IBM® Power® Virtual Server compliance certifications

The Power Virtual Server provides programs and certifications that help you establish and strengthen compliance for a wide range of internationally recognized standards.

SOC

The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.

SOC 1 is an audit of the internal controls that a service organization implements to protect client-owned data involved in the client's financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402).

Contact an IBM representative to request the IBM® public cloud (infrastructure, VPC, and PaaS) SOC reports.

The following SOC reports are available for Power Virtual Server:

  • SOC 1 Type 2

ISO 27017:2015

The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based, and market relevant. The goal is to ensure that products and services are safe, reliable, and of good quality.

The Power Virtual Server provides services that are delivered from global data centers that are a component of the IBM Cloud™ IaaS ISO certification. The ISO certification covers a family of four standards:

  • ISO/IEC 27001:2013
  • ISO/IEC 27017:2015
  • ISO/IEC 27018:2019
  • ISO/IEC 27701:2019

For more information, see ISO 27017 - IBM Cloud® infrastructure certificate and Products in scope of the IBM services information security management system (ISMS).

PCI-DSS

To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry Data Security Standard (PCI DSS). These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Security Assessor (QSA). IBM is a Level 1 Service Provider for PCI DSS.

You are responsible for storing, processing, and transmitting cardholder data, and you may create cardholder data environments (CDEs) that store, transmit, or process cardholder data by using IBM Cloud Platform services. You can use the IBM Cloud Attestation of Compliance (AOC) when you seek your own PCI DSS certification. It is your responsibility to document and operate CDEs and applications that are built on IBM Cloud Platform services in a PCI DSS-compliant manner.

Contact an IBM representative to request a PCI DSS Attestation of Compliance (AOC) or a Service Responsibility Matrix (SRM) guide for Power Virtual Server.

You can build PCI DSS-compliant environments and applications by using IBM Cloud. For more information, see IBM Cloud PCI DSS Guidance.

HIPAA

The US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define standards for handling electronic healthcare transactions and information. Power Virtual Server on IBM Cloud is HIPAA-ready. You can build HIPAA-ready environments and applications by using Power Virtual Server. For more information, see IBM Cloud® compliance: HIPAA.

If you or your company is a covered entity as defined by HIPAA, you must enable the HIPAA Supported setting when you run sensitive workloads that are regulated under HIPAA and the HITECH Act. With this setting enabled, you can filter on HIPAA Enabled services in the catalog, indicate to IBM that your account stores protected health information (PHI), and digitally accept the IBM Business Associate Addendum for covered entities. For more information, see Enabling HIPAA support for your account.