IT Security Management Program
Kyndryl has an enterprise-level, IT security management program, including policies, practices, controls, employee education, incident reporting, and reviews, that endeavors to mitigate the risk of loss and misuse of Kyndryl critical information and help prevent the disruption of Kyndryl's business operations. The program takes a broad range of potential security risks into consideration such as, technological, human, and natural. The program’s structure is influenced by several industry security standards and frameworks, such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO).
“In the world of Cyber Security, to prevent an attack, we in Kyndryl have to ensure we have comprehensive protection in place, because we need to be right 100% of the time, while a cyber criminal only needs to be right once to gain access to our customers environments. We commit to ensuring the infrastructure we place in our customer environments are secure. At the same time, Kyndryl must comply with additional regulatory and legal requirements from around the world. Our Kyndryl team runs and manages the world's largest and most critical workloads and the IT infrastructure that supports entire industries. Security must be ingrained in everything we do.”
— Rhonda Childress, Services Business Information Security Officer (BISO), Vice President, Fellow, Data Security and Privacy Officer, Master Inventor
It’s important to note that as a fully owned IBM subsidiary all IBM information security policies remain in effect for Kyndryl until Kyndryl becomes a fully separate entity later in 2021. For details on IBM Security and Privacy please visit https://www.ibm.com/trust
In the interim in addition to adherence to IBM’s information security policies, Kyndryl will produce its own information security policies that meet or exceed IBM’s information security policy polices. Kyndryl’s information security policy will come into effect as necessary before Kyndryl becomes a fully separate entity later in 2021. As required, theses pages will be updated to reflect how Kyndryl is protecting our customers and business with security and privacy best practices.
Security Principles for Protecting Our Enterprise
- Assign the appropriate classification and security controls to information, data and assets categories.
- Apply appropriate access controls to restrict access on a business need-to-know basis.
Register and create an inventory of assets.
Establish an acceptable use policy for each asset or group of assets.
Access Control Policy - Establish an Access Control Policy for every application or system that describes how to manage risks from user account management, access enforcement and monitoring, separation of duties, and remote access.
User Access Management - Assign access rights based on a business need-to-know basis. Privileged access should be assigned carefully and with the least amount of privilege required. Revoke rights when there is no longer a business need for the employee or contractor to have the access. Access rights are reviewed on a regular basis to ensure continued business need and privileged revalidation.
Application and System Access Control - Use secure logon procedures to control access to applications and systems, including multi-factor authentication.
Use encryption based on risk criteria, such as information sensitivity or classification.
Protect data in transit on public and private networks and secure data at rest in applications or systems to mitigate threats.
Protect and encrypt cryptographic keys throughout the entire key management life cycle.
Maintain operating procedures and make these available to relevant users.
Operating procedures may include: Installation and configuration of applications and systems
Startup and close-down procedures
Authentication and authorization management
Maintenance and backup procedures
Information handling procedures, both automated and manual activities
Problem determination and handling
Logging and monitoring
Communication with support and escalation contacts
Security incident handling
Vulnerability and patch management
Design and operate networks with the following objectives:
- To limit access to Kyndryl networks to authorize parties.
- To be resilient when confronted with external threats such as intrusion and disruption.
- Protect information in systems and applications on the Kyndryl network.
Place infrastructure assets in controlled access areas, with the exception of those intended for public use.
Apply risk-based access controls, which may include locking or guarding areas to:
- Allow access only to authorized individuals
- Maintain physical security during power outages
- Maintain access logging
Evaluate suppliers based on their ability to meet business and security requirements. The supplier must demonstrate security and privacy practices, for example, through certifications or third-party attestations.
Kyndryl has established security and use standards for Kyndryl employees and the extended workforce and their workstations and mobile devices used to conduct Kyndryl business or that connect to the Kyndryl internal network. The focus of these standards is to protect data and information technology assets from loss, modification, or destruction. Kyndryl’s internal policies summarize the most critical steps employees must take to protect workstations and mobile devices. Further, the standards outline employee responsibilities for protecting Kyndryl Confidential information and provide security and appropriate use requirements.
Kyndryl employees are provided with specific guidance intended to maintain the physical security of their workstations, mobile devices and work areas, and maintain security while traveling.
Access management is required to protect information and systems at both individual and role-based levels. Passwords are expected to be changed regularly and comply with password complexity standards.
Safe Use and Education
Kyndryl employees receive guidance and education regarding the safe use of information technology assets. Further, Kyndryl has implemented annual mandatory IT security education to help employees understand security risk and comply with IT policies. Employees also receive education on Kyndryl’s ethics and integrity and Kyndryl requires that employees conduct business observing high ethical standards and in accordance with data security and confidentiality policies. Employees are expected to report illegal or unethical behavior. At the time of being hired and annually thereafter, Kyndryl employees are required to read and agree to comply with its ethics and integrity standards as a condition of employment.
Kyndryl maintains a globally accessible security incident reporting and mitigation system in which IT security and data incidents are reported. This report initiates a response from a 24x7x365 team of specifically trained and equipped employees who, working with the business teams and other subject matter experts as needed, will manage the incident until resolution.
The Company will provide mandatory customized cybersecurity training to all employees on an annual basis, including training on recognizing, avoiding and reporting suspicious activity. The CISO organization provides a variety of mechanisms for employees and others to report potential security incidents, which can range from lost mobile phones to malware on a laptop to phishing incidents and misdirected e-mails. On a regular basis, the CISO organization performs phishing simulations to test and practice the readiness of employees in recognizing and responding to email-based threats.
The Security Operations Center (SOC) monitors for threats to the Company’s networks and systems. In order to identify, monitor and address internal threats, the SOC relies on a variety of threat intelligence sources. The SOC manages an extensive deployment of advanced detection and response technologies.
In addition to the SOC, dedicated teams are devoted to threat intelligence, threat hunting, penetration testing and remediation. These teams work together to proactively identify possible adversary campaigns, hunt for suspicious activity within the Company’s networks and systems, identify potential weaknesses in the security posture before they can be exploited, and ensure that follow-up remediation is completed. These teams are also engaged with the SOC and CSIRT teams to enhance monitoring and assist incident investigations
The Company utilizes a comprehensive incident response process to deal with cybersecurity incidents worldwide. This process spells out the end-to-end procedures and the responsibilities of each stakeholder in responding to an incident. The process is reviewed and updated periodically to take into account lessons learned in this evolving area.
A team composed of Cybersecurity Incident Response Team (CSIRT) and Cyber Legal meets regularly to evaluate information about both new and previously reported incidents. Incidents are delegated to appropriate individuals for assessment, investigation and remediation. Depending on the nature of the matter, the incident response may include CSIRT, Cyber Legal, the CISO and various CISO teams, the Chief Privacy Officer, Human Resources, Procurement, the Chief Accounting Officer, and Corporate Security, in consultation with the General Counsel and the SVP with responsibilty for cybersecurity.
The Kyndryl CSIRT is an internal team staffed with incident responders and forensic analysts. In-scope cybersecurity incidents include:
- A potential or suspected security breach of data or information technology assets and systems owned or managed by Kyndryl.
- A potential compromise of customer data or information technology assets and systems when the incident might involve Kyndryl personnel, systems, products, or services.
The Company has a dedicated Chief Information Security Officer (CISO), whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes. The CISO organization works across all of the organizations within the company to protect the Company, its brand, and its customers against cybersecurity risks.
The Cybersecurity Governance Board will provide oversight and direction for the management of the Company’s cybersecurity risk. The Cybersecurity Governance Board will be responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence.
The Company’s Board of Directors will monitor the cyber governance process and will briefed on issues such as the identification, management and remediation of cybersecurity risks, both internal and external, threat intelligence, emerging global policies and regulations, cybersecurity technologies, cybersecurity issues and incidents.
This webpage describes Kyndryl’s security management program objectives for Kyndryl’s internal operations. The security of Kyndryl commercial services is described in the terms and conditions associated with those specific services. Services dedicated to a single Kyndryl customer are governed by requirements established by contract with the customer. The information is provided “as-is” and for informational purposes only and must not be included in any contracts or agreements. Kyndryl L may modify the information contained on this webpage from time to time at Kyndryl’s sole discretion without prior notice and such modifications will supersede prior versions.