{:shortdesc: .shortdesc}

{: #security}

Designed with secure engineering practices, the {{site.data.keyword.cloud_notm}} platform has layered security controls across network and infrastructure. {{site.data.keyword.cloud_notm}} provides a group of security services that can be used by application developers to secure their mobile and web apps. These elements combine to make {{site.data.keyword.cloud_notm}} a platform with clear choices for secure application development.

{{site.data.keyword.cloud_notm}} ensures security readiness by adhering to security policies that are driven by best practices in IBM for systems, networking, and secure engineering. These policies include practices such as source code scanning, dynamic scanning, threat modeling, and penetration testing. {{site.data.keyword.cloud_notm}} follows the IBM Product Security Incident Response Team (PSIRT) process for security incident management. See the IBM Security Vulnerability Management (PSIRT) {: new_window} site for details.

{{site.data.keyword.cloud_notm}} Public and Dedicated use classic infrastructure-as-a-service (IaaS) cloud services and take full advantage of its security architecture. Classic IaaS provides multiple, overlapping tiers of protection for your applications and data. For {{site.data.keyword.cloud_notm}} Local, you own the physical security, and provide the infrastructure by hosting {{site.data.keyword.cloud_notm}} Local in your own data center behind a company firewall. In addition, {{site.data.keyword.cloud_notm}} adds security capabilities at the platform as a service (PaaS) layer in different categories: platform, data, and application. For further security details on your environment and apps in the {{site.data.keyword.Bluemix_notm}}, see Securing applications and environments on cloud {: new_window}.

{: #compliance}

{{site.data.keyword.Bluemix}} provides a secure cloud platform that you can trust. {{site.data.keyword.Bluemix_notm}} compliance results from a platform and services that are built on best-in-industry security standards, including ISO 27001 and ISO 27002. {:shortdesc}

Agreements incorporating the European Union (EU) Model Clauses protect personal data that is transferred from the EU or European Economic Area (EEA) to a third country. The EU Model Clause is signed between the client that is located in the EU or EEA as the data exporter, and the IBM data processor that is located in the third country as the data importer. The IBM Data Processing Addendum (with EU Standard Contractual Clauses {: new_window} contains the rights and obligations of the data exporter and the data importer, and the rights of the data subjects. The IBM Data Processing Addendum provides protections similar to those available in the EU or EEA for personal data that is processed in a third country.

For banking and related financial institutions in Japan, computer systems must have security procedures in place that are based on the Center for Financial Industry Information Systems (FISC) security guidelines. FISC security guidelines are enforced by the Japan Financial Services Agency (FSA), Bank of Japan (BOJ), and FISC.

{{site.data.keyword.Bluemix_notm}} is certified under the International Organization for Standardization (ISO) 27001 and 27002 standards, which define the best practices for information security management processes. ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information based on periodic risk assessments. The latest standard, ISO/IEC 27001:2013, was published on September 25, 2013 by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee. The ISO 27001 standard specifies the requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS) and the requirements for implementing security controls, according to the needs of individual organizations. The ISO 27002 standard explains each security control of ISO 27001 in detail. The ISO 27000 family of standards incorporates a process of scaling risk and valuation of assets, with the goal of safeguarding the confidentiality, integrity, and availability of the written, oral, and electronic information.

To achieve ISO 27001:2013 certification, a company must show that it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This standard emphasizes the measurement and evaluation of how well an organization’s Information Security Management System (ISMS) is performing and also includes information security-related controls that are based on system requirements and other requirements.

{{site.data.keyword.Bluemix_notm}} is audited by a third-party security firm and meets all of the requirements for ISO 27001: Bluemix ISO 27001:2013 Certificate of Registration {: new_window}.

The Payment Card Industry (PCI) Data Security Standards (DSS) is an information security standard that is designed to protect credit card data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, issuers, and service providers. It also applies to all other entities that store, process, or transmit cardholder data or sensitive authentication data.

If you store or process credit card data, Payment Card Industry (PCI) compliance and network security are of primary concern to your business. To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established PCI data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). IBM helps customers meet their PCI compliance needs by providing an Attestation on Compliance from an independent QSA. The Attestation on Compliance can be used along with the SOC 2 report and ISO 27001 certification to demonstrate that the infrastructure meets the PCI controls.

{{site.data.keyword.Bluemix}} completes an annual PCI DSS assessment by using an approved Qualified Security Assessor (QSA). For information about and assistance in complying with PCI DSS for your {{site.data.keyword.Bluemix_notm}} environment, contact sales at Contact Us {: new_window}.

Service Organization Controls (SOC) reports define the evaluation of the leading internal control practices that relate to security, availability, processing integrity, confidentiality, and privacy at a service organization. The reports that are generated by using the American Institute of Certified Public Accountants (AICPA) Guide include the following items:

• Organization oversight
• Vendor management program
• Internal corporate governance and risk management processes
• Regulatory oversight

{{site.data.keyword.Bluemix_notm}} provides SOC 1, SOC 2, and SOC 3 reports. For more information, contact the {{site.data.keyword.Bluemix_notm}} sales {:new_window} team.

The Health Insurance Portability and Accountability Act (HIPAA), enacted by the US Congress in 1996, protects health insurance coverage for employees after job loss. HIPAA is regulated and enforced by the Office of Civil Rights and Department of Health and Human Services in the US. HIPAA encompasses regulations from the 1996 act, as well as privacy requirements from the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. {{site.data.keyword.Bluemix_notm}} meets all of the requirements for HIPAA on the data center or service provider side.

There can be issues arising from the merging of {{site.data.keyword.Bluemix_notm}} Public with classic infrastructure. For more information or assistance to achieve, certify, and maintain HIPAA compliance for your {{site.data.keyword.Bluemix_notm}} environment, contact the {{site.data.keyword.Bluemix_notm}} sales {:new_window} team.

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provisioning and use of cloud services. In addition, it gives implementation guidance for both cloud service providers and cloud service customers. ISO 27017 provides implementation guidance for relevant controls that are specified in ISO/IEC 27002 as well as additional controls and guidance that specifically relate to cloud services.

The {{site.data.keyword.Bluemix_notm}} alignment with ISO 27017:2015 demonstrates that IBM has a sophisticated system of cloud-specific controls in place. In addition, it shows a commitment to being the best in IaaS, domestically and across the globe.

ISO 27018:2014 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII). These measures are in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

In particular, ISO 27018:2014 specifies guidelines that are based on ISO 27002. The guidelines consider the regulatory requirements for the protection of PII, which might be applicable within the context of the information security risk environments of a provider of public cloud services.

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust, and Assurance Registry (STAR). STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

The Criminal Justice Information Systems (CJIS) Division is a division of the United States Department of Justice Federal Bureau of Investigation. CJIS Division created and published a Security Policy (CJISD-ITS-DOC-08140-5.4). This Security Policy contains minimum information security requirements, guidelines, and agreements that reflect the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

{: #compliancetable}

The following table displays which services in {{site.data.keyword.Bluemix_notm}} are compliant for each of the standards.

{: #gdpr}

The GDPR seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, while imposing strict rules on those hosting and processing this data, anywhere in the world.

{{site.data.keyword.IBM_notm}} is committed to providing our clients and {{site.data.keyword.IBM_notm}} Business Partners with innovative data privacy, security, and governance solutions to assist them in their journey to GDPR readiness. Data and its protection are becoming increasingly important to individuals and society. Enterprises must earn the client’s trust in their ability to steward information.

{{site.data.keyword.Bluemix_notm}} is agile and scalable with built-in data security, and privacy services and solutions that can be consumed on premises or through public cloud. Our comprehensive data security platform helps safeguard sensitive data wherever it resides and provides a full range of data protection capabilities.