{:shortdesc: .shortdesc} {:screen: .screen} {:codeblock: .codeblock} {:pre: .pre} {:tip: .tip} {:note: .note} {:attention: .attention} {:external: target="_blank" .external}

{: #Security}

{: #client-security-concerns}

Should a customer suspect a Cyber Security issue with their system, client should open a Severity 1 case containing as much detail as possible.

{: #client-security-questionnaires}

Before submitting questionnaires, IBMers and clients should first refer to the security information, links and certifications that are available on this page. Existing customers who need a security questionnaire or assessment completed should submit a case to the IBM Support Community Portal and attach the document or link. This will be routed to the proper SRE security resource for review / completion. Please note there is a 2-3 week turnaround time required for the SRE security team to respond to client provided security forms or questionnaires; additional time may also be required for Watson IoT Security team review.

Although IBM will fill out security questionairres as above, client led audit of the MAS Dedicated offering is not supported or allowed. This includes onsite audit visits or performing validation tasks for individual clients. IBM will provide certifications as below only. {: note}

{: #security-management}

IBM maintains and follows standard mandatory employment verification requirements for all hires. In accordance with IBM internal process and procedures, these requirements are periodically reviewed and include, but may not be limited to, criminal background check, proof of identity validation, and additional checks as deemed necessary by IBM.

• All IBMers are required to complete mandatory Cyber Security & Privacy training annually

• All IBMers are required to complete GDPR training annually

• All IBMers are required to complete mandatory Business Conduct Guidelines training annually

• Only IBM Maximo Application Suite Dedicated Service personnel are permitted access to customer systems

• IBM Maximo Application Suite Dedicated Service personnel are required to use privileged access workstations to connect and work with our customer's IBM systems. These workstations meet IBM's highest and most stringent security guidelines.

IBM Maximo Application Suite Dedicated Service personnel who are granted O/S or console level access to customer servers are required to use multi-factor authentication. Unique 2048-bit ssh keys are issued to each IBM user in order to connect to the IBM Cloud VPN. Phone based authentication via PIN is also required each time an IBMer connects. These factoring mechanisms are maintained, managed and issued by IBM Cloud Security and the IBM Maximo Application Suite Dedicated Environment Operations Manager.

IBM's internal network prevents employees from accessing malicious websites using Symantec Bluecoat and ProofPoint Targeted Attack Protection (TAP).

IBM Maximo Application Suite Dedicated Service personal access credentials are role based and managed using an IBM internal access management system.

Access is based by job duties (least privilege principal) in accordance with IBM IT Security Policy. The IBM SRE security team performs the following processes to ensure only those individuals who require access to systems have it, and to ensure the right privileges are in place.

Every quarter, a separation of duties review is performed by the IBM Maximo Application Suite Dedicated Service management team to ensure no one individual has a conflict of roles without adequate safeguards beings in place.

Every quarter, a review of user access is performed to ensure existing users and privileges are still required.

A defined process is in place to ensure individuals who leave the IBM SRE team, even if to other areas within IBM, have their UserID and privileges revoked.

The IBM Maximo Application Suite Dedicated team performs proactive management and deployment of patches, updates and fixes to the Application, Middleware, Database and O/S layers via a planned Maintenance & Outage Calendar

IBM SRE team employs a defense in depth strategy (DiD) for boundary protection that includes firewalls and encrypted communications for remote connectivity to access the environment. All communications that cross this boundary are controlled and monitored.

The IBM Cloud network ports are protected with firewalls, which serve as intrusion detection (IDS) and intrusion prevention (IPS) agents. Details regarding on IBM Cloud intrusion detection management is IBM Confidential information and covered under IBM Cloud SOC2 compliance (see compliance section below).

All IBM Maximo environments are configured for Anti-Malware (Anti-Virus) protection and Endpoint Detection and Response (EDR) technology with associated telemetry. Status and alerts are monitored continuously.

IBM Trust Center - Enterprise IT Security and Trust: https://www.ibm.com/trust/security

Physical Security for IBM Cloud:

https://www.ibm.com/cloud/architecture/architectures/physical-security-arch/

On site customer visits to IBM Cloud data centers are not allowed for security reasons. Street address locations of data centers are not disclosed. This is in accordance to IBM's NIST guidelines and AICPA Trust Services criteria.

Physical Security for AWS Cloud:

https://aws.amazon.com/compliance/data-center/controls/

{: #customer-access}

IBM Maximo Application Suite Dedicated Service are public internet based offerings. Customers connect to IBM Cloud using HTTPS encryption over the internet.

There is no direct link, peering or private cloud option available for the IBM Maximo Application Suite Dedicated Service offering.

Every IBM Maximo Application Suite Dedicated customer environment is delivered in a single tenant instance of the application, running on the Openshift platform.

All IBM Maximo Application Suite Dedicated customers use HTTPS (SSL) encryption (256 bit) at the browser level to access IBM hosted applications. Connections are SHA-2 and TLS v1.2 compatible.

IBM obtains and implements externally facing SSL certificates from a trusted Certificate Authority (CA).

All databases use native AES-256 encryption (data is encrypted at rest).

Customers will not have direct access to the operating system, file system, or web application server. Changes need to be requested through a Support ticket.

Customers will not have DBAdmin access to any database. Updates are allowed to NON-PROD databases. Updates to PROD databases need to be requested through a support ticket.

{: #single-sign-on}

IBM Maximo Application Suite Dedicated supports Single Sign On (SSO). Details can be found here:

https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=configuring-users-identity

LDAP and SAML (2.0) is supported.

IBM does not certify any specific tool a client has implemented within their environment. If the tool supports SAML 2.0 then it will work within the MAS MS environment.

Customers will be responsible to ensure the appropriate user setup and mapping is correct and configured.

{: #penetration-and-vulnerability-testing}

IBM’s Product Transformation Center (PTC) conducts penetration testing on the IBM Maximo Application Suite as a Service offering annually.

IBM performs external and internal vulnerability scanning and subsequent remediation in all IBM Maximo Application Suite SaaS environments on a quarterly basis per IBM IT Security Standards (ITSS). This includes Operating System, Middleware, Application and TCP/IP vulnerability scanning.

Vulnerabilities are assigned individual vulnerability ratings and exploitation categories (Critical, High, Medium or Low). These ratings are used to determine an IBM mandated time requirement to remediate and resolve the vulnerability.

Vulnerability scanning results and logs are considered IBM Confidential Information and are not disclosed to customers or prospects.

IBM does not permit external penetration tests on MAS offerings for security and compliance reasons. However, IBM can provide comprehensive penetration test reports conducted by IBM’s Product Transformation Center (PTC). These reports are thorough and should address the objectives and concerns of external parties, ensuring they have a clear understanding of IBM MAS system security posture and the measures we have in place to safeguard our offerings.

{: #sql-injection}

Please see FAQ link below regarding how Maximo protects against SQL injection: https://www-01.ibm.com/support/docview.wss?uid=swg21419049

{: #security-ervices}

The IBM Maximo Application Suite Dedicated team provides the following security and system access services. These services are included as part of IBM Maximo Application Suite Dedicated:

Setup of SSL certificates and DNS registration. This is standard by default and allows for secure browser based HTTPS (encrypted) access IBM Maximo Application Suite Dedicated end users.

Setup of IPsec Virtual Private Network (VPN) between client locations and IBM Cloud data center(s). VPN setup is optional, and is used to provide the following:

• Direct read-only access to IBM on Cloud databases
• LDAP authentication

Other uses are not currently available using VPN.

Setup and configuration of SSO including OIDC (default), SAML and LDAP user authentication for IBM Maximo Application Suite applications. SSO configuration is optional but is included as part of the IBM on Cloud subscription.

{: #compliance-ibm-cloud-infrastructure}

All IBM Maximo Application Suite Dedicated customer environments are managed to IBM IT Security Standards (ITSS) defined by IBM’s Chief Information Security Officer (CISO). This includes vulnerability scanning and subsequent remediation.

IBM Cloud holds ISO-27001 certification and can provide SOC 1, 2 and 3 reports to customers

IBM Cloud (IaaS) ISO certificates:

• ISO-27001:2013 - https://www.ibm.com/downloads/cas/KDMPXMKA
• ISO-27017:2015 - https://www.ibm.com/downloads/cas/GLL9ZBZX
• ISO-27018:2019 - https://www.ibm.com/downloads/cas/DNM7GMKY

IBM Enterprise & Technology Security ISO certificates:

• ISO 27017: 2015 - https://www.ibm.com/downloads/cas/QV8Q6ZVY
• ISO 27018: 2019 - https://www.ibm.com/downloads/cas/BKGPEYLQ
• ISO 27701: 2019 - https://www.ibm.com/downloads/cas/X42E0VBD

There are 3 different SOC reports prepared by external auditors that attest that IBM Cloud has the appropriate security and compliance, financial, and operational controls and procedures in place:

SOC3: The SOC 3 report is publicly available and can be downloaded here: https://www.ibm.com/downloads/cas/MVN9G536

SOC2: The SOC 2 report is intended for both current and prospective clients. It outlines IBM Cloud's policies and processes regarding security and compliance in our data centers. A member of the IBM SRE team can request this report on behalf of an IBM Salesperson for their customer or prospect.

SOC1: The SOC 1 (SSAE16) report outlines an organization's internal control over financial reporting. This is a controlled distribution report managed by IBM Cloud compliance for business controls purposes. The SOC 1 report is intended for current IBM Cloud clients and/or their compliance auditors only and can be requested by IBM. SOC1 reports are not available if a client is currently a prospect. A member of the IBM SRE team can request this report on behalf of an IBM Salesperson for their customer.

The following information is required in order for SRE to send a SOC1 or SOC2 report:

Type of Report Requested: (SOC1 or SOC2)

• Company Name:
• Requestor First Name:
• Requestor Last Name:
• Requestor Title:
• Email:
• Reason for Request:

Once submitted by the IBM Maximo Application Suite Dedicated Service team, customer identified as the requestor will receive an email from [email protected] through which they can download the SOC 1 or 2 report.

IBM Cloud data centers are not Tier certified, but are built to Uptime Tier 3 specifications

Additional IBM Cloud compliance and reports information can be found here:

https://www.ibm.com/cloud/compliance

{: #compliance-aws-infrastructure}

All IBM Maximo Application Suite SaaS customer environments are managed to IBM IT Security Standards (ITSS) defined by IBM’s Chief Information Security Officer (CISO). This includes vulnerability scanning and subsequent remediation

AWS holds ISO-27001 certification and can provide SOC 1, 2 and 3 reports to customers

AWS (IaaS) ISO information:

https://aws.amazon.com/compliance/iso-27001-faqs/

AWS SOC information:

https://aws.amazon.com/compliance/soc-faqs/

{: #industry-and-regulatory-compliance}

AWS Security Controls:

https://aws.amazon.com/compliance/data-center/controls/

IBM Maximo Application Suite Dedicated environments are ISO-27001 certified. This certificate is publicly available and can be viewed / downloaded via the link below.

ISO-27001:

https://www.ibm.com/downloads/cas/EEO0NVLK

Details regarding specific Industry and Regulatory compliance can be found in the IBM Enterprise & Technology Security Community (this is accessible to IBMers only).

All IBM Maximo Application Suite Dedicated servers are hardened using Center for Internet Security (CIS) Benchmarks. For further details, please visit: https://www.cisecurity.org/cis-benchmarks/

An IBM SaaS-wide central health checking service is used to automatically maintain baseline (hardened) configurations of systems against standard IBM policy.

IBM Maximo development follow IBM Secure Engineering practices for application development. IBM Secure Engineering is outlined publicly at the following link: https://www.ibm.com/security/secure-engineering/index.html

IBM Maximo developers are required to follow secure coding practices, and complete education in the SANS top 25 and OWASP top 10. In addition, static (source) and web application scanning using IBM (HCL) AppScan product suite must be performed. These products check for SANS Top 25 and OWASP top 10 issues. Any vulnerabilities found by these scans must be resolved before product release or submitted through IBM's Product Security Incident Response Team (PSIRT) process for resolution via defect (IBM Authorized Program Analysis Report or APAR).

IBM Maximo development uses Rational Team Concert for development (management of tasks, stories, epics, version control, test management, etc) Selenium and TestNG for test automation, Jenkins for deployment automation, and Rational Performance Tester (RPT) for performance load testing.

IBM Maximo Software Development Life Cycle (SDLC): https://www.ibm.com/support/pages/ibm-maximo-software-development-life-cycle

{: #data-security-privacy-dsp}

Manage application logging when configured with certain verbose options can allow for extensive information being gathered. This logging could include Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). This information is generated and stored in plain text files on the application server. These logs are often made available to the customer upon request via SFTP. Application administration, including the logging configuration, are the responsibility of the customer, and it is highly recommended that logging PII/SPI not be configured unless absolutely required. The following document describes how to configure logs to exclude any data classified as PII or SPI:

https://www.ibm.com/support/pages/node/2801463

IBM Data Security and Privacy Principles for IBM Cloud services can be found at the link below: https://www.ibm.com/support/customer/csol/terms/?cat=data-security

IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services can be found below. This is applicable to EU-US and Swiss-US customers: https://www.ibm.com/privacy/details/us/en/privacy_shield.html

Data Responsibility at IBM https://www.ibm.com/blogs/policy/dataresponsibility-at-ibm/ If a government wants access to data held by IBM on behalf of a MAS-Dedicated client, IBM would expect that government to deal directly with that client

Data Processing Addendum (GDPR) https://www.ibm.com/support/customer/csol/terms/?id=Z126-7870&lc=en#detail-document

{: #data-privacy-and-subject-rights}

IBM Privacy Statement IBM's Privacy Statement describes IBM's general privacy practices and subject rights that apply to personal information. For complete statement details click on the link below. https://www.ibm.com/privacy/us/en/

Right to Lodge a Complaint In the event a client or customer considers our processing of personal information not to be compliant with applicable data protection laws, a complaint can be submitted directly with IBM by using the form in the link below. https://www.ibm.com/scripts/contact/contact/us/en/privacy/

{: #nist}

IBM Maximo Application Suite Manage Servers (commercial public offerings) follow NIST guidelines and assess against NIST controls, but claim no specific NIST compliance(s).

{: #data-leakage-prevention-data-loss-prevention-dlp}

IBM SRE team does not use DLP monitoring. Access controls are implemented on all databases restricted to privileged users only. Database auditing is enabled and logs are retained for 365 days. Customers configure and manage the data their users can view, update and export within the Maximo Application Sutie applications, as well as determine which of their users is permitted direct read-only access to their database(s).

IBM purchases Professional Errors and Omissions including cyber risk insurance (see below) for IBM's liability arising out of actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission committed in the conduct of IBM’s professional services. This includes coverage for loss of intangible property, such as customer data, due to IBM’s negligence. This coverage is global in scope.

{: #ddos-protection}

IBM Cloud provides DDoS (Distributed Denial of Service) protection for its environment, designed to protect the entire network. IBM Cloud uses automated DDoS mitigation controls and an in-house Network Operations Center (NOC) team to monitor network performance and security 24x7.

{: #media-sanitization}

IBM securely sanitizes physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines for media sanitization (see link below). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

{: #cyber-insurance}

IBM carries standard cyber risk insurance under its Professional Errors & Omissions policy. PE&O insurance provides coverage for actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission, solely for acts or omissions committed by IBM in providing professional services to our client(s). Coverage includes network security, unauthorized access, unauthorized use, receipt or transmission of a malicious code, denial of service attack, unauthorized disclosure or misappropriation of private information, privacy liability, notification costs, credit card monitoring, and fine & penalties incurred by the customer.

The PE&O Policy itself is IBM Confidential information. Further details on this subject can be accessed (IBMers only) here: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wc0a20474fb23_478a_8f6d_1c6dfd3d680f/page/IBM%20cyber%20insurance%20details

{: #regulated-content}

IBM Maximo Application Suite offerings are not intended to host government regulated content. Please see the Cloud Services Agreement (link below) Section 2c for details.

{: #clock-synchronization}

All customer MAS-Dedicated environments leverage IBM Cloud's internal NTP service as single reference time source for information system processing clocks and security domains.

Customers are responsible or synchronizing their local environments (workstations, on premise servers) with an authoritative time source.

{: #terms-of-use}

General Terms of Use for IBM Cloud Offerings: https://www.ibm.com/software/sla/sladb.nsf/sla/tou-gen-terms

{: #cloud-service-agreement}

IBM Cloud Services Agreement (CSA) https://www.ibm.com/support/customer/csol/terms/?id=Z126-6304&cc=us&lc=en

For more on IBM Cloud security, privacy and compliance: https://www.ibm.com/cloud/security