IBM® Watson® on the IBM® Cloud

CSA CAIQ V1.0 February 2018

CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1 | IBM Watson on the IBM Cloud | February 2018

Introduction

IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential within unstructured data. Fundamental to providing a strong foundation for companies wanting to leverage Watson services, IBM uses best-in-class security and compliance processes that allow for successful execution of challenging workloads.

The CAIQ was designed to help with one of the leading concerns that companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management, and how they implement them. This CAIQ document gives detailed responses to those questions for IBM Watson on IBM Cloud and provides additional links where applicable on IBM and Watson security processes, procedures and/or technical controls.

IBM Watson services are ISO 27001, ISO 27017, and ISO 27018 compliant, and are rapidly evolving to support other types of regulated workloads. Compliance of Watson services is maintained through regular reviews by both IBM internal and 3rd party auditors.

Additional information on how Watson is securely deployed on the IBM Cloud can be found below:

• Watson Trust Center: https://ibm.biz/BdjD4r
• ISO 27001 certificate: https://ibm.biz/BdjWav
• ISO 27017 certificate: https://ibm.biz/BdjWam
• ISO 27018 certificate: https://ibm.biz/BdjWaK
• Full list of IBM products covered under 27001: https://ibm.biz/BdjWab
• IBM Cloud Services data security and privacy principles: https://ibm.biz/Bdsm3x
• Additional details around IBM Cloud compliance: https://www.ibm.com/cloud/compliance
• How to secure your applications using Watson services: https://www.ibm.com/cloud/garage/content/architecture/securityArchitecture/overview

Table columns: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / Not Applicable) | Watson Notes

Application & Interface Security: Application Security

AIS-01 / AIS-01.1
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Question: Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: x
Watson Notes: Watson services on the IBM Cloud leverage the IBM Secure Engineering Standard, which is aligned with OWASP, to ensure security as part of our SDLC. Those standards include processes for secure coding, vulnerability assessment, penetration testing, education, processes for 3rd party code approval and threat modelling. The standards used are regularly evaluated and updated for inclusion or replacement. See https://www.ibm.com/security/ Penetration testing is performed by both IBM and third parties and covers both external and internal testing of endpoints. Vulnerability assessment requires automated code and application scanning in addition to manual testing. Secure coding mandates manual review for security related code and reviews against OWASP top ten attacks. Watson services have been certified by an independent auditor against the ISO 27001 certification standard.

AIS-01.2
Question: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

AIS-01.3
Question: Do you use manual source-code analysis to detect security defects in code prior to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

AIS-01.4
Question: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: x
Watson Notes: Development work for IBM Watson on the IBM Cloud is not outsourced. For all 3rd party components used, e.g., libraries or open source code, the IBM Secure Engineering Standard prohibits their use unless approved by IBM's Open Source Software Process. That approval process includes technical, legal and marketing reviews.

AIS-01.5
Question: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

Application & Interface Security: Customer Access Requirements

AIS-02 / AIS-02.1
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Question: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: x
Watson Notes: IBM Watson services customers are ultimately responsible for the data integrity of their workload. IBM Watson compliance certifications demonstrate the controls in place to provide a secure platform. Additional information available here: http://www.ibm.com/watson/watson-security.html

AIS-02.2
Question: Are all requirements and trust levels for customers' access defined and documented?
Answer: x
Watson Notes: Requirements and trust levels for customer access are established contractually for each IBM Watson customer.

Application & Interface Security: Data Integrity

AIS-03 / AIS-03.1
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Question: Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: x
Watson Notes: IBM Watson services are only available through API calls; this significantly limits an attacker's ability to interact with and compromise a service. IBM Watson customers are ultimately responsible for the data integrity of their workload. ISO 27001 compliance demonstrates the controls IBM Watson has in place to safeguard against the unauthorized access, destruction, loss or alteration of data. Security testing occurs prior to production rollout to ensure inputs & outputs from the API are secure & meet design specifications.

Application & Interface Security: Data Security / Integrity

AIS-04 / AIS-04.1
Control Specification: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
Question: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: x
Watson Notes: The IBM Watson on the IBM Cloud Data Security Architecture is designed using industry standards and best practices aligning with ISO 27001 and NIST frameworks.

Audit Assurance & Compliance: Audit Planning

AAC-01 / AAC-01.1
Control Specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
Question: Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?
Answer: x
Watson Notes: IBM Watson services use external and internal auditors to conduct structured, industry standard audit assertions and reports. Extensive audit planning & preparation occurs for each audit. These are performed at a minimum annually. See http://www.ibm.com/watson/watson-security.html

Audit Assurance & Compliance: Independent Audits

AAC-02 / AAC-02.1
Control Specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
Question: Do you allow tenants to view your SOC 2 / ISO 27001 or similar third-party auditor certification reports?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party audit attestation, certification and/or pen testing reports where a Non-Disclosure Agreement (NDA) is in place.

AAC-02.2
Question: Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Penetration testing is performed by IBM teams against the IBM Watson services environments on at least a quarterly basis. This testing covers network and application level testing and includes testing for both SANS top 25 and OWASP top ten vulnerabilities. 3rd-party vendors (external) perform application and network penetration testing against the IBM Watson services production environments at least once annually. Those tests include both external testing against public endpoints and internal testing where the vendor is provided with access to the environment to test for any internal network vulnerabilities or weaknesses.

AAC-02.3
Question: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Penetration testing is performed by IBM teams against the IBM Watson services environments on at least a quarterly basis. This testing covers network and application level testing and includes testing for both SANS top 25 and OWASP top ten vulnerabilities. 3rd-party vendors (external) perform application and network penetration testing against the IBM Watson services production environments at least once annually. Those tests include both external testing against public endpoints and internal testing where the vendor is provided with access to the environment to test for any internal network vulnerabilities or weaknesses.

AAC-02.4
Question: Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Internal audits are routine and virtually continuous for IBM Watson on the IBM Cloud. These are initiated/conducted at least once each quarter.

AAC-02.5
Question: Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: IBM Watson services, at a minimum, use external auditors annually to conduct ISO 27001 assessments & audits.

AAC-02.6
Question: Are the results of the penetration tests available to tenants at their request?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party pen testing attestations and/or reports where a Non-Disclosure Agreement (NDA) is in place.

AAC-02.7
Question: Are the results of internal and external audits available to tenants at their request?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party audit attestations to customers at their request. Executive level reports or details may be provided where a Non-Disclosure Agreement (NDA) is in place.

AAC-02.8
Question: Do you have an internal audit program that allows for cross-functional audit of assessments?
Answer: x
Watson Notes: IBM Watson services use multiple internal entities to conduct cross functional audit assessments. IBM has a robust internal audit organization utilizing mature processes that have been developed and refined to ensure alignment of all business units and internal organizations to corporate standards.

Audit Assurance & Compliance: Information System Regulatory Mapping

AAC-03 / AAC-03.1
Control Specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
Question: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Answer: x
Watson Notes: Data at rest and in transit is encrypted. Access control technologies are leveraged in all IBM Watson services delivery models to ensure customers can only access their data & workloads. Additional layers of logical segmentation are available in Premium & Dedicated models of delivery of Watson services.

AAC-03.2
Question: Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
Answer: x
Watson Notes: IBM Watson services customers are ultimately responsible for their data and the integrity of any workloads communicating with Watson via API. Most IBM Watson Cloud Platform Services are stateless, whereby client specific data does not persist.

AAC-03.3
Question: Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Answer: x
Watson Notes: IBM Watson services provide customers with options to deploy their applications and data in different regions. The data will reside in the region defined in the original solution design and specified in the services contract unless the customer elects to move it themselves.

AAC-03.4
Question: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: x
Watson Notes: IBM Watson services management & compliance teams regularly survey changes in the regulatory environment. The IBM Legal Department also monitors regulatory requirements for their impact upon IBM security programs. Customers are ultimately responsible for their compliance and tracking any changes to their regulatory requirements.

Business Continuity Management & Operational Resilience: Business Continuity Planning

BCR-01 / BCR-01.1
Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
Question: Do you provide tenants with geographically resilient hosting options?
Answer: x
Watson Notes: IBM Watson services encourage customers to take advantage of our global deployment model to accomplish geographic resiliency.

BCR-01.2
Question: Do you provide tenants with infrastructure service failover capability to other providers?
Answer: x
Watson Notes: IBM Watson services are designed, implemented & configured utilizing HA and are exclusively hosted by IBM.

Business Continuity Management & Operational Resilience: Business Continuity Testing

BCR-02 / BCR-02.1
Control Specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
Question: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: x
Watson Notes: Business continuity plans are regularly tested at minimum on an annual basis. The related controls have been verified by an external auditor as part of the IBM Watson services 27001 certification.

Business Continuity Management & Operational Resilience: Power / Telecommunications

BCR-03 / BCR-03.1
Control Specification: Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
Question: Do you provide tenants with documentation showing the transport route of their data between your systems?
Answer: x
Watson Notes: IBM Watson services provide customers the option to deploy their applications and data in different regions. For stateful services or specific customer workloads, the data remains in that region unless the customer moves it. Customers have different options on how they connect to their IBM Watson services, e.g. over a public network or over a dedicated VPN to a dedicated instance.

BCR-03.2
Question: Can tenants define how their data is transported and through which legal jurisdictions?
Answer: x
Watson Notes: Direct internet connectivity is the preferred solution, but other options are available for dedicated customers. All traffic in transit to IBM Watson services is encrypted.

Business Continuity Management & Operational Resilience: Documentation

BCR-04 / BCR-04.1
Control Specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
Question: Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?
Answer: x
Watson Notes: IBM Watson services provide robust documentation within each service description to assist customers with properly configuring and using its services. IBM Watson services have extensive documentation on the information system; this documentation is available to authorized IBM personnel. This information may also be distributed through training where applicable.

Business Continuity Management & Operational Resilience: Environmental Risks

BCR-05 / BCR-05.1
Control Specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
Question: Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?
Answer: x
Watson Notes: IBM Watson services are hosted in IBM data centers where physical and environmental protection controls are in place. The data center security controls have been designed & implemented based on NIST 800-53, ISO 27001 & other industry standard requirements. These controls are validated frequently, at a minimum annually, by both internal audits and external auditors as part of SOC and ISO 27001 compliance programs.

Business Continuity Management & Operational Resilience: Equipment Location

BCR-06 / BCR-06.1
Control Specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
Question: Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
Answer: x
Watson Notes: IBM Watson services are hosted in IBM data centers where physical and environmental protection controls are in place. The data center security controls have been designed & implemented based on NIST 800-53, ISO 27001 & other industry standard requirements. These controls are validated frequently, at a minimum annually, by both internal audits and external auditors as part of SOC and ISO 27001 compliance programs.

Business Continuity Management & Operational Resilience: Equipment Maintenance

BCR-07 / BCR-07.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
Question: If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers. Specific hardware restore and recovery options are transparent to customers of IBM Watson services as these are provided at the underlying IaaS layer.

BCR-07.2
Question: If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
Answer: x
Watson Notes: This can be available in the IBM Watson services dedicated delivery model.

BCR-07.3
Question: If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

BCR-07.4
Question: If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

BCR-07.5
Question: Does your cloud solution include software/provider independent restore and recovery capabilities?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

Business Continuity Management & Operational Resilience: Equipment Power Failures

BCR-08 / BCR-08.1
Control Specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
Question: Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?
Answer: x
Watson Notes: IBM Data Center Physical and Environmental Protection controls are in place in all data centers. These controls are maintained through frequent internal audits and are validated by external auditors through assessments including but not limited to FedRAMP, ISO 27001, SOC, PCI, and HIPAA. IBM Data Center SOC reports provide additional insight into the security mechanisms implemented to protect against outages. The SOC 3 report is available to customers and prospective customers here: https://www.ibm.com/cloud-computing/bluemix/sites/default/files/assets/docs/SoftLayer%20SOC%203%201H%202017%20Report_FINAL%20%281%29_0.pdf The SOC 2 report is available to customers and can be requested via the customer portal or by contacting their sales team.

Business Continuity Management & Operational Resilience: Impact Analysis

BCR-09 / BCR-09.1
Control Specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption
Question: Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

BCR-09.2
Question: Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

BCR-09.3
Question: Do you provide customers with ongoing visibility and reporting of your SLA performance?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

Business Continuity Management & Operational Resilience: Policy

BCR-10 / BCR-10.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
Question: Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Answer: x
Watson Notes: IBM Watson services follow IBM Core Security Practices covering Systems, Networking and Secure Engineering best practices. Security readiness focal points are assigned for each Platform component and service and are responsible to drive conformance to those security policies. All IBM employees are required to take security related education annually.

Business Continuity Management & Operational Resilience: Retention Policy

BCR-11 / BCR-11.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
Question: Do you have technical control capabilities to enforce tenant data retention policies?
Answer: x
Watson Notes: Specific data retention configuration options are available to customers utilizing dedicated IBM Watson services.

BCR-11.2
Question: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Answer: x
Watson Notes: IBM Watson services do not share customer data unless subject to disclosure to government agencies pursuant to judicial proceeding, court order, or legal process. For more details on privacy and trust, refer to http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp, https://www.ibm.com/cloud-computing/bluemix/security-privacy#privacy, https://www-01.ibm.com/software/info/product-privacy/

BCR-11.4
Question: Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Answer: x
Watson Notes: IBM Watson services are designed with High Availability as a key requirement. The services are deployed with redundancy as part of the design. Data retention policies and procedures are defined and maintained in accordance with the applicable regulatory and compliance standard.

BCR-11.5
Question: Do you test your backup or redundancy mechanisms at least annually?
Answer: x
Watson Notes: IBM Watson services are designed, implemented & configured utilizing High Availability (HA) and are exclusively hosted by IBM. Business continuity plans are regularly tested at minimum on an annual basis. The related controls have been verified by an external auditor as part of the IBM Watson services 27001 certification. Data backup is a customer retained responsibility.

Change Control & Configuration Management: New Development / Acquisition

CCC-01 / CCC-01.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
Question: Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?
Answer: x
Watson Notes: IBM Watson services have a Change Control process to manage and track changes to any portion of the system, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval including component owners and management. The IBM Secure Engineering standard provides policies on the development, reviewing and scanning of code, applications and systems prior to deployment, including any changes triggered via acquisition. All deployments are controlled via the IBM Change Management Policy and associated procedures. https://www.ibm.com/security/secure-engineering/

CCC-01.2
Question: Is documentation available that describes the installation, configuration, and use of products/services/features?
Answer: x
Watson Notes: Extensive documentation is available in the form of product documentation, whitepapers, tutorials and videos in IBM Cloud Docs and via IBM developerWorks and IBM Cloud Garage sites. https://console.bluemix.net/docs/ https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/ https://www.ibm.com/cloud-computing/bluemix/garage

Page 13: on the IBMÒ Cloud CSA CAIQ V1.0 February 2018 · IBM Watson services are ISO27001, ISO27017, and ISO27018 compliant, and are rapidly evolving to support other types of regulated

CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018

13

ChangeControl&ConfigurationManagementOutsourcedDevelopment

CCC-02

CCC-02.1

Externalbusinesspartnersshalladheretothesamepoliciesandproceduresforchangemanagement,release,andtestingasinternaldeveloperswithintheorganization(e.g.,ITILservicemanagementprocesses).

Doyouhavecontrolsinplacetoensurethatstandardsofqualityarebeingmetforallsoftwaredevelopment?

x

DevelopmentworkfortheIBMWatsonservicesisnotoutsourced.TheIBMSecureEngineeringStandardprohibitsuseofall3rdpartycomponentsused,e.g.,librariesoropensourcecodeunlessapprovedbyIBM’sOpenSourceSoftwareProcess.Thatapprovalprocessincludestechnical,legalandmarketingreviews.

CCC-02.2

Doyouhavecontrolsinplacetodetectsourcecodesecuritydefectsforanyoutsourcedsoftwaredevelopmentactivities?

x

IBMWatsonservicesutilizemultipletesting,scanning&analysistechniquesbeforethepromotionofcodeintoproduction.Theseincludeautomatedstaticanddynamicscans,manualpenetrationtests,threatmodeling,manualcodereviews,andothertechniques.ThesetestsoccuronallcodethatmakesupIBMWatsonservices.

Change Control & Configuration Management: Quality Testing

CCC-03

CCC-03.1

Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.

Do you provide your tenants with documentation that describes your quality assurance process?

x

IBM Secure Engineering standard provides policies on the development, reviewing and scanning of code, applications and systems prior to deployment, including any changes triggered via acquisition. The goal of the secure engineering standard is to assure quality and minimize risks to deployed systems. It enforces security education for all IBM staff, with more specific security education based on role, and mandates the use of threat modelling for all deployments, which includes a risk assessment phase. Additional details are available here: https://www.ibm.com/security/secure-engineering/ IBM Watson services are ISO 27001 certified by external auditors. This certification is available to customers and has several control points which focus on quality assurance and risk assessment methodology.

CCC-03.2

Is documentation describing known issues with certain products/services available?

x

IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status

CCC-03.3

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

x

IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://www.ibm.com/security/secure-engineering/process.html

CCC-03.4

Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

x

IBM Secure Engineering standard dictates that code reviews must be performed against a secure coding review checklist which includes checks to remove any debug code.


Change Control & Configuration Management: Unauthorized Software Installations

CCC-04

CCC-04.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

x

IBM Watson services have a Change Control process to manage and track changes to any portion of the system, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval, including component owners and management. For customer dedicated clouds, the changes will only be made during an agreed change window or with the explicit approval of the customer, and no changes are made without informing the customer in advance.


Change Control & Configuration Management: Production Changes

CCC-05

CCC-05.1

Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.

Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

x

IBM Watson services are ISO 27001 certified and this includes review of controls on change management. Reports can be made available to customers on request. For customer dedicated clouds, the changes will only be made during an agreed change window or with the explicit approval of the customer, and no changes are made without informing the customer in advance.

Data Security & Information Lifecycle Management: Classification

DSI-01

DSI-01.1

Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.

Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?

x

IBM Watson services leverage namespaces, tags &/or labeling methodologies/technologies for identification of customer environments and workloads.

DSI-01.2

Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?

x

Specific hardware and virtual machines are assigned to customers pursuant to their contracted specifications. This capability is provided to IBM Watson services and support teams but is transparent to the customer.


DSI-01.3

Do you have a capability to use system geographic location as an authentication factor?

x

In dedicated IBM Watson services, customers can authenticate their own users via SSO and can utilize geography-based authentication factors.

DSI-01.4

Can you provide the physical location/geography of storage of a tenant's data upon request?

x

IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it.

DSI-01.5

Can you provide the physical location/geography of storage of a tenant's data in advance?

x

IBM Watson services provide customers with options to select which region instances of Watson services are deployed in. Data stored as part of the service remains in that region unless the customer moves it.

DSI-01.6

Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?

x

IBM Watson services leverage namespaces, tags &/or labeling methodologies/technologies for identification of customer environments and workloads. Customers are ultimately responsible for classifying & managing their data.

DSI-01.7

Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?

x

IBM Watson services provide customers with options to select which region instances of Watson services are deployed in. Data stored as part of the service remains in that region unless the customer moves it.

Data Security & Information Lifecycle Management: Data Inventory/Flows

DSI-02

DSI-02.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other (control specification continued after the DSI-02.2 answer)

Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?

x

IBM Watson services utilize an extensive and detailed threat modeling process where all data flows are documented prior to major releases.

DSI-02.2

Can you ensure that data does not migrate beyond a defined geographical residency?

x

IBM Watson services provide customers with options to select which region instances of Watson services are deployed in. Data stored as part of the service remains in that region unless the customer moves it.


(DSI-02.1 control specification, continued) business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.

Data Security & Information Lifecycle Management: E-commerce Transactions

DSI-03

DSI-03.1

Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.

Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?

x

IBM Watson services leverage open encryption methodologies. Data in motion and at rest is encrypted using AES encryption. Data in motion is transmitted using TLS 1.2.

DSI-03.2

Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

x

Within IBM Watson services, all data transmitted over public networks will be encrypted per IBM policy. http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf

Data Security & Information Lifecycle Management: Handling/Labeling/Security Policy

DSI-04

DSI-04.1

Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Are policies and procedures established for labeling, handling and the security of data and objects that contain data?

x

IBM Watson services follow IBM Corporate Standards which dictate a labeling and handling scheme for all assets containing IBM and customer owned data.

DSI-04.2

Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?

x

All customer data is considered confidential and requires data to be encrypted at rest and in motion.


Data Security & Information Lifecycle Management: Nonproduction Data

DSI-05

DSI-05.1

Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

x

IBM Watson services have processes & procedures to afford segregated development, staging and production environments. These are deployed in different VLANs in different IaaS accounts. Each customer environment is considered to be a production environment by IBM, though the customer may have multiple environments for their purposes as well. IBM Cloud provides customers with the ability to promote Watson service instances into production and non-production spaces. It is the customer's responsibility to restrict the movement of workload between their environments and ensure production data is not replicated to non-production environments. https://www.ibm.com/developerworks/cloud/library/cl-intro4-app/index.html

Data Security & Information Lifecycle Management: Ownership/Stewardship

DSI-06

DSI-06.1

All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.

Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?

x

IBM Watson services support staff follow IBM Corporate Standards which dictate a labeling and handling scheme for all IBM and customer owned data. IBM Watson service customers are responsible for managing and labelling their own data within the Watson service.

Data Security & Information Lifecycle Management: Secure Disposal

DSI-07

DSI-07.1

Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?

x

IBM Watson services employ a decommissioning and reclaim process for all hardware being reclaimed. The reclaimed drive is wiped using the DoD 5220.22-M algorithms. If a device is determined to be end of life, the hardware is wiped using the same method described above, then the device is physically crushed on site. These measures are taken to protect customers' data. See http://blog.softlayer.com/tag/disposal


DSI-07.2

Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?

x

Specific Data Sanitization options are available for customers using dedicated versions of the IBM Watson services and will be defined as part of the contractual process.

Datacenter Security: Asset Management

DCS-01

DCS-01.1

Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.

Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?

x

IBM Watson services record all physical and virtual assets in an IBM asset inventory system that captures details including asset owner, classes of data managed, locations of hosting infrastructure and contact details. The asset inventory process has been assessed by external auditors as part of ISO 27001.

DCS-01.2

Do you maintain a complete inventory of all of your critical supplier relationships?

x

IBM Watson services document critical suppliers, along with appropriate contact information.

Datacenter Security: Controlled Access Points

DCS-02

DCS-02.1

Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.

Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?

x

IBM Datacenters are secured, with server-room access limited to certified employees. Physical security perimeters can include, but are not limited to, fences, walls, barriers, security guards, gates, electronic surveillance, video surveillance, physical authentication mechanisms, reception desks, and security patrols. The controls have been certified by an external auditor. See NIST 800-53 PE and ISO 27001 A.11 for the relevant controls: https://www.ibm.com/cloud-computing/bluemix/compliance See https://www.ibm.com/cloud-computing/bluemix/data-centers for more details on IBM Datacenter security.


Datacenter Security: Equipment Identification

DCS-03

DCS-03.1

Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?

x

IBM Watson services manage all assets following an IBM asset inventory process, and this has been assessed by external auditors as part of ISO 27001 compliance. https://console.bluemix.net/docs/security/compliance.html#compliance

Datacenter Security: Offsite Authorization

DCS-04

DCS-04.1

Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.

Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, and replication)?

x

IBM Watson services provide customers with options to deploy their services and data in different regions. That data remains in that region unless the customer moves it.

Datacenter Security: Offsite Equipment

DCS-05

DCS-05.1

Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.

Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?

x

IBM Watson services leverage an IBM Cloud decommissioning and reclaim process for all hardware or software being reclaimed or determined to be end of life. Reclaimed hard drives are wiped using the DoD 5220.22-M algorithms. If a device is determined to be end of life, the hardware is wiped using the same method described above, then the device is physically crushed on site. These measures are taken to protect customers' data. IBM's asset management and repurposing processes are validated frequently by external auditors through assessments including but not limited to ISO 27001/17/18, SOC, and HIPAA.

Datacenter Security: Policy

DCS-06

DCS-06.1

Policies and procedures shall be established, and supporting business (control specification continued after the DCS-06.1 answer)

Can you provide evidence that policies, standards, and procedures have been established for maintaining a (question continued after the DCS-06.1 answer)

x

IBM Watson services engage third party auditors to validate our compliance with many different frameworks, including but not limited to ISO 27001. The additional layers of the cloud underlying IBM Watson services also go through extensive third-party audits throughout each year. These include, but are not limited to, ISO 27001/17/18, SOC, and HIPAA.


(DCS-06.1 control specification, continued) processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.

(DCS-06.1 question, continued) safe and secure working environment in offices, rooms, facilities, and secure areas?

DCS-06.2

Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?

x

IBM Watson service employees complete annual required IBM security awareness training, which includes training on policies, standards &/or procedures. Security awareness training is included as part of external and internal audits for verification & validation.

Datacenter Security: Secure Area Authorization

DCS-07

DCS-07.1

Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?

x

IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it. This is performed during the ordering & contract negotiation process.

Datacenter Security: Unauthorized Persons Entry

DCS-08

DCS-08.1

Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.

Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?

x

IBM Data Center physical security is controlled at many levels, such as perimeter and building entrances; the physical security includes, but is not limited to, professional security staff, 24/7 video surveillance, and security checkpoints. Physical access points to the data halls are all recorded and monitored by on-site security; only authorized staff have the ability to access the data halls, and they must authenticate a minimum of 2 times. Physical security is reviewed by periodic internal and external audits. https://www.ibm.com/cloud-computing/bluemix/compliance

Datacenter Security: User Access

DCS-09

DCS-09.1

Physical access to information assets and functions by users and support personnel shall be restricted.

Do you restrict physical access to information assets and functions by users and support personnel?

x

IBM Data Center physical security is controlled at many levels, such as perimeter and building entrances; the physical security includes, but is not limited to, professional security staff, 24/7 video surveillance, and security checkpoints. Physical access points to the data halls are all recorded and monitored by on-site security; only authorized staff have the ability to access the data halls, and they must authenticate a minimum of 2 times. Physical security is reviewed by periodic internal and external audits. https://www.ibm.com/cloud-computing/bluemix/compliance


Encryption & Key Management: Entitlement

EKM-01

EKM-01.1

Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.

Do you have key management policies binding keys to identifiable owners?

x

IBM has defined a Key Management policy to support encryption of data at rest and in transit for all Watson platform components. Encryption is managed at the disk level and keys are not tied to clients.

Encryption & Key Management: Key Generation

EKM-02

EKM-02.1

Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.

Do you have a capability to allow creation of unique encryption keys per tenant?

x

This is available for customers using IBM Watson services dedicated service delivery models.

EKM-02.2

Do you have a capability to manage encryption keys on behalf of tenants?

x

Encryption keys on the backend of the IBM Watson services are managed & maintained by IBM.

EKM-02.3

Do you maintain key management procedures?

x

IBM Watson services have a robust Key Management solution to ensure security throughout the key lifecycle, including key access, strength, rotation, & revocability. Key management procedures are in the process of being documented.

EKM-02.4

Do you have documented ownership for each stage of the lifecycle of encryption keys?

x

IBM Watson services have a robust Key Management solution to ensure security throughout the key lifecycle, including key ownership at each stage of the lifecycle.

EKM-02.5

Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?

x

IBM Watson services have implemented a robust Key Management solution that leverages open source, 3rd party & proprietary components.

Encryption & Key Management: Encryption

EKM-03

EKM-03.1

Policies and procedures shall be established, and (control specification continued after the EKM-03.1 answer)

Do you encrypt tenant data at rest (on disk/storage) within your environment?

x

IBM Watson services encrypt data with AES & TLS 1.2 encryption technologies.


(Encryption & Key Management: Encryption, EKM-03.1 control specification, continued) supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.

EKM-03.2

Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

x

IBM Watson services encrypt data with AES & TLS 1.2 encryption technologies.

EKM-03.3

Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)?

x

IBM recognizes that Bring Your Own Key (BYOK) is important for some customers and will work with them to determine a mutually agreeable solution.

EKM-03.4

Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?

x

This is included as part of the Data Security and Privacy Principles that is included as standard contract language. Documentation is available here: http://www.ibm.com/cloud/data-security & https://www-05.ibm.com/support/operations/files/pdf/csa_us.pdf

Encryption & Key Management: Storage and Access

EKM-04

EKM-04.1

Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.

Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?

x

All encryption algorithms in use are open/validated formats and follow NIST SP 800-57 Part 1 standards. Ciphers and protocols are reviewed on at least an annual basis and updated accordingly. By default, all connections start at TLS 1.2 and data at rest is AES-128 or better.

EKM-04.2

Are your encryption keys maintained by the cloud consumer or a trusted key management provider?

x

IBM Watson keys are owned and managed by IBM Watson.

EKM-04.3

Do you store encryption keys in the cloud?

x

Yes, keys are stored within the IBM Cloud environment.

EKM-04.4

Do you have separate key management and key usage duties?

x

IBM recognizes that Bring Your Own Key (BYOK) is important for some customers and will work with them to determine a mutually agreeable solution.

Governance and Risk Management: Baseline Requirements

GRM-01

GRM-01.1

Baseline security requirements shall be established for developed or (control specification continued after the GRM-01.1 answer)

Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, (question continued after the GRM-01.1 answer)

x

IBM maintains system baselines for all critical components, and this has been verified by an independent auditor as part of ISO 27001 certification.


(Governance and Risk Management: Baseline Requirements, GRM-01.1 control specification, continued) acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system, and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.

(GRM-01.1 question, continued) operating systems, routers, DNS servers, etc.)?

GRM-01.2

Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?

x

Endpoints are routinely monitored at the OS level to ensure compliance with a set of security standards. Those security standards follow the IBM security policies and checklists, which in turn align with ISO 27001 standards.

GRM-01.3

Do you allow your clients to provide their own trusted virtual machine image to ensure conformance to their own internal standards?

x

IBM Watson services are only available as a service provided by IBM.

Governance and Risk Management: Risk Assessments

GRM-02

GRM-02.1

Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
• Awareness of where sensitive data (control specification continued after the GRM-02.1 answer)

Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?

x

Security logs are created for all critical operations in IBM Watson services, e.g. authentication, privileged operations, etc. These are available on request to Watson dedicated customers for their environment. ISO 27001 reports are available on request and demonstrate the use of security controls in IBM Watson services. Customers may leverage the IBM Cloud Console to monitor for health of services. https://console.bluemix.net/status


(GRM-02.1 control specification, continued) is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification

GRM-02.2

Do you conduct risk assessments associated with data governance requirements at least once a year?

x

IBM Watson services are ISO 27001 certified by external auditors. Part of the certification requires an ISMS (Information Security Management System) and risk management process be in place and approved by IBM senior management. Additionally, regular penetration testing is performed by both IBM internal and external teams, as well as regular network and application scanning. IBM Secure Engineering standard requires that threat modelling be carried out on at least an annual basis, and part of that methodology is risk assessment. See https://www.ibm.com/security/secure-engineering/

Governance and Risk Management: Management Oversight

GRM-03

GRM-03.1

Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.

Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?

x

IBM Security standards require managers to own the security and risks for their services; each must appoint a security focal to manage security and compliance for all aspects of the service. IBM Secure Engineering standard requires all employees to take security education on an annual basis. This area is reviewed annually as part of the ISO 27001 certification for IBM Watson services.

Governance and Risk Management: Management Program

GRM-04

GRM-04.1

An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not (control specification continued after the GRM-04.2 answer)

Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

x

IBM Watson services are ISO 27001 certified by external auditors, and the certification is available for review by customers. ISO 27001 is focused on security management processes and validates that IBM Watson services security processes conform to the ISO 27001 control standards. IBM Security Principles are available here: http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf

GRM-04.2

Do you review your Information Security Management Program (ISMP) at least once a year?

x

IBM ISMS & its specification in regard to IBM Watson services are reviewed at least annually.


belimitedto,thefollowingareasinsofarastheyrelatetothecharacteristicsofthebusiness:•Riskmanagement•Securitypolicy•Organizationofinformationsecurity•Assetmanagement•Humanresourcessecurity•Physicalandenvironmentalsecurity•Communicationsandoperationsmanagement•Accesscontrol•Informationsystemsacquisition,development,andmaintenance

Governance and Risk Management - Management Support/Involvement

GRM-05

GRM-05.1

Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.

Do you ensure your providers adhere to your information security and privacy policies?

x

IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers. As part of ISO27001 certification, controls and policies for service providers are reviewed.

Governance and Risk Management - Policy

GRM-06

GRM-06.1

Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership.

Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?

x

IBM information security and privacy policies are based on and align with industry standards such as NIST 800-53 and ISO27001. IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers.

GRM-06.2

Do you have agreements to ensure your providers adhere to your information security and privacy policies?

x

Agreements are in place to verify and monitor supplier compliance with industry standards. IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers. As part of ISO27001 certification, controls and policies for engaging with service providers are reviewed.

GRM-06.3

Can you provide evidence of due diligence mapping of your controls, architecture, and processes to regulations and/or standards?

x

This effort with the CSA CAIQ reflects a mapping to regulations and standards. IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers. As part of ISO27001 certification, controls and policies for engaging with service providers are reviewed.

GRM-06.4

Do you disclose which controls, standards, certifications, and/or regulations you comply with?

x

This effort with the CSA CAIQ reflects a mapping to regulations and standards. IBM Watson services are ISO27001/17/18 certified by external auditors, with that certification being available to customers. For additional details refer to https://www.ibm.com/watson/watson-security.html

Governance and Risk Management - Policy Enforcement

GRM-07

GRM-07.1

A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures.

Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?

x

Yes, this is established by IBM Corporate HR policies, standards, training, and processes, and adhered to within IBM Watson services on the IBM Cloud.

GRM-07.2

Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?

x

Yes, this is established by IBM Corporate HR policies, standards, training, and processes, and adhered to within IBM Watson services on the IBM Cloud.

Governance and Risk Management - Business/Policy Change Impacts

GRM-08

GRM-08.1

Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.

Do risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective?

x

IBM Watson services ensure risk assessments are conducted at least quarterly. Policies, procedures and standards are subject to revision as an outcome of these assessments.

Governance and Risk Management - Policy Reviews

GRM-09

GRM-09.1

The organization's business leadership (or other accountable business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.

Do you notify your tenants when you make material changes to your information security and/or privacy policies?

x

IBM Watson services dedicated tenants are notified of changes to their environment, including those resulting from modified security policies. All deployments are controlled via the Change Management Policy, and customers are approvers for any changes that happen outside agreed maintenance windows.

GRM-09.2

Do you perform, at minimum, annual reviews to your privacy and security policies?

x

Security policies are reviewed at least annually. The privacy policy is updated and reviewed by the IBM Corporate Privacy Office. For more details on privacy and data security policies see http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp and https://www-01.ibm.com/software/info/product-privacy/

Governance and Risk Management - Assessments

GRM-10

GRM-10.1

Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?

x

Regular risk assessments are conducted quarterly and documented as part of the ISMS. These include likelihood and impact for all identified risks using qualitative and quantitative methods.

GRM-10.2

Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)?

x

Results from regular 3rd party audits/assessments and penetration testing are one of the many feeds into the overall risk management program. Additionally, independent internal IBM compliance teams perform quarterly reviews to ensure ongoing risk identification and compliance. Threat modeling is also required for each of the Watson services.

Governance and Risk Management - Program

GRM-11

GRM-11.1

Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.

Do you have a documented, organization-wide program in place to manage risk?

x

IBM recognizes risk assessment to be an important factor in security and has established a periodic risk assessment process that is applicable to the systems that host Watson as a Service. Assessments are entered into the IBM Governance, Risk, and Compliance program to determine and manage the current risk posture. IBM has a well-established risk management program in place that is validated as part of the annual ISO27001 audit and assessment.

GRM-11.2

Do you make available documentation of your organization-wide risk management program?

x

Various documents are published externally regarding IBM Risk Management programs, services, and solutions. Risks identified that require customers to take an action are released as part of the PSIRT process. Additional program information is available here: https://www.ibm.com/security/secure-engineering/process.html

Human Resources - Asset Returns

HRS-01

HRS-01.1

Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.

Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?

x

IBM Watson services have a security incident response plan which aligns with the IBM Cybersecurity Incident response process, and the IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security or privacy incident involving any Watson or Customer system or data. Refer to Security Incident Response Management in the 'Securing Workloads in IBM Cloud' whitepaper and the IBM incident response process here: https://www.ibm.com/security/secure-engineering/process.html and https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/

HRS-01.2

Is your Privacy Policy aligned with industry standards?

x

IBM privacy policies are aligned with industry and country requirements and are continuously monitored for updates. See these links for more information: https://www.ibm.com/cloud/privacy, http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp, https://www-01.ibm.com/software/info/product-privacy/

Human Resources - Background Screening

HRS-02

HRS-02.1

Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.

Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?

x

IBM Corporate HR policies dictate that all employment candidates are subject to background verification.

Human Resources - Employment Agreements

HRS-03

HRS-03.1

Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.

Do you specifically train your employees regarding their specific role and the information security controls they must fulfill?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for IBM Watson services team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/

HRS-03.2

Do you document employee acknowledgment of training they have completed?

x

IBM employees must acknowledge completion of training, and this acknowledgment is documented and stored.

HRS-03.3

Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?

x

All employees of IBM sign NDA or confidentiality agreements regarding corporate and client information.

HRS-03.4

Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems?

x

Timely completion of the training program is a prerequisite to gaining/maintaining access to IBM computing resources, which may include sensitive systems and customer data.

HRS-03.5

Are personnel trained and provided with awareness programs at least once a year?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Refer to https://www.ibm.com/security/secure-engineering/

Human Resources - Employment Termination

HRS-04

HRS-04.1

Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.

Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?

x

IBM Corporate HR policies provide a baseline of standards for changes in, and termination of, employment. The IBM Cloud access control solution queries the IBM Corporate system to detect any employee terminations on a daily basis.

HRS-04.2

Do the above procedures and guidelines account for timely revocation of access and return of assets?

x

IBM Corporate HR policies provide a baseline of standards to ensure all employee system access is terminated and assets are collected at time of termination. IBM Watson services are managed via an IBM Cloud IAM solution which ensures role-based access to any Watson system. Approval is required from both the employee manager and the system access owner, and the process includes approval/continued business need and validation/revocation on employee termination.

Human Resources - Portable/Mobile Devices

HRS-05

HRS-05.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).

Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization's facilities)?

x

IBM IT Security standards mandate that mobile devices are not permitted access to customer environments. Privileged laptops are required for access to customer environments, and owners of those laptops are required to install and maintain full disk encryption and other increased security controls. This is managed with extensive access security controls which are validated at least annually by 3rd party auditors.

Human Resources - Non-Disclosure Agreements

HRS-06

HRS-06.1

Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.

Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented, and reviewed at planned intervals?

x

All IBM policies and procedures are reviewed on at least an annual basis. Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details are identified, documented, and reviewed at a minimum of once annually.

Human Resources - Roles/Responsibilities

HRS-07

HRS-07.1

Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.

Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant?

x

All roles and responsibilities relating to information security and environment operations are documented for dedicated environments.

Human Resources - Acceptable Use

HRS-08

HRS-08.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.

Do you provide documentation regarding how you may access tenant data and metadata?

x

Refer to the IBM Privacy and Data security sites for more information: https://www.ibm.com/cloud/privacy, http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp, https://www-01.ibm.com/software/info/product-privacy/

HRS-08.2

Do you collect or create metadata about tenant data usage through inspection technologies (e.g., search engines, etc.)?

x

This is enabled by default for all standard IBM Watson services. Customers may opt out of data usage if they choose. By default, this is disabled for Premium and Dedicated customers.

HRS-08.3

Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?

x

This is enabled by default for all standard IBM Watson services. Customers may opt out of data usage if they choose. By default, this is disabled for Premium and Dedicated customers.

Human Resources - Training/Awareness

HRS-09

HRS-09.1

A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.

Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/

HRS-09.2

Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/

Human Resources - User Responsibility

HRS-10

HRS-10.1

All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment

Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/

HRS-10.2

Are users made aware of their responsibilities for maintaining a safe and secure working environment?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/

HRS-10.3

Are users made aware of their responsibilities for leaving unattended equipment in a secure manner?

x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/

Human Resources - Workspace

HRS-11

HRS-11.1

Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions had been disabled after an established period of inactivity.

Do your data management policies and procedures address tenant and service level conflicts of interests?

x

Tenant and service level conflicts of interest are resolved via operational and management planning.

HRS-11.2

Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?

x

Security logs for all critical operations are collected and sent to IBM QRadar SIEM (Security Information and Event Management), which is monitored 24x7 by the IBM SOC. Tampering with the logging configuration and the security logs is itself logged, and those logs are delivered to QRadar. IBM personnel managing the Watson Cloud Platform Services QRadar are distinct from those having privileged access to the Watson Platform, and this is enforced using the IBM IAM (Identity and Access Management) governance solution.

HRS-11.3

Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?

x

Security logs for all critical operations are collected and sent to IBM QRadar SIEM, which is monitored 24x7 by the IBM SOC (Security Operations Center). Tampering with the logging configuration and the security logs is itself logged, and those logs are delivered to QRadar. IBM personnel managing the IBM Watson services QRadar are distinct from those having privileged access to the Watson Platform, and this is enforced using the IBM IAM governance solution.

Identity & Access Management - Audit Tools Access

IAM-01

IAM-01.1

Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.

Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?

x

All access requires approval from both the employee manager and the system access owner. This provides the user with role-based access to the requested system. All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM.

IAM-01.2

Do you monitor and log privileged access (e.g., administrator level) to information security management systems?

x

All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM.

Identity & Access Management - User Access Policy

IAM-02

IAM-02.1

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements

Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?

x

Internal access to IBM Watson services is revoked on employee termination. Routine verification of access is also performed with the user's management to ensure business purposes align with existing access.

IAM-02.2

Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?

x

Management of IBM IDs is an IBM retained responsibility. This internal process is automated and tested through our external audits repeatedly throughout the year. Client IDs are managed by the client and are a client responsibility.

Identity & Access Management - Diagnostic/Configuration Ports Access

IAM-03

IAM-03.1

User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.

Do you use dedicated secure networks to provide management access to your cloud service infrastructure?

x

IBM Cloud management network traffic is processed using a management control plane with strict access control. VPNs are utilized where needed to provide an additional layer of security for sensitive networks within IBM.

Identity & Access Management - Policies and Procedures

IAM-04

IAM-04.1

Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.

Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?

x

IBM Watson services leverage IBM IAM services to manage and maintain identity and access control.

IAM-04.2

Do you manage and store the user identity of all personnel who have network access, including their level of access?

x

IBM Watson services leverage IBM IAM services to manage and maintain identity and access control.

Identity & Access Management - Segregation of Duties

IAM-05

IAM-05.1

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.

Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?

x

IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls are used to enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.

Identity & Access Management - Source Code Access Restriction

IAM-06

IAM-06.1

Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.

Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?

x

IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls are used to enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.

IAM-06.2

Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?

x

IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls are used to enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.

Identity & Access Management - Third Party Access

IAM-07

IAM-07.1

The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

Do you provide multi-failure disaster recovery capability?

X

N/A. Customers desiring multi-failure disaster recovery should consider designs leveraging multiple regions across the IBM Global Cloud infrastructure.

IAM-07.2

Do you monitor service continuity with upstream providers in the event of provider failure?

x

IBM Watson services availability is monitored and published using the IBM Cloud console. Upstream providers are monitored for service continuity and availability at the IBM Cloud IaaS layer.

IAM-07.3

Do you have more than one provider for each service you depend on?

x

There are multiple ISP providers within the IBM Cloud data centers which support IBM Watson services.

IAM-07.4

Do you provide access to operational redundancy and continuity summaries, including the services you depend on?

x

As published within the externally available audit reports.

IAM-07.5

Do you provide the tenant the ability to declare a disaster?

x

This can be available in IBM Watson services dedicated deployment models, as documented within the solution design and contractual agreement.

IAM-07.6

Do you provide a tenant-triggered failover option?

x

This can be available in IBM Watson services dedicated deployment models, as documented within the solution design and contractual agreement.

IAM-07.7

Do you share your business continuity and redundancy plans with your tenants?

x

As published within the externally available audit reports and as required by contract.

Identity & Access Management: User Access Restriction / Authorization
IAM-08

Control specification: Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.

IAM-08.1 Do you document how you grant and approve access to tenant data?
x Access to tenant data is granted on a need-to-know basis only, and only when needed to support a client support request or requirement. IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow.

IAM-08.2 Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?
x All customer data is rated as sensitive. Depending on the IBM Watson services deployment model, tenant data is isolated based on the solution design and contractual agreement.

Identity & Access Management: User Access Authorization
IAM-09

Control specification: Provisioning user access (e.g., employees, contractors, customers (tenants), business partners and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.

IAM-09.1 Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners, and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems, and network components?
x IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Tenants retain responsibility for their own users' authorization and access via IBM IAM services.

IAM-09.2 Do you provide upon request user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?
x IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Tenants retain responsibility for their own users' authorization and access via IBM IAM services. Backend system access is restricted to IBM employees with a business need only.

Identity & Access Management: User Access Reviews
IAM-10

Control specification: User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures.

IAM-10.1 Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)?
x IBM user accounts are revalidated in accordance with IBM policy. Controls enforce periodic revalidation of users based on continued business need and employment verification.

IAM-10.2 If users are found to have inappropriate entitlements, are all remediation and certification actions recorded?
x IBM user accounts are revalidated in accordance with IBM policy. Controls enforce periodic revalidation of users based on continued business need and employment verification.

IAM-10.3 Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
x Revalidation reports are for IBM access and use only.

Identity & Access Management: User Access Revocation
IAM-11

Control specification: Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on the user's change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.

IAM-11.1 Is timely deprovisioning, revocation, or modification of user access to the organization's systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?
x IBM user accounts are revalidated, revoked, modified and/or updated in accordance with IBM policy. Controls enforce periodic revalidation of users based on continued business need and employment verification.

IAM-11.2 Is any change in user access status intended to include termination of employment, contractor agreement, change of employment or transfer within the organization?
x IBM user accounts are revalidated, revoked, modified and/or updated in accordance with IBM policy. Controls enforce periodic revalidation of users based on continued business need and employment verification.
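The revalidation described in IAM-10 and IAM-11 (continued business need plus employment verification, with remediation recorded) can be expressed as a check over a provisioning export. The block below is an added example written for this page, not IBM's provisioning system or its data: the HR roster, role matrix, entitlement list, the 365-day interval and the review date are all constructed assumptions.

```python
"""Entitlement revalidation and deprovisioning check.

Added example, not IBM's tooling. It models the review described for IAM-10
and IAM-11: compare each privileged entitlement against (a) the HR roster, to
verify employment and current job function, (b) a role matrix stating which
entitlements each job function has a business need for, and (c) the date of
last certification. Every decision is recorded so that remediation and
certification actions leave evidence. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RECERT_INTERVAL = timedelta(days=365)      # assumption: at least annual certification
REVIEW_DATE = date(2018, 2, 1)             # constructed review date


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    last_certified: date


# Constructed HR roster: employment status and current job function.
HR_ROSTER = {
    "alice": {"status": "active", "job": "watson-sre"},
    "bob":   {"status": "terminated", "job": "watson-sre"},      # leaver
    "carol": {"status": "active", "job": "support-engineer"},    # transferred out of SRE
    "dave":  {"status": "active", "job": "watson-sre"},
}

# Constructed role matrix: which (system, role) pairs each job function may hold.
ROLE_MATRIX = {
    "watson-sre": {("hypervisor-mgmt", "admin"), ("siem", "reader")},
    "support-engineer": {("siem", "reader")},
}

# Constructed export from the provisioning system.
ENTITLEMENTS = [
    Entitlement("alice", "hypervisor-mgmt", "admin", date(2018, 1, 10)),
    Entitlement("bob",   "hypervisor-mgmt", "admin", date(2017, 11, 2)),
    Entitlement("carol", "hypervisor-mgmt", "admin", date(2017, 6, 1)),
    Entitlement("dave",  "siem", "reader", date(2016, 12, 1)),     # certification lapsed
    Entitlement("erin",  "siem", "reader", date(2018, 1, 1)),      # no HR record at all
]


def revalidate(entitlements, roster, role_matrix, today):
    """Return (revocations, decisions).

    revocations: entitlements that must be removed immediately.
    decisions: one (user, system, role, reason) record per entitlement, kept
    for every outcome so the review itself is auditable.
    """
    revocations, decisions = [], []
    for e in entitlements:
        person = roster.get(e.user)
        if person is None:
            reason = "revoke: no HR record, employment cannot be verified"
        elif person["status"] != "active":
            reason = "revoke: employment or engagement ended"
        elif (e.system, e.role) not in role_matrix.get(person["job"], set()):
            reason = "revoke: no business need for current job function"
        elif today - e.last_certified > RECERT_INTERVAL:
            reason = "recertify: last certification older than the interval"
        else:
            reason = "keep: certified and business need confirmed"
        decisions.append((e.user, e.system, e.role, reason))
        if reason.startswith("revoke"):
            revocations.append(e)
    return revocations, decisions


if __name__ == "__main__":
    revoked, record = revalidate(ENTITLEMENTS, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE)
    for user, system, role, reason in record:
        print(f"{user:6} {system:16} {role:7} {reason}")
    print(f"{len(revoked)} entitlement(s) to revoke")
```

The order of the checks matters: a leaver is revoked even if the role matrix would still justify the entitlement, and a lapsed certification on an otherwise justified entitlement is a recertification task rather than an immediate revocation. Keeping the "keep" decisions in the record is what turns the run into evidence for IAM-10.1.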

Identity & Access Management: User ID Credentials
IAM-12

Control specification: Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expirable, non-shared authentication secrets)

IAM-12.1 Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
x Customer integration and federated access are managed and supported using the IBM Cloud IAM services control points. This integration with customer directory services allows for SSO (Single Sign On) capabilities.

IAM-12.2 Do you use open standards to delegate authentication capabilities to your tenants?
x Customer integration and federated access are managed and supported using the IBM Cloud IAM services, which leverage open standards to allow delegation of authentication capabilities to IBM Watson services tenants.

IAM-12.3 Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
x Customer integration and SAML (Security Assertion Markup Language) federated access are managed and supported using the IBM Cloud IAM services.

IAM-12.4 Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?
x Customer integration and federated access are managed and supported using the IBM Cloud IAM services control points.

IAM-12.5 Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?
x Customer integration access is managed and supported using the IBM Cloud IAM services control points.

IAM-12.6 Do you provide tenants with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?
x Customer integration and federated access are managed and supported using the IBM Cloud IAM services. This integration allows clients to leverage the existing MFA (Multifactor Authentication) options established within their organization and directory services.

IAM-12.7 Do you allow tenants to use third-party identity assurance services?
x Customer integration and federated access are managed and supported using the IBM Cloud IAM services. This integration allows clients to leverage third-party identity assurance services; this is often accomplished using third-party certificate/key authorization services.

IAM-12.8 Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?
x IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and account lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.

IAM-12.9 Do you allow tenants/customers to define password and account lockout policies for their accounts?
x IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and account lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.

IAM-12.10 Do you support the ability to force password changes upon first logon?
x IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and account lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.

IAM-12.11 Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
x IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and account lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
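The password and lockout controls asked about in IAM-12.8 to IAM-12.11 (length, history, lockout threshold and duration, forced change on first logon, manual unlock) are easy to get subtly wrong, for instance by still evaluating the password while the account is locked, which turns the lockout into a guessing oracle. The block below is an added example, not IBM Cloud IAM's implementation; the policy values, the account and the clock are assumptions constructed for it, and hashing uses PBKDF2 from the Python standard library.

```python
"""Password policy and account lockout enforcement.

Added example, not IBM Cloud IAM's implementation. It models the controls
named in IAM-12.8 to IAM-12.11: minimum length, password history, a lockout
threshold and duration, a forced change on first logon, and a manual unlock
path. Hashing uses PBKDF2 from the standard library; the policy values and
the account below are assumptions constructed for the example.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 12                       # assumed policy values
HISTORY_DEPTH = 5                     # a new password may not match the last 5
LOCKOUT_THRESHOLD = 5                 # consecutive failures before lockout
LOCKOUT_DURATION = timedelta(minutes=30)
T0 = datetime(2018, 2, 1, 9, 0)       # constructed clock for the demonstration


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, username: str, initial_password: str):
        self.username = username
        self.history = []             # (salt, hash) pairs, newest last
        self.failed_attempts = 0
        self.locked_until = None
        self.must_change = True       # initial password must be replaced (IAM-12.10)
        self.last_unlocked_by = None
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-HISTORY_DEPTH]     # keep only the last HISTORY_DEPTH

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)

    def change_password(self, new_password: str) -> None:
        if len(new_password) < MIN_LENGTH:
            raise ValueError("password shorter than minimum length")
        if self._in_history(new_password):
            raise ValueError("password matches one of the recent passwords")
        self._store(new_password)
        self.must_change = False

    def login(self, password: str, now: datetime) -> str:
        """Return 'locked', 'bad_password', 'must_change' or 'ok'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"       # refuse even a correct password while locked
            self.locked_until = None  # lock expired, start a fresh count
            self.failed_attempts = 0
        salt, current = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), current):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
            return "bad_password"
        self.failed_attempts = 0      # success resets the counter
        return "must_change" if self.must_change else "ok"

    def unlock(self, admin: str) -> None:
        """Manual unlock by an administrator (IAM-12.11); records who did it."""
        self.locked_until = None
        self.failed_attempts = 0
        self.last_unlocked_by = admin


if __name__ == "__main__":
    acct = Account("alice", "Initial-Pass-2018")
    print(acct.login("Initial-Pass-2018", T0))            # must_change
    acct.change_password("correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        acct.login("wrong-password", T0)
    print(acct.login("correct horse battery staple", T0))  # locked
    acct.unlock("admin-1")
    print(acct.login("correct horse battery staple", T0))  # ok
```

Two design points carry the security value: the locked branch returns before any hash comparison, so an attacker cannot confirm a guess during the lockout window, and the history check compares against salted hashes rather than stored plaintext, so history enforcement does not weaken credential storage.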

Identity & Access Management: Utility Programs Access
IAM-13

Control specification: Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.

IAM-13.1 Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?
x IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. This includes permissions and access to utilities that can manage virtualized partitions. Privileged access using such utilities is logged and sent in near real-time to IBM QRadar SIEM.

IAM-13.2 Do you have the capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyperjumping, etc.)?
x Access to the virtual infrastructure is restricted to personnel who require it, and all access is logged. Monitoring and controls have been reviewed by independent auditors as part of ISO audits.

IAM-13.3 Are attacks that target the virtual infrastructure prevented with technical controls?
x Access to the virtual infrastructure is restricted to personnel who require it, and all access is logged. Monitoring and controls have been reviewed by independent auditors as part of ISO audits.

Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection
IVS-01

Control specification: Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.

IVS-01.1 Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
x This is an ongoing project; compensating controls exist using advanced logging and SIEM monitoring.

IVS-01.2 Is physical and logical user access to audit logs restricted to authorized personnel?
x Audit logs are secured and encrypted using the QRadar tool. Access to these logs follows the IBM access control policies and procedures. IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow.

IVS-01.3 Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?
x This is accomplished by IBM Compliance teams leveraging the IBM ISO 27001-based ISMS (Information Security Management System) and the CSA (Cloud Security Alliance) Cloud Controls Matrix. IBM Watson services are ISO 27001/27017/27018 certified by external auditors, with those certifications available to customers. As part of ISO 27001 audits and assessments, due diligence mapping to regulations and standards is reviewed.

IVS-01.4 Are audit logs centrally stored and retained?
x IBM Watson services security logs feed into a SELM (Security Event Log Monitor) service (IBM QRadar) and are monitored and managed via a SOC. Logs are retained a minimum of 90 days.

IVS-01.5 Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
x IBM Watson services security logs feed into a SELM service, are monitored using QRadar SIEM, and are managed via a SOC.
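IAM-13.1 and IVS-01.4/01.5 describe privileged actions on the virtual infrastructure being logged to a SIEM and reviewed with automated tools. The block below is an added example of the kind of review that makes those logs useful, not QRadar content or IBM's data: it correlates constructed privileged-action log lines (an assumed key=value format) against constructed access approvals of the sort a user access management tool would export, flags privileged actions with no approval valid at the time, and flags bursts of failed logins.

```python
"""Review of privileged-action logs against access approvals.

Added example, not QRadar rules or IBM's data. The log format, the field
names and the approval records are assumptions made for this example. The
point is the correlation: a privileged action on a host is expected only
from a user who holds an approval for that host that is valid at the time
of the action, and every finding names the evidence it came from.
"""
from datetime import datetime

# Constructed sample log lines (syslog-like key=value, an assumed format).
SAMPLE_LOGS = """\
2018-02-01T10:02:11Z host=hv-01 user=alice action=vm.clone target=vm-1042 result=success
2018-02-01T10:05:40Z host=hv-01 user=bob action=login result=failure
2018-02-01T10:05:52Z host=hv-01 user=bob action=login result=failure
2018-02-01T10:06:03Z host=hv-01 user=bob action=login result=failure
2018-02-01T10:06:15Z host=hv-01 user=bob action=login result=failure
2018-02-01T10:06:30Z host=hv-01 user=bob action=login result=failure
2018-02-01T11:30:00Z host=hv-02 user=carol action=vm.shutdown target=vm-2001 result=success
2018-02-01T23:10:00Z host=hv-01 user=alice action=vm.shutdown target=vm-1042 result=success
"""

# Constructed approvals as an access management tool might export them:
# (user, host, valid_from, valid_to). alice's window ends at 18:00; carol is
# approved only for hv-03.
APPROVALS = [
    ("alice", "hv-01", "2018-02-01T08:00:00Z", "2018-02-01T18:00:00Z"),
    ("carol", "hv-03", "2018-01-01T00:00:00Z", "2018-12-31T23:59:59Z"),
]

PRIVILEGED_ACTIONS = {"vm.clone", "vm.shutdown", "vm.delete", "vm.snapshot"}
FAILED_LOGIN_THRESHOLD = 5
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one key=value log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, TS_FORMAT)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_approved(user, host, when, approvals):
    """True if some approval covers this user on this host at this instant."""
    return any(
        u == user and h == host
        and datetime.strptime(start, TS_FORMAT) <= when <= datetime.strptime(end, TS_FORMAT)
        for u, h, start, end in approvals
    )


def review(log_text, approvals):
    """Return a list of (severity, message) findings from the log text."""
    findings = []
    failed_logins = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] in PRIVILEGED_ACTIONS and not is_approved(
            ev["user"], ev["host"], ev["ts"], approvals
        ):
            findings.append(("high", f"{ev['user']} ran {ev['action']} on {ev['host']} "
                                     f"({ev.get('target')}) without a valid approval "
                                     f"at {ev['ts'].isoformat()}"))
        if ev["action"] == "login" and ev["result"] == "failure":
            key = (ev["user"], ev["host"])
            failed_logins[key] = failed_logins.get(key, 0) + 1
            if failed_logins[key] == FAILED_LOGIN_THRESHOLD:
                findings.append(("medium", f"{failed_logins[key]} failed logins by "
                                           f"{ev['user']} on {ev['host']}"))
    return findings


if __name__ == "__main__":
    for severity, message in review(SAMPLE_LOGS, APPROVALS):
        print(f"[{severity}] {message}")
```

Run against the constructed data, alice's clone at 10:02 is inside her approval window and produces nothing, while her shutdown at 23:10 and carol's shutdown on a host she is not approved for are both raised; bob's five failures trip the threshold once, on the fifth event, rather than once per event.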

Infrastructure & Virtualization Security: Change Detection
IVS-02

Control specification: The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).

IVS-02.1 Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?
x All changes and privileged actions to VM (Virtual Machine) images are logged and sent to IBM QRadar SIEM for monitoring and alerting.

IVS-02.2 Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?
x IBM Cloud manages the backend IaaS supporting and providing all virtual infrastructure for the customer, such that all changes to VMs are transparent to the IBM Watson services being provided.

Infrastructure & Virtualization Security: Clock Synchronization
IVS-03

Control specification: A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

IVS-03.1 Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
x IBM Cloud provides centralized, synchronized NTP (Network Time Protocol) services for IBM Watson services.

Infrastructure & Virtualization Security: Capacity / Resource Planning
IVS-04

Control specification: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

IVS-04.1 Do you provide documentation regarding what levels of system (e.g., network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
x For IBM Watson services this should be transparent to the end user. SLAs will be met as agreed to in the customer contract. Specific capacity requirements can be negotiated and documented in Dedicated service delivery models.

IVS-04.2 Do you restrict use of the memory oversubscription capabilities present in the hypervisor?
x This is provided by IBM Cloud IaaS.

IVS-04.3 Do your system capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants?
x IBM Cloud Platform services project the anticipated capacity for the platform and ensure there is enough hardware, network, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits. This is also addressed when building out additional clients and services within IBM Watson services as needed.

IVS-04.4 Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the tenants?
x IBM Cloud Platform services project the anticipated capacity for the platform and ensure there is enough hardware, network, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits. This is also addressed when building out additional clients and services within IBM Watson services as needed.

Infrastructure & Virtualization Security: Vulnerability Management
IVS-05

Control specification: Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).

IVS-05.1 Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?
x The IBM Secure Engineering standard dictates that multiple scanning techniques be used against production systems. These include automated dynamic scans, manual penetration tests and threat modelling. These activities cover both the virtualization technologies and all virtual machines and containers deployed on them. The standards used are regularly evaluated and updated for inclusion or replacement. Vulnerability tools, processes and procedures are assessed and audited annually by internal and third-party auditors.

Infrastructure & Virtualization Security: Network Security
IVS-06

Control specification: Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and compensating controls.

IVS-06.1 For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
x IBM Watson services do not provide IaaS capabilities directly to clients. IBM Cloud manages the infrastructure entirely for IBM Watson services customers.

IVS-06.2 Do you regularly update network architecture diagrams that include data flows between security domains/zones?
x IBM Watson services architectures are reviewed as part of a threat modeling process, with procedures and exercises mandated prior to services going to general availability and again with major releases. These include documenting data flows and data maps.

IVS-06.3 Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?
x IBM Watson services conduct reviews of all firewalls on an annual basis.

IVS-06.4 Are all firewall access control lists documented with business justification?
x All changes to IBM firewalls must follow the change management process, which requires business justification and multiple levels of review and approval before deployment.

Infrastructure & Virtualization Security: OS Hardening and Base Controls
IVS-07

Control specification: Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.

IVS-07.1 Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?
x All host machines in IBM Watson services are deployed as standard builds which remove unnecessary ports, protocols, and services. Authenticated scanning is performed on all machines at least monthly to validate compliance with a set of hardening rules.
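IVS-07.1 describes authenticated scanning of every host against a set of hardening rules. The block below is an added example of that comparison, not IBM's build standard, scanner or data: the baseline per host role, the host list and the scan output are constructed for the example. It reports three kinds of drift a standard build is meant to rule out: a listener that is not in the baseline, an enabled service that is not approved, and a required control (logging here) that is absent.

```python
"""Hardening-baseline check over authenticated scan results.

Added example, not IBM's build standard or scanner. A standard build is
expected to expose only an approved set of listening ports and enabled
services, and to carry the supporting controls the control text names
(logging here). An authenticated scan reports what is actually present on
each host; the comparison below reports the drift. Baseline, host roles and
scan output are constructed for the example.
"""

# Constructed baseline per host role.
BASELINE = {
    "api-node": {
        "listen": {("tcp", 22), ("tcp", 443)},
        "services": {"sshd", "nginx", "rsyslog", "chronyd", "auditd"},
        "required": {"rsyslog", "auditd"},      # logging controls must be present
    },
}

# Constructed scan output, as an authenticated scan agent might report it.
SCAN_RESULTS = [
    {"host": "api-1", "role": "api-node",
     "listen": [("tcp", 22), ("tcp", 443), ("tcp", 8080)],
     "services": ["sshd", "nginx", "rsyslog", "chronyd", "telnet"]},
    {"host": "api-2", "role": "api-node",
     "listen": [("tcp", 22), ("tcp", 443)],
     "services": ["sshd", "nginx", "rsyslog", "chronyd", "auditd"]},
    {"host": "db-1", "role": "db-node",
     "listen": [("tcp", 22), ("tcp", 5432)],
     "services": ["sshd", "postgresql", "rsyslog", "auditd"]},
]


def check_host(result, baseline):
    """Return the list of baseline violations for one host (empty if compliant)."""
    rule = baseline.get(result["role"])
    if rule is None:
        # A host with no baseline cannot be validated; that is itself a finding.
        return [f"no baseline defined for role {result['role']}"]
    violations = []
    for proto, port in result["listen"]:
        if (proto, port) not in rule["listen"]:
            violations.append(f"unexpected listener {proto}/{port}")
    enabled = set(result["services"])
    for svc in sorted(enabled - rule["services"]):
        violations.append(f"unapproved service enabled: {svc}")
    for svc in sorted(rule["required"] - enabled):
        violations.append(f"required control missing: {svc}")
    return violations


def check_all(results, baseline):
    """Map each host name to its violations; hosts with [] are compliant."""
    return {r["host"]: check_host(r, baseline) for r in results}


if __name__ == "__main__":
    for host, issues in check_all(SCAN_RESULTS, BASELINE).items():
        print(host, "compliant" if not issues else "; ".join(issues))
```

The allowlist direction is deliberate: the baseline names what may be present, and anything else is a violation, so a new service or port added outside change management shows up without the rule set having to anticipate it. Treating a host with no baseline as non-compliant keeps unclassified hosts from silently passing.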

Infrastructure & Virtualization Security: Production / Non-Production Environments
IVS-08

Control specification: Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.

IVS-08.1 For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?
x Customers can choose to provision multiple instances of a service and implement access controls through the IBM Cloud Platform to support this process.

IVS-08.2 For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?
x IBM Watson services are SaaS; IBM manages the architecture exclusively.

IVS-08.3 Do you logically and physically segregate production and non-production environments?
x IBM Watson services have multiple non-production environments that support development and staging for both Public and Dedicated solutions. These environments are used to perform all pre-deployment testing before changes are pushed to production environments. The non-production environments are logically segregated from production environments.

Infrastructure & Virtualization Security: Segmentation
IVS-09

Control specification: Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations

IVS-09.1 Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
x All systems and resources are protected by at least one firewall.

IVS-09.2 Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory, and contractual requirements?
x All systems and resources are protected by at least one firewall.

IVS-09.3 Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?
x There are dedicated development, staging, and production cloud environments. Each environment contains at least one firewall to ensure isolation.

IVS-09.4 Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?
x All systems and resources are protected by at least one firewall.

Infrastructure & Virtualization Security: VM Security - Data Protection
IVS-10

Control specification: Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.

IVS-10.1 Are secured and encrypted communication channels used when migrating physical servers, applications, or data to virtual servers?
x Per IBM policy, data is encrypted in transit. IBM Watson services are built and deployed in virtualized environments.

IVS-10.2 Do you use a network segregated from production-level networks when migrating physical servers, applications, or data to virtual servers?
x There are dedicated development, staging, and production cloud environments. Each environment contains at least one firewall to ensure isolation.

Infrastructure & Virtualization Security: VMM Security - Hypervisor Hardening
IVS-11

Control specification: Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles).

IVS-11.1 Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?
x IBM Watson services privileged users request access to IBM Cloud environments, including administrative tools, hypervisors and virtual machines, via an IBM User Access Management tool. Approval is required from both the employee's manager and the system access owner. All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM, so that unauthorized access to data by IBM employees can be detected and acted on. All systems and resources are protected and isolated by at least one firewall. All access to administrative consoles, hypervisors and virtual machines is over TLS, and all IBM Cloud PaaS Platform data is encrypted in transit.

Infrastructure & Virtualization Security: Wireless Security
IVS-12

Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings)
• User access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

IVS-12.1 Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?
x The IBM Watson services team does not have access to physical Ethernet ports and does not have the ability to implement wireless in the environment. IBM IaaS does not permit the use of wireless networks, and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO 27001 and SOC reviews, and the results can be made available to customers upon request.

IVS-12.2 Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?
x IBM IaaS does not permit the use of wireless networks, and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO 27001 and SOC reviews, and the results can be made available to customers upon request.

IVS-12.3 Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?
x IBM IaaS does not permit the use of wireless networks, and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO 27001 and SOC reviews, and the results can be made available to customers upon request.

Infrastructure & Virtualization Security: Network Architecture
IVS-13

Control specification: Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.

IVS-13.1 Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?
x IBM Watson services network diagrams and threat models clearly document the boundaries of the different environments and systems, including the data flows across boundaries and the data stores.

IVS-13.2 Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
x At the IaaS layer a clean-pipe (traffic scrubbing) solution is implemented to ensure only appropriate traffic is passed through to the firewalls, which then pass the traffic to an application proxy that authenticates it before allowing it to reach any of the Watson services. IBM Watson services have implemented a DDoS (Distributed Denial of Service) mitigation solution.

Interoperability & Portability: APIs
IPY-01

Control specification: The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.

IPY-01.1 Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?
x A list of all available APIs is published within each service's description page. Additional details are available here: https://www.ibm.com/watson/products-services/

Interoperability & Portability: Data Request
IPY-02

Control specification: All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).

IPY-02.1 Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?
x Customers may elect to provide additional training information to customize their Watson service. This data is typically provided by the customer and is their responsibility to manage. Some services, such as Watson Knowledge Studio, do allow customers to export the customized training models they have created.

Interoperability&PortabilityPolicy&Legal

IPY-03 IPY-03.1 Policies,procedures,andmutually-agreeduponprovisionsand/ortermsshallbeestablishedtosatisfycustomer(tenant)requirementsforservice-to-serviceapplication(API)andinformationprocessinginteroperability,andportabilityforapplicationdevelopmentandinformationexchange,usage,andintegritypersistence.

Doyouprovidepoliciesandprocedures(i.e.servicelevelagreements)governingtheuseofAPIsforinteroperabilitybetweenyourserviceandthird-partyapplications?

x

PoliciesandproceduresareinplacegoverningtheuseofAPIsbetweenIBMWatsonservicesandthird-partyapplicationsaspartofthestandardcontractlanguage.

IPY-03.2 Doyouprovidepoliciesandprocedures(i.e.servicelevelagreements)governingthemigrationofapplicationdatatoandfromyourservice?

x

IBMWatsonservicescustomersareresponsibleforthedataincludinghowandwhenthatdataismigrated.Pleasechecktheservicedescriptionsforadditionaldetails.

Interoperability & Portability: Standardized Network Protocols

IPY-04 IPY-04.1 The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.

Can data import, data export, and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?

x

Per IBM policy, data is encrypted in transit.

IPY-04.2 Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved? x

Tenants can receive this data upon request. Please check the service descriptions for additional details.

Interoperability & Portability: Virtualization

IPY-05 IPY-05.1 The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks, available for customer review.

Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability?

x

IBM Watson services use industry standard virtualization formats and technologies to help ensure interoperability, such as Kubernetes, Docker containers, and VMware.

IPY-05.2 Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?

x

IBM Watson services IaaS does not have solution-specific virtualization hooks.

Mobile Security: Anti-Malware

MOS-01

MOS-01.1

Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.

Do you provide anti-malware training specific to mobile devices as part of your information security awareness training? x

The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. Anti-malware awareness training, specific to mobile devices, is included in that training.

Mobile Security: Application Stores

MOS-02

MOS-02.1

A documented list of approved application stores has been communicated as acceptable for mobile devices accessing or storing provider managed data.

Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?

x

A list of approved application stores is available and has been communicated to users.

Mobile Security: Approved Applications

MOS-03

MOS-03.1

The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.

Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device?

x

IBM Corporate Security mandates the installation of a Mobile Device Management client on all BYODs used for IBM business. That client ensures compliance with IBM Corporate security standards, including ensuring that only approved application stores can be used.

Mobile Security: Approved Software for BYOD

MOS-04

MOS-04.1

The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.

Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?

x

The IBM Corporate security policy clearly states which applications and application stores are approved. Mobile Device Management is in place to block risky extensions and plugins.

Mobile Security: Awareness and Training

MOS-05

MOS-05.1

The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and training program.

Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?

x

IBM Corporate security policies define these elements, which are enforced by a required mobile device management tool.

Mobile Security: Cloud Based Services

MOS-06

MOS-06.1

All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?

x

IBM Corporate security policy defines the pre-approved vendor(s) for cloud storage on mobile devices with regard to company business data.

Mobile Security: Compatibility

MOS-07

MOS-07.1

The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

Do you have a documented application validation process for testing device, operating system, and application compatibility issues? x

IBM Corporate security policies define these elements, which are enforced by a required mobile device management tool.

Mobile Security: Device Eligibility

MOS-08

MOS-08.1

The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.

Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage? x

IBM Corporate security policies define the eligibility requirements to allow for BYOD usage. BYOD is not permitted to connect to customer environments or to store customer data.

Mobile Security: Device Inventory

MOS-09

MOS-09.1

An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.

Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (e.g., operating system and patch levels, lost or decommissioned, device assignee)?

x

Mobile devices are not permitted to connect to customer environments or to store customer data. IBM Corporate retains control of inventories, forced patching, etc., of mobile devices.

Mobile Security: Device Management

MOS-10

MOS-10.1

A centralized mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.

Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?

x

Mobile devices are required to install a mobile device management tool. No mobile devices are permitted to store, transmit or process customer data.

Mobile Security: Encryption

MOS-11

MOS-11.1

The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices and shall be enforced through technology controls.

Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive, enforceable through technology controls for all mobile devices? x

IBM Corporate security policies require full device encryption on mobile devices as well as BYOD. Sensitive data is not permitted on mobile devices or on BYOD.

Mobile Security: Jailbreaking and Rooting

MOS-12

MOS-12.1

The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and is enforced through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).

Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?

x

Mobile devices are required to install a mobile device management tool. Jailbreaking or rooting is prevented and reported on.

MOS-12.2

Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? x

Mobile devices are required to install a mobile device management tool. Jailbreaking, rooting, or circumventing required controls is prevented and reported on.

Mobile Security: Legal

MOS-13

MOS-13.1

The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations over the loss of non-company data in the case that a wipe of the device is required.

Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery, and legal holds?

x

IBM Corporate Security Policies define these elements for BYOD.

MOS-13.2

Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? x

BYOD are required to install a mobile device management tool. Jailbreaking, rooting, or circumventing required controls is prevented and reported on.

Mobile Security: Lockout Screen

MOS-14

MOS-14.1

BYOD and/or company owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.

Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices?

x

Automatic lockouts are configured for BYOD and mobile devices.

Mobile Security: Operating Systems

MOS-15

MOS-15.1

Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.

Do you manage all changes to mobile device operating systems, patch levels, and applications via your company's change management processes? x

IBM Corporate retains control of inventories, forced patching, etc., of mobile devices. Changes are implemented per policy and with mobile device change management processes.

Mobile Security: Passwords

MOS-16

MOS-16.1

Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.

Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices?

x

All mobile devices and BYOD have required passwords.

MOS-16.2

Are your password policies enforced through technical controls (i.e. MDM)? x

Passwords are enforced through a mobile device management tool.

MOS-16.3

Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device?

x

Authentication requirements for passwords residing on the device, e.g., the screen PIN, can't be changed, and this is enforced by a mobile device management tool.

Mobile Security: Policy

MOS-17

MOS-17.1

The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).

Do you have a policy that requires BYOD users to perform backups of specified corporate data?

x

Data is stored on the cloud and enforced via a mobile device management solution where needed, thus the corporate data is backed up. There is no device resident data except for authentication keys.

MOS-17.2

Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores?

x

BYOD mobile devices are not permitted to use unapproved application stores.

MOS-17.3

Do you have a policy that requires BYOD users to use anti-malware software (where supported)?

x

Anti-malware is required on BYOD and enforced via management tools.

Mobile Security: Remote Wipe

MOS-18

MOS-18.1

All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.

Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?

x

All mobile devices have remote wipe configured through the required mobile device management tools.

MOS-18.2

Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?

x

All mobile devices have remote wipe configured through the required mobile device management tools.

Mobile Security: Security Patches

MOS-19

MOS-19.1

Mobile devices connecting to corporate networks or storing and accessing company information shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel shall be able to perform these updates remotely.

Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?

x

All mobile devices are configured to force installation of security patches deemed critical by the IBM Office of the CIO.

MOS-19.2

Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?

x

All mobile devices are configured to force installation of security patches deemed critical by the IBM Office of the CIO, through the Mobile Device Management tool.

Mobile Security: Users

MOS-20

MOS-20.1

The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.

Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?

x

The policy states mobile devices and BYOD systems are not permitted to access customer environments.

MOS-20.2

Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?

x

The policy states mobile devices and BYOD systems are not permitted to access customer environments. Users whose primary role is accessing or maintaining customer devices must use a company provided privileged workstation.

Security Incident Management, E-Discovery, & Cloud Forensics: Contact/Authority Maintenance

SEF-01

SEF-01.1

Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.

Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?

x

IBM Cybersecurity and IBM Legal maintain relationships with the proper local authorities.

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management

SEF-02

SEF-02.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.

Do you have a documented security incident response plan?

x

IBM Watson services have a security incident response plan which aligns with the IBM Cybersecurity Incident response process, and the IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security incident involving any IBM Watson or Customer system or data. https://www.ibm.com/security/secure-engineering/process.html https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/

SEF-02.2

Do you integrate customized tenant requirements into your security incident response plans?

x

The IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security incident involving any IBM or Customer system or data. One of their responsibilities is to engage with the customer and keep them informed on the investigation, findings and any root cause analysis actions.

SEF-02.3

Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?

x

Refer to Security Incident Response and Support in the 'Securing Workloads in IBM Cloud' whitepaper. https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/

SEF-02.4

Have you tested your security incident response plans in the last year?

x The Security incident response plan is reviewed and tested at least annually.

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Reporting

SEF-03

SEF-03.1

Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.

Does your security information and event management (SIEM) system merge data sources (e.g., app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

x

Security logs for all successful and failed login attempts and all critical operations in the IBM Watson services, including network devices and host machines, are logged to IBM QRadar SIEM. IBM QRadar SIEM is configured with a set of rules which trigger offences based on incoming events across all log sources. Those offences trigger PagerDuty alerts to the IBM SOC team on a 24x7 basis. Refer to the IBM Security Intelligence documentation for more details. https://www.ibm.com/security/security-intelligence/QRadar/

SEF-03.2

Does your logging and monitoring framework allow isolation of an incident to specific tenants?

x

For IBM Watson services dedicated environments, the potential incident activities are always attributed to a specific environment belonging to a customer. For Public, investigation of the incident may be required to determine which customer(s) was (were) impacted.

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Legal Preparation

SEF-04

SEF-04.1

Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

x

Specific details regarding chain of custody, forensics, and litigation holds are addressed by IBM Legal and the IBM Cybersecurity Incident Response Team (CSIRT).

SEF-04.2

Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?

x

This is available where technologically possible when it has been deemed necessary to collect and manage evidence.

SEF-04.3

Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?

x

This is available in both Premium and Dedicated delivery models.

SEF-04.4

Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? x

This is available in both Premium and Dedicated delivery models.

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Metrics

SEF-05

SEF-05.1

Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

Do you monitor and quantify the types, volumes, and impacts on all information security incidents? x

Security logs for all successful and failed login attempts and all critical operations in the IBM Watson services stack, including network devices and host machines, are logged to IBM QRadar SIEM. IBM QRadar SIEM provides reports on the types and volumes of all security events and all offences triggered based on QRadar rules. All security incidents triggering the IBM Watson services Security incident response plan have a root cause analysis which records impact and triggers actions to mitigate in future.

SEF-05.2

Will you share statistical information for security incident data with your tenants upon request?

x

Reports will be generated where technically possible upon request should a security incident occur.
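The SIEM pattern described in the SEF-03.1, SEF-03.2 and SEF-05.1 answers (merge several log sources, evaluate correlation rules that raise offences, attribute each offence to a tenant or environment, and count offences by type) can be shown end to end with a small correlation engine. This is an added illustration, not IBM's or QRadar's code; the line format, the two rules, their thresholds and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real IBM/QRadar data). Three log sources
# share one "ts source key=value ..." line format; "env" names the environment
# and public-environment events may or may not carry an explicit "tenant" tag.
SAMPLE_LOGS = [
    "2018-02-01T10:00:01Z app env=dedicated-acme user=alice src=203.0.113.7 login=FAIL",
    "2018-02-01T10:00:04Z app env=dedicated-acme user=alice src=203.0.113.7 login=FAIL",
    "2018-02-01T10:00:09Z fw env=dedicated-acme src=203.0.113.7 dst=10.0.0.5 action=DENY",
    "2018-02-01T10:00:12Z app env=dedicated-acme user=alice src=203.0.113.7 login=FAIL",
    "2018-02-01T10:00:20Z app env=dedicated-acme user=alice src=203.0.113.7 login=OK",
    "2018-02-01T10:05:00Z ids env=public src=198.51.100.9 sig=PORTSCAN",
    "2018-02-01T10:05:03Z fw env=public src=198.51.100.9 dst=10.0.1.8 action=DENY tenant=t-17",
    "2018-02-01T10:05:04Z fw env=public src=198.51.100.9 dst=10.0.1.9 action=DENY tenant=t-22",
    "2018-02-01T10:05:05Z fw env=public src=198.51.100.9 dst=10.0.1.10 action=DENY tenant=t-22",
    "2018-02-01T11:00:00Z app env=dedicated-acme user=bob src=192.0.2.4 login=OK",
    "this line is not parseable and must be counted, not silently lost",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>\S+=\S+(?:\s+\S+=\S+)*)$")
FAIL_THRESHOLD = 3             # failed logins before a following success is suspicious
WINDOW = timedelta(minutes=5)  # correlation window used by both rules


def parse_event(line):
    """Normalise one raw line from any source into a dict, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(kv.split("=", 1) for kv in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = m.group("source")
    return event


def make_offence(kind, src, related):
    """Build an offence record and attribute it to tenant(s) from the related events."""
    envs = sorted({e["env"] for e in related})
    # A dedicated environment maps 1:1 to a customer; in the public environment
    # only events carrying a tenant tag can be attributed directly.
    tenants = sorted({e["tenant"] for e in related if "tenant" in e}
                     | {e["env"] for e in related if e["env"].startswith("dedicated-")})
    direct = all(e["env"].startswith("dedicated-") or "tenant" in e for e in related)
    return {"type": kind, "src": src, "envs": envs, "tenants": tenants,
            "attribution": "direct" if direct else "needs_investigation"}


def rule_brute_force_then_success(events):
    """Offence when >= FAIL_THRESHOLD failed logins from one source IP are
    followed by a successful login from the same IP inside WINDOW."""
    offences, fails = [], defaultdict(list)  # src -> recent failed-login events
    for e in (e for e in events if e["source"] == "app"):
        if e["login"] == "FAIL":
            fails[e["src"]].append(e)
            continue
        recent = [f for f in fails[e["src"]] if e["ts"] - f["ts"] <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            offences.append(make_offence("brute_force_then_success", e["src"], recent + [e]))
        fails[e["src"]] = []  # a success closes the sequence either way
    return offences


def rule_scan_then_blocked_probes(events):
    """Offence when an IDS alert for a source IP is followed by >= 2 firewall
    denies from that IP inside WINDOW (IDS and firewall sources merged)."""
    offences = []
    for ids in (e for e in events if e["source"] == "ids"):
        denies = [e for e in events if e["source"] == "fw" and e["action"] == "DENY"
                  and e["src"] == ids["src"] and timedelta(0) <= e["ts"] - ids["ts"] <= WINDOW]
        if len(denies) >= 2:
            offences.append(make_offence("scan_then_blocked_probes", ids["src"], [ids] + denies))
    return offences


def run_siem(lines):
    """Merge all sources, evaluate the rules, and return (offences, metrics)."""
    parsed = [parse_event(line) for line in lines]
    events = sorted((e for e in parsed if e), key=lambda e: e["ts"])
    offences = rule_brute_force_then_success(events) + rule_scan_then_blocked_probes(events)
    metrics = defaultdict(int)
    for o in offences:
        metrics[o["type"]] += 1  # types and volumes of offences raised
    metrics["unparseable_lines"] = parsed.count(None)  # a parser gap is itself a finding
    return offences, dict(metrics)


if __name__ == "__main__":
    found, stats = run_siem(SAMPLE_LOGS)
    for offence in found:
        print(offence)
    print(stats)
```

The "needs_investigation" attribution on the public-environment offence is the situation SEF-03.2 describes, where the affected customer(s) must be worked out during the investigation rather than read off the event.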

Supply Chain Management, Transparency, and Accountability: Data Quality and Integrity

STA-01

STA-01.1

Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.

Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?

x

IBM Watson services customers are ultimately responsible for the data integrity of their workload. IBM Watson services compliance certifications demonstrate the controls are in place to provide a secure platform, including controls related to the supply chain.

STA-01.2

Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

x

Access management processes are in place to ensure only users with a business need have access and that appropriate roles have been defined to ensure the principle of least privilege.

Supply Chain Management, Transparency, and Accountability: Incident Reporting

STA-02

STA-02.1

The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).

Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

x

Customers will be notified via the IBM Cloud dashboard if an issue has been identified that requires action on their part. Depending on the severity of the incident, individual customers may be contacted directly. Customers may also subscribe to vulnerability notifications as described at https://www.ibm.com/security/secure-engineering/bulletins.html

Supply Chain Management, Transparency, and Accountability: Network/Infrastructure Services

STA-03

STA-03.1

Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.

Do you collect capacity and use data for all relevant components of your cloud service offering? x

IBM Cloud and the Watson services teams project the anticipated capacity for the platform and ensure there is enough hardware, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits.

STA-03.2

Do you provide tenants with capacity planning and use reports?

x

Usage reports of the IBM Watson services are available on the IBM Cloud console.

Supply Chain Management, Transparency, and Accountability: Provider Internal Assessments

STA-04

STA-04.1

The provider shall perform annual internal assessments of conformance and effectiveness of its policies, procedures, and supporting measures and metrics.

Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics? x

IBM has a mature Internal Audit & assessment program which performs audits & assessments at least annually.

Supply Chain Management, Transparency, and Accountability: Third Party Agreements

STA-05

STA-05.1

Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence

Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?

x

IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.

STA-05.2

Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?

x

IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.

STA-05.3

Does legal counsel review all third-party agreements? x

IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.

STA-05.4

Do third-party agreements include provision for the security and protection of information and assets?

x

IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.

STA-05.5

Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?

x

IBM maintains all required sub-processing agreements and makes them available as required to clients upon request.

Supply Chain Management, Transparency, and Accountability: Supply Chain Governance Reviews

STA-06

STA-06.1

Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.

Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain?

x

IBM has agreements with key third-party suppliers with defined expectations and implements relationship management tools where applicable with third-party suppliers. These management mechanisms include frequent validation that the supplier is meeting the expectations as defined in agreements. IBM supplier management processes are validated by external auditors as part of compliance with ISO 27001.

Supply Chain Management, Transparency, and Accountability: Supply Chain Metrics

STA-07

STA-07.1

Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.

Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants)?

x

IBM has agreements with key third-party suppliers with defined expectations and implements relationship management tools where applicable with third-party suppliers. These management mechanisms include frequent validation that the supplier is meeting the expectations as defined in agreements. IBM supplier management processes are validated by external auditors as part of compliance with ISO 27001.

STA-07.2

Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)?

x

This is addressed via contract language maintained and managed by IBM Legal and Procurement for maintenance of supplier relationships.

STA-07.3

Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships?

x

This is addressed via contract language maintained and managed by IBM Legal and Procurement for maintenance of supplier relationships.

STA-07.4

Do you review all agreements, policies, and processes at least annually?

x

IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.

SupplyChainManagement,Transparency,andAccountabilityThirdPartyAssessment

STA-08

STA-08.1

Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third-party providers upon which their information supply chain depends.

Do you assure reasonable information security across your information supply chain by performing an annual review?

x

External audit assurance reports are reviewed for key suppliers on at least an annual basis.

STA-08.2

Does your annual review include all partners/third-party providers upon which your information supply chain depends?

x

External audit assurance reports are reviewed for key suppliers on at least an annual basis.

Supply Chain Management, Transparency, and Accountability: Third Party Audits

STA-09

STA-09.1

Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.

Do you permit tenants to perform independent vulnerability assessments?

x

Penetration testing is allowed by IBM Watson services on their own Dedicated environments with approval of IBM Cloud CISO.

STA-09.2

Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

x

Penetration testing for IBM Watson services environments is performed on an annual basis using a 3rd party vendor.

Threat and Vulnerability Management: Antivirus/Malicious Software

TVM-01

TVM-01.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?

x

Antivirus/Antimalware protection is deployed on all Windows systems at the host level and logs are sent to IBM QRadar SIEM. Automated updates are in place for new malware or virus signatures.

TVM-01.2

Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components within industry accepted time frames?

x

Automated updates are in place for new malware or virus signatures.


Threat and Vulnerability Management: Vulnerability/Patch Management

TVM-02

TVM-02.1

Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and identified weaknesses, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.

Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?

x

Network scanning is conducted at a minimum on a monthly basis. Findings are reported on and managed through normal operational vulnerability and risk management processes and procedures.

TVM-02.2

Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?

x

The IBM Secure Engineering Standard mandates vulnerability assessment, which requires automated code and application scanning at least on a monthly basis. Dynamic and static code scanning is performed using IBM AppScan on a monthly basis or whenever there is a major change.

TVM-02.3

Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?

x

OS scanning is conducted at minimum once a month. Findings are reported on and managed through normal operational processes.

TVM-02.4

Will you make the results of vulnerability scans available to tenants at their request?

x

Customers of IBM Watson dedicated services can request a vulnerability assessment report for their environments.

TVM-02.5

Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

x

IBM Watson services automate rapid patching across the environment. This provides full visibility on what is patched, in addition to providing the automation to push out the patches to all machines across all Watson environments.

TVM-02.6

Will you provide your risk-based systems patching time frames to your tenants upon request?

x

Dedicated customers will be included in the change management process required to distribute patches within their environment.

Threat and Vulnerability Management: Mobile Code

TVM-03

TVM-03.1

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy?

x

IBM Watson services have a Change Control process to manage and track changes to any portion of the Watson infrastructure, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval, including component owners and management.

TVM-03.2

Is all unauthorized mobile code prevented from executing?

x

Within the IBM Watson services environment, all mobile code in the form of scripts or executables must be tested and approved for deployment. End users and consumers of Watson APIs should provide for their own unauthorized mobile code prevention solution, as that is not within scope for IBM Watson services on the IBM Cloud.

© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance "Consensus Assessments Initiative Questionnaire CAIQ Version 3.0.1" at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus Assessments Initiative Questionnaire v3.0.1 may be used solely for your personal, informational, non-commercial use; (b) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be modified or altered in any way; (c) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative Questionnaire v3.0.1 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Consensus Assessments Initiative Questionnaire 3.0.1 (2014). If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, [email protected].

