Assign the appropriate classification and controls to information, data and assets categories. Apply appropriate access controls to restrict access on a business need-to-know basis.

Register and inventory assets. Establish an acceptable use policy for each asset or group of assets.

-Access Control Policy

Establish an Access Control Policy for every application or system that describes how to manage risks from user account management, access enforcement and monitoring, separation of duties, and remote access.

-User Access Management

Assign access rights based on a business need-to-know basis. Privileged access should be assigned carefully and with the least amount of privilege required. Revoke rights when there is no longer a business need for the employee or contractor to have the access. 

-Application and System Access Control

Use secure logon procedures to control access to applications and systems, including multi-factor authentication.

Use encryption based on risk criteria, such as information sensitivity or classification:

• To protect data in transit on public and private networks, and
• How data is stored in applications or systems to mitigate threats.

Maintain operating procedures and make these available to relevant users. Operating procedures may include:

• Installation and configuration of applications and systems
• Startup and close-down procedures
• Authentication and authorization management
• Maintenance and backup procedures
• Information handling procedures, both automated and manual activities
• Problem determination and handling
• Logging and monitoring
• Communication with support and escalation contacts
• Security incident handling
• Security testing
• Vulnerability and patch management

Design and operate networks with the following objectives:

• To limit access to IBM networks to authorize parties.
• To be resilient when confronted with external threats such as intrusion and disruption.

Place infrastructure assets in controlled access areas, with the exception of those intended for public use.

Apply risk-based access controls, which may include locking or guarding areas to:

• Allow access only to authorized individuals
• Maintain physical security during power outages
• Maintain access logging

Evaluate suppliers based on their ability to meet business and security requirements. The supplier must demonstrate security and privacy practices, for example, through certifications or third-party attestations.

The IBM Cybersecurity Incident Response Team (CSIRT) is an internal team staffed with incident responders and forensic analysts. In-scope cybersecurity incidents include:

• A potential security breach of data or information technology assets and systems owned or managed by IBM.
• A potential compromise of customer data or information technology assets and systems when the incident might involve IBM personnel, systems, products, or services.

IBM's IT security management structure is influenced by several industry security standards and frameworks such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). IBM’s security policy and standards are reviewed regularly through a combination of frameworks, and assessment activities such as SOC 1, SOC 2, SOX, FedRAMP, HIPAA, and other internal and external audits, as appropriate.

- Security and Use Standards for IBM Personnel

IBM has established security and use standards for IBM personnel and their workstations and mobile devices used to conduct IBM business or that connect to the IBM internal network. The focus of these standards is to protect data and information technology assets from loss, modification, or destruction. IBM’s internal policies summarize the most critical steps employees must take to protect workstations and mobile devices. Further, the standards outline employee responsibilities for protecting IBM Confidential information and provide security and appropriate use requirements.

- Physical Security

IBM employees are provided with specific guidance intended to maintain the physical security of their workstations, mobile devices and work areas, and maintain security while traveling.

- Logical Security

Access management is required to protect information and systems at both individual and role-based levels. Passwords are expected to be changed regularly and comply with password complexity standards.

- Safe Use and Education

IBM employees receive guidance and education regarding the safe use of information technology assets. Further, IBM has implemented annual mandatory IT security education to help employees understand security risk and comply with IT policies. Employees also receive education on IBM’s Business Conduct Guidelines (BCGs). The BCGs require that IBM employees conduct business observing high ethical standards and in accordance with data security and confidentiality policies. Employees are expected to report illegal or unethical behavior. At the time of being hired and annually thereafter, IBM employees are required to read and agree to comply with the BCGs as a condition of employment.

- Incident Reporting

IBM maintains a globally accessible security incident reporting and mitigation system in which IT security and data incidents are reported. This report initiates a response from a 24x7x365 team of specifically trained and equipped employees who, working with the business teams and other subject matter experts as needed, will manage the incident until resolution.

IBM has a dedicated CISO whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes. The CISO is part of IBM’s Enterprise & Technology Security group, which works across all of the organizations within the Company to protect IBM, its brand and its customers against cybersecurity risks. Cybersecurity oversight consists of the Board and Audit Committee each receiving regular updates from senior management, including the CISO, as well as from cybersecurity experts in areas such as rapidly evolving cybersecurity threats, cybersecurity technologies and solutions deployed internally and with IBM customers, major cyber risks areas and policies and procedures to addresses those risks, and cybersecurity incidents.