to the government agencies.
For more information about ENS High and the list of validated IBM Cloud services, see Esquema Nacional de Seguridad (ENS).
Protected B
The Canadian Centre for Cyber Security (CCCS) established the Government of Canada Cloud Service Provider (CSP) Information Technology Security (ITS) Assessment Program, a framework that is designed to evaluate the security of cloud services. The primary objective of this program is to assure the Government of Canada (GC) departments and agencies that cloud offerings meet the GC’s public cloud security requirements for handling information and services that are classified up to the Protected B level.
Federal government contracts contain clauses with security requirements. These requirements specify the levels of security needed to safeguard sensitive information, assets, and work sites. Protected B is one of the classified security levels that applies to information or assets that, if compromised, could cause serious injury to an individual, organization, or government. Systems that handle Protected B data must meet enhanced security controls, covering access management, encryption, incident response, and physical protection to ensure the confidentiality, integrity, and availability of the information. For more information about Protected B, see IBM Cloud® compliance: Protected B.
For more information about IBM Cloud Protected B Compliant services, see GC Cloud Framework Agreements catalogue.
ISMAP
The Information System Security Management and Assessment Program (ISMAP) is a Japanese government program to assess the security of public cloud service providers (CSPs). ISMAP approves independent third-party auditors who evaluate and register CSPs and their services to ensure they meet specific security requirements set by the Japanese government, enabling agency usage without the added burden and cost of agency-led assessments. Power Virtual Server is ISMAP compliant and is registered on the ISMAP website (the listing is in Japanese). The listing contains all Power Virtual Server ISMAP documents, which are available for download in the Japanese language. For more information about IBM Cloud® ISMAP compliance certification, see IBM Cloud® compliance: ISMAP.
HITRUST
The HITRUST CSF® is a framework for assessing and managing cybersecurity threats and safeguarding sensitive data such as protected health information (PHI). Power Virtual Server is HITRUST CSF® compliant. Contact an IBM representative to request HITRUST certification letters for Power Virtual Server with more detailed scope descriptions for IBM Cloud infrastructure services.
For more information, see What is HITRUST?
Financial Services® Validated
IBM designates IBM Cloud services as IBM Cloud for Financial Services Validated when the services are determined to materially implement the IBM Cloud framework for financial services control requirements.
For more information and the list of validated IBM Cloud services, see IBM Cloud® for Financial Services®.
SOC
The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information that is stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks that are associated with an outsourced service.
SOC 1 is an audit of the internal controls at a service organization that are implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
Contact an IBM representative to request the IBM public cloud (infrastructure, VPC, and PaaS) SOC reports.
The following SOC reports are available for Power Virtual Server:
- SOC 1 Type II
- SOC 2 Type II
ISO 27017:2015
The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based, and market relevant. The goal is to ensure that products and services are safe, reliable and of good quality.
The Power Virtual Server provides services that are delivered from global data centers that are a component of the IBM Cloud™ IaaS ISO certification. The ISO certification covers a family of four standards, as follows:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2019
- ISO/IEC 27701:2019
For more information, see IBM Cloud® compliance: ISO 27017 and Products in the scope of the IBM services information security management system (ISMS).
PCI-DSS
To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). IBM is a Level 1 Service Provider for PCI DSS.
You are responsible for the storage, processing, and transmission of cardholder data and might create cardholder data environments (CDEs) that store, transmit, or process cardholder data by using IBM Cloud Platform services. You can use the IBM Cloud Attestation of Compliance (AOC) when you seek your own PCI DSS certifications. It is your responsibility to document and operate CDEs and applications that are built by using IBM Cloud Platform services in a PCI DSS-compliant manner.
Contact an IBM representative to request a PCI DSS Attestation of Compliance (AOC) or a Service Responsibility Matrix (SRM) guide for Power Virtual Server.
You can build PCI-DSS compliant environments and applications by using IBM Cloud. For more information, see IBM Cloud PCI DSS Guidance.
HIPAA
The US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define standards for handling electronic healthcare transactions and information. Power Virtual Server on IBM Cloud is HIPAA-ready. You can build HIPAA-ready environments and applications by using Power Virtual Server. For more information, see IBM Cloud® compliance: HIPAA.
If your company is a covered entity as defined by HIPAA, you must enable the HIPAA Supported setting if you run sensitive workloads that are regulated under HIPAA and the HITECH Act. By using this setting, you can filter on HIPAA Enabled services in the catalog, indicate to IBM that your account stores protected health information (PHI), and digitally accept the IBM Business Associate Addendum for covered entities. For more information, see Enabling HIPAA support for your account.