IBM Blueworks Live Security Overview

Security Policy

IBM Blueworks Live development is done in accordance with the IBM secure engineering framework. IBM maintains privacy and security policies that are published and communicated to IBM employees through IBM’s intranet site. Employees are required to re-certify annually.

IBM and its data center host each require privacy and security education training for individuals who support the data center where IBM Blueworks Live is hosted.

IBM Blueworks Live security policies and standards are re-evaluated annually.

IBM Blueworks Live security incidents are handled in accordance with the incident response management program of the data center where IBM Blueworks Live is hosted.

IBM Blueworks Live has a documented Disaster Recovery response plan and incident management plan.

IBM Blueworks Live has annual security audits. IBM Blueworks Live allows customers to perform penetration testing and security assessments. Please request a penetration test by opening a support ticket through the Blueworks Live support portal or emailing support@blueworkslive.com.

Access Control

IBM employees do not have direct access to customer data, except as necessary for maintenance, backups, and upon customer requests for support. IBM does not monitor, evaluate, or share information entered into IBM Blueworks Live by customers.

Remote management of the IBM Blueworks Live production servers is performed by authorized IBM Blueworks Live operations team personnel via an encrypted VPN link. Access is logged.

There is no usage of Wi-Fi on the production data systems network of the data center where IBM Blueworks Live is hosted. Wi-Fi technology is used in the same facility, but on a separate network from the IBM Blueworks Live production network.

Users access IBM Blueworks Live with their email addresses and a unique password, via a SAML 2.0 integration with the customer’s identity provider, or via an IBMid. A customer’s IBM Blueworks Live administrator may select password rule settings for users based on its security policy.

Communication with the IBM Blueworks Live servers, including user names and passwords, is encrypted in transit via SSL/TLS. IBM Blueworks Live’s architecture includes authentication checks at the application server and database levels. Passwords are hashed and salted.

Service Integrity & Availability

Modifications to operating system resources (OSRs) and application software are governed by the IBM Blueworks Live change management process.

The IBM Blueworks Live servers use a stateful firewall that is configured to block incoming traffic on ports other than 80 or 443 (HTTP and HTTPS). Port 80 is automatically redirected to port 443. Changes to firewall rules are governed by the IBM Blueworks Live change management process.

The IBM Blueworks Live operations team periodically monitors and analyzes firewall logs for suspicious behavior or unauthorized access. IBM performs regular vulnerability scans. A third party performs vulnerability assessments.

An intrusion detection system is used to protect the Blueworks Live service from malicious attacks. Antivirus software runs continuously, and virus definitions are evaluated and updated regularly.

IBM Blueworks Live uses TLS 1.2 (the successor to Secure Socket Layer) with 256-bit encryption, which provides both server authentication and data encryption.
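One way a customer or the operations team could check a deployment's externally visible behaviour against the perimeter and transport controls stated above (only the HTTP-to-HTTPS redirect on port 80 and TLS 1.2 with 256-bit encryption on port 443). This is an added example, not IBM's code; the host name is a placeholder and the observation values are constructed.

```python
import socket
import ssl
from http.client import HTTPConnection

# Controls stated in the overview: port 80 redirects to 443, and port 443
# negotiates TLS 1.2 with 256-bit encryption. TLS 1.3 is accepted as well,
# since it is at least as strong as the stated minimum.
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")
MIN_CIPHER_BITS = 256
REDIRECT_CODES = (301, 302, 307, 308)


def evaluate(obs: dict) -> list:
    """Compare one observation of a service with the stated controls.

    obs keys: http_status and http_location (port 80 response), tls_version
    and cipher_bits (negotiated on port 443). Returns the list of deviations;
    an empty list means the observation matches the stated controls.
    """
    findings = []
    location = str(obs.get("http_location", "")).lower()
    if obs["http_status"] not in REDIRECT_CODES or not location.startswith("https://"):
        findings.append("port 80 does not redirect to HTTPS")
    if obs["tls_version"] not in ACCEPTED_TLS:
        findings.append("negotiated %s, expected TLS 1.2 or newer" % obs["tls_version"])
    if obs["cipher_bits"] < MIN_CIPHER_BITS:
        findings.append("cipher strength %d bits, expected %d"
                        % (obs["cipher_bits"], MIN_CIPHER_BITS))
    return findings


def observe(host: str, timeout: float = 5.0) -> dict:
    """Collect a live observation of your own deployment (needs network access)."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location", "")
    conn.close()
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cipher_bits = tls.version(), tls.cipher()[2]
    return {"http_status": status, "http_location": location,
            "tls_version": version, "cipher_bits": cipher_bits}


if __name__ == "__main__":
    # "service.example.invalid" is a placeholder; substitute your own host name.
    for line in evaluate(observe("service.example.invalid")) or ["matches stated controls"]:
        print(line)
```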

IBM Blueworks Live production servers use Red Hat Enterprise Linux. Operating system user accounts are unique and associated with specific members of the IBM Blueworks Live operations team. Users, protocols, and processes that are identified as unnecessary for IBM Blueworks Live operation are disabled.

A full backup is taken once per day, encrypted, signed, and stored at an offsite facility.

IBM Blueworks Live has emergency response plans in place and tests them annually.

Activity Logging

Where technically available, the IBM Blueworks Live operations team maintains activity logs for systems, applications, data repositories, middleware and network infrastructure devices.

To help enable central analysis, alerting, and reporting, activity logging is done to central log repositories.

Physical Security

The IBM facility where IBM Blueworks Live is hosted maintains physical security standards designed to restrict unauthorized physical access to data center resources.

Entrances to the data center facility are monitored by security cameras and production server rooms employ biometric locks. The facility is staffed 24x7.

The data center facility has redundant power, cooling, and external network connections. Customer data is stored on a RAID 10 disk array.

The data center facility security policy provides that visitors will be registered upon entering the premises and will be escorted when they are on the premises.

The IBM facility where IBM Blueworks Live is located scans for rogue wireless signals.

Compliance

IBM Blueworks Live is ISO/IEC 27001:2013 certified. This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. It also includes requirements for the assessment and treatment of information security risks.

SOC 2 audits are performed annually on the IBM data center facility to ensure the facility is equipped to protect customer data.

The IBM Blueworks Live team reviews security and privacy-related activities for compliance with IBM requirements.

Assessments and audits are conducted annually by the IBM Blueworks Live team to confirm compliance with its information security policies.

Workforce security education and awareness training is completed by the IBM Blueworks Live team on an annual basis. IBM personnel are reminded of their job objectives, and their responsibility to meet ethical business conduct and IBM Blueworks Live security obligations.