IBM Cloud Docs
PS-6 - Access Agreements

Control requirements

PS-6 (a)

Develop and document access agreements for organizational systems.

PS-6 (b)

Review and update the access agreements [IBM Assignment: at least annually].

PS-6 (c)

Verify that individuals requiring access to organizational information and systems:

  1. Sign appropriate access agreements prior to being granted access; and
  2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [IBM Assignment: at least annually].

Additional IBM Cloud for Financial Services specifications

The organization shall ensure that its resources do not conduct customer business using non-customer accounts (e.g. personal email, social media, and blogs) unless the customer has approved such use.

Customer consent must be obtained before any data is released for use outside its intended purpose.

Rules of behavior must include data handling requirements according to customer’s security classification, including but not limited to:

  • Clear desk policy to safeguard sensitive information
  • Customer data may not be stored on laptops or mobile devices
  • When users stop work and move away from the immediate vicinity of the system, a screen lock must be engaged that replaces the information previously visible on the display with a publicly viewable image
  • Credentials must not be shared and must be rotated and stored in accordance with authentication and encryption policies
  • Collaboration spaces must be secured, and data shared only with authorized individuals who have been granted permission to access it

Rules of behavior must include customer required restrictions on sending external emails, including but not limited to:

  • Only sending external emails for authorized business purposes
  • Never sending or forwarding customer-related content to personal email addresses
  • All email exchanges with the customer must be encrypted via customer-approved solutions

NIST supplemental guidance

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.