IBM® Watson® on the IBM® Cloud
CSA CAIQ V1.0 February 2018
Consensus Assessments Initiative Questionnaire v3.0.1 | IBM Watson on the IBM Cloud | February 2018
Introduction
IBM Watson on the IBM Cloud helps transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential within unstructured data. To provide a strong foundation for companies wanting to leverage Watson services, IBM uses best-in-class security and compliance processes that allow challenging workloads to be executed successfully.
The CAIQ was designed to address one of the leading concerns companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement for data protection and risk management, and how they implement them. This CAIQ document gives detailed responses to those questions for IBM Watson on the IBM Cloud and provides additional links, where applicable, on IBM and Watson security processes, procedures and/or technical controls.
IBM Watson services are ISO 27001, ISO 27017 and ISO 27018 compliant, and are rapidly evolving to support other types of regulated workloads. Compliance of Watson services is maintained through regular reviews by both IBM internal and third-party auditors.
Additional information on how Watson is securely deployed on the IBM Cloud can be found below:
• Watson Trust Center: https://ibm.biz/BdjD4r
• ISO 27001 certificate: https://ibm.biz/BdjWav
• ISO 27017 certificate: https://ibm.biz/BdjWam
• ISO 27018 certificate: https://ibm.biz/BdjWaK
• Full list of IBM products covered under ISO 27001: https://ibm.biz/BdjWab
• IBM Cloud Services data security and privacy principles: https://ibm.biz/Bdsm3x
• Additional details on IBM Cloud compliance: https://www.ibm.com/cloud/compliance
• How to secure your applications using Watson services: https://www.ibm.com/cloud/garage/content/architecture/securityArchitecture/overview
Column headings of the questionnaire: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / Not Applicable, marked with an x) | Watson Notes. Each entry below is laid out in that order, with the x mark shown as the Answer line.
Control Domain: Application & Interface Security
Control: Application Security (AIS-01)
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

AIS-01.1: Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: x
Watson Notes: Watson services on the IBM Cloud leverage the IBM Secure Engineering Standard, which is aligned with OWASP, to ensure security as part of our SDLC. Those standards include processes for secure coding, vulnerability assessment, penetration testing, education, processes for 3rd party code approval, and threat modelling. The standards used are regularly evaluated and updated for inclusion or replacement. See https://www.ibm.com/security/ Penetration testing is performed by both IBM and third parties and covers both external and internal testing of endpoints. Vulnerability assessment requires automated code and application scanning in addition to manual testing. Secure coding mandates manual review for security-related code and reviews against OWASP top ten attacks. Watson services have been certified by an independent auditor against the ISO 27001 certification standard.

AIS-01.2: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning and analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

AIS-01.3: Do you use manual source-code analysis to detect security defects in code prior to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning and analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

AIS-01.4: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: x
Watson Notes: Development work for IBM Watson on the IBM Cloud is not outsourced. For all 3rd party components used, e.g., libraries or open source code, the IBM Secure Engineering Standard prohibits their use unless approved by IBM's Open Source Software Process. That approval process includes technical, legal and marketing reviews.

AIS-01.5: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning and analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.
Control Domain: Application & Interface Security
Control: Customer Access Requirements (AIS-02)
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.

AIS-02.1: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: x
Watson Notes: IBM Watson services customers are ultimately responsible for the data integrity of their workload. IBM Watson compliance certifications demonstrate the controls in place to provide a secure platform. Additional information is available here: http://www.ibm.com/watson/watson-security.html

AIS-02.2: Are all requirements and trust levels for customers' access defined and documented?
Answer: x
Watson Notes: Requirements and trust levels for customer access are established contractually for each IBM Watson customer.
Control Domain: Application & Interface Security
Control: Data Integrity (AIS-03)
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.

AIS-03.1: Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: x
Watson Notes: IBM Watson services are only available through API calls; this significantly limits an attacker's ability to interact with and compromise a service. IBM Watson customers are ultimately responsible for the data integrity of their workload. ISO 27001 compliance demonstrates the controls IBM Watson has in place to safeguard against the unauthorized access, destruction, loss or alteration of data. Security testing occurs prior to production rollout to ensure inputs and outputs from the API are secure and meet design specifications.
Control Domain: Application & Interface Security
Control: Data Security / Integrity (AIS-04)
Control Specification: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

AIS-04.1: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: x
Watson Notes: The IBM Watson on the IBM Cloud Data Security Architecture is designed using industry standards and best practices aligned with the ISO 27001 and NIST frameworks.
Control Domain: Audit Assurance & Compliance
Control: Audit Planning (AAC-01)
Control Specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.

AAC-01.1: Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?
Answer: x
Watson Notes: IBM Watson services use external and internal auditors to conduct structured, industry standard audit assertions and reports. Extensive audit planning and preparation occurs for each audit. These are performed at a minimum annually. See http://www.ibm.com/watson/watson-security.html
Control Domain: Audit Assurance & Compliance
Control: Independent Audits (AAC-02)
Control Specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.

AAC-02.1: Do you allow tenants to view your SOC 2 / ISO 27001 or similar third-party auditor certification reports?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party audit attestation, certification and/or pen testing reports where a Non-Disclosure Agreement (NDA) is in place.

AAC-02.2: Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Penetration testing is performed by IBM teams against the IBM Watson services environments on at least a quarterly basis. This testing covers network and application level testing and includes testing for both SANS top 25 and OWASP top ten vulnerabilities. 3rd-party vendors (external) perform application and network penetration testing against the IBM Watson services production environments at least once annually. Those tests include both external testing against public endpoints and internal testing where the vendor is provided with access to the environment to test for any internal network vulnerabilities or weaknesses.

AAC-02.3: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Penetration testing is performed by IBM teams against the IBM Watson services environments on at least a quarterly basis. This testing covers network and application level testing and includes testing for both SANS top 25 and OWASP top ten vulnerabilities. 3rd-party vendors (external) perform application and network penetration testing against the IBM Watson services production environments at least once annually. Those tests include both external testing against public endpoints and internal testing where the vendor is provided with access to the environment to test for any internal network vulnerabilities or weaknesses.

AAC-02.4: Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Internal audits are routine and virtually continuous for IBM Watson on the IBM Cloud. These are initiated/conducted at least once each quarter.

AAC-02.5: Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: IBM Watson services, at a minimum, use external auditors annually to conduct ISO 27001 assessments and audits.

AAC-02.6: Are the results of the penetration tests available to tenants at their request?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party pen testing attestations and/or reports where a Non-Disclosure Agreement (NDA) is in place.

AAC-02.7: Are the results of internal and external audits available to tenants at their request?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party audit attestations to customers at their request. Executive level reports or details may be provided where a Non-Disclosure Agreement (NDA) is in place.

AAC-02.8: Do you have an internal audit program that allows for cross-functional audit of assessments?
Answer: x
Watson Notes: IBM Watson services use multiple internal entities to conduct cross-functional audit assessments. IBM has a robust internal audit organization utilizing mature processes that have been developed and refined to ensure alignment of all business units and internal organizations to corporate standards.
Control Domain: Audit Assurance & Compliance
Control: Information System Regulatory Mapping (AAC-03)
Control Specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.

AAC-03.1: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Answer: x
Watson Notes: Data at rest and in transit is encrypted. Access control technologies are leveraged in all IBM Watson services delivery models to ensure customers can only access their own data and workloads. Additional layers of logical segmentation are available in the Premium and Dedicated delivery models of Watson services.

AAC-03.2: Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
Answer: x
Watson Notes: IBM Watson services customers are ultimately responsible for their data and the integrity of any workloads communicating with Watson via API. Most IBM Watson Cloud Platform Services are stateless, whereby client-specific data does not persist.

AAC-03.3: Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Answer: x
Watson Notes: IBM Watson services provide customers with options to deploy their applications and data in different regions. The data will reside in the region defined in the original solution design and specified in the services contract unless the customer elects to move it themselves.

AAC-03.4: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: x
Watson Notes: IBM Watson services management and compliance teams regularly survey changes in the regulatory environment. The IBM Legal Department also monitors regulatory requirements for their impact upon IBM security programs. Customers are ultimately responsible for their own compliance and for tracking any changes to their regulatory requirements.
Control Domain: Business Continuity Management & Operational Resilience
Control: Business Continuity Planning (BCR-01)
Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation

BCR-01.1: Do you provide tenants with geographically resilient hosting options?
Answer: x
Watson Notes: IBM Watson services encourage customers to take advantage of our global deployment model to accomplish geographic resiliency.

BCR-01.2: Do you provide tenants with infrastructure service failover capability to other providers?
Answer: x
Watson Notes: IBM Watson services are designed, implemented and configured utilizing HA and are exclusively hosted by IBM.
Control Domain: Business Continuity Management & Operational Resilience
Control: Business Continuity Testing (BCR-02)
Control Specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenants) and other business relationships that represent critical intra-supply chain business process dependencies.

BCR-02.1: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: x
Watson Notes: Business continuity plans are regularly tested, at minimum on an annual basis. The related controls have been verified by an external auditor as part of the IBM Watson services ISO 27001 certification.
Control Domain: Business Continuity Management & Operational Resilience
Control: Power / Telecommunications (BCR-03)
Control Specification: Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.

BCR-03.1: Do you provide tenants with documentation showing the transport route of their data between your systems?
Answer: x
Watson Notes: IBM Watson services provide customers the option to deploy their applications and data in different regions. For stateful services or specific customer workloads, the data remains in that region unless the customer moves it. Customers have different options for how they connect to their IBM Watson services, e.g. over the public network or over a dedicated VPN to a dedicated instance.

BCR-03.2: Can tenants define how their data is transported and through which legal jurisdictions?
Answer: x
Watson Notes: Direct internet connectivity is the preferred solution, but other options are available for dedicated customers. All traffic in transit to IBM Watson services is encrypted.
Control Domain: Business Continuity Management & Operational Resilience
Control: Documentation (BCR-04)
Control Specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features

BCR-04.1: Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?
Answer: x
Watson Notes: IBM Watson services provide robust documentation within each service description to assist customers with properly configuring and using the services. IBM Watson services have extensive documentation on the information system; this documentation is available to authorized IBM personnel. This information may also be distributed through training where applicable.
Control Domain: Business Continuity Management & Operational Resilience
Control: Environmental Risks (BCR-05)
Control Specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.

BCR-05.1: Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?
Answer: x
Watson Notes: IBM Watson services are hosted in IBM data centers where physical and environmental protection controls are in place. The data center security controls have been designed and implemented based on NIST SP 800-53, ISO 27001 and other industry standard requirements. These controls are validated frequently, at a minimum annually, by both internal audits and external auditors as part of the SOC and ISO 27001 compliance programs.
Control Domain: Business Continuity Management & Operational Resilience
Control: Equipment Location (BCR-06)
Control Specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.

BCR-06.1: Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
Answer: x
Watson Notes: IBM Watson services are hosted in IBM data centers where physical and environmental protection controls are in place. The data center security controls have been designed and implemented based on NIST SP 800-53, ISO 27001 and other industry standard requirements. These controls are validated frequently, at a minimum annually, by both internal audits and external auditors as part of the SOC and ISO 27001 compliance programs.
Control Domain: Business Continuity Management & Operational Resilience
Control: Equipment Maintenance (BCR-07)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.

BCR-07.1: If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers. Specific hardware restore and recovery options are transparent to customers of IBM Watson services, as these are provided at the underlying IaaS layer.

BCR-07.2: If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
Answer: x
Watson Notes: This can be available in the IBM Watson services dedicated delivery model.

BCR-07.3: If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

BCR-07.4: If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

BCR-07.5: Does your cloud solution include software/provider independent restore and recovery capabilities?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.
Control Domain: Business Continuity Management & Operational Resilience
Control: Equipment Power Failures (BCR-08)
Control Specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.

BCR-08.1: Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?
Answer: x
Watson Notes: IBM Data Center Physical and Environmental Protection controls are in place in all data centers. These controls are maintained through frequent internal audits and are validated by external auditors through assessments including but not limited to FedRAMP, ISO 27001, SOC, PCI, and HIPAA. IBM Data Center SOC reports provide additional insight into the security mechanisms implemented to protect against outages. The SOC 3 report is available to customers and prospective customers here: https://www.ibm.com/cloud-computing/bluemix/sites/default/files/assets/docs/SoftLayer%20SOC%203%201H%202017%20Report_FINAL%20%281%29_0.pdf The SOC 2 report is available to customers and can be requested via the customer portal or by contacting their sales team.
Control Domain: Business Continuity Management & Operational Resilience
Control: Impact Analysis (BCR-09)
Control Specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption

BCR-09.1: Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

BCR-09.2: Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

BCR-09.3: Do you provide customers with ongoing visibility and reporting of your SLA performance?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net
Control Domain: Business Continuity Management & Operational Resilience
Control: Policy (BCR-10)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

BCR-10.1: Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Answer: x
Watson Notes: IBM Watson services follow IBM Core Security Practices covering Systems, Networking and Secure Engineering best practices. Security readiness focal points are assigned for each Platform component and service and are responsible for driving conformance to those security policies. All IBM employees are required to take security related education annually.
Control Domain: Business Continuity Management & Operational Resilience
Control: Retention Policy (BCR-11)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.

BCR-11.1: Do you have technical control capabilities to enforce tenant data retention policies?
Answer: x
Watson Notes: Specific data retention configuration options are available to customers utilizing dedicated IBM Watson services.

BCR-11.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Answer: x
Watson Notes: IBM Watson services do not share customer data unless subject to disclosure to government agencies pursuant to judicial proceeding, court order, or legal process. For more details on privacy and trust, refer to http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp, https://www.ibm.com/cloud-computing/bluemix/security-privacy#privacy, https://www-01.ibm.com/software/info/product-privacy/

BCR-11.4: Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Answer: x
Watson Notes: IBM Watson services are designed with High Availability as a key requirement. The services are deployed with redundancy as part of the design. Data retention policies and procedures are defined and maintained in accordance with the applicable regulatory and compliance standard.

BCR-11.5: Do you test your backup or redundancy mechanisms at least annually?
Answer: x
Watson Notes: IBM Watson services are designed, implemented and configured utilizing High Availability (HA) and are exclusively hosted by IBM. Business continuity plans are regularly tested, at minimum on an annual basis. The related controls have been verified by an external auditor as part of the IBM Watson services ISO 27001 certification. Data backup is a customer-retained responsibility.
Control Domain: Change Control & Configuration Management
Control: New Development / Acquisition (CCC-01)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.

CCC-01.1: Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?
Answer: x
Watson Notes: IBM Watson services have a Change Control process to manage and track changes to any portion of the system, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval, including component owners and management. The IBM Secure Engineering standard provides policies on the development, reviewing and scanning of code, applications and systems prior to deployment, including any changes triggered via acquisition. All deployments are controlled via the IBM Change Management Policy and associated procedures. https://www.ibm.com/security/secure-engineering/

CCC-01.2: Is documentation available that describes the installation, configuration, and use of products/services/features?
Answer: x
Watson Notes: Extensive documentation is available in the form of product documentation, whitepapers, tutorials and videos in IBM Cloud Docs and via the IBM developerWorks and IBM Cloud Garage sites. https://console.bluemix.net/docs/ https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/ https://www.ibm.com/cloud-computing/bluemix/garage
Control Domain: Change Control & Configuration Management
Control: Outsourced Development (CCC-02)
Control Specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).

CCC-02.1: Do you have controls in place to ensure that standards of quality are being met for all software development?
Answer: x
Watson Notes: Development work for the IBM Watson services is not outsourced. The IBM Secure Engineering Standard prohibits the use of any 3rd party component, e.g., libraries or open source code, unless approved by IBM's Open Source Software Process. That approval process includes technical, legal and marketing reviews.

CCC-02.2: Do you have controls in place to detect source code security defects for any outsourced software development activities?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning and analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques. These tests occur on all code that makes up IBM Watson services.
Control Domain: Change Control & Configuration Management
Control: Quality Testing (CCC-03)
Control Specification: Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.

CCC-03.1: Do you provide your tenants with documentation that describes your quality assurance process?
Answer: x
Watson Notes: The IBM Secure Engineering standard provides policies on the development, reviewing and scanning of code, applications and systems prior to deployment, including any changes triggered via acquisition. The goal of the secure engineering standard is to assure quality and minimize risks to deployed systems. It enforces security education for all IBM staff, with more specific security education based on role, and mandates the use of threat modelling for all deployments, which includes a risk assessment phase. Additional details are available here: https://www.ibm.com/security/secure-engineering/ IBM Watson services are ISO 27001 certified by external auditors. This certification is available to customers and has several control points which focus on quality assurance and risk assessment methodology.

CCC-03.2: Is documentation describing known issues with certain products/services available?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status

CCC-03.3: Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://www.ibm.com/security/secure-engineering/process.html

CCC-03.4: Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
Answer: x
Watson Notes: The IBM Secure Engineering standard dictates that code reviews must be performed against a secure coding review checklist, which includes checks to remove any debug code.
Control Domain: Change Control & Configuration Management
Control: Unauthorized Software Installations (CCC-04)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

CCC-04.1: Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?
Answer: x
Watson Notes: IBM Watson services have a Change Control process to manage and track changes to any portion of the system, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval, including component owners and management. For customer dedicated clouds, changes will only be made during an agreed change window or with the explicit approval of the customer, and no changes are made without informing the customer in advance.
Control Domain: Change Control & Configuration Management
Control: Production Changes (CCC-05)
Control Specification: Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.

CCC-05.1: Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?
Answer: x
Watson Notes: IBM Watson services are ISO 27001 certified, and this includes review of controls on change management. Reports can be made available to customers on request. For customer dedicated clouds, changes will only be made during an agreed change window or with the explicit approval of the customer, and no changes are made without informing the customer in advance.
Data Security & Information Lifecycle Management: Classification
DSI-01
DSI-01.1
Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
x
IBM Watson services leverage namespaces, tags &/or labeling methodologies/technologies for identification of customer environments and workloads.
DSI-01.2
Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
x
Specific hardware and virtual machines are assigned to customers pursuant to their contracted specifications. This capability is provided to IBM Watson services and support teams but is transparent to the customer.
DSI-01.3
Do you have a capability to use system geographic location as an authentication factor?
x
In dedicated IBM Watson services, customers can authenticate their own users via SSO and can utilize geography-based authentication factors.
DSI-01.4
Can you provide the physical location/geography of storage of a tenant's data upon request?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it.
DSI-01.5
Can you provide the physical location/geography of storage of a tenant's data in advance?
x
IBM Watson services provide customers with options to select which region instances of Watson services are deployed in. Data stored as part of the service remains in that region unless the customer moves it.
DSI-01.6
Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?
x
IBM Watson services leverage namespaces, tags &/or labeling methodologies/technologies for identification of customer environments and workloads. Customers are ultimately responsible for classifying & managing their data.
DSI-01.7
Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
x
IBM Watson services provide customers with options to select which region instances of Watson services are deployed in. Data stored as part of the service remains in that region unless the customer moves it.
Data Security & Information Lifecycle Management: Data Inventory/Flows
DSI-02
DSI-02.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
x
IBM Watson services utilize an extensive and detailed threat modeling process where all data flows are documented prior to major releases.
DSI-02.2
Can you ensure that data does not migrate beyond a defined geographical residency?
x
IBM Watson services provide customers with options to select which region instances of Watson services are deployed in. Data stored as part of the service remains in that region unless the customer moves it.
Data Security & Information Lifecycle Management: E-commerce Transactions
DSI-03
DSI-03.1
Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
Do you provide open encryption methodologies (3.4ES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
x
IBM Watson services leverage open encryption methodologies. Data in motion and at rest is encrypted using AES encryption. Data in motion is transmitted using TLS 1.2.
DSI-03.2
Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
x
Within IBM Watson services, all data transmitted over public networks will be encrypted per IBM policy. See http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf
Data Security & Information Lifecycle Management: Handling/Labeling/Security Policy
DSI-04
DSI-04.1
Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Are policies and procedures established for labeling, handling and the security of data and objects that contain data?
x
IBM Watson services follow IBM Corporate Standards which dictate a labeling and handling scheme for all assets containing IBM and customer owned data.
DSI-04.2
Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
x
All customer data is considered confidential and requires data to be encrypted at rest and in motion.
Data Security & Information Lifecycle Management: Nonproduction Data
DSI-05
DSI-05.1
Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
x
IBM Watson services have processes & procedures to afford segregated development, staging and production environments. These are deployed in different VLANs in different IaaS accounts. Each customer environment is considered to be a production environment by IBM, though the customer may have multiple environments for their purposes as well. IBM Cloud provides customers with the ability to promote Watson service instances into production and non-production spaces. It is the customer's responsibility to restrict the movement of workload between their environments and ensure production data is not replicated to non-production environments. See https://www.ibm.com/developerworks/cloud/library/cl-intro4-app/index.html
Data Security & Information Lifecycle Management: Ownership/Stewardship
DSI-06
DSI-06.1
All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?
x
IBM Watson services support staff follow IBM Corporate Standards which dictate a labeling and handling scheme for all IBM and customer owned data. IBM Watson service customers are responsible for managing and labelling their own data within the Watson service.
Data Security & Information Lifecycle Management: Secure Disposal
DSI-07
DSI-07.1
Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
x
IBM Watson services employ a decommissioning and reclaim process for all hardware being reclaimed. The reclaimed drive is wiped using the DOD 5220.22-M algorithms. If a device is determined to be end of life, the hardware is wiped using the same method described above and then the device is physically crushed on site. These measures are taken to protect customers' data. See http://blog.softlayer.com/tag/disposal
DSI-07.2
Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
x
Specific Data Sanitization options are available for customers using dedicated versions of the IBM Watson services and will be defined as part of the contractual process.
Datacenter Security: Asset Management
DCS-01
DCS-01.1
Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?
x
IBM Watson services record all physical and virtual assets in an IBM asset inventory system that captures details including asset owner, classes of data managed, locations of hosting infrastructure and contact details. The asset inventory process has been assessed by external auditors as part of ISO 27001.
DCS-01.2
Do you maintain a complete inventory of all of your critical supplier relationships?
x
IBM Watson services document critical suppliers, along with appropriate contact information.
Datacenter Security: Controlled Access Points
DCS-02
DCS-02.1
Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?
x
IBM Datacenters are secured, with server-room access limited to certified employees. Physical security perimeters can include, but are not limited to, fences, walls, barriers, security guards, gates, electronic surveillance, video surveillance, physical authentication mechanisms, reception desks, and security patrols. The controls have been certified by an external auditor. See NIST 800-53 PE and ISO 27001 A.11 for the relevant controls: https://www.ibm.com/cloud-computing/bluemix/compliance. See https://www.ibm.com/cloud-computing/bluemix/data-centers for more details on IBM Datacenter security.
Datacenter Security: Equipment Identification
DCS-03
DCS-03.1
Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?
x
IBM Watson services manage all assets following an IBM asset inventory process and this has been assessed by external auditors as part of ISO 27001 compliance. See https://console.bluemix.net/docs/security/compliance.html#compliance
Datacenter Security: Offsite Authorization
DCS-04
DCS-04.1
Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, and replication)?
x
IBM Watson services provide customers with options to deploy their services and data in different regions. That data remains in that region unless the customer moves it.
Datacenter Security: Offsite Equipment
DCS-05
DCS-05.1
Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.
Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?
x
IBM Watson services leverage an IBM Cloud decommissioning and reclaim process for all hardware or software being reclaimed or determined to be end of life. Reclaimed hard drives are wiped using the DOD 5220.22-M algorithms. If a device is determined to be end of life, the hardware is wiped using the same method described above and then the device is physically crushed on site. These measures are taken to protect customers' data. IBM's asset management and repurposing processes are validated frequently by external auditors through assessments including, but not limited to, ISO 27001/17/18, SOC, and HIPAA.
Datacenter Security: Policy
DCS-06
DCS-06.1
Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?
x
IBM Watson services engage third party auditors to validate our compliance with many different frameworks including, but not limited to, ISO 27001. The additional layers of the cloud underlying IBM Watson services also go through extensive third-party audits throughout each year. These include, but are not limited to, ISO 27001/17/18, SOC, and HIPAA.
DCS-06.2
Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?
x
IBM Watson service employees complete annual required IBM security awareness training which includes training on policies, standards &/or procedures. Security awareness training is included as part of external and internal audits for verification & validation.
Datacenter Security: Secure Area Authorization
DCS-07
DCS-07.1
Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it. This is performed during the ordering & contract negotiation process.
Datacenter Security: Unauthorized Persons Entry
DCS-08
DCS-08.1
Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?
x
IBM Data Center physical security is controlled at many levels, such as the perimeter and building entrances. Physical security controls include, but are not limited to, professional security staff, 24/7 video surveillance and security checkpoints. All physical access points to the data halls are recorded and monitored by onsite security; only authorized staff have the ability to access the data halls, and they must authenticate a minimum of 2 times. Physical security is reviewed by periodic internal and external audits. See https://www.ibm.com/cloud-computing/bluemix/compliance
Datacenter Security: User Access
DCS-09
DCS-09.1
Physical access to information assets and functions by users and support personnel shall be restricted.
Do you restrict physical access to information assets and functions by users and support personnel?
x
IBM Data Center physical security is controlled at many levels, such as the perimeter and building entrances. Physical security controls include, but are not limited to, professional security staff, 24/7 video surveillance and security checkpoints. All physical access points to the data halls are recorded and monitored by onsite security; only authorized staff have the ability to access the data halls, and they must authenticate a minimum of 2 times. Physical security is reviewed by periodic internal and external audits. See https://www.ibm.com/cloud-computing/bluemix/compliance
Encryption & Key Management: Entitlement
EKM-01
EKM-01.1
Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
Do you have key management policies binding keys to identifiable owners?
x
IBM has defined a Key Management policy to support encryption of data at rest and in transit for all Watson platform components. Encryption is managed at the disk level and keys are not tied to clients.
Encryption & Key Management: Key Generation
EKM-02
EKM-02.1
Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
Do you have a capability to allow creation of unique encryption keys per tenant?
x
This is available for customers using IBM Watson services dedicated service delivery models.
EKM-02.2
Do you have a capability to manage encryption keys on behalf of tenants?
x
Encryption keys on the backend of the IBM Watson services are managed & maintained by IBM.
EKM-02.3
Do you maintain key management procedures?
x
IBM Watson services have a robust Key Management solution to ensure security throughout the key lifecycle, including key access, strength, rotation, & revocability. Key management procedures are in the process of being documented.
EKM-02.4
Do you have documented ownership for each stage of the lifecycle of encryption keys?
x
IBM Watson services have a robust Key Management solution to ensure security throughout the key lifecycle, including key ownership at each stage of the lifecycle.
EKM-02.5
Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?
x
IBM Watson services have implemented a robust Key Management solution that leverages open source, 3rd party & proprietary components.
Encryption & Key Management: Encryption
EKM-03
EKM-03.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
Do you encrypt tenant data at rest (on disk/storage) within your environment?
x
IBM Watson services encrypt data with AES & TLS 1.2 encryption technologies.
EKM-03.2
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
x
IBM Watson services encrypt data with AES & TLS 1.2 encryption technologies.
EKM-03.3
Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)?
x
IBM recognizes that Bring Your Own Key (BYOK) is important for some customers and will work with them to determine a mutually agreeable solution.
EKM-03.4
Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?
x
This is included as part of the Data Security and Privacy Principles that are included as standard contract language. Documentation is available here: http://www.ibm.com/cloud/data-security & https://www-05.ibm.com/support/operations/files/pdf/csa_us.pdf
Encryption & Key Management: Storage and Access
EKM-04
EKM-04.1
Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?
x
All encryption algorithms in use are open/validated formats and follow NIST SP 800-57 Part 1 standards. Ciphers and protocols are reviewed on at least an annual basis and updated accordingly. By default, all connections start at TLS 1.2 and data at rest is AES-128 or better.
EKM-04.2
Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
x
IBM Watson keys are owned and managed by IBM Watson.
EKM-04.3
Do you store encryption keys in the cloud?
x
Yes, keys are stored within the IBM Cloud environment.
EKM-04.4
Do you have separate key management and key usage duties?
x
IBM recognizes that Bring Your Own Key (BYOK) is important for some customers and will work with them to determine a mutually agreeable solution.
GovernanceandRiskManagement
GRM-01
GRM-01.1
Baselinesecurityrequirementsshallbeestablishedfordevelopedor
Doyouhavedocumentedinformationsecuritybaselinesforeverycomponentofyourinfrastructure(e.g.,hypervisors,
x
IBMmaintainssystembaselinesforallcriticalcomponentsandthishadbeenverifiedbyanindependentauditoraspartofISO27001certification.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
24
BaselineRequirements
acquired,organizationally-ownedormanaged,physicalorvirtual,applicationsandinfrastructuresystem,andnetworkcomponentsthatcomplywithapplicablelegal,statutory,andregulatorycomplianceobligations.Deviationsfromstandardbaselineconfigurationsmustbeauthorizedfollowingchangemanagementpoliciesandprocedurespriortodeployment,provisioning,oruse.Compliancewithsecuritybaselinerequirementsmustbereassessedatleastannuallyunlessanalternatefrequencyhasbeenestablishedandauthorizedbasedonbusinessneeds.
operatingsystems,routers,DNSservers,etc.)?
GRM-01.2
Doyouhavethecapabilitytocontinuouslymonitorandreportthecomplianceofyourinfrastructureagainstyourinformationsecuritybaselines?
x
EndpointsareroutinelymonitoredattheOSleveltoensurecompliancewithasetofsecuritystandards.ThosesecuritystandardsfollowtheIBMsecuritypoliciesandchecklistswhichinturnalignwithISO27001standards.
GRM-01.3
Doyouallowyourclientstoprovidetheirowntrustedvirtualmachineimagetoensureconformancetotheirowninternalstandards?
x
IBMWatsonservicesareonlyavailableasaserviceprovidedbyIBM.
GovernanceandRiskManagementRiskAssessments
GRM-02
GRM-02.1
Riskassessmentsassociatedwithdatagovernancerequirementsshallbeconductedatplannedintervalsandshallconsiderthefollowing:•Awarenessofwheresensitivedata
DoyouprovidesecuritycontrolhealthdatainordertoallowtenantstoimplementindustrystandardContinuousMonitoring(whichallowscontinualtenantvalidationofyourphysicalandlogicalcontrolstatus)?
x
SecuritylogsarecreatedforallcriticaloperationsinIBMWatsonservicese.g.authentication,privilegedoperations,etc.TheseareavailableonrequesttoWatsondedicatedcustomersfortheirenvironment.ISO27001reportsareavailableonrequestanddemonstratetheuseofsecuritycontrolsinIBMWatsonservices.CustomersmayleveragetheIBMCloudConsoletomonitorforhealthofservices.https://console.bluemix.net/status
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
25
GRM-02.2
isstoredandtransmittedacrossapplications,databases,servers,andnetworkinfrastructure•Compliancewithdefinedretentionperiodsandend-of-lifedisposalrequirements•Dataclassificationandprotectionfromunauthorizeduse,access,loss,destruction,andfalsification
Doyouconductriskassessmentsassociatedwithdatagovernancerequirementsatleastonceayear?
x
IBMWatsonservicesareISO27001certifiedbyexternalauditors.PartofthecertificationrequiresanISMS(InformationandSecurityManagementSystem)andriskmanagementprocessbeinplaceandapprovedbyIBMseniormanagement.Additionally,regularpenetrationtestingisperformedbybothIBMinternalandexternalteamsaswellasregularnetworkandapplicationscanning.IBMSecureEngineeringstandardrequiresthatthreatmodellingbecarriedoutonatleastanannualbasisandpartofthatmethodologyisriskassessment.Seehttps://www.ibm.com/security/secure-engineering/
GovernanceandRiskManagementManagementOversight
GRM-03
GRM-03.1
Managersareresponsibleformaintainingawarenessof,andcomplyingwith,securitypolicies,procedures,andstandardsthatarerelevanttotheirareaofresponsibility.
Areyourtechnical,business,andexecutivemanagersresponsibleformaintainingawarenessofandcompliancewithsecuritypolicies,procedures,andstandardsforboththemselvesandtheiremployeesastheypertaintothemanagerandemployees'areaofresponsibility?
x
IBMSecuritystandardsrequiremanagerstoownthesecurityandrisksfortheirservices,eachmustappointasecurityfocaltomanagesecurityandcomplianceforallaspectsoftheservice.IBMSecureEngineeringstandardrequiresallemployeestotakesecurityeducationonanannualbasis.ThisareaisreviewedannuallyaspartoftheIS027001certificationforIBMWatsonservices.
GovernanceandRiskManagementManagementProgram
GRM-04
GRM-04.1
AnInformationSecurityManagementProgram(ISMP)shallbedeveloped,documented,approved,andimplementedthatincludesadministrative,technical,andphysicalsafeguardstoprotectassetsanddatafromloss,misuse,unauthorizedaccess,disclosure,alteration,anddestruction.Thesecurityprogramshallinclude,butnot
DoyouprovidetenantswithdocumentationdescribingyourInformationSecurityManagementProgram(ISMP)?
x
IBMWatsonservicesareISO27001certifiedbyexternalauditorsandavailableforreviewbycustomers.ISO27001isfocusedonsecuritymanagementprocessesandvalidatesthatIBMWatsonservicessecurityprocessesconformtotheISO27001controlstandards.IBMSecurityPrinciplesareavailablehere:http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf
GRM-04.2
DoyoureviewyourInformationSecurityManagementProgram(ISMP)atleastonceayear?
x
IBMISMS&itsspecificationinregardtoIBMWatsonservicesarereviewedatleastannually.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
26
belimitedto,thefollowingareasinsofarastheyrelatetothecharacteristicsofthebusiness:•Riskmanagement•Securitypolicy•Organizationofinformationsecurity•Assetmanagement•Humanresourcessecurity•Physicalandenvironmentalsecurity•Communicationsandoperationsmanagement•Accesscontrol•Informationsystemsacquisition,development,andmaintenance
GovernanceandRiskManagementManagementSupport/Involvement
GRM-05
GRM-05.1
Executiveandlinemanagementshalltakeformalactiontosupportinformationsecuritythroughclearly-documenteddirectionandcommitment,andshallensuretheactionhasbeenassigned.
Doyouensureyourprovidersadheretoyourinformationsecurityandprivacypolicies?
x
IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.AspartofISO27001certification,controlsandpoliciesforserviceprovidersarereviewed.
GovernanceandRiskManagementPolicy
GRM-06
GRM-06.1
Informationsecuritypoliciesandproceduresshallbeestablishedandmadereadilyavailableforreviewbyallimpactedpersonnelandexternalbusinessrelationships.Informationsecuritypoliciesmustbeauthorizedbythe
Doyourinformationsecurityandprivacypoliciesalignwithindustrystandards(ISO-27001,ISO-22307,CoBIT,etc.)?
x
IBMinformationsecurityandprivacypoliciesarebasedon&alignwithindustrystandardssuchasNIST800-53andISO27001.IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.
GRM-06.2
Doyouhaveagreementstoensureyourprovidersadheretoyourinformationsecurityandprivacypolicies?
x
Agreementsareinplacetoverifyandmonitorsuppliercompliancewithindustrystandards.IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.AspartofISO27001certification,controlsandpoliciesforengagingwithserviceprovidersarereviewed.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
27
GRM-06.3
organization'sbusinessleadership(orotheraccountablebusinessroleorfunction)andsupportedbyastrategicbusinessplanandaninformationsecuritymanagementprograminclusiveofdefinedinformationsecurityrolesandresponsibilitiesforbusinessleadership.
Canyouprovideevidenceofduediligencemappingofyourcontrols,architecture,andprocessestoregulationsand/orstandards?
x
ThiseffortwiththeCSACAIQreflectsamappingtoregulationsandstandards.IBMWatsonservicesareISO27001certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.AspartofISO27001certification,controlsandpoliciesforengagingwithserviceprovidersarereviewed.
GRM-06.4
Doyoudisclosewhichcontrols,standards,certifications,and/orregulationsyoucomplywith? x
ThiseffortwiththeCSACAIQreflectsamappingtoregulationsandstandards.IBMWatsonservicesareISO27001/17/18certifiedbyexternalauditorswiththatcertificationbeingavailabletocustomers.Foradditionaldetailsrefertohttps://www.ibm.com/watson/watson-security.html
GovernanceandRiskManagementPolicyEnforcement
GRM-07
GRM-07.1
Aformaldisciplinaryorsanctionpolicyshallbeestablishedforemployeeswhohaveviolatedsecuritypoliciesandprocedures.Employeesshallbemadeawareofwhatactionmightbetakenintheeventofaviolation,anddisciplinarymeasuresmustbestatedinthepoliciesandprocedures.
Isaformaldisciplinaryorsanctionpolicyestablishedforemployeeswhohaveviolatedsecuritypoliciesandprocedures?
x
Yes,thisisestablishedbyIBMCorporateHRpolicies,standards,training,andprocesses&adheredtowithinIBMWatsonservicesontheIBMCloud.
GRM-07.2
Areemployeesmadeawareofwhatactionscouldbetakenintheeventofaviolationviatheirpoliciesandprocedures?
x
Yes,thisisestablishedbyIBMCorporateHRpolicies,standards,training,andprocesses&adheredtowithinIBMWatsonservicesontheIBMCloud.
GovernanceandRiskManagementBusiness/PolicyChangeImpacts
GRM-08
GRM-08.1
Riskassessmentresultsshallincludeupdatestosecuritypolicies,procedures,standards,andcontrolstoensurethattheyremainrelevantandeffective.
Doriskassessmentresultsincludeupdatestosecuritypolicies,procedures,standards,andcontrolstoensuretheyremainrelevantandeffective? x
IBMWatsonservicesensureriskassessmentsareconductedatleastquarterly.Policies,proceduresandstandardsaresubjecttorevisionasanoutcomeoftheseassessments.
GovernanceandRiskManagementPolicyReviews
GRM-09
GRM-09.1
Theorganization'sbusinessleadership(orotheraccountable
Doyounotifyyourtenantswhenyoumakematerialchangestoyourinformationsecurityand/orprivacypolicies?
x
IBM Watson services dedicated tenants are notified of changes to their environment including those resulting from modified security policies. All deployments are controlled via the Change Management Policy and customers are approvers for any changes that happen outside agreed maintenance windows.
GRM-09.2
business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.
Do you perform, at minimum, annual reviews to your privacy and security policies?
x
Security policies are reviewed at least annually. The privacy policy is updated and reviewed by the IBM Corporate Privacy Office. For more details on privacy & data security policies see http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp and https://www-01.ibm.com/software/info/product-privacy/
Governance and Risk Management Assessments
GRM-10
GRM-10.1
Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?
x
Regular risk assessments are conducted quarterly and documented as part of the ISMS. These include likelihood and impact for all identified risks using qualitative and quantitative methods.
GRM-10.2
Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)?
x
Results from regular 3rd party audits/assessments and penetration testing are one of the many feeds into the overall risk management program. Additionally, independent internal IBM compliance teams perform quarterly reviews to ensure ongoing risk identification & compliance. Threat modeling is also required for each of the Watson services.
Governance and Risk Management Program
GRM-11
GRM-11.1
Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.
Do you have a documented, organization-wide program in place to manage risk?
x
IBM recognizes risk assessment to be an important factor in security and has established a periodic risk assessment process that is applicable to the systems that host Watson as a Service. Assessments are entered into the IBM Governance, Risk, and Compliance program to determine & manage the current risk posture. IBM has a well-established risk management program in place that is validated as part of the annual ISO 27001 audit and assessment.
GRM-11.2
Do you make available documentation of your organization-wide risk management program?
x
Various documents are published externally regarding IBM Risk Management programs, services, & solutions. Risks identified that require customers to take an action are released as part of the PSIRT process. Additional program information is available here: https://www.ibm.com/security/secure-engineering/process.html
Human Resources Asset Returns
HRS-01
HRS-01.1
Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.
Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?
x
IBM Watson services have a security incident response plan which aligns with the IBM Cybersecurity Incident response process, and the IBM Cybersecurity Incident Response team (CSIRT) is engaged wherever there is a suspected security or privacy incident involving any Watson or Customer system or data. Refer to Security Incident Response Management in the 'Securing Workloads in IBM Cloud' whitepaper and the IBM incident response process here:
https://www.ibm.com/security/secure-engineering/process.html
https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/
HRS-01.2
Is your Privacy Policy aligned with industry standards?
x
IBM privacy policies are aligned with industry and country requirements and are continuously monitored for updates. See these links for more information:
https://www.ibm.com/cloud/privacy
http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp
https://www-01.ibm.com/software/info/product-privacy/
Human Resources Background Screening
HRS-02
HRS-02.1
Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.
Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?
x
IBM Corporate HR policies dictate that all employment candidates are subject to background verification.
Human Resources Employment Agreements
HRS-03
HRS-03.1
Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.
Do you specifically train your employees regarding their specific role and the information security controls they must fulfill?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for IBM Watson services team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-03.2
Do you document employee acknowledgment of training they have completed?
x
IBM employees must acknowledge completion of training and this acknowledgment is documented and stored.
HRS-03.3
Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
x
All employees of IBM sign NDA or confidentiality agreements regarding corporate and client information.
HRS-03.4
Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems?
x
Timely completion of the training program is a prerequisite to gaining/maintaining access to IBM computing resources, which may include sensitive systems & customer data.
HRS-03.5
Are personnel trained and provided with awareness programs at least once a year?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Refer to https://www.ibm.com/security/secure-engineering/
Human Resources Employment Termination
HRS-04
HRS-04.1
Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.
Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?
x
IBM Corporate HR policies provide a baseline of standards for changes in, and termination of, employment. The IBM Cloud access control solution queries the IBM Corporate system to detect any employee terminations on a daily basis.
HRS-04.2
Do the above procedures and guidelines account for timely revocation of access and return of assets?
x
IBM Corporate HR policies provide a baseline of standards to ensure all employee system access is terminated and assets are collected at time of termination. IBM Watson services are managed via an IBM Cloud IAM solution which ensures role-based access to any Watson system. Approval is required from both the employee manager and the system access owner, and the process includes approval/continued business need and validation/revocation on employee termination.
Human Resources Portable/Mobile Devices
HRS-05
HRS-05.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).
Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization's facilities)?
x
IBM IT Security standards mandate that mobile devices are not permitted access to customer environments. Privileged laptops are required for access to customer environments, and owners of those laptops are required to install and maintain full disk encryption and other increased security controls. This is managed with extensive access security controls which are validated at least annually by 3rd party auditors.
Human Resources Non-Disclosure Agreements
HRS-06
HRS-06.1
Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.
Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented, and reviewed at planned intervals?
x
All IBM policies and procedures are reviewed on at least an annual basis. Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details are identified, documented, and reviewed at a minimum of once annually.
Human Resources Roles/Responsibilities
HRS-07
HRS-07.1
Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.
Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant?
x
All roles and responsibilities relating to information security and environment operations are documented for dedicated environments.
Human Resources Acceptable Use
HRS-08
HRS-08.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.
Do you provide documentation regarding how you may access tenant data and metadata?
x
Refer to IBM Privacy & Data security sites for more information.
https://www.ibm.com/cloud/privacy
http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp
https://www-01.ibm.com/software/info/product-privacy/
HRS-08.2
Do you collect or create metadata about tenant data usage through inspection technologies (e.g., search engines, etc.)?
x
This is enabled by default for all standard IBM Watson services. Customers may opt out of data usage if they choose. By default, this is disabled for Premium and Dedicated customers.
HRS-08.3
Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?
x
This is enabled by default for all standard IBM Watson services. Customers may opt out of data usage if they choose. By default, this is disabled for Premium and Dedicated customers.
Human Resources Training/Awareness
HRS-09
HRS-09.1
A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-09.2
Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
Human Resources User Responsibility
HRS-10
HRS-10.1
All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment
Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-10.2
Are users made aware of their responsibilities for maintaining a safe and secure working environment?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-10.3
Are users made aware of their responsibilities for leaving unattended equipment in a secure manner?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
Human Resources Workspace
HRS-11
HRS-11.1
Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions had been disabled after an established period of inactivity.
Do your data management policies and procedures address tenant and service level conflicts of interests?
x
Tenant and service level conflicts of interest are resolved via operational and management planning.
HRS-11.2
Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?
x
Security logs for all critical operations are collected and sent to IBM QRadar SIEM (Security Information and Event Management), which is monitored 24x7 by the IBM SOC. Tampering with the logging configuration and with security logs is itself logged, and such logs are delivered to QRadar. IBM personnel managing Watson Cloud Platform Services QRadar are distinct from those having privileged access to the Watson Platform, and this is enforced using the IBM IAM (Identity and Access Management) governance solution.
HRS-11.3
Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
x
Security logs for all critical operations are collected and sent to IBM QRadar SIEM, which is monitored 24x7 by the IBM SOC (Security Operations Center). Tampering with the logging configuration and with security logs is itself logged, and such logs are delivered to QRadar. IBM personnel managing IBM Watson services QRadar are distinct from those having privileged access to the Watson Platform, and this is enforced using the IBM IAM governance solution.
Identity & Access Management Audit Tools Access
IAM-01
IAM-01.1
Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?
x
All access requires approval from both the employee manager and the system access owner. This provides the user with role-based access to the requested system. All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM.
IAM-01.2
Do you monitor and log privileged access (e.g., administrator level) to information security management systems?
x
All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM.
Identity & Access Management User Access Policy
IAM-02
IAM-02.1
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements
Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
x
Internal access to IBM Watson services is revoked on employee termination. Routine verification of access is also performed with the user's management to ensure business purposes align with existing access.
IAM-02.2
Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?
x
Management of IBM IDs is an IBM retained responsibility. This internal process is automated and tested through our external audits repeatedly throughout the year. Client IDs are managed by the client and are a client responsibility.
Identity & Access Management Diagnostic/Configuration Ports Access
IAM-03
IAM-03.1
User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Do you use dedicated secure networks to provide management access to your cloud service infrastructure?
x
IBM Cloud management network traffic is processed using a management control plane with strict access control. VPNs are utilized where needed to provide an additional layer of security for sensitive networks within IBM.
Identity & Access Management Policies and Procedures
IAM-04
IAM-04.1
Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.
Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
x
IBM Watson services leverage IBM IAM services to manage and maintain identity and access control.
IAM-04.2
Do you manage and store the user identity of all personnel who have network access, including their level of access?
x
IBM Watson services leverage IBM IAM services to manage and maintain identity and access control.
Identity & Access Management Segregation of Duties
IAM-05
IAM-05.1
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.
Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.
Identity & Access Management Source Code Access Restriction
IAM-06
IAM-06.1
Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.
IAM-06.2
Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.
Identity & Access Management Third Party Access
IAM-07
IAM-07.1
The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
Do you provide multi-failure disaster recovery capability?
X
N/A. Customers desiring multi-failure disaster recovery should consider designs leveraging multiple regions across the IBM Global Cloud infrastructure.
IAM-07.2
Do you monitor service continuity with upstream providers in the event of provider failure?
x
IBM Watson services availability is monitored and published using the IBM Cloud console. Upstream providers are monitored for service continuity and availability at the IBM Cloud IaaS layer.
IAM-07.3
Do you have more than one provider for each service you depend on?
x
There are multiple ISP providers within the IBM Cloud data centers which support IBM Watson services.
IAM-07.4
Do you provide access to operational redundancy and continuity summaries, including the services you depend on?
x
As published within the externally available audit reports.
IAM-07.5
Do you provide the tenant the ability to declare a disaster?
x
This can be available in IBM Watson services dedicated deployment models, as documented within the solution design and contractual agreement.
IAM-07.6
Do you provide a tenant-triggered failover option?
x
This can be available in IBM Watson services dedicated deployment models, as documented within the solution design and contractual agreement.
IAM-07.7
Do you share your business continuity and redundancy plans with your tenants?
x
As published within the externally available audit reports and as required by contract.
Identity & Access Management User Access Restriction/Authorization
IAM-08
IAM-08.1
Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.
Do you document how you grant and approve access to tenant data?
x
This is on a need-to-know basis only and is only ever leveraged in the need to support a client support request or requirement. IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow.
IAM-08.2
Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?
x
All customer data is rated as sensitive. Depending on the IBM Watson services deployment model, tenant data is isolated based on solution design and contractual agreement.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
41
Identity&AccessManagementUserAccessAuthorization
IAM-09
IAM-09.1
Provisioninguseraccess(e.g.,employees,contractors,customers(tenants),businesspartnersand/orsupplierrelationships)todataandorganizationally-ownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponentsshallbeauthorizedbytheorganization'smanagementpriortoaccessbeinggrantedand
Doesyourmanagementprovisiontheauthorizationandrestrictionsforuseraccess(e.g.,employees,contractors,customers(tenants),businesspartners,and/orsuppliers)priortotheiraccesstodataandanyownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponents?
x
IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.Secondarycontrolsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.AccesstosystemsthathosttheWatsonasaServiceofferingisgrantedbymanagementandisbasedonrolerequirements.Tenantsretainresponsibilityfortheiruser’sauthorizationanduseraccessviaIBMIAMservices.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
42
IAM-09.2
appropriatelyrestrictedasperestablishedpoliciesandprocedures.Uponrequest,providershallinformcustomer(tenant)ofthisuseraccess,especiallyifcustomer(tenant)dataisusedaspartoftheserviceand/orcustomer(tenant)hassomesharedresponsibilityoverimplementationofcontrol.
Doyouprovideuponrequestuseraccess(e.g.,employees,contractors,customers(tenants),businesspartnersand/orsuppliers)todataandanyownedormanaged(physicalandvirtual)applications,infrastructuresystemsandnetworkcomponents?
x IBMWatsonservicesuseaprovisioningsystemwithrobustsecurityattributesthatisusedtomanageaccessforIBMadministratorsandtoretainaudittrailsofaccesscontrolworkflow.Secondarycontrolsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.AccesstosystemsthathosttheWatsonasaServiceofferingisgrantedbymanagementandisbasedonrolerequirements.Tenantsretainresponsibilityfortheiruser’sauthorizationanduseraccessviaIBMIAMservices.BackendsystemaccessisrestrictedtoIBMemployeeswithbusinessneedonly.
Identity&AccessManagementUserAccessReviews
IAM-10
IAM-10.1
Useraccessshallbeauthorizedandrevalidatedforentitlementappropriateness,atplannedintervals,bytheorganization'sbusinessleadershiporotheraccountablebusinessroleorfunctionsupportedbyevidencetodemonstratetheorganizationisadheringtotheruleofleastprivilegebasedonjob
Doyourequireatleastannualcertificationofentitlementsforallsystemusersandadministrators(exclusiveofusersmaintainedbyyourtenants)?
x
IBMuseraccountsarerevalidatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.
IAM-10.2
Ifusersarefoundtohaveinappropriateentitlements,areallremediationandcertificationactionsrecorded?
x
IBMuseraccountsarerevalidatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
43
IAM-10.3
function.Foridentifiedaccessviolations,remediationmustfollowestablisheduseraccesspoliciesandprocedures.
Willyoushareuserentitlementremediationandcertificationreportswithyourtenants,ifinappropriateaccessmayhavebeenallowedtotenantdata?
x
RevalidationreportsareforIBMaccess&useonly.
Identity&AccessManagementUserAccessRevocation
IAM-11
IAM-11.1
Timelyde-provisioning(revocationormodification)ofuseraccesstodataandorganizationally-ownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponents,shallbeimplementedasperestablishedpoliciesandproceduresandbasedonuser'schangeinstatus(e.g.,terminationofemploymentorotherbusinessrelationship,jobchange,ortransfer).Uponrequest,providershallinformcustomer(tenant)ofthesechanges,especiallyifcustomer(tenant)dataisusedasparttheserviceand/orcustomer(tenant)hassomesharedresponsibilityoverimplementationofcontrol.
Istimelydeprovisioning,revocation,ormodificationofuseraccesstotheorganizationssystems,informationassets,anddataimplementeduponanychangeinstatusofemployees,contractors,customers,businesspartners,orinvolvedthirdparties?
x
IBMuseraccountsarerevalidated,revoked,modifiedand/orupdatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.
IAM-11.2
Isanychangeinuseraccessstatusintendedtoincludeterminationofemployment,contractoragreement,changeofemploymentortransferwithintheorganization?
x
IBMuseraccountsarerevalidated,revoked,modifiedand/orupdatedinaccordancewithIBMpolicy.Controlsareusedtoenforceperiodicrevalidationofusersthatarebasedoncontinuedbusinessneedandemploymentverification.
Identity&AccessManagement
IAM-12
IAM-12.1
Internalcorporateorcustomer(tenant)useraccountcredentialsshallbe
Doyousupportuseof,orintegrationwith,existingcustomer-basedSingleSignOn(SSO)solutionstoyourservice?
x
Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAMservicescontrolpoints.ThisintegrationwithcustomerdirectoryservicesallowsforSSO(SingleSignOn)capabilities.
CONSENSUSASSESSMENTSINITIATIVEQUESTIONNAIREv3.0.1|IBMWatsonontheIBMCloud|February2018
44
UserIDCredentials
IAM-12.2
restrictedasperthefollowing,ensuringappropriateidentity,entitlement,andaccessmanagementandinaccordancewithestablishedpoliciesandprocedures:•Identitytrustverificationandservice-to-serviceapplication(API)andinformationprocessinginteroperability(e.g.,SSOandFederation)•Accountcredentiallifecyclemanagementfrominstantiationthroughrevocation•Accountcredentialand/oridentitystoreminimizationorre-usewhenfeasible•Adherencetoindustryacceptableand/orregulatorycompliantauthentication,authorization,andaccounting(AAA)rules(e.g.,strong/multi-factor,expireable,non-sharedauthenticationsecrets)
Doyouuseopenstandardstodelegateauthenticationcapabilitiestoyourtenants?
x Customerintegration&federatedaccessismanagedandsupportedusingtheIBMCloudIAM
serviceswhichleveragesopenstandardstoallowfordelegationofauthenticationcapabilitiestoIBMWatsonservicestenants.
IAM-12.3
Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
x
Customer integration & SAML (Security Assertion Markup Language) federated access is managed and supported using the IBM Cloud IAM services.
IAM-12.4
Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services control points.
IAM-12.5
Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?
x
Customer integration access is managed and supported using the IBM Cloud IAM services control points.
IAM-12.6
Do you provide tenants with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services. This integration allows clients to leverage existing MFA (Multifactor Authentication) options as established within their organization and directory services.
IAM-12.7
Do you allow tenants to use third-party identity assurance services?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services. This integration allows clients to leverage third-party identity assurance services. Also, this is often accomplished using third-party certificate/key authorization services.
IAM-12.8
Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?
x
IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
IAM-12.9
Do you allow tenants/customers to define password and account lockout policies for their accounts?
x
IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
IAM-12.10
Do you support the ability to force password changes upon first logon?
x
IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
IAM-12.11
Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
x
IBM Cloud IAM services support strong password policy enforcement, including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
Identity & Access Management: Utility Programs Access
IAM-13
IAM-13.1
Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. This would include permissions and access to utilities that can manage virtualized partitions. Privileged access utilizing such utilities would be logged and sent in near real-time to IBM QRadar SIEM.
IAM-13.2
Do you have the capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyperjumping, etc.)?
x
Access to Virtual Infrastructure is restricted to only personnel who require access and all access is logged. Monitoring and controls have been reviewed by independent auditors as part of ISO audits.
IAM-13.3
Are attacks that target the virtual infrastructure prevented with technical controls?
x
Access to Virtual Infrastructure is restricted to only personnel who require access and all access is logged. Monitoring and controls have been reviewed by independent auditors as part of ISO audits.
Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection
IVS-01 IVS-01.1
Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
x
This is an ongoing project and compensating controls exist using advanced logging and SIEM monitoring.
IVS-01.2
Is physical and logical user access to audit logs restricted to authorized personnel?
x
Audit logs are secured and encrypted using the QRadar tool. Access to these logs would follow the IBM Access control policies & procedures. IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow.
IVS-01.3
Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?
x
This is accomplished via IBM Compliance teams leveraging the IBM ISO 27001 based ISMS (Information Security Management System) & also CSA (Cloud Service Alliance) Cloud Control Matrix. IBM Watson services are ISO 27001/17/18 certified by external auditors with those certifications being available to customers. As part of ISO 27001 audits and assessments, due diligence mapping to regulations and standards is reviewed.
IVS-01.4
Are audit logs centrally stored and retained?
x
IBM Watson services security logs feed into a SELM (Security Event Log Monitor) service (IBM QRadar) and are monitored and managed via a SOC. Logs are retained a minimum of 90 days.
IVS-01.5
Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
x
IBM Watson services security logs feed into a SELM service and are monitored utilizing QRadar SIEM and managed via a SOC.
Infrastructure & Virtualization Security: Change Detection
IVS-02 IVS-02.1
The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).
Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?
x
All changes and privileged actions to VM (Virtual Machine) images are logged and sent to IBM QRadar SIEM for monitoring and alerting.
IVS-02.2
Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?
x
IBM Cloud manages the backend IaaS supporting/providing all virtual infrastructure for the customer such that all changes to VMs are transparent to the IBM Watson services being provided.
Infrastructure & Virtualization Security: Clock Synchronization
IVS-03 IVS-03.1
A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
x
IBM Cloud provides centralized, synchronized NTP (Network Time Protocol) services for IBM Watson services.
Infrastructure & Virtualization Security: Capacity / Resource Planning
IVS-04 IVS-04.1
The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
Do you provide documentation regarding what levels of system (e.g., network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
x
For IBM Watson services this should be transparent to the end user. SLAs will be met as agreed to in the customer contract. Specific capacity requirements can be negotiated and documented in Dedicated service delivery models.
IVS-04.2
Do you restrict use of the memory oversubscription capabilities present in the hypervisor?
x
This is provided by IBM Cloud IaaS.
IVS-04.3
Do your system capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants?
x
IBM Cloud Platform services projects the anticipated capacity for the platform and ensures there is enough hardware, network, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits. This is also addressed when building out additional clients and services within IBM Watson services as needed.
IVS-04.4
Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the tenants?
x
IBM Cloud Platform services projects the anticipated capacity for the platform and ensures there is enough hardware, network, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits. This is also addressed when building out additional clients and services within IBM Watson services as needed.
Infrastructure & Virtualization Security: Management - Vulnerability Management
IVS-05 IVS-05.1
Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).
Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?
x
The IBM Secure Engineering standard dictates that multiple scanning techniques be used against production systems. These include automated dynamic scans, manual penetration tests and threat modelling. These activities include both the virtualization technologies and all virtual machines and containers deployed on those virtualization technologies. The standards used are regularly evaluated and updated for inclusion or replacement. Vulnerability tools, processes, & procedures are assessed & audited annually with internal and third-party auditors.
Infrastructure & Virtualization Security: Network Security
IVS-06 IVS-06.1
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and compensating controls.
For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
x
IBM Watson services do not provide IaaS capabilities directly to clients. IBM Cloud manages the Infrastructure entirely for IBM Watson services customers.
IVS-06.2
Do you regularly update network architecture diagrams that include data flows between security domains/zones?
x
IBM Watson services architectures are reviewed as part of threat modeling processes, procedures & exercises which are mandated prior to services going to general availability and then with major releases. These include documenting data flows and data maps.
IVS-06.3
Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?
x
IBM Watson services conduct reviews on all firewalls on an annual basis.
IVS-06.4
Are all firewall access control lists documented with business justification?
x
All changes to IBM firewalls must follow the change management process which requires business justification and multiple levels of review and approval before deployment.
Infrastructure & Virtualization Security: OS Hardening and Base Controls
IVS-07 IVS-07.1
Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.
Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?
x
All host machines in IBM Watson services are deployed as standard builds which remove unnecessary ports, protocols, and services. Authenticated scanning is performed on all machines to validate compliance with a set of hardening rules on at least a monthly basis.
Infrastructure & Virtualization Security: Production / Non-Production Environments
IVS-08 IVS-08.1
Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.
For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?
x
Customers can choose to provision multiple instances of a service and implement access controls through IBM Cloud Platform that will support this process.
IVS-08.2
For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?
x
IBM Watson services are SaaS; IBM manages the architecture exclusively.
IVS-08.3
Do you logically and physically segregate production and non-production environments?
x
IBM Watson services have multiple non-production environments that support development and staging for both Public and Dedicated solutions. These environments are used to perform any testing pre-deployment prior to pushing to production environments. The non-production environments are logically segregated from production environments.
Infrastructure & Virtualization Security: Segmentation
IVS-09 IVS-09.1
Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations
Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
x
All systems and resources are protected by at least one firewall.
IVS-09.2
Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory, and contractual requirements?
x
All systems and resources are protected by at least one firewall.
IVS-09.3
Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?
x
There are dedicated development, staging, and production cloud environments. Each environment contains at least one firewall to ensure isolation.
IVS-09.4
Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?
x
All systems and resources are protected by at least one firewall.
Infrastructure & Virtualization Security: VM Security - Data Protection
IVS-10 IVS-10.1
Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.
Are secured and encrypted communication channels used when migrating physical servers, applications, or data to virtual servers?
x
Per IBM policy, data is encrypted in transit. IBM Watson services are built & deployed in virtualized environments.
IVS-10.2
Do you use a network segregated from production-level networks when migrating physical servers, applications, or data to virtual servers?
x
There are dedicated development, staging, and production cloud environments. Each environment contains at least one firewall to ensure isolation.
Infrastructure & Virtualization Security: VMM Security - Hypervisor Hardening
IVS-11 IVS-11.1
Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles).
Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?
x
IBM Watson services privileged users request access to IBM Cloud environments, including administrative tools, hypervisors and virtual machines, via an IBM User Access Management tool. Approval is required from both the employee manager and the system access owner. All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM to prevent unauthorized access to data by IBM employees. All systems and resources are protected and isolated by at least one firewall. All access to administrative consoles, hypervisors and Virtual Machines is over TLS and all IBM Cloud PaaS Platform data is encrypted in transit.
Infrastructure & Virtualization Security: Wireless Security
IVS-12 IVS-12.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings)
• User access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network
Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?
x
IBM Watson services team does not have access to physical Ethernet ports, and does not have the ability to implement wireless in the environment. IBM IaaS does not permit the use of wireless networks and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO 27001 and SOC reviews and can be made available to customers upon request.
IVS-12.2
Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?
x
IBM IaaS does not permit the use of wireless networks and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO 27001 and SOC reviews and can be made available to customers upon request.
IVS-12.3
Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?
x
IBM IaaS does not permit the use of wireless networks and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO 27001 and SOC reviews and can be made available to customers upon request.
Infrastructure & Virtualization Security: Network Architecture
IVS-13 IVS-13.1
Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.
Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?
x
IBM Watson services network diagrams and threat models clearly document the boundaries of different environments and systems including the data flows across boundaries and data stores.
IVS-13.2
Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
x
At the IaaS layer a clean pipe solution is implemented to ensure only appropriate traffic is passed through to the FWs, which then pass the traffic back to an application proxy to authenticate the traffic before allowing it to reach any of the Watson services. IBM Watson services have implemented a DDoS (Distributed Denial of Service) solution to mitigate DDoS attacks.
Interoperability & Portability: APIs
IPY-01 IPY-01.1
The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.
Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?
x
A list of all available APIs is published within each service's description page. Additional details available here: https://www.ibm.com/watson/products-services/
Interoperability & Portability: Data Request
IPY-02 IPY-02.1
All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).
Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?
x
Customers may elect to provide additional training information to customize their Watson service. This data is typically provided by the customer and is their responsibility to manage. Some services, such as Watson Knowledge Studio, do allow customers to export the customized training models they have created.
Interoperability & Portability: Policy & Legal
IPY-03 IPY-03.1
Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and integrity persistence.
Do you provide policies and procedures (i.e. service level agreements) governing the use of APIs for interoperability between your service and third-party applications?
x
Policies and procedures are in place governing the use of APIs between IBM Watson services and third-party applications as part of the standard contract language.
IPY-03.2
Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service?
x
IBM Watson services customers are responsible for the data including how and when that data is migrated. Please check the service descriptions for additional details.
Interoperability & Portability: Standardized Network Protocols
IPY-04 IPY-04.1
The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.
Can data import, data export, and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?
x
Per IBM policy, data is encrypted in transit.
IPY-04.2
Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?
x
Tenants can receive this data upon request. Please check the service descriptions for additional details.
Interoperability & Portability: Virtualization
IPY-05 IPY-05.1
The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks, available for customer review.
Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability?
x
IBM Watson services use industry standard virtualization formats and technologies to help ensure interoperability, such as Kubernetes, Docker Containers, and VMWare.
IPY-05.2
Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?
x
IBM Watson services IaaS does not have solution-specific virtualization hooks.
Mobile Security: Anti-Malware
MOS-01
MOS-01.1
Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.
Do you provide anti-malware training specific to mobile devices as part of your information security awareness training?
x
IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. Anti-malware awareness training, specific to mobile devices, is included in that training.
Mobile Security: Application Stores
MOS-02
MOS-02.1
A documented list of approved application stores has been communicated as acceptable for mobile devices accessing or storing provider managed data.
Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?
x
A list of approved application stores is available and has been communicated to users.
Mobile Security: Approved Applications
MOS-03
MOS-03.1
The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.
Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device?
x
IBM Corporate Security mandates the installation of a Mobile Device Management client on all BYODs used for IBM business. That client ensures compliance with IBM Corporate security standards including ensuring that only approved application stores can be used.
Mobile Security: Approved Software for BYOD
MOS-04
MOS-04.1
The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.
Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?
x
The IBM Corporate security policy clearly states which applications and application stores are approved. Mobile Device Management is in place to block risky extensions and plugins.
Mobile Security: Awareness and Training
MOS-05
MOS-05.1
The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and training program.
Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?
x
IBM Corporate security policies define these elements, which are enforced by a required mobile device management tool.
Mobile Security: Cloud Based Services
MOS-06
MOS-06.1
All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.
Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?
x
IBM Corporate security policy defines the pre-approved vendor(s) for cloud storage on mobile devices with regards to company business data.
Mobile Security: Compatibility
MOS-07
MOS-07.1
The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.
Do you have a documented application validation process for testing device, operating system, and application compatibility issues?
x
IBM Corporate security policies define these elements, which are enforced by a required mobile device management tool.
Mobile Security: Device Eligibility
MOS-08
MOS-08.1
The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.
Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage?
x
IBM Corporate security policies define the eligibility requirements to allow for BYOD usage. BYOD is not permitted to connect to customer environments or to store customer data.
Mobile Security: Device Inventory
MOS-09
MOS-09.1
An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.
Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (e.g., operating system and patch levels, lost or decommissioned, device assignee)?
x
Mobile devices are not permitted to connect to customer environments or to store customer data. IBM Corporate retains control of inventories, forced patching, etc., of mobile devices.
Mobile Security: Device Management
MOS-10
MOS-10.1
A centralized, mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.
Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?
x
Mobile devices are required to install a mobile device management tool. No mobile devices are permitted to store, transmit or process customer data.
Mobile Security: Encryption
MOS-11
MOS-11.1
The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices and shall be enforced through technology controls.
Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive enforceable through technology controls for all mobile devices?
x
IBM Corporate security policies require full device encryption on mobile devices as well as BYOD. Sensitive data is not permitted on mobile devices or on BYOD.
Mobile Security: Jailbreaking and Rooting
MOS-12
MOS-12.1
The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and is enforced through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).
Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?
x
Mobile devices are required to install a mobile device management tool. Jailbreaking or rooting is prevented and reported on.
MOS-12.2
Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?
x
Mobile devices are required to install a mobile device management tool. Jailbreaking, rooting, or circumventing required controls is prevented and reported on.
Mobile Security: Legal
MOS-13
MOS-13.1
The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations over the loss of non-company data in the case that a wipe of the device is required.
Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery, and legal holds?
x
IBM Corporate Security Policies define these elements for BYOD.
MOS-13.2
Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?
x
BYOD devices are required to install a mobile device management tool. Jailbreaking, rooting, or circumventing required controls is prevented and reported on.
MobileSecurityLockoutScreen
MOS-14
MOS-14.1
BYODand/orcompanyowneddevicesareconfiguredtorequireanautomaticlockoutscreen,andtherequirementshallbeenforcedthroughtechnicalcontrols.
DoyourequireandenforceviatechnicalcontrolsanautomaticlockoutscreenforBYODandcompanyowneddevices?
x
AutomaticlockoutsareconfiguredforBYODandmobiledevices.
MobileSecurityOperatingSystems
MOS-15
MOS-15.1
Changestomobiledeviceoperatingsystems,patchlevels,and/orapplicationsshallbemanagedthroughthecompany'schangemanagementprocesses.
Doyoumanageallchangestomobiledeviceoperatingsystems,patchlevels,andapplicationsviayourcompany'schangemanagementprocesses? x
IBMCorporateretainscontrolofinventories,forcedpatching,etc.,ofmobiledevices.Changesareimplementedperpolicyandwithmobiledevicechangemanagementprocesses.
MobileSecurityPasswords
MOS-16
MOS-16.1
Passwordpolicies,applicabletomobiledevices,shallbedocumentedandenforcedthroughtechnicalcontrolsonallcompanydevicesordevicesapprovedforBYODusage,andshallprohibitthechangingofpassword/PINlengthsandauthenticationrequirements.
Doyouhavepasswordpoliciesforenterpriseissuedmobiledevicesand/orBYODmobiledevices?
x
AllmobiledevicesandBYODhaverequiredpasswords.
MOS-16.2
Areyourpasswordpoliciesenforcedthroughtechnicalcontrols(i.e.MDM)? x
Passwordsareenforcedthroughamobiledevicemanagementtool.
MOS-16.3
Doyourpasswordpoliciesprohibitthechangingofauthenticationrequirements(i.e.password/PINlength)viaamobiledevice?
x
Authenticationrequirementsforpasswordsresidingonthedevice,e.g.,screenpin,can'tbechangedandthisisenforcedbyamobiledevicemanagementtool.
Mobile Security: Policy
MOS-17
MOS-17.1
The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).
Do you have a policy that requires BYOD users to perform backups of specified corporate data?
x
Data is stored on the cloud and enforced via a mobile device management solution where needed, thus the corporate data is backed up. There is no device resident data except for authentication keys.
MOS-17.2
Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores?
x
BYOD mobile devices are not permitted to use unapproved application stores.
MOS-17.3
Do you have a policy that requires BYOD users to use anti-malware software (where supported)?
x
Anti-malware is required on BYOD and enforced via management tools.
Mobile Security: Remote Wipe
MOS-18
MOS-18.1
All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.
Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?
x
All mobile devices have remote wipe configured through the required mobile device management tools.
MOS-18.2
Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?
x
All mobile devices have remote wipe configured through the required mobile device management tools.
Mobile Security: Security Patches
MOS-19
MOS-19.1
Mobile devices connecting to corporate networks or storing and accessing company information shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel shall be able to perform these updates remotely.
Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?
x
All mobile devices are configured to force installation of security patches deemed critical by the IBM Office of the CIO.
MOS-19.2
Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?
x
All mobile devices are configured to force installation of security patches deemed critical by the IBM Office of the CIO, through the Mobile Device Management Tool.
Mobile Security: Users
MOS-20
MOS-20.1
The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.
Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?
x
The policy states mobile devices and BYOD systems are not permitted to access customer environments.
MOS-20.2
Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?
x
The policy states mobile devices and BYOD systems are not permitted to access customer environments. Users whose primary role is accessing or maintaining customer devices must use a company provided privileged workstation.
Security Incident Management, E-Discovery, & Cloud Forensics: Contact/Authority Maintenance
SEF-01
SEF-01.1
Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.
Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?
x
IBM Cybersecurity and IBM Legal maintain relationships with the proper local authorities.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management
SEF-02
SEF-02.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.
Do you have a documented security incident response plan?
x
IBM Watson services have a security incident response plan which aligns with the IBM Cybersecurity Incident response process, and the IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security incident involving any IBM Watson or Customer system or data.
https://www.ibm.com/security/secure-engineering/process.html
https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/
SEF-02.2
Do you integrate customized tenant requirements into your security incident response plans?
x
The IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security incident involving any IBM or Customer system or data. One of their responsibilities is to engage with the customer and keep them informed on the investigation, findings and any root cause analysis actions.
SEF-02.3
Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
x
Refer to Security Incident Response and Support in the 'Securing Workloads in IBM Cloud' whitepaper.
https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/
SEF-02.4
Have you tested your security incident response plans in the last year?
x
The Security incident response plan is reviewed and tested at least annually.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Reporting
SEF-03
SEF-03.1
Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.
Does your security information and event management (SIEM) system merge data sources (e.g., app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
x
Security logs for all successful and failed login attempts and all critical operations in the IBM Watson services, including network devices and host machines, are logged to IBM QRadar SIEM. IBM QRadar SIEM is configured with a set of rules which trigger offences based on incoming events across all log sources. Those offences trigger PagerDuty alerts to the IBM SOC team on a 24x7 basis.
Refer to the IBM Security Intelligence documentation for more details.
https://www.ibm.com/security/security-intelligence/QRadar/
SEF-03.2
Does your logging and monitoring framework allow isolation of an incident to specific tenants?
x
For IBM Watson services dedicated environments, the potential incident activities are always attributed to a specific environment belonging to a customer. For Public, investigation of the incident may be required to determine which customer(s) was (were) impacted.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Legal Preparation
SEF-04
SEF-04.1
Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.
Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
x
Specific details regarding chain of custody, forensics, and litigation holds are addressed by IBM Legal and the IBM Cybersecurity Incident Response Team (CSIRT).
SEF-04.2
Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
x
This is available where technologically possible when it has been deemed necessary to collect and manage evidence.
SEF-04.3
Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
x
This is available in both Premium and Dedicated delivery models.
SEF-04.4
Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
x
This is available in both Premium and Dedicated delivery models.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Metrics
SEF-05
SEF-05.1
Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
Do you monitor and quantify the types, volumes, and impacts on all information security incidents?
x
Security logs for all successful and failed login attempts and all critical operations in the IBM Watson services stack, including network devices and host machines, are logged to IBM QRadar SIEM. IBM QRadar SIEM provides reports on the types and volumes of all security events and all offences triggered based on QRadar rules. All security incidents triggering the IBM Watson services Security incident response plan have a root cause analysis which records impact and triggers actions to mitigate in future.
SEF-05.2
Will you share statistical information for security incident data with your tenants upon request?
x
Reports will be generated where technically possible upon request should a security incident occur.
Supply Chain Management, Transparency, and Accountability: Data Quality and Integrity
STA-01
STA-01.1
Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.
Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?
x
IBM Watson services customers are ultimately responsible for the data integrity of their workload. IBM Watson services compliance certifications demonstrate the controls are in place to provide a secure platform, including controls related to supply chain.
STA-01.2
Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
x
Access management processes are in place to ensure only users with a business need have access and that appropriate roles have been defined to ensure the principle of least privilege.
Supply Chain Management, Transparency, and Accountability: Incident Reporting
STA-02
STA-02.1
The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).
Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?
x
Customers will be notified via the IBM Cloud dashboard if an issue has been identified that requires action on their part. Depending on the severity of the incident, individual customers may be contacted directly. Customers may also subscribe to vulnerability notifications as described at https://www.ibm.com/security/secure-engineering/bulletins.html
Supply Chain Management, Transparency, and Accountability: Network/Infrastructure Services
STA-03
STA-03.1
Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.
Do you collect capacity and use data for all relevant components of your cloud service offering?
x
IBM Cloud and the Watson services teams project the anticipated capacity for the platform and ensure there is enough hardware, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits.
STA-03.2
Do you provide tenants with capacity planning and use reports?
x
Usage reports of the IBM Watson services are available on the IBM Cloud console.
Supply Chain Management, Transparency, and Accountability: Provider Internal Assessments
STA-04
STA-04.1
The provider shall perform annual internal assessments of conformance and effectiveness of its policies, procedures, and supporting measures and metrics.
Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?
x
IBM has a mature Internal Audit & assessment program which performs audits & assessments at least annually.
Supply Chain Management, Transparency, and Accountability: Third Party Agreements
STA-05
STA-05.1
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence
Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?
x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.2
Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?
x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.3
Does legal counsel review all third-party agreements?
x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.4
Do third-party agreements include provision for the security and protection of information and assets?
x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.5
Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?
x
IBM maintains all required sub-processing agreements and makes them available as required to clients upon request.
Supply Chain Management, Transparency, and Accountability: Supply Chain Governance Reviews
STA-06
STA-06.1
Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.
Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain?
x
IBM has agreements with key third-party suppliers with defined expectations and implements relationship management tools where applicable with third-party suppliers. These management mechanisms include frequent validation that the supplier is meeting the expectations as defined in agreements. IBM supplier management processes are validated by external auditors as part of compliance with ISO 27001.
Supply Chain Management, Transparency, and Accountability: Supply Chain Metrics
STA-07
STA-07.1
Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants)?
x
IBM has agreements with key third-party suppliers with defined expectations and implements relationship management tools where applicable with third-party suppliers. These management mechanisms include frequent validation that the supplier is meeting the expectations as defined in agreements. IBM supplier management processes are validated by external auditors as part of compliance with ISO 27001.
STA-07.2
Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)?
x
This is addressed via contract language maintained and managed by IBM Legal and Procurement for maintenance of supplier relationships.
STA-07.3
Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships?
x
This is addressed via contract language maintained and managed by IBM Legal and Procurement for maintenance of supplier relationships.
STA-07.4
Do you review all agreements, policies, and processes at least annually?
x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
Supply Chain Management, Transparency, and Accountability: Third Party Assessment
STA-08
STA-08.1
Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third party providers upon which their information supply chain depends.
Do you assure reasonable information security across your information supply chain by performing an annual review?
x
External audit assurance reports are reviewed for key suppliers on at least an annual basis.
STA-08.2
Does your annual review include all partners/third-party providers upon which your information supply chain depends?
x
External audit assurance reports are reviewed for key suppliers on at least an annual basis.
Supply Chain Management, Transparency, and Accountability: Third Party Audits
STA-09
STA-09.1
Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
Do you permit tenants to perform independent vulnerability assessments?
x
IBM Watson services allow tenants to perform penetration testing on their own Dedicated environments with the approval of the IBM Cloud CISO.
STA-09.2
Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks?
x
Penetration testing for IBM Watson services environments is performed on an annual basis using a 3rd party vendor.
Threat and Vulnerability Management: Antivirus/Malicious Software
TVM-01
TVM-01.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?
x
Antivirus/Antimalware protection is deployed on all Windows systems at the host level and logs are sent to IBM QRadar SIEM. Automated updates are in place for new malware or virus signatures.
TVM-01.2
Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components within industry accepted time frames?
x
Automated updates are in place for new malware or virus signatures.
Threat and Vulnerability Management: Vulnerability/Patch Management
TVM-02
TVM-02.1
Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and identified weaknesses, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
x
Network scanning is conducted at a minimum on a monthly basis. Findings are reported on and managed through normal operational vulnerability and risk management processes and procedures.
TVM-02.2
Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
x
The IBM Secure Engineering Standard mandates vulnerability assessment which requires automated code and application scanning at least on a monthly basis. Dynamic and static code scanning is performed using IBM AppScan on a monthly basis or whenever there is a major change.
TVM-02.3
Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
x
OS scanning is conducted at minimum once a month. Findings are reported on and managed through normal operational processes.
TVM-02.4
Will you make the results of vulnerability scans available to tenants at their request?
x
Customers of IBM Watson dedicated services can request a Vulnerability assessment report for their environments.
TVM-02.5
Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
x
IBM Watson services automate rapid patching across the environment. This provides full visibility on what is patched, in addition to providing the automation to push out the patches to all machines across all Watson environments.
TVM-02.6
Will you provide your risk-based systems patching time frames to your tenants upon request?
x
Dedicated customers will be included in the change management process required to distribute patches within their environment.
Threat and Vulnerability Management: Mobile Code
TVM-03
TVM-03.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy?
x
IBM Watson services have a Change Control process to manage and track changes to any portion of the Watson infrastructure, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval including component owners and management.
TVM-03.2
Is all unauthorized mobile code prevented from executing?
x
Within the IBM Watson services environment all mobile code in the form of scripts or executables must be tested and approved for deployment. End users and consumers of Watson APIs should provide for their own unauthorized mobile code prevention solution as that is not within scope for IBM Watson services on the IBM Cloud.
© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance "Consensus Assessments Initiative Questionnaire CAIQ Version 3.0.1" at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus Assessments Initiative Questionnaire v3.0.1 may be used solely for your personal, informational, non-commercial use; (b) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be modified or altered in any way; (c) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative Questionnaire v3.0.1 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Consensus Assessments Initiative Questionnaire 3.0.1 (2014). If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact [email protected].