- Security and Use Standards for IBM Personnel
IBM has established security and use standards for IBM personnel and for the workstations and mobile devices that are used to conduct IBM business or that connect to the IBM internal network. The focus of these standards is to protect data and information technology assets from loss, modification, or destruction. IBM’s internal policies summarize the most critical steps employees must take to protect workstations and mobile devices. Further, the standards outline employee responsibilities for protecting IBM Confidential information and provide security and appropriate use requirements.
- Physical Security
IBM employees are provided with specific guidance intended to maintain the physical security of their workstations, mobile devices and work areas, and maintain security while traveling.
- Logical Security
Access management is required to protect information and systems at both individual and role-based levels. Passwords are expected to be changed regularly and comply with password complexity standards.
- Safe Use and Education
IBM employees receive guidance and education regarding the safe use of information technology assets. Further, IBM has implemented annual mandatory IT security education to help employees understand security risk and comply with IT policies. Employees also receive education on IBM’s Business Conduct Guidelines (BCGs). The BCGs require that IBM employees conduct business observing high ethical standards and in accordance with data security and confidentiality policies. Employees are expected to report illegal or unethical behavior. At the time of being hired and annually thereafter, IBM employees are required to read and agree to comply with the BCGs as a condition of employment.
- Incident Reporting
IBM maintains a globally accessible security incident reporting and mitigation system in which IT security and data incidents are reported. A report initiates a response from a 24x7x365 team of specifically trained and equipped employees who, working with the business teams and other subject matter experts as needed, will manage the incident until resolution.