IBM Enterprise IT Security
IBM’s internal IT security management program demonstrates the principles to help protect our enterprise.
Data and Asset Classification and Protection
Assign the appropriate classification and controls to information, data and assets categories. Apply appropriate access controls to restrict access on a business need-to-know basis.
Asset Management
Register and inventory assets. Establish an acceptable use policy for each asset or group of assets.
Access Control
- Access Control Policy
Establish an Access Control Policy for every application or system that describes how to manage risks from user account management, access enforcement and monitoring, separation of duties, and remote access.
- User Access Management
Assign access rights based on a business need-to-know basis. Privileged access should be assigned carefully and with the least amount of privilege required. Revoke rights when there is no longer a business need for the employee or contractor to have the access.
- Application and System Access Control
Use secure logon procedures to control access to applications and systems, including multi-factor authentication.
Use of Encryption
Use encryption based on risk criteria, such as information sensitivity or classification:
- To protect data in transit on public and private networks, and
- To protect data stored in applications or systems, in order to mitigate threats.
Operations Security
Maintain operating procedures and make these available to relevant users. Operating procedures may include:
- Installation and configuration of applications and systems
- Startup and close-down procedures
- Authentication and authorization management
- Maintenance and backup procedures
- Information handling procedures, both automated and manual activities
- Problem determination and handling
- Logging and monitoring
- Communication with support and escalation contacts
- Security incident handling
- Security testing
- Vulnerability and patch management
Network Security
Design and operate networks with the following objectives:
- To limit access to IBM networks to authorized parties.
- To be resilient when confronted with external threats such as intrusion and disruption.
Physical and Environmental Security
Place infrastructure assets in controlled access areas, with the exception of those intended for public use.
Apply risk-based access controls, which may include locking or guarding areas to:
- Allow access only to authorized individuals
- Maintain physical security during power outages
- Maintain access logging
Supplier Management
Evaluate suppliers based on their ability to meet business and security requirements. The supplier must demonstrate security and privacy practices, for example, through certifications or third-party attestations.
Security Incidents
The IBM Cybersecurity Incident Response Team (CSIRT) is an internal team staffed with incident responders and forensic analysts. In-scope cybersecurity incidents include:
- A potential security breach of data or information technology assets and systems owned or managed by IBM.
- A potential compromise of customer data or information technology assets and systems when the incident might involve IBM personnel, systems, products, or services.
Compliance and Certifications
IBM's IT security management structure is influenced by several industry security standards and frameworks such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). IBM’s security policy and standards are reviewed regularly through a combination of frameworks, and assessment activities such as SOC 1, SOC 2, SOX, FedRAMP, HIPAA, and other internal and external audits, as appropriate.
Security and Use Standards for IBM Personnel
- Security and Use Standards for IBM Personnel
IBM has established security and use standards for IBM personnel and their workstations and mobile devices used to conduct IBM business or that connect to the IBM internal network. The focus of these standards is to protect data and information technology assets from loss, modification, or destruction. IBM’s internal policies summarize the most critical steps employees must take to protect workstations and mobile devices. Further, the standards outline employee responsibilities for protecting IBM Confidential information and provide security and appropriate use requirements.
- Physical Security
IBM employees are provided with specific guidance intended to maintain the physical security of their workstations, mobile devices and work areas, and maintain security while traveling.
- Logical Security
Access management is required to protect information and systems at both individual and role-based levels. Passwords are expected to be changed regularly and comply with password complexity standards.
- Safe Use and Education
IBM employees receive guidance and education regarding the safe use of information technology assets. Further, IBM has implemented annual mandatory IT security education to help employees understand security risk and comply with IT policies. Employees also receive education on IBM’s Business Conduct Guidelines (BCGs). The BCGs require that IBM employees conduct business observing high ethical standards and in accordance with data security and confidentiality policies. Employees are expected to report illegal or unethical behavior. At the time of being hired and annually thereafter, IBM employees are required to read and agree to comply with the BCGs as a condition of employment.
- Incident Reporting
IBM maintains a globally accessible security incident reporting and mitigation system in which IT security and data incidents are reported. This report initiates a response from a 24x7x365 team of specifically trained and equipped employees who, working with the business teams and other subject matter experts as needed, will manage the incident until resolution.
Organization and Governance
IBM has a dedicated CISO whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes. The CISO is part of IBM’s Enterprise & Technology Security group, which works across all of the organizations within the Company to protect IBM, its brand and its customers against cybersecurity risks. Cybersecurity oversight consists of the Board and Audit Committee each receiving regular updates from senior management, including the CISO, as well as from cybersecurity experts, in areas such as rapidly evolving cybersecurity threats, cybersecurity technologies and solutions deployed internally and with IBM customers, major cyber risk areas and the policies and procedures to address those risks, and cybersecurity incidents.
IBM Security and Privacy by Design (SPbD@IBM)
Designing security and privacy into the core of IBM products.
IBM Security Vulnerability Management
Comprehensively addressing security vulnerabilities in IBM products.
This webpage describes IBM’s security management program objectives for IBM’s internal operations. Security of IBM commercial products is described in the terms and conditions associated with those specific products and services. Services dedicated to a single IBM customer are governed by requirements established by contract with the customer. The information is provided “as-is” and for informational purposes only and must not be included in any contracts or agreements. IBM may modify the information contained on this webpage from time to time at IBM’s sole discretion without prior notice, and such modifications will supersede prior versions.