IBM Cloud account setup

An IBM Cloud account is needed to provision and manage IBM Cloud services that make up the reference architectures of the IBM Cloud for Financial Services. Along with the high-level steps to follow, we describe some of the best practices for account setup that will help you satisfy the requirements of the IBM Cloud Framework for Financial Services. In addition, the most relevant control requirements are provided.

1. Create an IBM Cloud account. For more information, see Create your account.

   It is highly recommended that you use a functional ID that is owned by your company rather than an employee's personal ID. A functional ID is a company-owned email address (such as ibm-cloud-admin@domain.com) used to represent a functional user. This allows for uninterrupted administrative access by the account owner as employees leave the company or are reassigned to other projects.

   The following table shows the controls that are most related to this step.

   Related controls in IBM Cloud Framework for Financial Services for account creation [FSv2.0]

   Family	Control
   Access Control (AC)	AC-2 Account Management

   Related controls in IBM Cloud Framework for Financial Services for account creation [FSv1.1]

   Family	Control
   Access Control (AC)	AC-2 Account Management

2. Set up the Activity Tracker Event Routing service as described in Audit logging for IBM Cloud events. This enables IBM Cloud platform events to be recorded for auditing purposes. Setting this up early in the process is important so that all platform events that occur during the rest of these steps are available in the audit logs.

   The following table shows the controls that are most related to this step.

   Related controls in IBM Cloud Framework for Financial Services for audit logging [FSv2.0]

   Family	Control
   Access Control (AC)	AC-2 Account Management AC-2 (1) Account Management | Automated System Account Management AC-2 (4) Account Management | Automated Audit Actions AC-2 (7) Account Management | Privileged User Accounts
   Audit and Accountability (AU)	AU-3 Content of Audit Records AU-4 Audit Log Storage Capacity AU-5 Response to Audit Logging Process Failures AU-6 Audit Record Review, Analysis, and Reporting AU-6 (1) Audit Record Review, Analysis, and Reporting | Automated Process Integration AU-7 Audit Record Reduction and Report Generation AU-10 Non-repudiation AU-11 Audit Record Retention

   Related controls in IBM Cloud Framework for Financial Services for audit logging [FSv1.1]

   Family	Control
   Access Control (AC)	AC-2 Account Management AC-2 (1) Account Management | Automated System Account Management AC-2 (4) Account Management | Automated Audit Actions AC-2 (7) Account Management | Privileged User Accounts
   Audit and Accountability (AU)	AU-3 Content of Audit Records AU-4 Audit Log Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Record Review, Analysis. and Reporting AU-6 (1) Audit Record Review, Analysis. and Reporting | Automated Process Integration AU-7 Audit Record Reduction and Report Generation AU-10 Non-repudiation AU-11 Audit Record Retention

3. Upgrade your account to either Pay-As-You-Go or Subscription. For more information, see Upgrading your account.

   It is highly recommended to upgrade to a Subscription account so that you can set up an enterprise. Enterprises offer significant advantages in your ability to scale your environment over time as described in Enterprise account architecture.

4. Enable multi-factor authentication (MFA) for all users in your account. Choose MFA devices that align with the defined requirements. This can include hardware tokens (U2F), like FIDO2-compliant security keys, smart cards, or software tokens (TOTP). FIDO U2F standard offers the highest level of security.

   The following table shows the controls that are most related to this step.

   Related controls in IBM Cloud Framework for Financial Services for multi-factor authentication [FSv2.0]

   Family	Control
   Identification and Authentication (IA)	IA-2 (1) Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts IA-2 (6) Access to Accounts — Separate Device

   Related controls in IBM Cloud Framework for Financial Services for multi-factor authentication [FSv1.1]

   Family	Control
   Identification and Authentication (IA)	IA-2 (1) Identification and Authentication (Organizational Users) | Multi-factor Authentication To Privileged Accounts IA-2 (11) Identification and Authentication (Organizational Users) | Remote Access - Separate Device

5. Restrict IP addresses from which a user can access the IBM Cloud account. For more information, see Allowing specific IP addresses for an account for more information.

   The following table shows the controls that are most related to this step.

   Related controls in IBM Cloud Framework for Financial Services for restricting IP addresses [FSv2.0]

   Family	Control
   Access Control (AC)	AC-4 Information Flow Enforcement
   System and Communications Protection (SC)	SC-7 Boundary Protection SC-7 (5) Boundary Protection | Deny by Default - Allow by Exception

   Related controls in IBM Cloud Framework for Financial Services for restricting IP addresses [FSv1.1]

   Family	Control
   Access Control (AC)	AC-4 Information Flow Enforcement
   System and Communications Protection (SC)	SC-7 Boundary Protection SC-7 (5) Boundary Protection | Deny By Default - Allow By Exception

6. While optional, it is recommended that you enable authentication from an external identity provider (IdP) to securely authenticate external users to your IBM Cloud account. This provides a way for your employees to use your company's single sign-on (SSO) solution.

7. Enable the IBM Cloud for Financial Services Validated setting in your account. With this setting, you can filter the catalog for services that are designated as Financial Services Validated and indicates that your account stores regulated financial services information. If you enable Financial Services Validated, your account still has access to the full public catalog. For more information, see Enabling your account to use Financial Services Validated products.

   The following table shows the controls that are most related to this step.

   Related controls in IBM Cloud Framework for Financial Services for using only Financial Services Validated services [FSv2.0]

   Family	Control
   Access Control (AC)	AC-20 Use of External Systems
   System and Services Acquisition (SA)	SA-4 Acquisition Process SA-9 External System Services
   Enterprise System and Services Acquisition (ESA)	ESA-5 Subcontractor Risk Management
   Security Assessment and Authorization (CA)	CA-3 Information Exchange

   Related controls in IBM Cloud Framework for Financial Services for using only Financial Services Validated services [FSv1.1]

   Family	Control
   Access Control (AC)	AC-20 Use of External Information Systems
   System and Services Acquisition (SA)	SA-4 Acquisitions Process SA-9 External Information System Services
   Enterprise System and Services Acquisition (ESA)	ESA-5 Subcontractor Risk Management
   Security Assessment and Authorization (CA)	CA-3 System Interconnections

8. Set the session inactivity timeout to 15 minutes. For more information, see Setting the sign-out due to inactivity duration.

   The following table shows the controls that are most related to this step.

   Related controls in IBM Cloud Framework for Financial Services for using only session inactivity timeout [FSv2.0]

   Family	Control
   Access Control (AC)	AC-11 Device Lock

   Related controls in IBM Cloud Framework for Financial Services for using only session inactivity timeout [FSv1.1]

   Family	Control
   Access Control (AC)	AC-11 Session Lock

9. Update company profile details.

   The following table shows the controls that are most related to this step.

   Related IBM Cloud Framework for Financial Services controls for updating company profile details [FSv2.0]

   Family	Control
   Configuration Management (CM)	CM-8 (4) System Component Inventory | Accountability Information

   Related IBM Cloud Framework for Financial Services controls for updating company profile details [FSv1.1]

   Family	Control
   Configuration Management (CM)	CM-8 (4) Information System Component Inventory | Accountability Information

10. Set email preferences for notifications. You can receive email notifications about IBM Cloud platform-related items, such as announcements, critical events, security notices, billing and usage, and ordering.

    The following table shows the controls that are most related to this step.

    Related IBM Cloud Framework for Financial Services controls for configuring notifications [FSv2.0]

    Family	Control
    System and Information Integrity (SI)	SI-2 Flaw Remediation SI-5 Security Alerts, Advisories, and Directives

    Related IBM Cloud Framework for Financial Services controls for configuring notifications [FSv1.1]

    Family	Control
    System and Information Integrity (SI)	SI-2 Flaw Remediation SI-5 Security Alerts & Advisories

11. Choose a support plan. For more information, see Basic, Advanced, and Premium Support plans.