IBM® Watson® on the IBM® Cloud
CSA CAIQ V1.0 February 2018
CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1 | IBM Watson on the IBM Cloud | February 2018
Introduction
IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential within unstructured data. Fundamental to providing a strong foundation for companies wanting to leverage Watson services, IBM uses best-in-class security and compliance processes that allow for successful execution of challenging workloads.
The CAIQ was designed to help with one of the leading concerns that companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management, and how they implement them. This CAIQ document gives detailed responses to those questions for IBM Watson on the IBM Cloud and provides additional links, where applicable, on IBM and Watson security processes, procedures and/or technical controls.
IBM Watson services are ISO 27001, ISO 27017, and ISO 27018 compliant, and are rapidly evolving to support other types of regulated workloads. Compliance of Watson services is maintained through regular reviews by both IBM internal and third-party auditors.
Additional information on how Watson is securely deployed on the IBM Cloud can be found below:
• Watson Trust Center: https://ibm.biz/BdjD4r
• ISO 27001 certificate: https://ibm.biz/BdjWav
• ISO 27017 certificate: https://ibm.biz/BdjWam
• ISO 27018 certificate: https://ibm.biz/BdjWaK
• Full list of IBM products covered under 27001: https://ibm.biz/BdjWab
• IBM Cloud Services data security and privacy principles: https://ibm.biz/Bdsm3x
• Additional details around IBM Cloud compliance: https://www.ibm.com/cloud/compliance
• How to secure your applications using Watson services: https://www.ibm.com/cloud/garage/content/architecture/securityArchitecture/overview
Questionnaire columns: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / Not Applicable) | Watson Notes

Each entry below lists these fields in order. The "Answer" field reproduces the mark ("x") recorded in the answer columns.
Control Domain: Application & Interface Security: Application Security
Control ID: AIS-01
Question ID: AIS-01.1
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Question: Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: x
Watson Notes: Watson services on the IBM Cloud leverage the IBM Secure Engineering Standard, which is aligned with OWASP, to ensure security as part of our SDLC. Those standards include processes for secure coding, vulnerability assessment, penetration testing, education, processes for 3rd party code approval and threat modelling. The standards used are regularly evaluated and updated for inclusion or replacement. See https://www.ibm.com/security/ Penetration testing is performed by both IBM and third parties and covers both external and internal testing of endpoints. Vulnerability assessment requires automated code and application scanning in addition to manual testing. Secure coding mandates manual review for security-related code and reviews against the OWASP top ten attacks. Watson services have been certified by an independent auditor against the ISO 27001 certification standard.

Question ID: AIS-01.2
Question: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

Question ID: AIS-01.3
Question: Do you use manual source-code analysis to detect security defects in code prior to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

Question ID: AIS-01.4
Question: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: x
Watson Notes: Development work for IBM Watson on the IBM Cloud is not outsourced. For all 3rd party components used, e.g., libraries or open source code, the IBM Secure Engineering Standard prohibits their use unless approved by IBM's Open Source Software Process. That approval process includes technical, legal and marketing reviews.

Question ID: AIS-01.5
Question: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques.

Control Domain: Application & Interface Security: Customer Access Requirements
Control ID: AIS-02
Question ID: AIS-02.1
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Question: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: x
Watson Notes: IBM Watson services customers are ultimately responsible for the data integrity of their workload. IBM Watson compliance certifications demonstrate the controls in place to provide a secure platform. Additional information is available here: http://www.ibm.com/watson/watson-security.html

Question ID: AIS-02.2
Question: Are all requirements and trust levels for customers' access defined and documented?
Answer: x
Watson Notes: Requirements and trust levels for customer access are established contractually for each IBM Watson customer.
Control Domain: Application & Interface Security: Data Integrity
Control ID: AIS-03
Question ID: AIS-03.1
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Question: Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: x
Watson Notes: IBM Watson services are only available through API calls; this significantly limits an attacker's ability to interact with and compromise a service. IBM Watson customers are ultimately responsible for the data integrity of their workload. ISO 27001 compliance demonstrates the controls IBM Watson has in place to safeguard against the unauthorized access, destruction, loss or alteration of data. Security testing occurs prior to production rollout to ensure inputs & outputs from the API are secure & meet design specifications.

Control Domain: Application & Interface Security: Data Security / Integrity
Control ID: AIS-04
Question ID: AIS-04.1
Control Specification: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
Question: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: x
Watson Notes: The IBM Watson on the IBM Cloud Data Security Architecture is designed using industry standards and best practices aligning with ISO 27001 and NIST frameworks.

Control Domain: Audit Assurance & Compliance: Audit Planning
Control ID: AAC-01
Question ID: AAC-01.1
Control Specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
Question: Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?
Answer: x
Watson Notes: IBM Watson services use external and internal auditors to conduct structured, industry standard audit assertions and reports. Extensive audit planning & preparation occurs for each audit. These are performed at a minimum annually. See http://www.ibm.com/watson/watson-security.html
Control Domain: Audit Assurance & Compliance: Independent Audits
Control ID: AAC-02
Question ID: AAC-02.1
Control Specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
Question: Do you allow tenants to view your SOC2/ISO 27001 or similar third-party auditor certification reports?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party audit attestation, certification and/or pen testing reports where a Non-Disclosure Agreement (NDA) is in place.

Question ID: AAC-02.2
Question: Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Penetration testing is performed by IBM teams against the IBM Watson services environments on at least a quarterly basis. This testing covers network and application level testing and includes testing for both SANS top 25 and OWASP top ten vulnerabilities. 3rd-party vendors (external) perform application and network penetration testing against the IBM Watson services production environments at least once annually. Those tests include both external testing against public endpoints and internal testing where the vendor is provided with access to the environment to test for any internal network vulnerabilities or weaknesses.
Question ID: AAC-02.3
Question: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Penetration testing is performed by IBM teams against the IBM Watson services environments on at least a quarterly basis. This testing covers network and application level testing and includes testing for both SANS top 25 and OWASP top ten vulnerabilities. 3rd-party vendors (external) perform application and network penetration testing against the IBM Watson services production environments at least once annually. Those tests include both external testing against public endpoints and internal testing where the vendor is provided with access to the environment to test for any internal network vulnerabilities or weaknesses.

Question ID: AAC-02.4
Question: Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: Internal audits are routine and virtually continuous for IBM Watson on the IBM Cloud. These are initiated/conducted at least once each quarter.

Question ID: AAC-02.5
Question: Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Answer: x
Watson Notes: IBM Watson services, at a minimum, use external auditors annually to conduct ISO 27001 assessments & audits.

Question ID: AAC-02.6
Question: Are the results of the penetration tests available to tenants at their request?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party pen testing attestations and/or reports where a Non-Disclosure Agreement (NDA) is in place.

Question ID: AAC-02.7
Question: Are the results of internal and external audits available to tenants at their request?
Answer: x
Watson Notes: IBM Watson services provide relevant third-party audit attestations to customers at their request. Executive level reports or details may be provided where a Non-Disclosure Agreement (NDA) is in place.

Question ID: AAC-02.8
Question: Do you have an internal audit program that allows for cross-functional audit of assessments?
Answer: x
Watson Notes: IBM Watson services use multiple internal entities to conduct cross functional audit assessments. IBM has a robust internal audit organization utilizing mature processes that have been developed and refined to ensure alignment of all business units and internal organizations to corporate standards.
Control Domain: Audit Assurance & Compliance: Information System Regulatory Mapping
Control ID: AAC-03
Question ID: AAC-03.1
Control Specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
Question: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Answer: x
Watson Notes: Data at rest and in transit is encrypted. Access control technologies are leveraged in all IBM Watson services delivery models to ensure customers can only access their data & workloads. Additional layers of logical segmentation are available in Premium & Dedicated models of delivery of Watson services.

Question ID: AAC-03.2
Question: Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
Answer: x
Watson Notes: IBM Watson services customers are ultimately responsible for their data and the integrity of any workloads communicating with Watson via API. Most IBM Watson Cloud Platform Services are stateless, whereby client specific data does not persist.

Question ID: AAC-03.3
Question: Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Answer: x
Watson Notes: IBM Watson services provide customers with options to deploy their applications and data in different regions. The data will reside in the region defined in the original solution design and specified in the services contract unless the customer elects to move it themselves.

Question ID: AAC-03.4
Question: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: x
Watson Notes: IBM Watson services management & compliance teams regularly survey changes in the regulatory environment. The IBM Legal Department also monitors regulatory requirements for their impact upon IBM security programs. Customers are ultimately responsible for their compliance and tracking any changes to their regulatory requirements.
Control Domain: Business Continuity Management & Operational Resilience: Business Continuity Planning
Control ID: BCR-01
Question ID: BCR-01.1
Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
Question: Do you provide tenants with geographically resilient hosting options?
Answer: x
Watson Notes: IBM Watson services encourage customers to take advantage of our global deployment model to accomplish geographic resiliency.

Question ID: BCR-01.2
Question: Do you provide tenants with infrastructure service failover capability to other providers?
Answer: x
Watson Notes: IBM Watson services are designed, implemented & configured utilizing HA and are exclusively hosted by IBM.
Control Domain: Business Continuity Management & Operational Resilience: Business Continuity Testing
Control ID: BCR-02
Question ID: BCR-02.1
Control Specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
Question: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: x
Watson Notes: Business continuity plans are regularly tested at minimum on an annual basis. The related controls have been verified by an external auditor as part of the IBM Watson services 27001 certification.
Control Domain: Business Continuity Management & Operational Resilience: Power / Telecommunications
Control ID: BCR-03
Question ID: BCR-03.1
Control Specification: Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
Question: Do you provide tenants with documentation showing the transport route of their data between your systems?
Answer: x
Watson Notes: IBM Watson services provide customers the option to deploy their applications and data in different regions. For stateful services or specific customer workloads, the data remains in that region unless the customer moves it. Customers have different options on how they connect to their IBM Watson services, e.g. over the public network or over a dedicated VPN to a dedicated instance.

Question ID: BCR-03.2
Question: Can tenants define how their data is transported and through which legal jurisdictions?
Answer: x
Watson Notes: Direct internet connectivity is the preferred solution, but other options are available for dedicated customers. All traffic in transit to IBM Watson services is encrypted.
Control Domain: Business Continuity Management & Operational Resilience: Documentation
Control ID: BCR-04
Question ID: BCR-04.1
Control Specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
Question: Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?
Answer: x
Watson Notes: IBM Watson services provide robust documentation within each service description to assist customers with properly configuring and using its services. IBM Watson services have extensive documentation on the information system; this documentation is available to authorized IBM personnel. This information may also be distributed through training where applicable.
Control Domain: Business Continuity Management & Operational Resilience: Environmental Risks
Control ID: BCR-05
Question ID: BCR-05.1
Control Specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
Question: Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?
Answer: x
Watson Notes: IBM Watson services are hosted in IBM data centers where physical and environmental protection controls are in place. The data center security controls have been designed & implemented based on NIST 800-53, ISO 27001 & other industry standard requirements. These controls are validated frequently, at a minimum annually, by both internal audits and external auditors as part of SOC and ISO 27001 compliance programs.
Control Domain: Business Continuity Management & Operational Resilience: Equipment Location
Control ID: BCR-06
Question ID: BCR-06.1
Control Specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
Question: Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
Answer: x
Watson Notes: IBM Watson services are hosted in IBM data centers where physical and environmental protection controls are in place. The data center security controls have been designed & implemented based on NIST 800-53, ISO 27001 & other industry standard requirements. These controls are validated frequently, at a minimum annually, by both internal audits and external auditors as part of SOC and ISO 27001 compliance programs.
Control Domain: Business Continuity Management & Operational Resilience: Equipment Maintenance
Control ID: BCR-07
Question ID: BCR-07.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
Question: If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers. Specific hardware restore and recovery options are transparent to customers of IBM Watson services as these are provided at the underlying IaaS layer.

Question ID: BCR-07.2
Question: If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
Answer: x
Watson Notes: This can be available in the IBM Watson services dedicated delivery model.

Question ID: BCR-07.3
Question: If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

Question ID: BCR-07.4
Question: If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.

Question ID: BCR-07.5
Question: Does your cloud solution include software/provider independent restore and recovery capabilities?
Answer: x
Watson Notes: IBM Watson services are exclusively hosted in IBM data centers.
Control Domain: Business Continuity Management & Operational Resilience: Equipment Power Failures
Control ID: BCR-08
Question ID: BCR-08.1
Control Specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
Question: Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?
Answer: x
Watson Notes: IBM Data Center Physical and Environmental Protection controls are in place in all data centers. These controls are maintained through frequent internal audits and are validated by external auditors through assessments including but not limited to FedRAMP, ISO 27001, SOC, PCI, and HIPAA. IBM Data Center SOC reports provide additional insight into the security mechanisms implemented to protect against outages. The SOC 3 report is available to customers and prospective customers here: https://www.ibm.com/cloud-computing/bluemix/sites/default/files/assets/docs/SoftLayer%20SOC%203%201H%202017%20Report_FINAL%20%281%29_0.pdf The SOC 2 report is available to customers and can be requested via the customer portal or by contacting their sales team.
Control Domain: Business Continuity Management & Operational Resilience: Impact Analysis
Control ID: BCR-09
Question ID: BCR-09.1
Control Specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption
Question: Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

Question ID: BCR-09.2
Question: Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net

Question ID: BCR-09.3
Question: Do you provide customers with ongoing visibility and reporting of your SLA performance?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status and https://status.ng.bluemix.net
Control Domain: Business Continuity Management & Operational Resilience: Policy
Control ID: BCR-10
Question ID: BCR-10.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
Question: Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Answer: x
Watson Notes: IBM Watson services follow IBM Core Security Practices covering Systems, Networking and Secure Engineering best practices. Security readiness focal points are assigned for each Platform component and service and are responsible to drive conformance to those security policies. All IBM employees are required to take security related education annually.
Control Domain: Business Continuity Management & Operational Resilience: Retention Policy
Control ID: BCR-11
Question ID: BCR-11.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
Question: Do you have technical control capabilities to enforce tenant data retention policies?
Answer: x
Watson Notes: Specific data retention configuration options are available to customers utilizing dedicated IBM Watson services.

Question ID: BCR-11.2
Question: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Answer: x
Watson Notes: IBM Watson services do not share customer data unless subject to disclosure to government agencies pursuant to judicial proceeding, court order, or legal process. For more details on privacy and trust, refer to http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp, https://www.ibm.com/cloud-computing/bluemix/security-privacy#privacy, https://www-01.ibm.com/software/info/product-privacy/

Question ID: BCR-11.4
Question: Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Answer: x
Watson Notes: IBM Watson services are designed with High Availability as a key requirement. The services are deployed with redundancy as part of the design. Data retention policies and procedures are defined and maintained in accordance with the applicable regulatory and compliance standard.

Question ID: BCR-11.5
Question: Do you test your backup or redundancy mechanisms at least annually?
Answer: x
Watson Notes: IBM Watson services are designed, implemented & configured utilizing High Availability (HA) and are exclusively hosted by IBM. Business continuity plans are regularly tested at minimum on an annual basis. The related controls have been verified by an external auditor as part of the IBM Watson services 27001 certification. Data backup is a customer retained responsibility.
Control Domain: Change Control & Configuration Management: New Development / Acquisition
Control ID: CCC-01
Question ID: CCC-01.1
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
Question: Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?
Answer: x
Watson Notes: IBM Watson services have a Change Control process to manage and track changes to any portion of the system, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval including component owners and management. The IBM Secure Engineering standard provides policies on the development, reviewing and scanning of code, applications and systems prior to deployment, including any changes triggered via acquisition. All deployments are controlled via the IBM Change Management Policy and associated procedures. https://www.ibm.com/security/secure-engineering/

Question ID: CCC-01.2
Question: Is documentation available that describes the installation, configuration, and use of products/services/features?
Answer: x
Watson Notes: Extensive documentation is available in the form of product documentation, whitepapers, tutorials and videos in IBM Cloud Docs and via the IBM developerWorks and IBM Cloud Garage sites. https://console.bluemix.net/docs/ https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/ https://www.ibm.com/cloud-computing/bluemix/garage
Control Domain: Change Control & Configuration Management: Outsourced Development
Control ID: CCC-02
Question ID: CCC-02.1
Control Specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
Question: Do you have controls in place to ensure that standards of quality are being met for all software development?
Answer: x
Watson Notes: Development work for the IBM Watson services is not outsourced. The IBM Secure Engineering Standard prohibits use of all 3rd party components, e.g., libraries or open source code, unless approved by IBM's Open Source Software Process. That approval process includes technical, legal and marketing reviews.

Question ID: CCC-02.2
Question: Do you have controls in place to detect source code security defects for any outsourced software development activities?
Answer: x
Watson Notes: IBM Watson services utilize multiple testing, scanning & analysis techniques before the promotion of code into production. These include automated static and dynamic scans, manual penetration tests, threat modeling, manual code reviews, and other techniques. These tests occur on all code that makes up IBM Watson services.

Control Domain: Change Control & Configuration Management: Quality Testing
Control ID: CCC-03
Question ID: CCC-03.1
Control Specification: Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.
Question: Do you provide your tenants with documentation that describes your quality assurance process?
Answer: x
Watson Notes: The IBM Secure Engineering standard provides policies on the development, reviewing and scanning of code, applications and systems prior to deployment, including any changes triggered via acquisition. The goal of the secure engineering standard is to assure quality and minimize risks to deployed systems. It enforces security education for all IBM staff, with more specific security education based on role, and mandates the use of threat modelling for all deployments, which includes a risk assessment phase. Additional details are available here: https://www.ibm.com/security/secure-engineering/ IBM Watson services are ISO 27001 certified by external auditors. This certification is available to customers and has several control points which focus on quality assurance and risk assessment methodology.

Question ID: CCC-03.2
Question: Is documentation describing known issues with certain products/services available?
Answer: x
Watson Notes: IBM Watson services provide customers with visibility on status and maintenance notifications for all the platform and services via a number of public status pages. See https://console.bluemix.net/status
CCC-03.3
Aretherepoliciesandproceduresinplacetotriageandremedyreportedbugsandsecurityvulnerabilitiesforproductandserviceofferings?
x
IBMWatsonservicesprovidecustomerswithvisibilityonstatusandmaintenancenotificationsforalltheplatformandservicesviaanumberofpublicstatuspages.Seehttps://console.bluemix.net/statushttps://www.ibm.com/security/secure-engineering/process.html
CCC-03.4
Aremechanismsinplacetoensurethatalldebuggingandtestcodeelementsareremovedfromreleasedsoftwareversions?
x
IBMSecureEngineeringstandarddictatesthatcodereviewsmustbeperformedagainstasecurecodingreviewchecklistwhichincludescheckstoremoveanydebugcode.
Change Control & Configuration Management - Unauthorized Software Installations
CCC-04
CCC-04.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?
x
IBM Watson services have a Change Control process to manage and track changes to any portion of the system, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval including component owners and management. For customer dedicated clouds, changes will only be made during an agreed change window or with the explicit approval of the customer, and no changes are made without informing the customer in advance.
Change Control & Configuration Management - Production Changes
CCC-05
CCC-05.1
Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?
x
IBM Watson services are ISO27001 certified and this includes review of controls on change management. Reports can be made available to customers on request. For customer dedicated clouds, changes will only be made during an agreed change window or with the explicit approval of the customer, and no changes are made without informing the customer in advance.
Data Security & Information Lifecycle Management - Classification
DSI-01
DSI-01.1
Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
x
IBM Watson services leverage namespaces, tags &/or labeling methodologies/technologies for identification of customer environments and workloads.
DSI-01.2
Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
x
Specific hardware and virtual machines are assigned to customers pursuant to their contracted specifications. This capability is provided to IBM Watson services and support teams but is transparent to the customer.
DSI-01.3
Do you have a capability to use system geographic location as an authentication factor?
x
In dedicated IBM Watson services, customers can authenticate their own users via SSO and can utilize geography-based authentication factors.
DSI-01.4
Can you provide the physical location/geography of storage of a tenant's data upon request?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it.
DSI-01.5
Can you provide the physical location/geography of storage of a tenant's data in advance?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it.
DSI-01.6
Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?
x
IBM Watson services leverage namespaces, tags &/or labeling methodologies/technologies for identification of customer environments and workloads. Customers are ultimately responsible for classifying & managing their data.
DSI-01.7
Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it.
Data Security & Information Lifecycle Management - Data Inventory/Flows
DSI-02
DSI-02.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
x
IBM Watson services utilize an extensive and detailed threat modeling process where all data flows are documented prior to major releases.
DSI-02.2
Can you ensure that data does not migrate beyond a defined geographical residency?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it.
Data Security & Information Lifecycle Management - E-commerce Transactions
DSI-03
DSI-03.1
Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
Do you provide open encryption methodologies (3.4ES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
x
IBM Watson services leverage open encryption methodologies. Data in motion and at rest is encrypted using AES encryption. Data in motion is transmitted using TLS 1.2.
DSI-03.2
Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
x
Within IBM Watson services, all data transmitted over public networks will be encrypted per IBM policy. http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf
Data Security & Information Lifecycle Management - Handling/Labeling/Security Policy
DSI-04
DSI-04.1
Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Are policies and procedures established for labeling, handling and the security of data and objects that contain data?
x
IBM Watson services follow IBM Corporate Standards which dictate a labeling and handling scheme for all assets containing IBM and customer owned data.
DSI-04.2
Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
x
All customer data is considered confidential and requires data to be encrypted at rest and in motion.
Data Security & Information Lifecycle Management - Nonproduction Data
DSI-05
DSI-05.1
Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
x
IBM Watson services have processes & procedures to afford segregated development, staging and production environments. These are deployed in different VLANs in different IaaS accounts. Each customer environment is considered to be a production environment by IBM, though the customer may have multiple environments for their purposes as well. IBM Cloud provides customers with the ability to promote Watson service instances into production and non-production spaces. It is the customer's responsibility to restrict the movement of workload between their environments and ensure production data is not replicated to non-production environments. https://www.ibm.com/developerworks/cloud/library/cl-intro4-app/index.html
Data Security & Information Lifecycle Management - Ownership/Stewardship
DSI-06
DSI-06.1
All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?
x
IBM Watson services support staff follow IBM Corporate Standards which dictate a labeling and handling scheme for all IBM and customer owned data. IBM Watson service customers are responsible for managing and labelling their own data within the Watson service.
Data Security & Information Lifecycle Management - Secure Disposal
DSI-07
DSI-07.1
Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
x
IBM Watson services employ a decommissioning and reclaim process for all hardware being reclaimed. The reclaimed drive is wiped using the DOD 5220.22-M algorithms. If a device is determined to be end of life, the hardware is wiped using the same method described above, then the device is physically crushed on site. These measures are taken to protect customers' data. See http://blog.softlayer.com/tag/disposal
DSI-07.2
Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
x
Specific Data Sanitization options are available for customers using dedicated versions of the IBM Watson services and will be defined as part of the contractual process.
Datacenter Security - Asset Management
DCS-01
DCS-01.1
Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?
x
IBM Watson services record all physical and virtual assets in an IBM asset inventory system that captures details including asset owner, classes of data managed, locations of hosting infrastructure, and contact details. The asset inventory process has been assessed by external auditors as part of ISO27001.
DCS-01.2
Do you maintain a complete inventory of all of your critical supplier relationships?
x
IBM Watson services document critical suppliers, along with appropriate contact information.
Datacenter Security - Controlled Access Points
DCS-02
DCS-02.1
Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?
x
IBM Datacenters are secured, with server-room access limited to certified employees. Physical security perimeters can include, but are not limited to, fences, walls, barriers, security guards, gates, electronic surveillance, video surveillance, physical authentication mechanisms, reception desks, and security patrols. The controls have been certified by an external auditor. See NIST 800-53 PE and ISO27001 A11 for the relevant controls: https://www.ibm.com/cloud-computing/bluemix/compliance See https://www.ibm.com/cloud-computing/bluemix/data-centers for more details on IBM Datacenter security.
Datacenter Security - Equipment Identification
DCS-03
DCS-03.1
Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?
x
IBM Watson services manage all assets following an IBM asset inventory process and this has been assessed by external auditors as part of ISO27001 compliance. https://console.bluemix.net/docs/security/compliance.html#compliance
Datacenter Security - Offsite Authorization
DCS-04
DCS-04.1
Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, and replication)?
x
IBM Watson services provide customers with options to deploy their services and data in different regions. That data remains in that region unless the customer moves it.
Datacenter Security - Offsite Equipment
DCS-05
DCS-05.1
Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.
Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?
x
IBM Watson services leverage an IBM Cloud decommissioning and reclaim process for all hardware or software being reclaimed or determined to be end of life. Reclaimed hard drives are wiped using the DOD 5220.22-M algorithms. If a device is determined to be end of life, the hardware is wiped using the same method described above, then the device is physically crushed on site. These measures are taken to protect customers' data. IBM's asset management and repurposing processes are validated frequently by external auditors through assessments including but not limited to ISO27001/17/18, SOC, and HIPAA.
Datacenter Security - Policy
DCS-06
DCS-06.1
Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?
x
IBM Watson services engage third party auditors to validate our compliance with many different frameworks including but not limited to ISO27001. The additional layers of the cloud underlying IBM Watson services also go through extensive third-party audits throughout each year. These include, but are not limited to, ISO27001/17/18, SOC, and HIPAA.
DCS-06.2
Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?
x
IBM Watson service employees complete annual required IBM security awareness training which includes training on policies, standards &/or procedures. Security awareness training is included as part of external and internal audits for verification & validation.
Datacenter Security - Secure Area Authorization
DCS-07
DCS-07.1
Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
x
IBM Watson services provide customers with options to select in which region instances of Watson services are deployed. Data stored as part of the service remains in that region unless the customer moves it. This is performed during the ordering & contract negotiation process.
Datacenter Security - Unauthorized Persons Entry
DCS-08
DCS-08.1
Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?
x
IBM Data Center physical security is controlled at many levels, such as the perimeter and building entrances; it includes, but is not limited to, professional security staff, 24/7 video surveillance, and security checkpoints. All physical access points to the data halls are recorded and monitored by on-site security; only authorized staff have the ability to access the data halls, and they must authenticate a minimum of 2 times. Physical security is reviewed by periodic internal and external audits. https://www.ibm.com/cloud-computing/bluemix/compliance
Datacenter Security - User Access
DCS-09
DCS-09.1
Physical access to information assets and functions by users and support personnel shall be restricted.
Do you restrict physical access to information assets and functions by users and support personnel?
x
IBM Data Center physical security is controlled at many levels, such as the perimeter and building entrances; it includes, but is not limited to, professional security staff, 24/7 video surveillance, and security checkpoints. All physical access points to the data halls are recorded and monitored by on-site security; only authorized staff have the ability to access the data halls, and they must authenticate a minimum of 2 times. Physical security is reviewed by periodic internal and external audits. https://www.ibm.com/cloud-computing/bluemix/compliance
Encryption & Key Management - Entitlement
EKM-01
EKM-01.1
Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
Do you have key management policies binding keys to identifiable owners?
x
IBM has defined a Key Management policy to support encryption of data at rest and in transit for all Watson platform components. Encryption is managed at the disk level and keys are not tied to clients.
Encryption & Key Management - Key Generation
EKM-02
EKM-02.1
Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
Do you have a capability to allow creation of unique encryption keys per tenant?
x
This is available for customers using IBM Watson services dedicated service delivery models.
EKM-02.2
Do you have a capability to manage encryption keys on behalf of tenants?
X
Encryption keys on the backend of the IBM Watson services are managed & maintained by IBM.
EKM-02.3
Do you maintain key management procedures?
X
IBM Watson services have a robust Key Management solution to ensure security throughout the key lifecycle, including key access, strength, rotation, & revocability. Key management procedures are in the process of being documented.
EKM-02.4
Do you have documented ownership for each stage of the lifecycle of encryption keys?
X
IBM Watson services have a robust Key Management solution to ensure security throughout the key lifecycle, including key ownership at each stage of the lifecycle.
EKM-02.5
Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?
X
IBM Watson services have implemented a robust Key Management solution that leverages open source, 3rd party & proprietary components.
Encryption & Key Management - Encryption
EKM-03
EKM-03.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
Do you encrypt tenant data at rest (on disk/storage) within your environment?
x
IBM Watson services encrypt data with AES & TLS 1.2 encryption technologies.
EKM-03.2
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
x
IBM Watson services encrypt data with AES & TLS 1.2 encryption technologies.
EKM-03.3
Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)?
x
IBM recognizes that Bring Your Own Key (BYOK) is important for some customers and will work with them to determine a mutually agreeable solution.
EKM-03.4
Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?
x
This is included as part of the Data Security and Privacy Principles that is included as standard contract language. Documentation is available here: http://www.ibm.com/cloud/data-security & https://www-05.ibm.com/support/operations/files/pdf/csa_us.pdf
Encryption & Key Management - Storage and Access
EKM-04
EKM-04.1
Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?
x
All encryption algorithms in use are open/validated formats and follow NIST SP 800-57 Part 1 standards. Ciphers and protocols are reviewed on at least an annual basis and updated accordingly. By default, all connections start at TLS 1.2 and data at rest is AES128 or better.
EKM-04.2
Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
x
IBM Watson keys are owned and managed by IBM Watson.
EKM-04.3
Do you store encryption keys in the cloud?
x
Yes, keys are stored within the IBM Cloud environment.
EKM-04.4
Do you have separate key management and key usage duties?
x
IBM recognizes that Bring Your Own Key (BYOK) is important for some customers and will work with them to determine a mutually agreeable solution.
Governance and Risk Management - Baseline Requirements
GRM-01
GRM-01.1
Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system, and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.
Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?
x
IBM maintains system baselines for all critical components and this has been verified by an independent auditor as part of ISO27001 certification.
GRM-01.2
Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
x
Endpoints are routinely monitored at the OS level to ensure compliance with a set of security standards. Those security standards follow the IBM security policies and checklists, which in turn align with ISO27001 standards.
GRM-01.3
Do you allow your clients to provide their own trusted virtual machine image to ensure conformance to their own internal standards?
x
IBM Watson services are only available as a service provided by IBM.
Governance and Risk Management - Risk Assessments
GRM-02
GRM-02.1
Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification
Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?
x
Security logs are created for all critical operations in IBM Watson services, e.g. authentication, privileged operations, etc. These are available on request to Watson dedicated customers for their environment. ISO27001 reports are available on request and demonstrate the use of security controls in IBM Watson services. Customers may leverage the IBM Cloud Console to monitor the health of services. https://console.bluemix.net/status
GRM-02.2
Do you conduct risk assessments associated with data governance requirements at least once a year?
x
IBM Watson services are ISO27001 certified by external auditors. Part of the certification requires an ISMS (Information Security Management System) and risk management process be in place and approved by IBM senior management. Additionally, regular penetration testing is performed by both IBM internal and external teams, as well as regular network and application scanning. IBM Secure Engineering standard requires that threat modelling be carried out on at least an annual basis, and part of that methodology is risk assessment. See https://www.ibm.com/security/secure-engineering/
Governance and Risk Management - Management Oversight
GRM-03
GRM-03.1
Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.
Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?
x
IBM Security standards require managers to own the security and risks for their services; each must appoint a security focal to manage security and compliance for all aspects of the service. IBM Secure Engineering standard requires all employees to take security education on an annual basis. This area is reviewed annually as part of the ISO27001 certification for IBM Watson services.
GovernanceandRiskManagementManagementProgram
GRM-04
GRM-04.1
AnInformationSecurityManagementProgram(ISMP)shallbedeveloped,documented,approved,andimplementedthatincludesadministrative,technical,andphysicalsafeguardstoprotectassetsanddatafromloss,misuse,unauthorizedaccess,disclosure,alteration,anddestruction.Thesecurityprogramshallinclude,butnot
DoyouprovidetenantswithdocumentationdescribingyourInformationSecurityManagementProgram(ISMP)?
x
IBMWatsonservicesareISO27001certifiedbyexternalauditorsandavailableforreviewbycustomers.ISO27001isfocusedonsecuritymanagementprocessesandvalidatesthatIBMWatsonservicessecurityprocessesconformtotheISO27001controlstandards.IBMSecurityPrinciplesareavailablehere:http://www-03.ibm.com/software/sla/sladb.nsf/pdf/7745WW2/$file/Z126-7745-WW-2_05-2017_en_US.pdf
GRM-04.2
DoyoureviewyourInformationSecurityManagementProgram(ISMP)atleastonceayear?
x
IBMISMS&itsspecificationinregardtoIBMWatsonservicesarereviewedatleastannually.
be limited to, the following areas insofar as they relate to the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
Governance and Risk Management: Management Support/Involvement
GRM-05
GRM-05.1
Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.
Do you ensure your providers adhere to your information security and privacy policies?
x
IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers. As part of ISO27001 certification, controls and policies for service providers are reviewed.
Governance and Risk Management: Policy
GRM-06
GRM-06.1
Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the
Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?
x
IBM information security and privacy policies are based on and align with industry standards such as NIST 800-53 and ISO27001. IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers.
GRM-06.2
Do you have agreements to ensure your providers adhere to your information security and privacy policies?
x
Agreements are in place to verify and monitor supplier compliance with industry standards. IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers. As part of ISO27001 certification, controls and policies for engaging with service providers are reviewed.
GRM-06.3
organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership.
Can you provide evidence of due diligence mapping of your controls, architecture, and processes to regulations and/or standards?
x
This effort with the CSA CAIQ reflects a mapping to regulations and standards. IBM Watson services are ISO27001 certified by external auditors, with that certification being available to customers. As part of ISO27001 certification, controls and policies for engaging with service providers are reviewed.
GRM-06.4
Do you disclose which controls, standards, certifications, and/or regulations you comply with?
x
This effort with the CSA CAIQ reflects a mapping to regulations and standards. IBM Watson services are ISO27001/17/18 certified by external auditors, with that certification being available to customers. For additional details refer to https://www.ibm.com/watson/watson-security.html
Governance and Risk Management: Policy Enforcement
GRM-07
GRM-07.1
A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures.
Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?
x
Yes, this is established by IBM Corporate HR policies, standards, training, and processes, and is adhered to within IBM Watson services on the IBM Cloud.
GRM-07.2
Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?
x
Yes, this is established by IBM Corporate HR policies, standards, training, and processes, and is adhered to within IBM Watson services on the IBM Cloud.
Governance and Risk Management: Business/Policy Change Impacts
GRM-08
GRM-08.1
Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.
Do risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective?
x
IBM Watson services ensure risk assessments are conducted at least quarterly. Policies, procedures, and standards are subject to revision as an outcome of these assessments.
Governance and Risk Management: Policy Reviews
GRM-09
GRM-09.1
The organization's business leadership (or other accountable
Do you notify your tenants when you make material changes to your information security and/or privacy policies?
x
IBM Watson services dedicated tenants are notified of changes to their environment, including those resulting from modified security policies. All deployments are controlled via the Change Management Policy, and customers are approvers for any changes that happen outside agreed maintenance windows.
GRM-09.2
business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.
Do you perform, at minimum, annual reviews of your privacy and security policies?
x
Security policies are reviewed at least annually. The privacy policy is updated and reviewed by the IBM Corporate Privacy Office. For more details on privacy and data security policies see http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp and https://www-01.ibm.com/software/info/product-privacy/
Governance and Risk Management: Assessments
GRM-10
GRM-10.1
Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?
x
Regular risk assessments are conducted quarterly and documented as part of the ISMS. These include likelihood and impact for all identified risks using qualitative and quantitative methods.
GRM-10.2
Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)?
x
Results from regular 3rd party audits/assessments and penetration testing are one of the many feeds into the overall risk management program. Additionally, independent internal IBM compliance teams perform quarterly reviews to ensure ongoing risk identification and compliance. Threat modeling is also required for each of the Watson services.
Governance and Risk Management: Program
GRM-11
GRM-11.1
Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.
Do you have a documented, organization-wide program in place to manage risk?
x
IBM recognizes risk assessment to be an important factor in security and has established a periodic risk assessment process that is applicable to the systems that host Watson as a Service. Assessments are entered into the IBM Governance, Risk, and Compliance program to determine and manage the current risk posture. IBM has a well-established risk management program in place that is validated as part of the annual ISO27001 audit and assessment.
GRM-11.2
Do you make available documentation of your organization-wide risk management program?
x
Various documents are published externally regarding IBM Risk Management programs, services, and solutions. Risks identified that require customers to take an action are released as part of the PSIRT process. Additional program information is available here: https://www.ibm.com/security/secure-engineering/process.html
Human Resources: Asset Returns
HRS-01
HRS-01.1
Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.
Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?
x
IBM Watson services have a security incident response plan which aligns with the IBM Cybersecurity Incident Response process, and the IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security or privacy incident involving any Watson or customer system or data. Refer to Security Incident Response Management in the 'Securing Workloads in IBM Cloud' whitepaper and the IBM incident response process here:
https://www.ibm.com/security/secure-engineering/process.html
https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/
HRS-01.2
Is your Privacy Policy aligned with industry standards?
x
IBM privacy policies are aligned with industry and country requirements and are continuously monitored for updates. See these links for more information:
https://www.ibm.com/cloud/privacy
http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp
https://www-01.ibm.com/software/info/product-privacy/
Human Resources: Background Screening
HRS-02
HRS-02.1
Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.
Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?
x
IBM Corporate HR policies dictate that all employment candidates are subject to background verification.
Human Resources: Employment Agreements
HRS-03
HRS-03.1
Employment agreements shall incorporate provisions and/or terms for adherence
Do you specifically train your employees regarding their specific role and the information security controls they must fulfill?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for IBM Watson services team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-03.2
to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.
Do you document employee acknowledgment of training they have completed?
x
IBM employees must acknowledge completion of training, and this acknowledgment is documented and stored.
HRS-03.3
Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
x
All employees of IBM sign NDA or confidentiality agreements regarding corporate and client information.
HRS-03.4
Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems?
x
Timely completion of the training program is a prerequisite to gaining/maintaining access to IBM computing resources, which may include sensitive systems and customer data.
HRS-03.5
Are personnel trained and provided with awareness programs at least once a year?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Refer to https://www.ibm.com/security/secure-engineering/
Human Resources: Employment Termination
HRS-04
HRS-04.1
Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.
Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?
x
IBM Corporate HR policies provide a baseline of standards for changes in, and termination of, employment. The IBM Cloud access control solution queries the IBM Corporate system on a daily basis to detect any employee terminations.
HRS-04.2
Do the above procedures and guidelines account for timely revocation of access and return of assets?
x
IBM Corporate HR policies provide a baseline of standards to ensure all employee system access is terminated and assets are collected at time of termination. IBM Watson services are managed via an IBM Cloud IAM solution which ensures role-based access to any Watson system. Approval is required from both the employee manager and the system access owner, and the process includes approval of continued business need and validation/revocation on employee termination.
Human Resources: Portable/Mobile Devices
HRS-05
HRS-05.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources, and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).
Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization's facilities)?
x
IBM IT Security standards mandate that mobile devices are not permitted access to customer environments. Privileged laptops are required for access to customer environments, and owners of those laptops are required to install and maintain full disk encryption and other increased security controls. This is managed with extensive access security controls which are validated at least annually by 3rd party auditors.
Human Resources: Non-Disclosure Agreements
HRS-06
HRS-06.1
Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.
Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented, and reviewed at planned intervals?
x
All IBM policies and procedures are reviewed on at least an annual basis. Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details are identified, documented, and reviewed at a minimum of once annually.
Human Resources: Roles/Responsibilities
HRS-07
HRS-07.1
Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.
Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant?
x
All roles and responsibilities relating to information security and environment operations are documented for dedicated environments.
Human Resources: Acceptable Use
HRS-08
HRS-08.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.
Do you provide documentation regarding how you may access tenant data and metadata?
x
Refer to the IBM Privacy and Data Security sites for more information:
https://www.ibm.com/cloud/privacy
http://www-03.ibm.com/software/sla/sladb.nsf/sla/dsp
https://www-01.ibm.com/software/info/product-privacy/
HRS-08.2
Do you collect or create metadata about tenant data usage through inspection technologies (e.g., search engines, etc.)?
x
This is enabled by default for all standard IBM Watson services. Customers may opt out of data usage if they choose. By default, this is disabled for Premium and Dedicated customers.
HRS-08.3
Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?
x
This is enabled by default for all standard IBM Watson services. Customers may opt out of data usage if they choose. By default, this is disabled for Premium and Dedicated customers.
Human Resources: Training/Awareness
HRS-09
HRS-09.1
A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with
Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-09.2
access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
Human Resources: User Responsibility
HRS-10
HRS-10.1
All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment
Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-10.2
Are users made aware of their responsibilities for maintaining a safe and secure working environment?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
HRS-10.3
Are users made aware of their responsibilities for leaving unattended equipment in a secure manner?
x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. The standards used are regularly evaluated and updated for inclusion or replacement. Refer to https://www.ibm.com/security/secure-engineering/
Human Resources: Workspace
HRS-11
HRS-11.1
Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and that user computing sessions have been disabled after an established period of inactivity.
Do your data management policies and procedures address tenant and service level conflicts of interest?
x
Tenant and service level conflicts of interest are resolved via operational and management planning.
HRS-11.2
Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?
x
Security logs for all critical operations are collected and sent to IBM QRadar SIEM (Security Information and Event Management), which is monitored 24x7 by the IBM SOC. Tampering with the logging configuration or with the security logs is itself logged, and those logs are delivered to QRadar. IBM personnel managing the Watson Cloud Platform Services QRadar are distinct from those having privileged access to the Watson Platform, and this is enforced using the IBM IAM (Identity and Access Management) governance solution.
HRS-11.3
Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
x
Security logs for all critical operations are collected and sent to IBM QRadar SIEM, which is monitored 24x7 by the IBM SOC (Security Operations Center). Tampering with the logging configuration or with the security logs is itself logged, and those logs are delivered to QRadar. IBM personnel managing the IBM Watson services QRadar are distinct from those having privileged access to the Watson Platform, and this is enforced using the IBM IAM governance solution.
Identity & Access Management: Audit Tools Access
IAM-01
IAM-01.1
Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?
x
All access requires approval from both the employee manager and the system access owner. This provides the user with role-based access to the requested system. All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM.
IAM-01.2
Do you monitor and log privileged access (e.g., administrator level) to information security management systems?
x
All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM.
Identity & Access Management
IAM-02
IAM-02.1
User access policies and procedures shall be established, and supporting business
Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
x
Internal access to IBM Watson services is revoked on employee termination. Routine verification of access is also performed with the user's management to ensure business purposes align with existing access.
User Access Policy
IAM-02.2
processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of
Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?
x
Management of IBM IDs is an IBM retained responsibility. This internal process is automated and is tested through our external audits repeatedly throughout the year. Client IDs are managed by the client and are a client responsibility.
assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions
(e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements
Identity & Access Management: Diagnostic/Configuration Ports Access
IAM-03
IAM-03.1
User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Do you use dedicated secure networks to provide management access to your cloud service infrastructure?
x
IBM Cloud management network traffic is processed using a management control plane with strict access control. VPNs are utilized where needed to provide an additional layer of security for sensitive networks within IBM.
Identity & Access Management: Policies and Procedures
IAM-04
IAM-04.1
Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.
Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
x
IBM Watson services leverage IBM IAM services to manage and maintain identity and access control.
IAM-04.2
Do you manage and store the user identity of all personnel who have network access, including their level of access?
x
IBM Watson services leverage IBM IAM services to manage and maintain identity and access control.
Identity & Access Management: Segregation of Duties
IAM-05
IAM-05.1
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.
Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls are used to enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.
Identity & Access Management: Source Code Access Restriction
IAM-06
IAM-06.1
Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of the access control workflow. Secondary controls are used to enforce periodic revalidation of users based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.
IAM-06.2
Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide. Management ensures appropriate levels of segregation of duties when approving access.
Identity & Access Management: Third Party Access
IAM-07
IAM-07.1
The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
Do you provide multi-failure disaster recovery capability?
x
N/A. Customers desiring multi-failure disaster recovery should consider designs leveraging multiple regions across the IBM Global Cloud infrastructure.
IAM-07.2
Do you monitor service continuity with upstream providers in the event of provider failure?
x
IBM Watson services availability is monitored and published using the IBM Cloud console. Upstream providers are monitored for service continuity and availability at the IBM Cloud IaaS layer.
IAM-07.3
Do you have more than one provider for each service you depend on?
x
There are multiple ISP providers within the IBM Cloud data centers which support IBM Watson services.
IAM-07.4
Do you provide access to operational redundancy and continuity summaries, including the services you depend on?
x
As published within the externally available audit reports.
IAM-07.5
Do you provide the tenant the ability to declare a disaster?
x
This can be available in IBM Watson services dedicated deployment models, as documented within the solution design and contractual agreement.
IAM-07.6
Do you provide a tenant-triggered failover option?
x
This can be available in IBM Watson services dedicated deployment models, as documented within the solution design and contractual agreement.
IAM-07.7
Do you share your business continuity and redundancy plans with your tenants?
x
As published within the externally available audit reports and as required by contract.
Identity & Access Management: User Access Restriction/Authorization
IAM-08
IAM-08.1
Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.
Do you document how you grant and approve access to tenant data?
x
This is on a need-to-know basis only and is only ever leveraged in the need to support a client support request or requirement. IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow.
IAM-08.2
Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?
x
All customer data is rated as sensitive. Depending on the IBM Watson services deployment model, tenant data is isolated based on solution design and contractual agreement.
Identity & Access Management: User Access Authorization
IAM-09
IAM-09.1
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners, and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems, and network components?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Tenants retain responsibility for their users' authorization and user access via IBM IAM services.
IAM-09.2
Do you provide upon request user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Tenants retain responsibility for their users' authorization and user access via IBM IAM services. Backend system access is restricted to IBM employees with business need only.
Identity & Access Management: User Access Reviews
IAM-10
IAM-10.1
User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures.
Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)?
x
IBM user accounts are revalidated in accordance with IBM policy. Controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification.
IAM-10.2
If users are found to have inappropriate entitlements, are all remediation and certification actions recorded?
x
IBM user accounts are revalidated in accordance with IBM policy. Controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification.
IAM-10.3
Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
x
Revalidation reports are for IBM access & use only.
Identity & Access Management: User Access Revocation
IAM-11
IAM-11.1
Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user's change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
Is timely deprovisioning, revocation, or modification of user access to the organization's systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?
x
IBM user accounts are revalidated, revoked, modified and/or updated in accordance with IBM policy. Controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification.
IAM-11.2
Is any change in user access status intended to include termination of employment, contractor agreement, change of employment or transfer within the organization?
x
IBM user accounts are revalidated, revoked, modified and/or updated in accordance with IBM policy. Controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification.
Identity & Access Management: User ID Credentials
IAM-12
IAM-12.1
Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets)
Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services control points. This integration with customer directory services allows for SSO (Single Sign On) capabilities.
IAM-12.2
Do you use open standards to delegate authentication capabilities to your tenants?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services, which leverage open standards to allow for delegation of authentication capabilities to IBM Watson services tenants.
IAM-12.3
Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
x
Customer integration & SAML (Security Assertion Markup Language) federated access is managed and supported using the IBM Cloud IAM services.
IAM-12.4
Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services control points.
IAM-12.5
Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?
x
Customer integration access is managed and supported using the IBM Cloud IAM services control points.
IAM-12.6
Do you provide tenants with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services. This integration allows clients to leverage existing MFA (Multifactor Authentication) options as established within their organization and directory services.
IAM-12.7
Do you allow tenants to use third-party identity assurance services?
x
Customer integration & federated access is managed and supported using the IBM Cloud IAM services. This integration allows clients to leverage third-party identity assurance services. Also, this is often accomplished using third-party certificate/key authorization services.
IAM-12.8
Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?
x
IBM Cloud IAM services support strong password policy enforcement including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
IAM-12.9
Do you allow tenants/customers to define password and account lockout policies for their accounts?
x
IBM Cloud IAM services support strong password policy enforcement including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
IAM-12.10
Do you support the ability to force password changes upon first logon?
x
IBM Cloud IAM services support strong password policy enforcement including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
IAM-12.11
Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
x
IBM Cloud IAM services support strong password policy enforcement including minimum password length, password history and password lockout. IBM Cloud customers may enforce any password policy they choose by using SAML federation.
Identity & Access Management: Utility Programs Access
IAM-13
IAM-13.1
Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?
x
IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. This would include permissions and access to utilities that can manage virtualized partitions. Privileged access utilizing such utilities would be logged and sent in near real-time to IBM QRadar SIEM.
IAM-13.2
Do you have the capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyperjumping, etc.)?
x
Access to Virtual Infrastructure is restricted to only personnel who require access and all access is logged. Monitoring and controls have been reviewed by independent auditors as part of ISO audits.
IAM-13.3
Are attacks that target the virtual infrastructure prevented with technical controls?
x
Access to Virtual Infrastructure is restricted to only personnel who require access and all access is logged. Monitoring and controls have been reviewed by independent auditors as part of ISO audits.
Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection
IVS-01
IVS-01.1
Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
x
This is an ongoing project and compensating controls exist using advanced logging and SIEM monitoring.
IVS-01.2
Is physical and logical user access to audit logs restricted to authorized personnel?
x
Audit logs are secured and encrypted using the QRadar tool. Access to these logs would follow the IBM access control policies & procedures. IBM Watson services use a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow.
IVS-01.3
Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?
x
This is accomplished via IBM Compliance teams leveraging the IBM ISO27001-based ISMS (Information Security Management System) & also the CSA (Cloud Service Alliance) Cloud Control Matrix. IBM Watson services are ISO27001/17/18 certified by external auditors, with those certifications being available to customers. As part of ISO27001 audits and assessments, due diligence mapping to regulations and standards is reviewed.
IVS-01.4
Are audit logs centrally stored and retained?
x
IBM Watson services security logs feed into a SELM (Security Event Log Monitor) service (IBM QRadar) and are monitored and managed via a SOC. Logs are retained a minimum of 90 days.
IVS-01.5
Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
x
IBM Watson services security logs feed into a SELM service and are monitored utilizing QRadar SIEM and managed via a SOC.
Infrastructure & Virtualization Security: Change Detection
IVS-02
IVS-02.1
The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).
Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?
x
All changes and privileged actions to VM (Virtual Machine) images are logged and sent to IBM QRadar SIEM for monitoring and alerting.
IVS-02.2
Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?
x
IBM Cloud manages the backend IaaS supporting/providing all virtual infrastructure for the customer, such that all changes to VMs are transparent to the IBM Watson services being provided.
Infrastructure & Virtualization Security: Clock Synchronization
IVS-03
IVS-03.1
A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
x
IBM Cloud provides centralized, synchronized NTP (Network Time Protocol) services for IBM Watson services.
Infrastructure & Virtualization Security: Capacity/Resource Planning
IVS-04
IVS-04.1
The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
Do you provide documentation regarding what levels of system (e.g., network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
x
For IBM Watson services this should be transparent to the end user. SLAs will be met as agreed to in the customer contract. Specific capacity requirements can be negotiated and documented in Dedicated service delivery models.
IVS-04.2
Do you restrict use of the memory oversubscription capabilities present in the hypervisor?
x
This is provided by IBM Cloud IaaS.
IVS-04.3
Do your system capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants?
x
IBM Cloud Platform services projects the anticipated capacity for the platform and ensures there is enough hardware, network, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits. This is also addressed when building out additional clients and services within IBM Watson services as needed.
IVS-04.4
Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the tenants?
x
IBM Cloud Platform services projects the anticipated capacity for the platform and ensures there is enough hardware, network, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits. This is also addressed when building out additional clients and services within IBM Watson services as needed.
Infrastructure & Virtualization Security: Management - Vulnerability Management
IVS-05
IVS-05.1
Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).
Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?
x
The IBM Secure Engineering standard dictates that multiple scanning techniques be used against production systems. These include automated dynamic scans, manual penetration tests and threat modelling. These activities include both the virtualization technologies and all virtual machines and containers deployed on those virtualization technologies. The standards used are regularly evaluated and updated for inclusion or replacement. Vulnerability tools, processes, & procedures are assessed & audited annually with internal and third-party auditors.
Infrastructure & Virtualization Security: Network Security
IVS-06
IVS-06.1
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and compensating controls.
For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
x
IBM Watson services do not provide IaaS capabilities directly to clients. IBM Cloud manages the infrastructure entirely for IBM Watson services customers.
IVS-06.2
Do you regularly update network architecture diagrams that include data flows between security domains/zones?
x
IBM Watson services architectures are reviewed as part of threat modeling processes, procedures & exercises which are mandated prior to services going to general availability and then with major releases. These include documenting data flows and data maps.
IVS-06.3
Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?
x
IBM Watson services conduct reviews on all firewalls on an annual basis.
IVS-06.4
Are all firewall access control lists documented with business justification?
x
All changes to IBM firewalls must follow the change management process, which requires business justification and multiple levels of review and approval before deployment.
Infrastructure & Virtualization Security: OS Hardening and Base Controls
IVS-07
IVS-07.1
Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.
Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?
x
All host machines in IBM Watson services are deployed as standard builds which remove unnecessary ports, protocols, and services. Authenticated scanning is performed on all machines to validate compliance with a set of hardening rules on at least a monthly basis.
Infrastructure & Virtualization Security: Production/Non-Production Environments
IVS-08
IVS-08.1
Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.
For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?
x
Customers can choose to provision multiple instances of a service and implement access controls through IBM Cloud Platform that will support this process.
IVS-08.2
For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?
x
IBM Watson services are SaaS; IBM manages the architecture exclusively.
IVS-08.3
Do you logically and physically segregate production and non-production environments?
x
IBM Watson services have multiple non-production environments that support development and staging for both Public and Dedicated solutions. These environments are used to perform any pre-deployment testing prior to pushing to production environments. The non-production environments are logically segregated from production environments.
Infrastructure & Virtualization Security: Segmentation
IVS-09
IVS-09.1
Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations
Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
x
All systems and resources are protected by at least one firewall.
IVS-09.2
Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory, and contractual requirements?
x
All systems and resources are protected by at least one firewall.
IVS-09.3
Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?
x
There are dedicated development, staging, and production cloud environments. Each environment contains at least one firewall to ensure isolation.
IVS-09.4
Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?
x
All systems and resources are protected by at least one firewall.
Infrastructure & Virtualization Security: VM Security - Data Protection
IVS-10
IVS-10.1
Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.
Are secured and encrypted communication channels used when migrating physical servers, applications, or data to virtual servers?
x
Per IBM policy, data is encrypted in transit. IBM Watson services are built & deployed in virtualized environments.
IVS-10.2
Do you use a network segregated from production-level networks when migrating physical servers, applications, or data to virtual servers?
x
There are dedicated development, staging, and production cloud environments. Each environment contains at least one firewall to ensure isolation.
Infrastructure & Virtualization Security: VMM Security - Hypervisor Hardening
IVS-11
IVS-11.1
Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles).
Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?
x
IBM Watson services privileged users request access to IBM Cloud environments, including administrative tools, hypervisors and virtual machines, via an IBM User Access Management tool. Approval is required from both the employee manager and the system access owner. All successful and failed logins and all privileged actions are logged and sent in near real-time to IBM QRadar SIEM to prevent unauthorized access to data by IBM employees. All systems and resources are protected and isolated by at least one firewall. All access to administrative consoles, hypervisors and Virtual Machines is over TLS, and all IBM Cloud PaaS Platform data is encrypted in transit.
Infrastructure & Virtualization Security: Wireless Security
IVS-12
IVS-12.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings)
• User access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network
Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?
x
The IBM Watson services team does not have access to physical Ethernet ports, and does not have the ability to implement wireless in the environment. IBM IaaS does not permit the use of wireless networks, and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO27001 and SOC reviews and can be made available to customers upon request.
IVS-12.2
Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?
x
IBM IaaS does not permit the use of wireless networks, and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO27001 and SOC reviews and can be made available to customers upon request.
IVS-12.3
Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?
x
IBM IaaS does not permit the use of wireless networks, and scans for rogue devices are conducted routinely. These controls are assessed by an independent auditor as part of ISO27001 and SOC reviews and can be made available to customers upon request.
Infrastructure & Virtualization Security: Network Architecture
IVS-13 IVS-13.1
Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.
Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?
x
IBM Watson services network diagrams and threat models clearly document the boundaries of different environments and systems, including the data flows across boundaries and data stores.
IVS-13.2
Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
x
At the IaaS layer a clean-pipe solution is implemented to ensure only appropriate traffic is passed through to the firewalls, which then pass the traffic on to an application proxy that authenticates it before allowing it to reach any of the Watson services. IBM Watson services have implemented a DDoS (Distributed Denial of Service) mitigation solution.
Interoperability & Portability: APIs
IPY-01 IPY-01.1 The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.
Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?
x
A list of all available APIs is published within each service's description page. Additional details are available here: https://www.ibm.com/watson/products-services/
Interoperability & Portability: Data Request
IPY-02 IPY-02.1 All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).
Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?
x
Customers may elect to provide additional training information to customize their Watson service. This data is typically provided by the customer and is their responsibility to manage. Some services, such as Watson Knowledge Studio, do allow customers to export the customized training models they have created.
Interoperability & Portability: Policy & Legal
IPY-03 IPY-03.1 Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and integrity persistence.
Do you provide policies and procedures (i.e. service level agreements) governing the use of APIs for interoperability between your service and third-party applications?
x
Policies and procedures are in place governing the use of APIs between IBM Watson services and third-party applications as part of the standard contract language.
IPY-03.2 Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service?
x
IBM Watson services customers are responsible for their data, including how and when that data is migrated. Please check the service descriptions for additional details.
Interoperability & Portability: Standardized Network Protocols
IPY-04 IPY-04.1
The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.
Can data import, data export, and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?
x
Per IBM policy, data is encrypted in transit.
IPY-04.2
Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved? x
Tenants can receive this information upon request. Please check the service descriptions for additional details.
Interoperability & Portability: Virtualization
IPY-05 IPY-05.1 The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks, available for customer review.
Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability?
x
IBM Watson services use industry-standard virtualization formats and technologies to help ensure interoperability, such as Kubernetes, Docker containers, and VMware.
IPY-05.2 Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?
x
The IBM Watson services IaaS does not have solution-specific virtualization hooks.
Mobile Security: Anti-Malware
MOS-01
MOS-01.1
Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.
Do you provide anti-malware training specific to mobile devices as part of your information security awareness training? x
The IBM Secure Engineering standard mandates security education for all team members on an annual basis. Additional security education is required on a periodic basis for team members based on their role. Anti-malware awareness training, specific to mobile devices, is included in that training.
Mobile Security: Application Stores
MOS-02
MOS-02.1
A documented list of approved application stores has been communicated as acceptable for mobile devices accessing or storing provider-managed data.
Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?
x
A list of approved application stores is available and has been communicated to users.
Mobile Security: Approved Applications
MOS-03
MOS-03.1
The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.
Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device?
x
IBM Corporate Security mandates the installation of a Mobile Device Management client on all BYOD devices used for IBM business. That client ensures compliance with IBM Corporate security standards, including ensuring that only approved application stores can be used.
Mobile Security: Approved Software for BYOD
MOS-04
MOS-04.1
The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.
Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?
x
The IBM Corporate security policy clearly states which applications and application stores are approved. Mobile Device Management is in place to block risky extensions and plugins.
Mobile Security: Awareness and Training
MOS-05
MOS-05.1
The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and training program.
Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?
x
IBM Corporate security policies define these elements, which are enforced by a required mobile device management tool.
Mobile Security: Cloud Based Services
MOS-06
MOS-06.1
All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.
Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?
x
IBM Corporate security policy defines the pre-approved vendor(s) for cloud storage on mobile devices with regards to company business data.
Mobile Security: Compatibility
MOS-07
MOS-07.1
The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.
Do you have a documented application validation process for testing device, operating system, and application compatibility issues? x
IBM Corporate security policies define these elements, which are enforced by a required mobile device management tool.
Mobile Security: Device Eligibility
MOS-08
MOS-08.1
The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.
Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage? x
IBM Corporate security policies define the eligibility requirements to allow for BYOD usage. BYOD devices are not permitted to connect to customer environments or to store customer data.
Mobile Security: Device Inventory
MOS-09
MOS-09.1
An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.
Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (e.g., operating system and patch levels, lost or decommissioned, device assignee)?
x
Mobile devices are not permitted to connect to customer environments or to store customer data. IBM Corporate retains control of inventories, forced patching, etc., of mobile devices.
Mobile Security: Device Management
MOS-10
MOS-10.1
A centralized mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.
Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?
x
Mobile devices are required to install a mobile device management tool. No mobile devices are permitted to store, transmit or process customer data.
Mobile Security: Encryption
MOS-11
MOS-11.1
The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices and shall be enforced through technology controls.
Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive, enforceable through technology controls for all mobile devices? x
IBM Corporate security policies require full device encryption on mobile devices as well as BYOD. Sensitive data is not permitted on mobile devices or on BYOD.
Mobile Security: Jailbreaking and Rooting
MOS-12
MOS-12.1
The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and is enforced through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).
Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?
x
Mobile devices are required to install a mobile device management tool. Jailbreaking or rooting is prevented and reported on.
MOS-12.2
Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? x
Mobile devices are required to install a mobile device management tool. Jailbreaking, rooting, or circumventing required controls is prevented and reported on.
Mobile Security: Legal
MOS-13
MOS-13.1
The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations over the loss of non-company data in the case that a wipe of the device is required.
Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery, and legal holds?
x
IBM Corporate Security policies define these elements for BYOD.
MOS-13.2
Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? x
BYOD devices are required to install a mobile device management tool. Jailbreaking, rooting, or circumventing required controls is prevented and reported on.
Mobile Security: Lockout Screen
MOS-14
MOS-14.1
BYOD and/or company-owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.
Do you require and enforce via technical controls an automatic lockout screen for BYOD and company-owned devices?
x
Automatic lockouts are configured for BYOD and mobile devices.
Mobile Security: Operating Systems
MOS-15
MOS-15.1
Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.
Do you manage all changes to mobile device operating systems, patch levels, and applications via your company's change management processes? x
IBM Corporate retains control of inventories, forced patching, etc., of mobile devices. Changes are implemented per policy and with mobile device change management processes.
Mobile Security: Passwords
MOS-16
MOS-16.1
Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.
Do you have password policies for enterprise-issued mobile devices and/or BYOD mobile devices?
x
All mobile devices and BYOD have required passwords.
MOS-16.2
Are your password policies enforced through technical controls (i.e. MDM)? x
Passwords are enforced through a mobile device management tool.
MOS-16.3
Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device?
x
Authentication requirements for passwords residing on the device, e.g., the screen PIN, cannot be changed, and this is enforced by a mobile device management tool.
Mobile Security: Policy
MOS-17
MOS-17.1
The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).
Do you have a policy that requires BYOD users to perform backups of specified corporate data?
x
Data is stored in the cloud, enforced via a mobile device management solution where needed, so the corporate data is backed up. There is no device-resident data except for authentication keys.
MOS-17.2
Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores?
x
BYOD mobile devices are not permitted to use unapproved application stores.
MOS-17.3
Do you have a policy that requires BYOD users to use anti-malware software (where supported)?
x
Anti-malware is required on BYOD and enforced via management tools.
Mobile Security: Remote Wipe
MOS-18
MOS-18.1
All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.
Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?
x
All mobile devices have remote wipe configured through the required mobile device management tools.
MOS-18.2
Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?
x
All mobile devices have remote wipe configured through the required mobile device management tools.
Mobile Security: Security Patches
MOS-19
MOS-19.1
Mobile devices connecting to corporate networks or storing and accessing company information shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel shall be able to perform these updates remotely.
Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?
x
All mobile devices are configured to force installation of security patches deemed critical by the IBM Office of the CIO.
MOS-19.2
Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?
x
All mobile devices are configured to force installation of security patches deemed critical by the IBM Office of the CIO, through the Mobile Device Management tool.
Mobile Security: Users
MOS-20
MOS-20.1
The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.
Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?
x
The policy states mobile devices and BYOD systems are not permitted to access customer environments.
MOS-20.2
Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?
x
The policy states mobile devices and BYOD systems are not permitted to access customer environments. Users whose primary role is accessing or maintaining customer devices must use a company-provided privileged workstation.
Security Incident Management, E-Discovery, & Cloud Forensics: Contact / Authority Maintenance
SEF-01
SEF-01.1
Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.
Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?
x
IBM Cybersecurity and IBM Legal maintain relationships with the proper local authorities.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management
SEF-02
SEF-02.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.
Do you have a documented security incident response plan?
x
IBM Watson services have a security incident response plan which aligns with the IBM Cybersecurity Incident Response process, and the IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security incident involving any IBM Watson or customer system or data.
https://www.ibm.com/security/secure-engineering/process.html
https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/
SEF-02.2
Do you integrate customized tenant requirements into your security incident response plans?
x
The IBM Cybersecurity Incident Response Team (CSIRT) is engaged wherever there is a suspected security incident involving any IBM or customer system or data. One of their responsibilities is to engage with the customer and keep them informed on the investigation, findings and any root cause analysis actions.
SEF-02.3
Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
x
Refer to Security Incident Response and Support in the 'Securing Workloads in IBM Cloud' whitepaper: https://developer.ibm.com/cloudarchitecture/docs/security/securing-workloads-ibm-cloud/intelligence-monitoring/
SEF-02.4
Have you tested your security incident response plans in the last year?
x The security incident response plan is reviewed and tested at least annually.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Reporting
SEF-03
SEF-03.1
Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.
Does your security information and event management (SIEM) system merge data sources (e.g., app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
x
Security logs for all successful and failed login attempts and all critical operations in the IBM Watson services, including network devices and host machines, are logged to IBM QRadar SIEM. IBM QRadar SIEM is configured with a set of rules which trigger offences based on incoming events across all log sources. Those offences trigger PagerDuty alerts to the IBM SOC team on a 24x7 basis. Refer to the IBM Security Intelligence documentation for more details: https://www.ibm.com/security/security-intelligence/QRadar/
SEF-03.2
Does your logging and monitoring framework allow isolation of an incident to specific tenants?
x
For IBM Watson services dedicated environments, potential incident activities are always attributed to a specific environment belonging to a customer. For Public, investigation of the incident may be required to determine which customer(s) was (were) impacted.
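The privileged-access answer earlier in this questionnaire (logins and privileged actions shipped to a SIEM, access granted only through an approval workflow) and the SEF-03.1 answer above (rules over merged log sources raising offences that page the SOC) describe the same detection pattern: normalise events from several sources into one schema, order them in time, and run correlation rules across them. The block below is an added illustration of that pattern and is not IBM's QRadar configuration or any code from this document; the three log formats, the sample lines, the approved-user list and the rule thresholds are all constructed assumptions.

```python
"""Toy SIEM correlation over merged log sources (added illustration, not QRadar).

Three constructed sources (an SSH auth log, a firewall log and a sudo audit
log) are parsed into one event schema, sorted by time, and two rules run over
the merged stream: a brute-force-then-success rule and a rule that flags a
privileged command run by a user with no approved access request.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the formats are assumptions for this example.
SAMPLE_LOGS = {
    "sshd": """\
2018-02-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2018-02-01T10:00:04Z sshd: Failed password for admin from 203.0.113.7
2018-02-01T10:00:09Z sshd: Failed password for admin from 203.0.113.7
2018-02-01T10:00:15Z sshd: Accepted password for admin from 203.0.113.7
2018-02-01T10:30:00Z sshd: Accepted publickey for alice from 198.51.100.5
""",
    "fw": """\
2018-02-01T10:00:00Z fw: DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2018-02-01T10:00:14Z fw: ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
""",
    "sudo": """\
2018-02-01T10:01:00Z sudo: admin COMMAND=/usr/bin/virsh list --all
2018-02-01T10:31:00Z sudo: alice COMMAND=/usr/bin/virsh shutdown vm-17
""",
}
# Constructed: users holding an approved access request in the access tool.
APPROVED_ACCESS = {"alice"}

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
PATTERNS = {
    "sshd": re.compile(TS + r" sshd: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"),
    "fw": re.compile(TS + r" fw: (?P<verdict>DENY|ALLOW) src=(?P<ip>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"),
    "sudo": re.compile(TS + r" sudo: (?P<user>\S+) COMMAND=(?P<cmd>.+)"),
}


def normalise(raw_logs):
    """Parse every source into one event schema and return the merged, time-ordered list."""
    events = []
    for source, text in raw_logs.items():
        pattern = PATTERNS[source]
        for line in text.splitlines():
            m = pattern.match(line)
            if not m:
                continue  # a real SIEM would count unparsed lines as a health signal
            d = m.groupdict()
            ev = {"ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S"),
                  "source": source, "user": d.get("user"), "ip": d.get("ip")}
            if source == "sshd":
                ev["action"] = "login_ok" if d["result"] == "Accepted" else "login_fail"
            elif source == "fw":
                ev["action"] = "fw_" + d["verdict"].lower()
            else:
                ev["action"] = "priv_cmd"
                ev["detail"] = d["cmd"]
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def rule_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Offence when a successful login follows >= threshold failures from the same (user, ip) inside window."""
    failures = defaultdict(deque)
    offences = []
    for ev in events:
        if ev["source"] != "sshd":
            continue
        q = failures[(ev["user"], ev["ip"])]
        while q and ev["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if ev["action"] == "login_fail":
            q.append(ev["ts"])
        elif ev["action"] == "login_ok" and len(q) >= threshold:
            offences.append({"rule": "bruteforce_then_success", "user": ev["user"],
                             "ip": ev["ip"], "ts": ev["ts"], "failures": len(q)})
            q.clear()
    return offences


def rule_unapproved_privileged_action(events, approved_users):
    """Offence when a privileged command runs under a user with no approved access request."""
    return [{"rule": "unapproved_privileged_action", "user": ev["user"],
             "ts": ev["ts"], "command": ev["detail"]}
            for ev in events if ev["action"] == "priv_cmd" and ev["user"] not in approved_users]


def correlate(raw_logs, approved_users):
    """Run all rules over the merged event stream; each offence is what would page the on-call analyst."""
    events = normalise(raw_logs)
    offences = rule_bruteforce_success(events) + rule_unapproved_privileged_action(events, approved_users)
    offences.sort(key=lambda o: o["ts"])
    return offences


if __name__ == "__main__":
    for offence in correlate(SAMPLE_LOGS, APPROVED_ACCESS):
        print(offence)
```

Run as written, the sample data yields two offences: the three failed logins followed by a success for `admin` from 203.0.113.7, and the `virsh` command run by `admin`, who has no approved access request; `alice`, who is approved, raises nothing. The point the example makes is that the second rule needs a data source outside the host logs (the access-management tool's approvals), which is exactly why merging sources in the SIEM matters.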
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Legal Preparation
SEF-04
SEF-04.1
Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.
Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
x
Specific details regarding chain of custody, forensics, and litigation holds are addressed by IBM Legal and the IBM Cybersecurity Incident Response Team (CSIRT).
SEF-04.2
Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
x
This is available where technologically possible when it has been deemed necessary to collect and manage evidence.
SEF-04.3
Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
x
This is available in both Premium and Dedicated delivery models.
SEF-04.4
Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? x
This is available in both Premium and Dedicated delivery models.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Metrics
SEF-05
SEF-05.1
Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
Do you monitor and quantify the types, volumes, and impacts on all information security incidents? x
Security logs for all successful and failed login attempts and all critical operations in the IBM Watson services stack, including network devices and host machines, are logged to IBM QRadar SIEM. IBM QRadar SIEM provides reports on the types and volumes of all security events and all offences triggered based on QRadar rules. All security incidents triggering the IBM Watson services security incident response plan have a root cause analysis which records impact and triggers actions to mitigate in future.
SEF-05.2
Will you share statistical information for security incident data with your tenants upon request?
x
Reports will be generated where technically possible upon request should a security incident occur.
Supply Chain Management, Transparency, and Accountability: Data Quality and Integrity
STA-01
STA-01.1
Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.
Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?
x
IBM Watson services customers are ultimately responsible for the data integrity of their workload. IBM Watson services compliance certifications demonstrate that the controls are in place to provide a secure platform, including controls related to supply chain.
STA-01.2
Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
x
Access management processes are in place to ensure only users with a business need have access and that appropriate roles have been defined to ensure the principle of least privilege.
Supply Chain Management, Transparency, and Accountability: Incident Reporting
STA-02
STA-02.1
The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).
Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?
x
Customers will be notified via the IBM Cloud dashboard if an issue has been identified that requires action on their part. Depending on the severity of the incident, individual customers may be contacted directly. Customers may also subscribe to vulnerability notifications as described at https://www.ibm.com/security/secure-engineering/bulletins.html
Supply Chain Management, Transparency, and Accountability: Network / Infrastructure Services
STA-03
STA-03.1
Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.
Do you collect capacity and use data for all relevant components of your cloud service offering? x
IBM Cloud and the Watson services teams project the anticipated capacity for the platform and ensure there is enough hardware, memory and other resources to meet that anticipated capacity. Based on the current and anticipated capacity, warning limits are in place which trigger alerts to operations when breached. That triggers another cycle of capacity planning and new warning limits.
STA-03.2
Do you provide tenants with capacity planning and use reports?
x
Usage reports of the IBM Watson services are available on the IBM Cloud console.
Supply Chain Management, Transparency, and Accountability: Provider Internal Assessments
STA-04
STA-04.1
The provider shall perform annual internal assessments of conformance and effectiveness of its policies, procedures, and supporting measures and metrics.
Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics? x
IBM has a mature Internal Audit & assessment program which performs audits & assessments at least annually.
Supply Chain Management, Transparency, and Accountability: Third Party Agreements
STA-05
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence
STA-05.1 Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted? x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.2 Do you select and monitor outsourced providers in compliance with laws in the country where the data originates? x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.3 Does legal counsel review all third-party agreements? x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.4 Do third-party agreements include provision for the security and protection of information and assets? x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
STA-05.5 Do you provide the client with a list and copies of all subprocessing agreements and keep this updated? x
IBM maintains all required sub-processing agreements and makes them available as required to clients upon request.
Supply Chain Management, Transparency, and Accountability: Supply Chain Governance Reviews
STA-06
Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.
STA-06.1 Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain? x
IBM has agreements with key third-party suppliers with defined expectations and implements relationship management tools where applicable with third-party suppliers. These management mechanisms include frequent validation that the supplier is meeting the expectations as defined in agreements. IBM supplier management processes are validated by external auditors as part of compliance with ISO 27001.
Supply Chain Management, Transparency, and Accountability: Supply Chain Metrics
STA-07
Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
STA-07.1 Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants)? x
IBM has agreements with key third-party suppliers with defined expectations and implements relationship management tools where applicable with third-party suppliers. These management mechanisms include frequent validation that the supplier is meeting the expectations as defined in agreements. IBM supplier management processes are validated by external auditors as part of compliance with ISO 27001.
STA-07.2 Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)? x
This is addressed via contract language maintained and managed by IBM Legal and Procurement for maintenance of supplier relationships.
STA-07.3 Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships? x
This is addressed via contract language maintained and managed by IBM Legal and Procurement for maintenance of supplier relationships.
STA-07.4 Do you review all agreements, policies, and processes at least annually? x
IBM Legal and Procurement designate the requirements for the establishment and maintenance of supplier relationships.
Supply Chain Management, Transparency, and Accountability: Third Party Assessment
STA-08
Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third party providers upon which their information supply chain depends.
STA-08.1 Do you assure reasonable information security across your information supply chain by performing an annual review? x
External audit assurance reports are reviewed for key suppliers on at least an annual basis.
STA-08.2 Does your annual review include all partners/third-party providers upon which your information supply chain depends? x
External audit assurance reports are reviewed for key suppliers on at least an annual basis.
Supply Chain Management, Transparency, and Accountability: Third Party Audits
STA-09
Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
STA-09.1 Do you permit tenants to perform independent vulnerability assessments? x
Penetration testing is allowed by IBM Watson services on their own Dedicated environments with approval of the IBM Cloud CISO.
STA-09.2 Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks? x
Penetration testing for IBM Watson services environments is performed on an annual basis using a 3rd party vendor.
Threat and Vulnerability Management: Antivirus / Malicious Software
TVM-01
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
TVM-01.1 Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems? x
Antivirus/antimalware protection is deployed on all Windows systems at the host level and logs are sent to IBM QRadar SIEM. Automated updates are in place for new malware or virus signatures.
TVM-01.2 Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components within industry accepted time frames? x
Automated updates are in place for new malware or virus signatures.
Threat and Vulnerability Management: Vulnerability / Patch Management
TVM-02
Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and identified weaknesses, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
TVM-02.1 Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices? x
Network scanning is conducted at a minimum on a monthly basis. Findings are reported on and managed through normal operational vulnerability and risk management processes and procedures.
TVM-02.2 Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices? x
The IBM Secure Engineering Standard mandates vulnerability assessment, which requires automated code and application scanning at least on a monthly basis. Dynamic and static code scanning is performed using IBM AppScan on a monthly basis or whenever there is a major change.
TVM-02.3 Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices? x
OS scanning is conducted at minimum once a month. Findings are reported on and managed through normal operational processes.
TVM-02.4 Will you make the results of vulnerability scans available to tenants at their request? x
Customers of IBM Watson dedicated services can request a vulnerability assessment report for their environments.
TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems? x
IBM Watson services automate rapid patching across the environment. This provides full visibility on what is patched, in addition to providing the automation to push out the patches to all machines across all Watson environments.
TVM-02.6 Will you provide your risk-based systems patching time frames to your tenants upon request? x
Dedicated customers will be included in the change management process required to distribute patches within their environment.
Threat and Vulnerability Management: Mobile Code
TVM-03
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
TVM-03.1 Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? x
IBM Watson services have a Change Control process to manage and track changes to any portion of the Watson infrastructure, regardless of its maturity level (Experimental, Beta or GA). The change control process requires multiple levels of review approval, including component owners and management.
TVM-03.2 Is all unauthorized mobile code prevented from executing? x
Within the IBM Watson services environment, all mobile code in the form of scripts or executables must be tested and approved for deployment. End users and consumers of Watson APIs should provide for their own unauthorized mobile code prevention solution, as that is not within scope for IBM Watson services on the IBM Cloud.
© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance "Consensus Assessments Initiative Questionnaire CAIQ Version 3.0.1" at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus Assessments Initiative Questionnaire v3.0.1 may be used solely for your personal, informational, non-commercial use; (b) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be modified or altered in any way; (c) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative Questionnaire v3.0.1 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Consensus Assessments Initiative Questionnaire 3.0.1 (2014). If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact [email protected].