Kyndryl Cyber Security

Access Control Policy - Establish an Access Control Policy for every application or system that describes how to manage risks from user account management, access enforcement and monitoring, separation of duties, and remote access.

User Access Management - Assign access rights based on a business need-to-know basis. Privileged access should be assigned carefully and with the least amount of privilege required. Revoke rights when there is no longer a business need for the employee or contractor to have the access. Access rights are reviewed on a regular basis to ensure continued business need and privileged revalidation.

Application and System Access Control - Use secure logon procedures to control access to applications and systems, including multi-factor authentication.

• Use encryption based on risk criteria, such as information sensitivity or classification.
• Protect data in transit on public and private networks and secure data at rest in applications or systems to mitigate threats.
• Protect and encrypt cryptographic keys throughout the entire key management life cycle.

• Maintain operating procedures and make these available to relevant users
• Operating procedures may include: Installation and configuration of applications and systems
• Startup and close-down procedures
• Authentication and authorization management
• Maintenance and backup procedures
• Information handling procedures, both automated and manual activities
• Problem determination and handling
• Logging and monitoring
• Communication with support and escalation contacts
• Security incident handling
• Security testing
• Vulnerability and patch management

Design and operate networks with the following objectives:

• To limit access to Kyndryl networks to authorize parties.
  
• To be resilient when confronted with external threats such as intrusion and disruption.
• Protect information in systems and applications on the Kyndryl network.

Place infrastructure assets in controlled access areas, with the exception of those intended for public use.

Apply risk-based access controls, which may include locking or guarding areas to:

• Allow access only to authorized individuals
• Maintain physical security during power outages
• Maintain access logging

Evaluate suppliers based on their ability to meet business and security requirements. The supplier must demonstrate security and privacy practices, for example, through certifications or third-party attestations.

Kyndryl has established security and use standards for Kyndryl employees and the extended workforce and their workstations and mobile devices used to conduct Kyndryl business or that connect to the Kyndryl internal network. The focus of these standards is to protect data and information technology assets from loss, modification, or destruction. Kyndryl’s internal policies summarize the most critical steps employees must take to protect workstations and mobile devices. Further, the standards outline employee responsibilities for protecting Kyndryl Confidential information and provide security and appropriate use requirements.

Physical Security

Kyndryl employees are provided with specific guidance intended to maintain the physical security of their workstations, mobile devices and work areas, and maintain security while traveling.

Logical Security

Access management is required to protect information and systems at both individual and role-based levels. Passwords are expected to be changed regularly and comply with password complexity standards.

Safe Use and Education

Kyndryl employees receive guidance and education regarding the safe use of information technology assets. Further, Kyndryl has implemented annual mandatory IT security education to help employees understand security risk and comply with IT policies. Employees also receive education on Kyndryl’s ethics and integrity and Kyndryl requires that employees conduct business observing high ethical standards and in accordance with data security and confidentiality policies. Employees are expected to report illegal or unethical behavior. At the time of being hired and annually thereafter, Kyndryl employees are required to read and agree to comply with its ethics and integrity standards as a condition of employment.

Incident Reporting

Kyndryl maintains a globally accessible security incident reporting and mitigation system in which IT security and data incidents are reported. This report initiates a response from a 24x7x365 team of specifically trained and equipped employees who, working with the business teams and other subject matter experts as needed, will manage the incident until resolution.

The Company will provide mandatory customized cybersecurity training to all employees on an annual basis, including training on recognizing, avoiding and reporting suspicious activity. The CISO organization provides a variety of mechanisms for employees and others to report potential security incidents, which can range from lost mobile phones to malware on a laptop to phishing incidents and misdirected e-mails. On a regular basis, the CISO organization performs phishing simulations to test and practice the readiness of employees in recognizing and responding to email-based threats.

The Security Operations Center (SOC) monitors for threats to the Company’s networks and systems. In order to identify, monitor and address internal threats, the SOC relies on a variety of threat intelligence sources. The SOC manages an extensive deployment of advanced detection and response technologies.

In addition to the SOC, dedicated teams are devoted to threat intelligence, threat hunting, penetration testing and remediation. These teams work together to proactively identify possible adversary campaigns, hunt for suspicious activity within the Company’s networks and systems, identify potential weaknesses in the security posture before they can be exploited, and ensure that follow-up remediation is completed. These teams are also engaged with the SOC and CSIRT teams to enhance monitoring and assist incident investigations

The Company utilizes a comprehensive incident response process to deal with cybersecurity incidents worldwide. This process spells out the end-to-end procedures and the responsibilities of each stakeholder in responding to an incident. The process is reviewed and updated periodically to take into account lessons learned in this evolving area.

A team composed of Cybersecurity Incident Response Team (CSIRT) and Cyber Legal meets regularly to evaluate information about both new and previously reported incidents. Incidents are delegated to appropriate individuals for assessment, investigation and remediation. Depending on the nature of the matter, the incident response may include CSIRT, Cyber Legal, the CISO and various CISO teams, the Chief Privacy Officer, Human Resources, Procurement, the Chief Accounting Officer, and Corporate Security, in consultation with the General Counsel and the SVP with responsibilty for cybersecurity.

The Kyndryl CSIRT is an internal team staffed with incident responders and forensic analysts. In-scope cybersecurity incidents include:

• A potential or suspected security breach of data or information technology assets and systems owned or managed by Kyndryl.
• A potential compromise of customer data or information technology assets and systems when the incident might involve Kyndryl personnel, systems, products, or services.

Kyndryl’s IT security management structure is influenced by several industry security standards and frameworks such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). Kyndryl’s security and privacy policy and standards are reviewed regularly through a combination of frameworks, and other internal and external audits, as appropriate.

The Company has a dedicated Chief Information Security Officer (CISO), whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes. The CISO organization works across all of the organizations within the company to protect the Company, its brand, and its customers against cybersecurity risks.

The Cybersecurity Governance Board will provide oversight and direction for the management of the Company’s cybersecurity risk. The Cybersecurity Governance Board will be responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence.

The Company’s Board of Directors will monitor the cyber governance process and will briefed on issues such as the identification, management and remediation of cybersecurity risks, both internal and external, threat intelligence, emerging global policies and regulations, cybersecurity technologies, cybersecurity issues and incidents.