Security

Below are topics that typically fall under security, as well as how IBM Cloud and the SRE team manage and address them.

Client Security Concerns

  • Should a customer suspect a cyber security issue with their system, the client should open a Severity 1 case containing as much detail as possible. Please refer to the page How To Create A Case.

Client Security Questionnaires

  • Prior to submitting questionnaires, IBMers and clients should first refer to the security information, links and certifications that are available on this page.

  • Existing Maximo or TRIRIGA SaaS customers who need a security questionnaire or assessment completed should submit a case to the IBM Support Community Portal and attach the document or link. This will be routed to the proper IBM SRE security resource for review / completion.

  • Please note there is a 2-3 week turnaround time required for the IBM security team to respond to client provided security forms or questionnaires; additional time may also be required for Watson IoT Security team review.

Security Management

  • IBM maintains and follows standard mandatory employment verification requirements for all hires. In accordance with IBM internal process and procedures, these requirements are periodically reviewed and include, but may not be limited to, criminal background check, proof of identity validation, and additional checks as deemed necessary by IBM.

  • All IBMers are required to complete mandatory Cybersecurity & Privacy training annually

  • All IBMers are required to complete GDPR training annually

  • All IBMers are required to complete mandatory Business Conduct Guidelines training annually

  • Only IBM SRE personnel are permitted access to customer Maximo and TRIRIGA SaaS systems

  • IBM SRE personnel are required to use privileged access workstations to connect to and work with customers' IBM SaaS systems. These workstations meet IBM's highest and most stringent security guidelines.

  • IBM SRE personnel who are granted O/S or console level access to customer Maximo or TRIRIGA SaaS servers are required to use multi-factor authentication. Unique 2048-bit SSH keys are issued to each IBM user in order to connect to the IBM Cloud VPN. Phone based authentication via PIN is also required each time an IBMer connects. These authentication factors are maintained, managed and issued by IBM Cloud Security and the SRE Environment Operations Manager.

  • IBM's internal network uses Symantec Bluecoat and ProofPoint Targeted Attack Protection (TAP) to prevent employees from accessing malicious websites

  • IBM SRE personnel access credentials are role based and managed using an IBM internal access management system.

  • Access is based on job duties (least privilege principle) in accordance with IBM IT Security Policy. The IBM SRE security team performs the following processes to ensure only those individuals who require access to systems have it, and to ensure the right privileges are in place:

    • Every quarter, a separation of duties review is performed by the SRE management team to ensure no one individual has a conflict of roles without adequate safeguards being in place

    • Every quarter, a review of user access is performed to ensure existing users and privileges are still required

    • A defined process is in place to ensure individuals who leave the IBM SRE team, even if to other areas within IBM, have their UserID and privileges revoked

  • IBM SRE security performs proactive management and deployment of patches, updates and fixes to the Application, Middleware, Database and O/S layers via a planned Maintenance & Outage Calendar

  • Activity Logging/Auditing is monitored for suspicious activity on IBM SaaS systems using IBM's QRadar SIEM (Security Information and Event Management) system. O/S Activity is logged by SIEM and monitored 24/7 by the IBM Cloud Security Operations Center (CloudSOC).

  • Security impact analysis is part of the SRE change management process. Once a potential change to a customer's Maximo or TRIRIGA SaaS environment is identified, the change approver reviews the proposed change for potential security impacts. The change approver involves members of the SRE Security Team, who provide review guidance and advisory support for changes that may have a security impact.

  • The IBM SRE team conducts an annual risk assessment, as part of the ISO27001 re-certification process, that provides a consistent approach to risk management and prioritizes and directs the security team's risk management activities.

  • IBM SRE security employs a defense in depth strategy (DiD) for boundary protection that includes firewalls and encrypted communications for remote connectivity to access the environment.
    All communications that cross this boundary are controlled and monitored.

  • All IBM Maximo and TRIRIGA SaaS environments are configured for Anti-Malware (Anti-Virus) protection and Endpoint Detection and Response (EDR) technology with associated telemetry.
    Status and alerts are monitored continuously.

  • IBM Trust Center - Enterprise IT Security and Trust:
    https://www.ibm.com/trust/security

Customer Access

  • Maximo and TRIRIGA SaaS are public internet based offerings. Customers connect to IBM Cloud using HTTPS encryption over the internet

  • There is no direct link, peering or private cloud option available for Maximo or TRIRIGA SaaS offerings

  • Every IBM SRE customer is provisioned on single tenant, separate, dedicated servers (virtual or bare metal) that only the customer (and IBM) can access

  • All IBM SRE Maximo and TRIRIGA SaaS customers use HTTPS (SSL) encryption (256 bit) at the browser level to access IBM hosted applications. Connections are SHA-2 and TLS v1.2 compatible

  • IBM obtains and implements externally facing SSL certificates from a trusted Certificate Authority (CA)

  • All databases (IBM DB2, Oracle) use native AES-256 encryption (data is encrypted at rest)
    Link describing IBM DB2 native encryption is below:
    https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0061758.html

Penetration and Vulnerability Testing

  • IBM’s Product Transformation Center (PTC) conducts “black box” penetration testing on Maximo and TRIRIGA SaaS annually. An executive summary report can be provided to customers on a per-request basis.
    A signed IBM AECI (Agreement for Exchange of Confidential Information) or NDA (non-disclosure agreement) must be in place in order to share this report. IBM’s AECI can be found using the link below. Navigate to “Document Type > Standard Agreements”:
    https://www.ibm.com/support/customer/csol/terms/

  • IBM performs external and internal vulnerability scanning and subsequent remediation in all Maximo and TRIRIGA SaaS environments on a quarterly basis per IBM IT Security Standards (ITSS). This includes Operating System, Middleware, Application and TCP/IP vulnerability scanning.

  • Vulnerabilities are assigned individual vulnerability ratings and exploitation categories (Critical, High, Medium or Low). These ratings are used to determine an IBM mandated time requirement to remediate and resolve the vulnerability.

  • Vulnerability scanning results and logs are considered IBM Confidential Information and are not disclosed to customers or prospects.

  • Customers may perform limited Penetration Tests/Vulnerability scans of their environments under special agreement with the IBM SRE and Security teams only. This includes an agreed-upon test scope, timeframe, and testing IP addresses. Testing will be limited to external facing IPs/Ports only (i.e. HTTPS). Internal systems and network access will not be granted for client initiated testing. DDoS testing and network attack testing are not authorized under any circumstances. To perform a client-initiated Penetration Test, please open a case with IBM Support and a form will be sent with additional information and the agreement. A minimum of 5 business days notice is required. Failure to properly notify IBM of such testing may result in your environment being disconnected from the network, or IPs being blocked, as such activity may be recognized as malicious. Additionally, any unauthorized testing resulting in potential findings may require an extended timeframe for analysis, as it was not properly communicated.

  • SQL Injection - please see FAQ link below regarding how Maximo protects against SQL injection:
    https://www-01.ibm.com/support/docview.wss?uid=swg21419049

Security Services

IBM SRE provides the following security and system access services. These services are included as part of the IBM SaaS subscription:

  • Setup of SSL certificates and DNS registration. This is standard by default and allows for secure browser based HTTPS (encrypted) access for Maximo and TRIRIGA end users.

  • Configuration of secure FTP (SFTP) access. Setup of SFTP is optional and is typically used to support file based integrations and file transfers to/from client sites or other external systems.
    SFTP can also be used to view Maximo or TRIRIGA Application Server log files (read only). All SFTP accounts require use of unique private keys issued by IBM.

  • Setup of IPsec Virtual Private Network (VPN) between client locations and IBM Cloud data center(s). VPN setup is optional, and is typically used to provide the following:

    • Direct read-only access to IBM on Cloud databases

    • Support for integrations that cannot use HTTPS or SFTP (such as JDBC)

    • Maximo LDAP authentication

  • Setup and configuration of SSO (via SAML or OpenID) for both Maximo and TRIRIGA with the customer’s Identity Provider (IdP). LDAP Authentication is also supported (under Maximo only).
    SSO configuration is optional, but is included as part of the IBM on Cloud subscription.

Compliance - IBM Cloud (Infrastructure)

  • Maximo and TRIRIGA SaaS offerings run exclusively on IBM Cloud infrastructure (IaaS)

  • All SRE customer environments are managed to IBM IT Security Standards (ITSS) defined by IBM’s Chief Information Security Officer (CISO). This includes vulnerability scanning and subsequent remediation

  • IBM Cloud holds ISO-27001, 27017 and 27018 certifications and can provide SOC 1, 2 and 3 reports to customers

  • IBM Cloud (IaaS) ISO certificates:
    ISO-27001:2013 - https://www.ibm.com/downloads/cas/KDMPXMKA
    ISO-27017:2015 - https://www.ibm.com/downloads/cas/GLL9ZBZX
    ISO-27018:2019 - https://www.ibm.com/downloads/cas/DNM7GMKY

  • IBM Enterprise & Technology Security ISO certificates:
    ISO-27017:2015 - https://www.ibm.com/downloads/cas/QV8Q6ZVY
    ISO-27018:2019 - https://www.ibm.com/downloads/cas/BKGPEYLQ
    ISO-27701:2019 - https://www.ibm.com/downloads/cas/X42E0VBD

  • ISO Reports are considered IBM confidential and are not provided. An ISO 27001 SOA (Statement of Applicability) for IBM Cloud can be provided on a per-request basis (as detailed below). This document states the ISO 27001 controls and policies that have been applied.

  • There are 3 different SOC reports prepared by external auditors that attest that IBM Cloud has the appropriate security and compliance, financial, and operational controls and procedures in place:

    SOC3:
    The SOC 3 report is publicly available and can be downloaded here:
    https://www.ibm.com/downloads/cas/MVN9G536

    SOC2:
    The SOC 2 report is intended for both current and prospective clients. It outlines IBM Cloud's policies and processes regarding security and compliance in our data centers. A member of the IBM SRE team can request this report on behalf of an IBM Salesperson for their customer or prospect.

    SOC1:
    The SOC 1 (SSAE16) report outlines an organization's internal control over financial reporting. This is a controlled distribution report managed by IBM Cloud compliance for business controls purposes. The SOC 1 report is intended for current IBM Cloud clients and/or their compliance auditors only and can be requested by IBM. SOC1 reports are not available if a client is currently a prospect. A member of the IBM SRE team can request this report on behalf of an IBM Salesperson for their customer.

    The following information is required in order for SRE to send a SOC1, SOC2 or ISO 27001 SOA report:

    • Type of Report Requested: (SOC1 or SOC2)

    • Company Name:

    • Requestor First Name:

    • Requestor Last Name:

    • Requestor Title:

    • Email:

    • Reason for Request:

    Once submitted by the SRE team, the customer identified as the requestor will receive an email from trust_and_assurance@wwpdl.vnet.ibm.com through which they can download the SOC 1 or 2 report.

  • IBM Cloud data centers are not Tier certified, but are built to Uptime Tier 3 specifications

  • Additional IBM Cloud compliance and reports information can be found here:

    https://www.ibm.com/cloud/compliance

Compliance - IBM Maximo and TRIRIGA SaaS Offerings

  • IBM Maximo and TRIRIGA SaaS environments are ISO-27001 certified. This certificate is publicly available and can be viewed / downloaded via the link below.
    ISO-27001:
    https://www.ibm.com/downloads/cas/EEO0NVLK

  • Industry and Regulatory Compliance
    Details regarding specific Industry and Regulatory compliance can be found in the IBM Enterprise & Technology Security Community (this is accessible to IBMers only)

  • All IBM Maximo and TRIRIGA SaaS servers are hardened using Center for Internet Security (CIS) Benchmarks. For further details, please visit:
    https://www.cisecurity.org/cis-benchmarks/

  • An IBM SaaS-wide central health checking service is used to automatically maintain baseline (hardened) configurations of systems against standard IBM policy.

  • IBM Maximo and TRIRIGA SaaS development follow IBM Secure Engineering practices for application development. IBM Secure Engineering is outlined publicly at the following link:
    https://www.ibm.com/security/secure-engineering/index.html

  • IBM Maximo and TRIRIGA developers are required to follow secure coding practices, and complete education in the SANS top 25 and OWASP top 10. In addition, static (source) and web application scanning using the IBM (HCL) AppScan product suite must be performed. These products check for SANS Top 25 and OWASP top 10 issues. Any vulnerabilities found by these scans must be resolved before product release or submitted through IBM's Product Security Incident Response Team (PSIRT) process for resolution via defect (IBM Authorized Program Analysis Report or APAR).

  • IBM Maximo and TRIRIGA development uses Rational Team Concert for development (management of tasks, stories, epics, version control, test management, etc.), Selenium and TestNG for test automation, Jenkins for deployment automation, and Rational Performance Tester (RPT) for performance load testing.

  • IBM Maximo Software Development Life Cycle (SDLC):
    https://www.ibm.com/support/pages/ibm-maximo-software-development-life-cycle

IRAP assessment for IBM Cloud

  • TRIRIGA SaaS is provisioned in IBM Cloud, which was validated by an IRAP assessment completed in 2023.

Data Security & Privacy (DS&P)

Data Privacy and Subject Rights

  • IBM Privacy Statement
    IBM's Privacy Statement describes IBM's general privacy practices and subject rights that apply to personal information. For complete statement details click on the link below.
    https://www.ibm.com/privacy/us/en/

  • Right to Lodge a Complaint
    In the event a client or customer considers our processing of personal information not to be compliant with applicable data protection laws, a complaint can be submitted directly with IBM by using the form in the link below.
    https://www.ibm.com/scripts/contact/contact/us/en/privacy/

NIST

  • IBM Maximo and TRIRIGA SaaS (commercial public offerings) follow NIST guidelines and assess against NIST controls, but claim no specific NIST compliance(s).

Data Leakage Prevention / Data Loss Prevention (DLP)

  • IBM SRE does not use DLP monitoring. Access controls are implemented on all databases restricted to privileged users only. Database auditing is enabled and logs are retained for 365 days. Customers configure and manage the data their users can view, update and export within the Maximo and TRIRIGA applications, as well as determine which of their users is permitted direct read-only access to their database(s).

  • IBM purchases Professional Errors and Omissions insurance, including cyber risk insurance (see below), for IBM's liability arising out of actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission committed in the conduct of IBM’s professional services. This includes coverage for loss of intangible property, such as customer data, due to IBM’s negligence. This coverage is global in scope.

Encryption Keys

  • All encryption keys are managed by the IBM SRE team internally, except those for SFTP and OpenVPN accounts, which are provided to end customer(s). IBM SRE follows an established Key Lifecycle Management Security Policy that is compliant with ITSS (IBM Corporate) requirements and ISO standards 27001, 27017 and 27018. Key access is specified via a dedicated access control group only accessible to the SRE system admin and database admin teams. A segregation of duties procedure is in place and monitored internally; specifics of the key management policy and procedures are IBM Confidential.

DDoS Protection

  • IBM Cloud provides DDoS (Distributed Denial of Service) protection for its environment, designed to protect the entire network. IBM Cloud uses automated DDoS mitigation controls and an in-house Network Operations Center (NOC) team to monitor network performance and security 24x7.

Media Sanitization

Cyber Insurance

  • IBM carries standard cyber risk insurance under its Professional Errors & Omissions policy. PE&O insurance provides coverage for actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission, solely for acts or omissions committed by IBM in providing professional services to our client(s). Coverage includes network security, unauthorized access, unauthorized use, receipt or transmission of a malicious code, denial of service attack, unauthorized disclosure or misappropriation of private information, privacy liability, notification costs, credit card monitoring, and fine & penalties incurred by the customer.

    The PE&O Policy itself is IBM Confidential information. Further details on this subject can be accessed (IBMers only) here:
    https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wc0a20474fb23_478a_8f6d_1c6dfd3d680f/page/IBM%20cyber%20insurance%20details

Regulated Content

  • IBM Maximo and TRIRIGA SaaS offerings are not intended to host government regulated content. Please see the Cloud Services Agreement (link below) Section 2c for details

Clock synchronization

  • All customer Maximo EAM SaaS Flex and TRIRIGA SaaS Flex Application and Database servers leverage IBM Cloud's internal NTP service as single reference time source for information system processing clocks and security domains.

  • Customers are responsible for synchronizing their local environments (workstations, on premise servers) with an authoritative time source.

Terms of Use

Cloud Service Agreement

For more on IBM Cloud security, privacy and compliance:
https://www.ibm.com/cloud/security

Disclaimer: Information provided in this wiki is for informational purposes only. Content is not to be considered part of any existing IBM® Maximo or TRIRIGA customer subscription, agreement, license or contract. From time to time, this site may contain technical inaccuracies or typographical errors, and IBM does not warrant the accuracy of any posted information. The information contained in this wiki is subject to change without notice. By visiting this wiki, you consent to the use of cookies and other tracking technologies by IBM’s subcontractor, Atlassian, in accordance with the Atlassian Cookies & Tracking Notice found at https://www.atlassian.com/legal/cookies. If you do not consent to the collection of your data by Atlassian at any time, please leave the wiki and delete the cookies and other web-tracking technologies through your browser.