Business Conduct Guidelines Exam Introduction

talkassistant - Software and s/w Development

Oct 30, 2013


Business Conduct Guidelines Exam



Introduction




As a vital part of our culture, the Business Conduct Guidelines embody the high standard of ethics and integrity expected of all of us at IBM. In our dynamic and complex business environment, the ethical issues we face can be challenging. More than ever, IBM counts on you to be alert and use sound judgment.

Protecting IBM Assets




IBM has a large variety of assets. Many are of great value to IBM’s competitiveness and success as a business. They include not only our extremely valuable proprietary information, but also our physical assets. IBM proprietary information pertains to intellectual property, typically the product of the ideas and hard work of many talented IBM people.

- Confidential data entrusted to many employees in connection with their jobs
- Protecting all of these assets is very important
- Their loss, theft or misuse jeopardizes the future of IBM

For this reason, you are personally responsible not only for protecting IBM property entrusted to you, but also for helping to protect the company’s assets in general.



What is Personal Information (PI) and Sensitive Personal Information (SPI)




In our daily activities, many IBMers come across Personal Information (PI) and in some cases Sensitive Personal Information (SPI). It is important to understand what constitutes PI and SPI so they can be handled appropriately.

What is Personal Information (PI).




- Personal Information includes information that relates to individuals in their personal capacity (e.g. an individual's home address) as well as information that relates to individuals in their professional or business capacity (e.g. an individual's business address).
- Personal Information includes publicly available data about an individual, such as name, home telephone number and address, and business contact information.

What is Sensitive Personal Information (SPI).




IBM considers some types of Personal Information as being "sensitive", due to the risks that such information could be misused to significantly harm an individual in a financial, employment or social way. IBM should not collect or retain such information unless it is necessary to achieve a valid business purpose.



Sensitive Personal Information (SPI) (cont…)




The following are some important data elements that are always considered Sensitive Personal Information (SPI) within IBM.

- Country identification number (e.g. Social Insurance Number (SIN), Social Security Number (SSN)) or other governmentally issued identification number such as a driver's license or passport number.
- Bank account number
- Credit card or debit card number
- Health and medical information, including health insurance identification numbers.
- Sexual orientation, gender identity or gender expression (this does not include "male" or "female" gender status)




SPI and Service Desk.




Sensitive Personal Information must receive a higher level of protection than mere Personal Information that is not sensitive. It should be classified as IBM Confidential information and handled and controlled accordingly.




Protecting Sensitive Personal Information (SPI) is important to IBM and the Service Desk, especially for the service desk when handling information from IBM clients (i.e. Encana).




As a Service Desk analyst, the following important actions are to be followed at all times when dealing with IBM clients/users and SPI.

1. Tickets should not include Encana client confidential information, as confidentiality laws prevent us from attaching such information in a ticket in any form.

   Example: Passwords and security questions and/or answers.

2. Always ask for permission to remote onto clients'/users' machines and advise the client/user to close out any confidential information before remoting on.
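The Service Desk actions above say what must never be attached to a ticket, and the SPI list above names the data elements involved. As an added example (not part of the original training material and not an IBM tool), the Python below is a pre-check a ticketing front end could run over free text before it is saved: it flags the two SPI elements from that list that have a recognisable shape, payment card numbers (13 to 19 digits that pass the Luhn checksum) and US Social Security Numbers written as ###-##-####, and masks them down to the last four digits. The sample ticket text and the numbers in it are constructed test values, and the regular expressions are this example's own heuristics; passwords and security answers have no fixed shape and still depend on the analyst.

```python
"""Pre-check ticket text for SPI-shaped data before it is attached (added example)."""
import re

# Constructed sample ticket text; the card and SSN values are well-known test numbers, not real data.
SAMPLE_TICKET = """User reports login failure after password reset.
Card on file 4111 1111 1111 1111 expires next year.
SSN 123-45-6789 given for identity verification.
Employee ID 998877 and ticket ref 20131030-0042 are fine to keep."""

# 13 to 19 digits, optionally separated by single spaces or hyphens, starting and ending on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security Number in the common ###-##-#### layout
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and reference ids that merely look card-like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m) -> str:
    digits = re.sub(r"\D", "", m.group())
    if luhn_ok(digits):
        return "*" * (len(digits) - 4) + digits[-4:]
    return m.group()            # not a card number: leave the text untouched


def _mask_ssn(m) -> str:
    return "***-**-" + m.group()[-4:]


def find_spi(text: str):
    """Return (kind, masked_value) for each SPI-shaped hit, in order of appearance."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), "card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append((m.start(), "ssn", _mask_ssn(m)))
    hits.sort()
    return [(kind, masked) for _, kind, masked in hits]


def redact(text: str) -> str:
    """Replace SPI-shaped values with masked forms so only the last four digits survive."""
    text = CARD_RE.sub(_mask_card, text)
    return SSN_RE.sub(_mask_ssn, text)


def ticket_is_clean(text: str) -> bool:
    return not find_spi(text)


if __name__ == "__main__":
    for kind, masked in find_spi(SAMPLE_TICKET):
        print(f"blocked: {kind} {masked}")
    print(redact(SAMPLE_TICKET))
```

The Luhn filter is what keeps the employee id and the ticket reference in the sample from being flagged: they are digit runs, but either too short for the card pattern or they fail the checksum. A check like this reduces accidental pasting; it does not replace the rule that such information is not to be attached at all.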

Clean Desk





Clean Desk is the process to ensure that access to information or valuable goods is limited to persons that have the proper ownership or business need for it. In order to achieve a clean desk, all of us must contribute to the following.

- When you leave your desk, you should ensure your laptop is secured and that you have locked the screen protection.
- When you leave your desk or at the end of the day, remember to put work related information and work related assets (computers, keys, CDs, USB sticks, print outs, folders etc.) in locked cabinets.
- When you print something, ensure to collect it as soon as possible. Confidential Information must be picked up immediately.

The purpose of the Clean Desk policy is to reduce/eliminate the risk of loss or misuse of work related physical and intellectual assets, confidential information, and sensitive business/professional information.



Summary




IBM has stressed the importance of these instructions, as the failure to protect IBM Confidential and other sensitive information in the workplace could result in the loss of competitive advantage through the release of proprietary information. It could also result in embarrassment and certain liabilities if information of a sensitive or personal nature is released without authorization.

- Portable high-value assets must be secured by the employee entrusted with custody (i.e. tools, portable PCs, mobile devices and software).
- ThinkPads require special protection as follows:
  (a) Must be cable locked to desks / furniture during working hours
  (b) Must be locked away out of sight or taken home during the after-hours
- All material classified IBM Confidential must be cleared from work areas and placed in locked storage when unattended, especially after normal work hours, including:
  - IBM Confidential information on transparencies, whiteboards, flipcharts, etc.
  - Information on hard drives, diskettes.

NOTE: IBM information that is not classified still has value to IBM and should not be disclosed unless it would benefit IBM to do so.

Personal property is the responsibility of the employee.




Security and Use Standards for IBM Employees

AS Security Standard

All units must comply with this Security standard.

Scope

This document describes the basic computer security measures that must be followed:

- By all individuals who make up the IBM regular and complementary workforce (i.e., includes employees as well as contractors)
- On all workstations (desktops and laptops) and mobile devices used to conduct IBM business.


Business Value

Legal or regulatory compliance; safeguards IBM's image; security

IBM's information and computing assets are critical to the company's success, and as a result, must be protected from loss, modification or destruction.

Compliance criteria

Mandatory compliance criteria are specified within the standard.

Noncompliance with the principles described in this document may result in disciplinary action, as deemed appropriate by your management team.

In conjunction with the CIO Office, IBM country or geographic Human Resources and Legal functions will determine ITCS300 deviations necessitated by local laws or industrial relations agreements, and will provide appropriate guidance to the managers/employees in countries affected by the deviations.


Compliance Validation Approach

Automated Tool(s)

The IBM Workstation Security Tool (WST) is provided to assist employees in ensuring compliance with key workstation security items defined in Section 1 of this document. The tool is distributed automatically through IBM SAM (ISAM) to all supported workstations registered in the Worldwide Asset Management (WAM) database.

Use of Tivoli Endpoint Manager is required on all workstations (desktops and laptops) and mobile devices being used for IBM business, regardless of ownership, as the required security agent. You must allow TEM actions to complete and not cancel or prevent completion of those actions.

Note: Installation and use of Tivoli Endpoint Manager is required only if it is supported for your device.


Detailed description

Security and Use Standards for IBM Employees

ITCS300 - Version 13.2

October 15, 2012

Office of the IBM Chief Information Officer
Route 100, Building 3
Somers, New York 10589



Introduction


IBM's information and computing assets are critical to the company's success, and as a result, must be protected from loss, modification or destruction.

This document includes two major sections: the first summarizes the most critical steps employees must take to protect personal workstations and mobile devices and to defend IBM's systems against harmful code; the second summarizes employee responsibilities for protecting IBM Confidential information, and lists security and appropriate usage requirements in a number of other circumstances that employees are likely to encounter.

Detailed instructions for implementing these requirements on particular computers and operating systems may be found in IT Help Central and other referenced documents or websites.


Notes:

- References to "workstations" include any workstation used to conduct IBM business, regardless of ownership.
- A workstation definition table is available on the IT Security web site that describes different classifications of workstations and the applicable security standard governing security control requirements.
- Individuals who operate multi-user systems and applications which support IBM production business services, Inter-Enterprise Services, local/departmental services, workstations used as kiosks, or workstations made available for general use in classrooms, visitor centers and customer briefing centers, and those supporting development processes, must also refer to Information Technology Security Standards for additional security control measures required for those systems and services.
- Participation in authorized grids or other similar resource pools does not change the categorization of the device or security standard governance of the device.
- Refer to the ITCS300 FAQs for guidance related to appropriate Internet usage.
- Virtualized client operating systems are required to comply with ITCS300. Virtual clients are exempt from the hard drive password requirement and full disk encryption requirements provided the workstation uses one of those options to protect the entire hard drive.


Document availability:

This document and all other IBM CIO Security documents are available on-line from the Architecture and Standards Home.

Document control and change history:

This is an IBM proprietary document. Distribution in whole or in part outside of IBM or its subsidiaries requires the approval of the IBM CIO Office.

This document will be reviewed annually, and will be re-issued when revisions are necessary. Obsolete copies should be destroyed as soon as practical, and shall be the responsibility of the holder. Changes introduced in the most recent version are itemized below.


Version 13.2

October 15, 2012

General

- ITCS300 generally applies also to mobile devices. The prior specific section on mobile devices has been removed and references to mobile devices are placed throughout ITCS300, as appropriate.
- The device references more consistently use the terminology in the Glossary: workstation, desktop, laptop, and mobile device.
- Due to the removal of the specific section on mobile devices, some sections have been renumbered.

General - Compliance Validation

- Tivoli Endpoint Manager (TEM) is also required on mobile devices, where supported.

Section 1.1 Security of your personal workstation

- Hard disk password and encryption requirements also apply to mobile devices, where supported. Encryption requirements may be satisfied by full disk encryption or by an approved application encryption solution as specified in Section 1.6. Screenlock requirements apply to mobile devices.

Section 1.2 When leaving your office or work area

- Requirements to secure your device when leaving your office or work area also apply to mobile devices.

Section 1.3 When traveling or working away from your office or work area

- Requirements to secure your device when traveling or working away from your office or work area also apply to mobile devices.

Section 1.4 Computer viruses and other harmful code

- Requirements for antivirus protection also apply to mobile devices. This was previously noted in the mobile device specific section.

Section 1.5 Security firewalls

- Requirements for device firewalls also apply to mobile devices. This was previously noted in the mobile device specific section.

Section 1.6 Encryption

- Encryption requirements also apply to mobile devices. An approved application encryption solution is an acceptable option to full disk encryption, where provided.

Section 1.7 File sharing

- Mobile devices are also included in the prohibition against peer to peer file sharing.

Section 1.8 Currency

- Currency requirements also apply to mobile devices.

Section 1.8.1 Operating System currency

- Added a new section for operating system currency. Windows primary workstations and mobile devices using Lotus Traveler must be running operating systems that the vendor is continuing to support with security patches.

Section 1.9 Workstation and Mobile Device registration

- Clarified in the section title that registration also includes mobile devices. The body of the section already referenced mobile devices.

Section 2.1.3 Residual information

- Mobile devices must also comply with residual information requirements. The referenced Device Secure Disposal FAQ already addressed several mobile devices but they weren’t referenced in the body of the section.

Section 2.1.4 Liability

- IBM’s lack of liability for use of non-IBM assets includes all devices and not just workstations.

Section 2.2.3 Protecting IBM Confidential information

- Requirements for reporting lost or stolen Sensitive Personal Information (SPI) also include SPI on mobile devices.

Section 2.3.2 Remote connections to IBM networks and systems

- Information about mobile device synchronization has been moved to this section from the prior mobile device specific section.

Section 3 Security incident reporting

- Emphasized the requirement to assist Security personnel in an investigation when requested to do so.

General - Tools and Support

- Tivoli Endpoint Manager (TEM) is also required on mobile devices, where supported.

General - Glossary

- Added a definition for primary workstation.





Section 1: Workstation and mobile device security requirements

1.1 Security of your personal workstation or mobile device

The following security controls, if available, must be activated on all workstations and mobile devices to help protect against theft of sensitive IBM information contained on the device:

- Activate a hard disk password for each drive in the device's BIOS settings.
  - A separate hard disk password is not required for drives protected by approved full disk encryption or approved application encryption solutions (see Section 1.6).
  - If the workstation or mobile device does not support a hard drive password in the BIOS, an approved encryption solution, such as PGP Whole Disk Encryption with Preboot authentication, must be used. As noted in Section 1.6, an approved encryption solution is also required if the workstation or mobile device contains sensitive personal information (SPI) or customer information (e.g., workstations used in services organizations). However, if those conditions do not apply and the workstation or mobile device resides on IBM premises and does not leave IBM premises, then an approved encryption solution is not required.
- Set a password protected keyboard/screen lock for each active account that is automatically activated by a period of inactivity, and when the workstation or mobile device resumes from standby or hibernate. The inactivity time interval should be no more than 30 minutes.
  - Note: Employees who store, process or transmit payment card data are to set the keyboard/screen lock inactivity time interval to no more than 15 minutes in accordance with Payment Card Industry (PCI) standards.

IT Help Central has information on the setting of hard drive and Windows screen saver passwords.

Notes:

- You are not required to periodically change your workstation's or mobile device's hard disk password.
- Desktop workstations located in Controlled Access Areas or in offices which are locked when unattended are not required to have keyboard/screen lock passwords applied.
1.2 When leaving your office or work area

If you do not work in an office that can be locked:

- Activate the password protected keyboard/screen lock when you leave (i.e., do not leave the workstation or mobile device exposed for the 30-minute inactivity period required for the automated screenlock activation).
- Your laptop or mobile device must be physically secured (i.e., locked in a desk drawer or filing cabinet, locked in an office, or taken with you). If this is not possible and the device supports the use of a cable lock, a cable lock must be used to secure the device to a fixed object.

Note: Refer to the IT Security web site for recommended cable lock solutions.

Note: If additional security controls are required, you will be notified by your location Security department.

1.3 When traveling or working away from your office or work area

Keep laptops or mobile devices in your possession if at all possible.

- When traveling by air, do not put laptops or mobile devices in checked baggage, and be alert to the possibility of theft when going through security checkpoints at airports.
- Laptops or mobile devices should not be left for an extended period of time in an unoccupied vehicle.
  - If you cannot keep the device in your possession and you must leave your device in an unoccupied vehicle, then consider securing the device where it is out of sight and locked up (inside the glove compartment or trunk, for example). Information regarding how to best secure devices in a vehicle can be obtained from your location Security department.
- If you cannot keep the device in your possession and you must leave the device in a hotel, lock it in the hotel safe if one is available.
  - If a safe is not available and the device supports the use of a cable lock, use that mechanism.
- If you are traveling with IBM Confidential material recorded on portable media such as paper or on portable storage media devices, you must protect this media according to the same guidelines listed above for protecting your laptop or mobile device.
- If you are traveling internationally with technology (e.g. technical data, product design, development, or production specifications, etc.) stored on laptop hard drives or portable storage media devices (e.g. external hard drive, memory sticks, etc.), you must adhere to US export restrictions as well as foreign country export restrictions. Contact your location Export Regulation Coordinator (ERC) prior to traveling internationally if technology is present on your workstation's hard drive or portable storage media device.

Note: If your laptop, mobile device, or IBM Confidential information is stolen or lost, you must report the loss to your IBM location Security organization and your manager.


1.4 Computer viruses and other harmful code

Install and run an IBM-approved antivirus program on your workstation or mobile device. Refer to the IBM Virus CERT website to determine which antivirus program is available for your workstation or mobile device.

If you discover a virus, complete the on-line form available on the IBM Virus CERT website.

If you are contractually obligated to use an antivirus program not provided by IBM, the antivirus program must meet the following basic criteria:

1. detect and block attempted action by viral software in real time.
2. periodically scan for and detect viral software stored on the workstation or mobile device.
3. check for virus signature control file updates on at least a daily basis.
4. must be a fully licensed product.

Notes:

- If an approved antivirus program is not available for your workstation's or mobile device's operating system, you are not required to take any additional action to obtain and install an antivirus program.
- Managed antivirus clients are configured to receive updates on an "as needed" basis. All other antivirus clients are configured to check for updated signatures at least daily.
- IBM will only provide technical and Help Desk support for antivirus products provided by IBM.

1.5 Security firewalls

Install and run an IBM-approved client firewall program on your workstation or mobile device. Refer to the IBM Virus CERT website to determine which client firewall program is available for your workstation.

If you are contractually obligated to use a client firewall product not provided by IBM, the client firewall product must meet the following basic criteria:

1. detected networks should be treated as unknown and NOT trusted.
2. alert users to new programs requesting access to the network.
3. deny access from unauthorized systems.
4. client firewall software has the latest updates available.
5. must be a fully licensed product.

Notes:

- If an approved client firewall program is not available for your workstation's or mobile device's operating system, you are not required to take any additional action to obtain and install a client firewall.
- IBM will only provide technical and Help Desk support for firewall products provided by IBM.

1.6 Encryption

IBM Confidential information related to unannounced technology or business plans, non-public financial information, and personal information such as credit card numbers or financial or medical information, must be encrypted if sent electronically across the Internet.

An approved full disk encryption solution or approved application encryption solution (see the encryption solutions page) is required for workstations or mobile devices that:

- store sensitive personal information (SPI), or
- store customer information (i.e., services organizations), or
- are physically removed from IBM premises.

Encryption is required for portable storage media when:

- sensitive personal information (SPI) is stored, or
- customer information is stored, or
- the media is created for backup purposes.

Encrypt local Lotus Notes databases (those residing on your workstation) that contain IBM Confidential information, including mail files, archives, "my attachments repository", and database replicas.

If you attach your workstation or mobile device to a non-IBM network where administrative level access on the workstation is not controlled by IBM (for example, you are working on an external customer's network and are required to login to a Windows domain administered by the customer), all IBM Confidential information must be encrypted.

Notes:

- Refer to IT Help Central for information on encryption of Lotus Notes databases.
- Refer to the S/MIME digital certificates page on the IT Security web site for more information about encryption solutions when transmitting IBM Confidential information over the Internet.
- Refer to the encryption solutions page on the IT Security web site for approved cryptographic methods when storing information locally on your workstation.
- Refer to the Worldwide backup guidelines page on the IT Tools web site for approved cryptographic methods when storing information on portable storage media or other network attached backup destinations.

1.7 File sharing

Access to your workstation by other users is only allowed if the following precautions are taken:

- The software that allows access is provided by IBM.
- Unauthenticated access is prevented.
- If you allow access to IBM Confidential information, grant access explicitly and only to users with a need to know.
- Access is revoked when it is no longer needed.

Note: The use of Internet-based peer to peer file sharing services on workstations or mobile devices is prohibited unless explicitly approved by the IBM CIO security staff.


1.8 Workstation and Mobile Device Currency

1.8.1 Operating System

Employees running a Windows operating system on their primary workstation or using Lotus Traveler on their mobile device must be running a supported operating system (i.e. one the vendor continues to support with security patches). These devices must be upgraded to a supported operating system level prior to the end of vendor support.

1.8.2 Major Service Releases

Employees must install major service releases (called Service Packs) and/or upgrade to supported versions by the CIO-directed date noted in the security patches page for their respective version.

Automated delivery solutions are available for both Windows and non-Windows operating systems.

1.8.3 Security Patches

Employees must install CIO-required security patches for their respective version within 15 days of the publication date in the matrix.

Automated delivery solutions are available for both Windows and non-Windows operating systems.


1.9 Workstation and Mobile Device Registration

Registration is required for all workstations and mobile devices which are used for IBM business regardless of ownership. Registration is either manual at the IBM WAM Asset Center, or by installation of the ISAM client, or enrollment in the Traveler Program (for mobile devices).

Note: Devices that obtain a dynamic address from a business unit administered IP address domain are exempt from this requirement, but may be required by the business unit's address domain administration procedures to register.
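Sections 1.1, 1.4, 1.5, 1.6, 1.8 and 1.9 together describe a small rule set that a device either meets or does not: a hard disk password unless approved encryption covers the drive, encryption whenever SPI or customer information is stored or the device leaves IBM premises, a screen lock of at most 30 minutes (15 for payment card data), an approved antivirus and client firewall, a vendor-supported operating system, CIO-required patches within 15 days of publication, and registration. As an added example (not the IBM Workstation Security Tool or any IBM code), the Python below expresses those rules as a policy-as-code check over a device record: the Device fields, the device names and the dates are this example's own constructed values, and the evaluator returns every finding with the section it comes from rather than stopping at the first.

```python
"""Evaluate a device record against the Section 1 controls (added example, not IBM's WST)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SCREEN_LOCK_MAX_MINUTES = 30        # Section 1.1
SCREEN_LOCK_MAX_MINUTES_PCI = 15    # Section 1.1 note: payment card data
PATCH_GRACE_DAYS = 15               # Section 1.8.3


@dataclass
class Device:
    name: str
    hard_disk_password: bool            # BIOS hard disk password set (1.1)
    approved_encryption: bool           # approved full disk or application encryption (1.6)
    stores_spi: bool                    # holds sensitive personal information
    stores_customer_info: bool          # holds customer information (services organizations)
    leaves_premises: bool               # device is taken off IBM premises
    screen_lock_minutes: Optional[int]  # inactivity lock interval; None means no lock configured
    handles_payment_card_data: bool     # PCI: 15-minute lock instead of 30
    antivirus_approved: bool            # IBM-approved antivirus installed and running (1.4)
    firewall_approved: bool             # IBM-approved client firewall running (1.5)
    os_vendor_supported: bool           # OS still receives vendor security patches (1.8.1)
    oldest_missing_patch: Optional[date]  # publication date of the oldest uninstalled CIO-required patch (1.8.3)
    registered: bool                    # registered via WAM Asset Center, ISAM or Traveler (1.9)


def encryption_required(dev: Device) -> bool:
    """Section 1.6: any one of the three conditions triggers the requirement."""
    return dev.stores_spi or dev.stores_customer_info or dev.leaves_premises


def evaluate(dev: Device, today: date) -> List[str]:
    """Return the list of non-compliant items, each prefixed with the section it comes from."""
    findings = []
    # 1.1: hard disk password, unless the drives are covered by approved encryption
    if not dev.hard_disk_password and not dev.approved_encryption:
        findings.append("1.1 no hard disk password and no approved encryption")
    if encryption_required(dev) and not dev.approved_encryption:
        findings.append("1.6 approved encryption required but not present")
    # 1.1: screen lock interval, tightened to 15 minutes when payment card data is handled
    limit = SCREEN_LOCK_MAX_MINUTES_PCI if dev.handles_payment_card_data else SCREEN_LOCK_MAX_MINUTES
    if dev.screen_lock_minutes is None:
        findings.append("1.1 no password-protected screen lock configured")
    elif dev.screen_lock_minutes > limit:
        findings.append(f"1.1 screen lock interval {dev.screen_lock_minutes} min exceeds {limit} min")
    if not dev.antivirus_approved:
        findings.append("1.4 no IBM-approved antivirus program")
    if not dev.firewall_approved:
        findings.append("1.5 no IBM-approved client firewall")
    if not dev.os_vendor_supported:
        findings.append("1.8.1 operating system no longer supported by the vendor")
    if dev.oldest_missing_patch is not None:
        age = (today - dev.oldest_missing_patch).days
        if age > PATCH_GRACE_DAYS:
            findings.append(f"1.8.3 CIO-required patch outstanding {age} days (limit {PATCH_GRACE_DAYS})")
    if not dev.registered:
        findings.append("1.9 device not registered")
    return findings


# Constructed sample records; names and dates are made up for the example.
AS_OF = date(2012, 10, 15)
COMPLIANT_LAPTOP = Device("lt-001", hard_disk_password=False, approved_encryption=True,
                          stores_spi=True, stores_customer_info=False, leaves_premises=True,
                          screen_lock_minutes=15, handles_payment_card_data=True,
                          antivirus_approved=True, firewall_approved=True, os_vendor_supported=True,
                          oldest_missing_patch=date(2012, 10, 5), registered=True)
NONCOMPLIANT_LAPTOP = Device("lt-002", hard_disk_password=True, approved_encryption=False,
                             stores_spi=True, stores_customer_info=False, leaves_premises=False,
                             screen_lock_minutes=45, handles_payment_card_data=False,
                             antivirus_approved=True, firewall_approved=False, os_vendor_supported=True,
                             oldest_missing_patch=date(2012, 9, 1), registered=False)
ONPREM_DESKTOP = Device("dt-003", hard_disk_password=True, approved_encryption=False,
                        stores_spi=False, stores_customer_info=False, leaves_premises=False,
                        screen_lock_minutes=30, handles_payment_card_data=False,
                        antivirus_approved=True, firewall_approved=True, os_vendor_supported=True,
                        oldest_missing_patch=None, registered=True)

if __name__ == "__main__":
    for dev in (COMPLIANT_LAPTOP, NONCOMPLIANT_LAPTOP, ONPREM_DESKTOP):
        print(dev.name, evaluate(dev, AS_OF) or ["compliant"])
```

The three sample records show the interplay the text describes: the first laptop has no BIOS hard disk password but is compliant because approved encryption covers the drive; the second stores SPI on an unencrypted drive, so Section 1.6 fires even though the device never leaves the premises; the desktop that stays on IBM premises with no SPI or customer data needs no encryption at all.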





Section 2: General security & use requirements

2.1 Legal considerations

2.1.1 Copyright and intellectual property

Most information and software (programs, audio, video, data files, etc.) that is publicly available, including on the Internet, is subject to copyright or other intellectual property right protection. When obtaining material for use inside IBM:

- Do not obtain software from such sources for use within IBM unless express permission to do so is stated by the material owner.
- You must read and understand any software copyright restrictions. If you think that IBM will not be able to comply with any part of the terms, do not download or use the material.
- Ensure that you comply with any expressed requirements or limitations attached to the use of such software (for example: not to be used for commercial purposes; cannot charge others for use or distribution; subject to a copyright or attribution notice being affixed to each copy; must distribute source code; etc.).
- If you are unsure about the meaning of the restrictive language or have questions about it, you should contact an IBM attorney to review it before downloading or using the material.
- You must obtain assistance and approval from IBM Legal or Intellectual Property Law counsel before incorporating any material that is not IBM proprietary into a product or material IBM intends to distribute externally.

2.1.2 Publishing IBM software

Seek advice from IBM Intellectual Property Law counsel before uploading any IBM software to the Internet. You must ensure that any IBM copyright documents clearly indicate IBM as holder of the copyright.

2.1.3 Residual information

In the event a workstation or mobile device is to be transferred to an asset return center, the owner of the device is to wipe the hard drive in a manner that renders the information unreadable prior to shipping the device. Please refer to the Device secure disposal FAQ web page for tools and techniques that can satisfy this requirement.

In situations where an IBM or contract employee is using a workstation or mobile device owned by a business other than IBM, the management owner of the equipment will retrieve IBM data from specified equipment and inspect designated machines, upon request from IBM. Contractor and non-IBM management will take necessary actions to protect IBM Confidential information.

All IBM data and applications, including access information and passwords, must be deleted from workstations and mobile devices not provided by IBM when there is no longer a legitimate need and authorization for access.

2.1.4 Liability

In situations where non-IBM assets are being used for IBM business, IBM is released of all liability in the event of loss/damage to the equipment and/or information. In cases where the non-IBM assets are used as part of a contractual relationship, appropriate releases must be signed as part of the agreement between IBM and the contract company.

2.2 Protecting IBM information

2.2.1 Passwords

The password associated with a computer access userid is the primary means of verifying your identity, and subsequently allowing you access to the computer and to IBM information. For your own protection, and for the protection of IBM's resources, you must keep your identity verification password secret and not share it with anyone else.

Note: The hard disk password you use to help protect against unauthorized access to your workstation or mobile device is not an identity verification password. This password is not associated with your identity, but rather, can be managed like doorlock keys or safe combinations. It is not a violation of security policy for you to notify your manager of this password.

Information protection and data privacy laws in various countries include specific requirements for the selection of secure identity verification passwords, and compliance with these password rules is a legal obligation. The IBM password rules listed below are consistent with current international requirements.

Identity verification passwords must not be trivial or predictable, and must:

- Be at least 8 positions in length
- Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters.
- Not contain your userid as part of the password

IBM internal business systems and applications containing IBM Confidential information require you to change your password at least once every three months (90 days). In cases where the system or application does not use technical control measures to force you to change your password, it is your responsibility to comply with the password change requirement. When changing your password, you must select a new password, i.e., do not change the password to one that you used in the past two years. You are not to change your password multiple times a day in order to re-establish a previously used password. The use of "automatic logon" to the operating system, except for PGP Single Sign-on, is prohibited.

IBM password rules must be followed not only when you access internal IBM systems, but also on systems you may access in support of a commercial customer unless the client's policy and practices as defined in the contract agreement are more stringent.

Note: If you access computer systems that are not under IBM control, do not select the same password on external systems that you selected for use on IBM internal systems.
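The password rules in 2.2.1 are precise enough to enforce at the point where a new password is chosen: length of at least 8, a mix of alphabetic and non-alphabetic characters or at least two non-alphabetic types, no userid inside the password, no reuse within two years, and a change at least every 90 days. As an added example (not IBM's implementation and not part of the standard), the Python below applies those five rules to a proposed password and a history of earlier ones. The userid, the sample passwords and the history dates are constructed for the example; the history holds digests rather than cleartext, the userid comparison is case-insensitive by this example's choice, and the two-year window is approximated as 730 days.

```python
"""Check a proposed identity-verification password against the rules above (added example)."""
import hashlib
from datetime import date, timedelta
from typing import List, Tuple

MIN_LENGTH = 8
MAX_AGE_DAYS = 90            # must be changed at least once every three months
HISTORY_DAYS = 2 * 365       # approximate two-year reuse window

TOO_SHORT = "shorter than 8 positions"
BAD_MIX = "must mix alphabetic and non-alphabetic characters, or use two types of non-alphabetic characters"
HAS_USERID = "contains userid"
REUSED = "reused within the past two years"


def pw_digest(password: str) -> str:
    # History keeps digests, never cleartext; a real credential store would use its own salted password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def composition_ok(password: str) -> bool:
    """Rule 2: alphabetic plus at least one non-alphabetic type, or two non-alphabetic types."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)   # punctuation or special characters
    non_alpha_types = int(has_digit) + int(has_special)
    return (has_alpha and non_alpha_types >= 1) or non_alpha_types >= 2


def check_new_password(userid: str, password: str,
                       history: List[Tuple[str, date]], today: date) -> List[str]:
    """history holds (digest, date_set) for previous passwords. An empty result means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if not composition_ok(password):
        problems.append(BAD_MIX)
    if userid.lower() in password.lower():         # assumption: compared case-insensitively
        problems.append(HAS_USERID)
    cutoff = today - timedelta(days=HISTORY_DAYS)
    digest = pw_digest(password)
    if any(d == digest and set_on >= cutoff for d, set_on in history):
        problems.append(REUSED)
    return problems


def change_due(last_changed: date, today: date) -> bool:
    """90-day rule: True when the password has to be changed now."""
    return (today - last_changed).days >= MAX_AGE_DAYS


# Constructed sample history for the made-up userid "jsmith"
TODAY = date(2012, 10, 15)
HISTORY = [
    (pw_digest("Winter2009x"), date(2010, 1, 1)),   # older than two years: may be reused
    (pw_digest("Summer2012x"), date(2012, 8, 1)),   # recent: must not be reused
]

if __name__ == "__main__":
    for candidate in ("jsmith2013!", "short1", "abcdefgh", "1234!@#$", "Summer2012x"):
        print(candidate, check_new_password("jsmith", candidate, HISTORY, TODAY) or ["ok"])
    print("change due:", change_due(date(2012, 7, 1), TODAY))
```

Note that "1234!@#$" passes even though it has no letters: the rule accepts two non-alphabetic types (digits and special characters) as an alternative to an alphabetic mix, which is exactly what the second bullet says.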


2.2.2 Lotus Notes calendars

You must ensure that your Lotus Notes Calendar can only be viewed by authorized individuals such as your department/team members and/or your administrative assistants.

For instructions on how to set your Lotus Notes calendar to only allow authorized individuals to view your calendar, refer to IT Help Central.


2.2.3 Protecting IBM Confidential information

The primary requirement for protecting IBM Confidential information is that it must be protected from access or viewing except by people who have a business need to know the information.

IBM Confidential information must be properly labeled in accordance with Corporate Instruction Legal 116.

When you store IBM Confidential information on computer systems (e.g. group web sites, Lotus Notes databases, or other shared data repositories), you must use software security controls to manage and limit access to the information. Security controls must never be set to allow unrestricted access (e.g., world-readable, "public") to IBM Confidential information. Applicable controls include not just access lists on the data itself, but also controls on user-managed remote access to IDs which have such access. If you do not understand how to correctly set or use the security controls, ask for advice or assistance from your Provider of Service.

When you store IBM Confidential information on removable computer media, such as diskettes, tapes, compact disks (CDs), mobile device storage, etc., you must protect the information against theft and unauthorized access. Label the media IBM Confidential and keep them in a locked area or storage device when they are not in use. Never leave them exposed in unattended areas.


Sensitive personal information (SPI) about IBM's employees, our customers, or other individuals is to be classified IBM Confidential.

- Do not store sensitive personal information without a valid business need to do so.

- If you have a valid business need to store sensitive personal information on your workstation, mobile device, or portable storage media (such as a CD/DVD, a removable HDD, a USB storage device, or a data backup tape), refer to section 1.6 for encryption requirements.

- If your workstation, mobile device, or portable media containing sensitive personal information is lost or stolen, or if you suspect that somebody has compromised its security, you must immediately report the incident and specify that sensitive personal information may have been exposed. Follow the instructions provided in Section 3: Security incident reporting.


Only computing devices (computers, mobile devices, smartphones, media players, netbooks, set-top devices, etc.) which meet all of the following requirements may be used to store, access, or process IBM Confidential information:

- The device must be owned by IBM or an IBM employee. For contract personnel, the device may be owned by the company providing the contract services.

  Note: for a device at a customer site issued/owned by the IBM customer, if there is a need to share specific confidential information with the customer and the normal confidentiality/nondisclosure agreements are in place, the specific confidential information exchanged with the customer and covered by those agreements may be stored/accessed/processed on the customer-owned workstation. However, the workstation or mobile device may not be used to store, access, or process other confidential information.

- The device must be maintained per the requirements in this standard and any other applicable IBM standards.

- Confidential information on the device must be protected such that only the authorized IBM employee(s) are able to access the information. For example, if a personally owned home computer or mobile device is used, other family members must be technologically prevented from accessing the confidential information through encryption, access control settings, or other equivalent mechanisms.


When an asset (e.g., workstation, mobile device, hard drive) containing IBM Confidential information must be shipped to a service center (including Deskside Support) using an overnight carrier, you must ensure the hard drive password is enabled or the disk is encrypted. The hard drive password or the password protecting the encryption key is not to be written down and sent with the device in the same box. Passwords are to be sent electronically to the service center in a secure manner.


When printing IBM Confidential information you must protect the information against theft and unauthorized viewing. (The term "printer" includes printers, plotters, and any other device used to create hard copy output.) IBM Confidential information may only be printed:

- in a controlled access area, with access based on "need to know", or

- in an attended IBM printer facility, where the output is given only to its owner, or

- on a printer with a capture/release facility that you control, or

- on a printer that you are personally attending, or

- under the control of InfoPrint Manager, or an equivalent function, where it is available in the location where you are working.

If none of these options are available at your location, you may use a printer located within an open area in IBM internal office space, but you must pick up your IBM Confidential printout material within 30 minutes.


2.2.4 Using teleconferencing systems

When chairing an IBM Confidential teleconference, confirm that all participants are
authorized to participate, before starting any discussion.


2.3.1 IBM internal networks

When connected to and using IBM internal networks, including Local Area Networks (LANs):

- Do not allow other individuals to use your remote access login credentials.

- Do not store your remote access login credentials in the remote access client on any computer, unless you are the only user of that computer, or you have restricted access to the remote access client on the computer so that only you can use it.

- Do not misrepresent yourself (i.e., masquerade) as someone else on the network.

- Do not monitor network traffic (i.e., use a "sniffer" or similar device) without first obtaining explicit management approval and permission from the network administrator.

- Do not run security testing tools/programs against any Intranet system or server, other than those that you directly control, without first obtaining explicit management approval.

- Do not add any network device that extends the IBM infrastructure (e.g. devices functioning as switches, bridges, routers, hubs, modems, wireless access points, etc.) for any reason without first obtaining permission from the network administrator.

- Wireless network adapters and desktop firewalls must only "trust" safe networks, such as the IBM Corporate wireless LAN or your secure home network. Use of public networks is permitted provided your desktop firewall is configured to treat those connections as "untrusted", so that you are prompted before any connection is allowed from hotels, airports and other hotspots. Workstations or mobile devices within isolated lab networks are prohibited from simultaneously connecting to the IBM corporate wireless LAN infrastructure and the isolated lab networks.

- Do not install software or tools that will connect your workstation to the Internet and remain actively connected, allowing you to remotely access the system inside the internal network.

Visitors at IBM locations are not allowed to connect to the IBM internal network. They may only use services that allow them Internet access, such as Wireless Internet Access for IBM Visitors.


2.3.2 Remote connections to IBM networks and systems

When connected to a non-IBM network, an IBM approved remote access solution must be used to establish connectivity with IBM.

The following remote access solutions are considered strategic and should be used when available:

- AT&T Network Client

- IBM Connect

Other IBM approved remote access solutions (e.g., SINE) are also acceptable to satisfy this requirement. If you are not sure the solution you use is approved, contact the solution provider to verify that the solution is approved by the IES OMT.

For mobile devices, remote access for synchronization of data or access to IBM infrastructure must go through an IBM authorized remote access gateway. Devices must support the security authentication required to access these gateways securely.

- Local synchronization may be performed using direct USB, Infrared, Bluetooth, IBM Corporate WLAN infrastructure or "safe" wireless (such as your secure home network) connections. If Bluetooth is used, configure Bluetooth on all mobile devices supporting these features so that it is not discoverable and will only connect with paired devices.


2.3.3 Using public systems and services

Public systems and services are not owned or controlled by IBM and are not subject to IBM directives. Therefore certain restrictions are needed in order to protect IBM information.

- Access to IBM internal resources (such as your email) is not allowed from public systems. You may only access the IBM infrastructure and internal resources with an ITCS300 compliant system using an approved remote access solution.

- IBM information is not to be stored, copied or forwarded to a public system, such as a kiosk.

- It is not permitted to boot a public system with bootable OS media (CD, USB, etc.) in order to use it for IBM business purposes.

- IBM information is not to be stored, copied, or forwarded to a public service or to your Internet service provider's email, calendar or storage space. This restriction applies to public cloud services providing online storage and file sharing capabilities.

- Automatic forwarding of mail (by agent, mail rules, or script) from IBM internal mail infrastructure to external mail addresses via the public Internet is prohibited. Mail may be manually forwarded by the recipient of the email if controls are in place per ITCS104 to protect the data as deemed appropriate for the data classification. Mail may be forwarded by infrastructure solutions that ensure protection of the email if the solution is approved by CIO Security. Approved solutions include the IBM BlackBerry Enterprise solution and Lotus Traveler.

Note: the terms "public systems" and "public services" are defined and described with examples in the Glossary under Additional Information below.



2.4 Computer conferencing

IBM internal computer conferencing (newsgroups, forums, discussion databases) provides company-wide databases for sharing information and discussing ideas about a wide range of business related topics, as approved by the conference owners. Information and discussions on IBM internal conferences must meet the following criteria:

- If the conference is set up to allow open participation within IBM, or to allow participation by IBM customers or other external parties, IBM Confidential information must not be included or discussed.

- Nontechnical information and comments which are more appropriate for an official IBM communications channel (e.g., speaking to one's manager, the Speak-Up Program, the Open Door Program, etc.) must not be included.

- Participants are to avoid giving legal opinions or medical advice.

- Secure computer conferencing services must be used when IBM Confidential, personal or sensitive information is discussed. (IBM's electronic meetings service provides secure computer conferencing services.)


2.5 Privileged users

The following requirements apply to privileged individuals with specific authorities. For example, if you are a security or system administrator for any IBM internal production system/application, or if you have similar privileged authorities for an external client's systems/applications, you are a privileged user. Refer to the Glossary in Additional Information for the definition of a "privileged user".


Privileged users with an IBM-provided asset

- If you have an IBM-provided asset that will be used with privileged credentials, you can use that asset only for IBM business and very limited personal use in the event of an emergency. Note: if you have more than one IBM provided asset, you can use one for work necessitating the use of privileges (restrictions do apply) and the other asset for work that does not involve the use of privileges (restrictions do not apply).

- You must not attach portable-storage media (e.g., USB, external hard drive, etc.) to an IBM provided asset unless it was purchased through normal IBM procurement channels, and you must use the media only for business purposes. All exceptions require written approval from your manager.

- When performing work for a client using an IBM provided asset, you must comply with IBM's IT security policies and procedures unless the client's security policies and processes as defined in the contract agreement are more stringent.


Privileged users with a client-provided asset

- Use of a client-provided asset for any type of personal use is not allowed. No exceptions.

- If you have a client-provided asset, you can use that asset only for client business.

- You must not store IBM information on a client-provided asset unless it is necessary for the work you are performing for the client relationship and there is a confidentiality agreement in place with the client.

- You must not attach portable-storage media (e.g., USB, external hard drive, etc.) to a client-provided asset unless it was purchased through normal IBM procurement channels or provided by the client, and you must use the media only for business purposes. All exceptions require written approval from your manager.

- When performing work for a client using a client-provided asset, you must comply with client security policies and procedures as per the contract agreement with the client.


Privileged users: use of a personally owned asset

- When providing support or services for a client or IBM, you must not use a personally owned device for any activity where you would need to use your privileged authority. No exceptions.




Section 3: Security incident reporting

Security incidents must be reported to the Incident Contact Center.

Employees are not to attempt to investigate or take action against the offender. Security staff are qualified and trained to properly contain exposures, mitigate potential impact to IBM, and conduct investigations, up to and including gathering evidence for possible legal action. If directed to do so by Security personnel, employees must provide whatever assistance is required for an investigation.

Incidents involving violations of IBM's Business Conduct Guidelines can be referred to your manager or HR for resolution.



end of ITCS300


Implementation & migration

Migration path

Actions to achieve compliance with the changes made in this release must be completed by January 15, 2013.

Key dates:

- All existing projects/applications must comply by: 01/15/2013

- All projects implemented after this date must comply: 01/15/2013

- Any project which has not exited the Plan phase by this date must comply: 01/15/2013


Geographic considerations

In conjunction with the CIO Office, IBM country or geographic Human Resources and Legal functions will determine ITCS300 deviations necessitated by local laws or industrial relations agreements, and will provide appropriate guidance to the managers/employees in countries affected by the deviations.


Tools & support

The IBM Workstation Security Tool (WST) is provided to assist employees in ensuring compliance with key workstation security items defined in Section 1 of this document. The tool is distributed automatically through IBM SAM (ISAM) to all supported workstations registered in the Worldwide Asset Management (WAM) database.

Use of Tivoli Endpoint Manager (TEM) is required on all workstations (desktops and laptops) and mobile devices being used for IBM business, regardless of ownership, as the required security agent. You must allow TEM actions to complete and not cancel or prevent completion of those actions.

Note: Installation and use of Tivoli Endpoint Manager is required only if it is supported for your device.


Related material

Related architectures and corporate instructions

IBM Corporate Instruction CIO104: Information Technology Security

IBM Corporate Instruction LEG116: Classification and Control of IBM Information

IBM Business Conduct Guidelines

Related projects

N/A


Additional information

IBM IT Security web site

IBM Corporate Security web site

IT Help Central


Glossary

Desktop: A workstation that is not portable.

Laptop: A portable workstation.

Mobile device: Mobile computing devices such as smartphones (including iPhone, Android, RIM BlackBerry, Windows Mobile and Symbian devices), Personal Digital Assistants, mobile phones with data access, etc.

Portable computer: Includes laptops and mobile devices.

Portable storage media: Includes CD/DVD, an external hard drive, a USB storage device, or a data backup tape.

Primary workstation: A desktop or laptop PC which is used as an office productivity platform for normal office work (e-mail, web browsing/applications, instant messaging, documentation, etc.), and which is not used for multiple user capabilities (e.g. server functions).

Privileged user: Individuals who have been assigned security or system administrative authorities are considered privileged. Privileged users are distinguished from general users by assignment of security administrative authorities or system authorities on network devices, computer systems, middleware components or applications. Examples of privileged level access include:

- Setting and administering security controls and configurations.

- Performing installation or upgrades of software or applications, including patches/fixes.

- Starting or stopping processes, services, functions and features.

- Managing access rights of other users for production systems, domain controllers or LDAP, middleware products or production applications governed by ITCS104. Managing access rights includes tasks such as adding new user accounts, deleting user accounts and modifying access rights for existing user accounts.

- Security administrative authority over code management systems/libraries, production build systems, production file servers or backup systems (e.g. TSM).

- Authority to modify/create packages for final distribution as official product releases from production final build system(s) (e.g. version, release, mod release, interim feature, fix pack, etc.).

- Authority to install/promote new or modified production applications into production or steady state.

Public services: Examples of public services include online document storage (such as DropBox, SugarSync, Carbonite, Box.net, iCloud, MobileMe, etc.), editing and sharing services, translation services, collaboration services, and hosted file, calendar, and email services.

Public systems: Examples of public systems are systems which are provided at libraries, hotel business centers, hot spots and cyber cafes, such as kiosks.

Security incident: A security incident can originate within or outside of IBM, can involve IBM internal or external sites, and can range in severity. Security incidents include matters such as unauthorized access to classified or otherwise sensitive data (such as information about products or customers), alteration or compromise of the integrity of a system/server/application, disruption or denial of service availability, alteration or defacement of an Internet website, system penetrations, destruction of data, fraud, crime, theft, etc. Incidents involving violations of IBM's Business Conduct Guidelines can be referred to your manager or HR for resolution.

Workstation: Includes desktops and laptops.