cloud smarter infrastructure legal security data privacy for saas offerings for partners n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners PowerPoint Presentation
Download Presentation
Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners

Loading in 2 Seconds...

play fullscreen
1 / 11

Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners - PowerPoint PPT Presentation


  • 162 Views
  • Uploaded on

Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners. Agenda. Legal Contracts Key terms Compliance Overview Service Level Agreement Data Privacy Overview EU Safe Harbor Hosting locations Security C&SI SaaS Security Practices

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Cloud & Smarter Infrastructure Legal, Security & Data Privacy for SaaS offerings for Partners' - ghada


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
agenda
Agenda
  • Legal
    • Contracts
    • Key terms
    • Compliance Overview
    • Service Level Agreement
  • Data Privacy
    • Overview
    • EU Safe Harbor
    • Hosting locations
  • Security
    • C&SI SaaS Security Practices
    • IBM Standard ITCS104 & Industry Standards Certifications
legal c si saas contract options

Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.

Legal - C&SI SaaS Contract Options
  • IBM International Passport Advantage Agreement (IPAA) – includes SaaS terms regarding ownership, customer’s right to use, subscription to SaaS, SaaS technical support, content and termination of SaaS
  • Option 1 (Passport Advantage customers using direct or e-Commerce to purchase)
    • Terms of Use (TOU) B – standard terms of use for IBM SaaS offerings. This is in addition to IBM or IBM IPPA Express Agreement
    • TOU A – terms of use specific to a SaaS offering (e.g charge metrics, renewal)
    • Service Level Agreement (SLA) – specific to a SaaS offering
  • Option 2 (Non-Passport Advantage customers using direct to purchase)
    • Cloud Service Agreement (CSA)– simplified agreement for SaaS that benefits legacy customers from acquisitions, new customers and eCommerce (future).
    • Services Description - similar to TOU A, specific T’s &Cs for each SaaS offering
    • SLA – specific to a SaaS offering

Applies to IBM Software Value Plus

legal key terms

Kimi - verify that these only apply to IBM Software Value Plus because SSP has its own set of contracts unless SSP contracts are addendums.

Legal - Key Terms
  • Automatic renewal – contract is automatically renewed unless customer cancels.
    • Example: Customer purchases a 12 month term with monthly billing and on month 15 decides they no longer need the service they DO NOT have the option to terminate and will be responsible for the remaining 9 months of coverage (the full 12 month term).
  • Indemnity - Customer agrees to hold IBM harmless against any third party claim arising out of or relating to: 1) violation of the IBM Acceptable Use Policy by Customer or any of Customer’s IBM SaaS Users; or 2) Content made available to the IBM SaaS.
  • Non-disclosure of Customer Content – TOU B indicates that IBM will not use client data for any reason but to operate SaaS and will be kept confidential

Applies to IBM Software Value Plus

legal compliance overview
Legal - Compliance Overview

Compliance = Softlayer Compliance + C&SI SaaS Compliance

Unless both are compliant we can’t claim compliance.

  • Payment Card Industry Data Security Standard (PCI DSS) - Compliant
    • Set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. 
    • C&SI processes credit card information through IBM Payment Systems which is PCI compliant
  • Federal Risk and Authorization Management Program (FedRAMP) - Not Compliant (in progress)
    • Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
    • One of the key requirements is  Federal Information Security Management Act of 2002 (FISMA)
  • EU Safe Harbor (See EU Safe Harbor section) – Certification in process
legal service level agreements one per csi saas offering no charge
Legal - Service Level AgreementsOne per CSI SaaS Offering (no charge)

Terms found in TOU A or Cloud Services Agreement Services Description

  • “Availability” percentage is calculated as: (a) the total number of minutes in a Contracted Month, minus (b) the total number of minutes of Downtime in a Contracted Month, divided by (c) the total number of minutes in a Contracted Month, with the resulting fraction expressed as a percentage.
  • Example: 432 minutes total Downtime during Contracted Month
slide7

Data Privacy - What you need to know

Personal datagenerallyincludes information relating to an individual -think business card (e.g. names, email addresses, home address) In some countries, also includes information about identified partnerships, associations, or corporations.

IBM is a data processor, entity that processes personal data on behalf of the data controller, who would be the client responsible for entering the data.

In most cases, Passport Advantage agreement covers data privacy for personal data.

EU and Switzerland have additional data privacy regulations but have established the ability to create a framework with the U.S for accessing personal data.

C&SI SaaS is in the process of obtaining EU Safe Harbor certification. This requires a risk assessment after we Go Live. In the meantime, we have security measures in place to restrict access to EU client data and for IBM non-U.S. employee access to Amsterdam hosting center in order to comply.

IBM has an Online Privacy Statement which is another EU Safe Harbor requirement

slide8

Data Privacy - EU Safe Harbor Certification

  • EU and Switzerland have specific data privacy regulations and have established the ability to create a framework with the U.S for accessing personal data called EU Safe Harbor. to prevent accidental information disclosure or loss
  • C&SI SaaS is in the process of obtaining EU Safe Harbor certification
  • Benefits:
  • Ability to assert Safe Harbor to clients and prospects.
  • Facilitates selling in the EU and Switzerland.
  • Makes us competitive in selling situations.
data privacy where are the c si saas solutions hosted
Data Privacy - Where are the C&SI SaaS solutions hosted?

Active Data Centers - SoftLayer

Amsterdam

Dallas

Singapore

  • Working with local partners to expand into additional regions
security c si saas security practices
Security - C&SI SaaS Security Practices
  • Data Security – each offering has a Security Practices document
    • Security Policy – states that IBM has published privacy and security policies and that employees are trained in security
    • Access Control
      • Only authorized employees can access client data
      • Support staff for the Cloud Offering use multi-factor authentication and encrypted channels when accessing client data
      • Data transfers are logged
    • Service Integrity & Availability
      • Change Management process governs changes to O/S, application s/w and firewall
      • Data center resources are monitored 24x7
      • Internal and external vulnerability scanning and malware detection
      • Information delivery protocols for transmission of data over public networks (e.g HTTPS, VPN)
    • Physical Security
      • Designed to restrict unauthorized physical access to data center resources.
      • Entry and removal of equipment is logged
    • Compliance
      • Assessments and audits are conducted regularly by IBM’s team to confirm compliance with its information security policies.
      • Conduct workforce security education and awareness training

Note: The Security Practices are also included in the Cloud Service Agreement Service Description for each offering.

security itcs104 industry standards certifications
Security – ITCS104 & Industry Standards Certifications

C&SI SaaS offerings adhere to the rigorous standards of ITCS104 security

There are many industry standards that require certification. C&SI is evaluating the priority order based on client demand

  • Health Insurance Portability and Accountability Act (HIPAA) – Not Certified
    • Requires certification through HIPAA Program Office (HPO)
    • Data Centers do not get certified in HIPPA – SoftLayer Internal HIPPA whitepaper
  • SSAE 16 - Not Certified
  • SOC2 Type II Compliance - Not Certified
  • Cloud Security Alliance STAR Self Assessment - Not Certified
  • EU Safe Harbor (See EU Safe Harbor section) – Certification in process