IT Security Management Program

IBM has an enterprise-level, IT security management program, including policies, practices, controls, employee education, incident reporting, and reviews, that endeavors to mitigate the risk of loss and misuse of IBM critical information and help prevent the disruption of IBM's business operations.  The program takes a broad range of potential security risks into consideration such as, technological, human, and natural.  The program’s structure is influenced by several industry security standards and frameworks, such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). 

As IBM Chief Security Officer, I direct the company’s cybersecurity policy and oversee the governance, compliance and efficacy of our security controls. The CISO mission is to provide IBMers world class tools, services, and education to strengthen IBM's cyber security posture, protecting IBM and IBM customer data.

Koos Lodewijkx, VP, IBM Chief Information Security Officer

Security Principles for Protecting Our Enterprise

Data and Asset Classification and Protection

Assign the appropriate classification and controls to information, data and assets categories. Apply appropriate access controls to restrict access on a business need-to-know basis.

Asset Management

Register and inventory assets. Establish an acceptable use policy for each asset or group of assets.

Access Control

-Access Control Policy

Establish an Access Control Policy for every application or system that describes how to manage risks from user account management, access enforcement and monitoring, separation of duties, and remote access.

-User Access Management

Assign access rights based on a business need-to-know basis. Privileged access should be assigned carefully and with the least amount of privilege required. Revoke rights when there is no longer a business need for the employee or contractor to have the access. 

-Application and System Access Control

Use secure logon procedures to control access to applications and systems, including multi-factor authentication.

Use of Encryption

Use encryption based on risk criteria, such as information sensitivity or classification:

  • To protect data in transit on public and private networks, and
  • How data is stored in applications or systems to mitigate threats.

Operations Security

Maintain operating procedures and make these available to relevant users. Operating procedures may include:

  • Installation and configuration of applications and systems
  • Startup and close-down procedures
  • Authentication and authorization management
  • Maintenance and backup procedures
  • Information handling procedures, both automated and manual activities
  • Problem determination and handling
  • Logging and monitoring
  • Communication with support and escalation contacts
  • Security incident handling
  • Security testing
  • Vulnerability and patch management

Network Security

Design and operate networks with the following objectives:

  • To limit access to IBM networks to authorize parties.
  • To be resilient when confronted with external threats such as intrusion and disruption.

Physical and Environmental Security

Place infrastructure assets in controlled access areas, with the exception of those intended for public use.

Apply risk-based access controls, which may include locking or guarding areas to:

  • Allow access only to authorized individuals
  • Maintain physical security during power outages
  • Maintain access logging

Supplier Management

Evaluate suppliers based on their ability to meet business and security requirements. The supplier must demonstrate security and privacy practices, for example, through certifications or third-party attestations.

Security Incidents

The IBM Cybersecurity Incident Response Team (CSIRT) is an internal team staffed with incident responders and forensic analysts. In-scope cybersecurity incidents include:

  • A potential security breach of data or information technology assets and systems owned or managed by IBM.
  • A potential compromise of customer data or information technology assets and systems when the incident might involve IBM personnel, systems, products, or services.

Compliance and Certifications

IBM's IT security management structure is influenced by several industry security standards and frameworks such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). IBM’s security policy and standards are reviewed regularly through a combination of frameworks, and assessment activities such as SOC 1, SOC 2, SOX, FedRAMP, HIPAA, and other internal and external audits, as appropriate.

Security and Use Standards for IBM Personnel

- Security and Use Standards for IBM Personnel

IBM has established security and use standards for IBM personnel and their workstations and mobile devices used to conduct IBM business or that connect to the IBM internal network. The focus of these standards is to protect data and information technology assets from loss, modification, or destruction. IBM’s internal policies summarize the most critical steps employees must take to protect workstations and mobile devices. Further, the standards outline employee responsibilities for protecting IBM Confidential information and provide security and appropriate use requirements.

- Physical Security

IBM employees are provided with specific guidance intended to maintain the physical security of their workstations, mobile devices and work areas, and maintain security while traveling.

- Logical Security

Access management is required to protect information and systems at both individual and role-based levels. Passwords are expected to be changed regularly and comply with password complexity standards.

- Safe Use and Education

IBM employees receive guidance and education regarding the safe use of information technology assets. Further, IBM has implemented annual mandatory IT security education to help employees understand security risk and comply with IT policies. Employees also receive education on IBM’s Business Conduct Guidelines (BCGs). The BCGs require that IBM employees conduct business observing high ethical standards and in accordance with data security and confidentiality policies. Employees are expected to report illegal or unethical behavior. At the time of being hired and annually thereafter, IBM employees are required to read and agree to comply with the BCGs as a condition of employment.

- Incident Reporting

IBM maintains a globally accessible security incident reporting and mitigation system in which IT security and data incidents are reported. This report initiates a response from a 24x7x365 team of specifically trained and equipped employees who, working with the business teams and other subject matter experts as needed, will manage the incident until resolution.

Organization and Governance

IBM has a dedicated CISO whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes. The CISO is part of IBM’s Enterprise & Technology Security group, which works across all of the organizations within the Company to protect IBM, its brand and its customers against cybersecurity risks. Cybersecurity oversight consists of the Board and Audit Committee each receiving regular updates from senior management, including the CISO, as well as from cybersecurity experts in areas such as rapidly evolving cybersecurity threats, cybersecurity technologies and solutions deployed internally and with IBM customers, major cyber risks areas and policies and procedures to addresses those risks, and cybersecurity incidents.

Securing IBM Products

IBM Security and Privacy by Design (SPbD@IBM)

Designing security and privacy into the core of IBM products.

IBM Security Vulnerability Management

Comprehensively addressing security vulnerabilities in IBM products and websites.

Protect your business and data

IBM Security

IBM Cloud Security

IBM Z for Enterprise Security


This webpage describes IBM’s security management program objectives for IBM’s internal operations.  Security of IBM commercial products are described in the terms and conditions associated with those specific products and services.  Services dedicated to a single IBM customer are governed by requirements established by contract with the customer. The information is provided “as-is” and for informational purposes only and must not be included in any contracts or agreements.  IBM may modify the information contained on this webpage from time to time at IBM’s sole discretion without prior notice and such modifications will supersede prior versions.