IBM ICE (Innovation Centre for Education)

Welcome to:
Unit 5 - Audit and Monitoring, Intelligence, Compliance,
Management and Governance

© Copyright IBM Corporation 2015 9.1


Unit objectives
IBM Power Systems

After completing this unit, you should be able to:

• Understand the process of Information Security Audit
• Recognize the Auditing & Regulatory Standards used in India
• Enumerate various concepts of Governance, Risk & Compliance


Background

• The process of verifying the security implementation and comparing it with a standard is known as an audit or security audit
• These audits are carried out based on certain frameworks or best practices that are also known as standards
• The security system of an organization can be improved if a risk-based audit program is carried out in the organization


Introduction to Information Security Audit

• Definition
– An information security audit is a process in which the organization’s technology team conducts an organizational review to ensure that the correct and most up-to-date processes and infrastructure are being applied.
• Explanation
– Auditing is an evaluation of a person, organization, system, process, enterprise, project or product performed to determine the validity and reliability of information and also to provide an assessment of a system’s internal controls


Audit Drivers

• Drivers are responsible for initiating & implementing any project. The following drivers are responsible for an audit:
– Policies
• The policies of an organization generally cover the various aspects of the audits that must be conducted to verify the proper functioning of its processes
– Regulations
• Regulations set out requirements that are important for governing various domains.
– Customer requirements
• Audits also depend on the requirements of customers who want to improve the working of certain processes of the organization they outsource to, and who want to ensure that the outsourcing partner will employ the same amount of due diligence in its operations as the customer


Types of Audit

• Internal Audit
– Internal audit, sometimes called 1st party audit, is a systematic, independent and documented process usually conducted by organizations themselves
– Internal auditing is an independent, consulting and assuring activity designed to improve an organization's operations.
• External Audit
– These audits are conducted by other organizations to verify and validate the status of information security
• There are generally 2 types of external audits:
– 2nd party audit
– 3rd party audit


Audit Process

• The main objectives for a security audit are:
– Verify the existing security policy, guidelines, procedures and standards
– Determine the insufficiencies and verify the effectiveness of the existing policy, guidelines, procedures and standards
– Identify and determine the existing vulnerabilities and risks
– Analyze in-place security controls on administrative, managerial and operational issues together with ensuring compliance with the minimum security standards
– Offer recommendations on corrective actions for improvements


Approach for Information Security Audit


Information Security Audit Process


Information Security Auditing Standards

• There are many audit standards for security which specify certain techniques that must be followed to make sure that IT resources are protected appropriately
• Types of Auditing Standards
– Management Standard
– Accounting Standard
– Regulatory Standards


Management Standard

• There are certain standards on which the information security audit is based. These standards provide criteria on which an organization’s security process is judged
• Types of management standards:
– ISO 27001
– SAS 70
– SSAE 16
– COBIT
– COSO
– HITRUST CSF


Accounting Standard

• There are other standards as well, apart from ISO standards, which can provide guidelines for an information security audit, such as:
• The Sarbanes-Oxley Act of 2002
– The legislation came into force in 2002 and introduced major changes to the regulation of financial practice and corporate governance


Regulatory Standards

• Telecom
– The Draft National Telecom Policy – 2011 (NTP-2011), released on 10 October, 2011, directionally sets the groundwork for the next round of transformation in the Indian telecommunications sector
• Banking
– The Reserve Bank of India (RBI) released detailed guidelines on information technology (IT) governance, information security, and cyber fraud for the Indian banking industry.
• Insurance
– The Insurance Regulatory and Development Authority (IRDA) has released draft guidelines on participation in its Electronic Transaction Administration and Settlement System (ETASS)
• Healthcare
– Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services promulgates rules and regulations to regulate the privacy and security of medical information

Benefits

• The ability to systematically and proactively protect the company from the dangers and potential costs of computer misuse and cybercrime
• The ability to make informed practical decisions about security technologies and solutions and thus increase the return on information security investments
• The management and control of costs related to information security
• Greater organizational credibility with staff, customers, and partner organizations
• Better compliance with regulatory requirements for security and privacy


Data Sampling and Collection

• To collect accurate and appropriate data, proper filtering mechanisms must be employed so that relevant data can be extracted from chunks of raw data. Once the relevant data is identified, it is collected and stored for further processing


Log Management 1

• The process of transmitting, analyzing, storing and disposing of computer security log data is known as computer security log management.
• The events occurring inside an organization’s networks and systems are recorded. These records are known as logs
• Logs were originally used for troubleshooting problems, but now logs serve many more functions in most organizations
• Types of functions performed by logs:
– To optimize the performance of the networks and systems
– To record the employee’s actions
– To provide useful data in case of malicious activity


Log Management 2

• The volume, number and variety of logs related to computer security have increased for two main reasons:
– The deployment of workstations, networked servers and computing devices has been widespread
– The threats against systems and networks have increased as well
• Types of sources of logs
– Security Software logs
– Operating System logs
– Application logs


Security Software Logs

• Security software is a major source of computer security log data
• Most organizations use several types of host-based and network-based security software to perform the following actions
• Example
– Detection of malicious activities
– Protection of data and system
– Supporting the efforts of incident response


Security Software generating logs

• Antimalware Software
• Intrusion prevention and detection systems
• Web Proxies
• Authentication Servers
• Routers
• Firewalls
• Network Quarantine Servers


Operating System Logs

• A variety of information is usually logged by operating systems. The common types of operating system logs related to security are as follows:
– System Events
• Operating systems usually permit administrators to specify which event types will be logged.
– Audit Records:
• An audit record lists security event information:
– Failed and successful attempts of authentication
– Changes in the security policy
– Changes in the account details
– Attempts to access a file


Application Logs

• Operating systems and security software provide the foundation and protection for applications, which are used to store, access, and manipulate the data used for the organization’s business processes
• Types of log information gathered:
– Account information
• Account changes and failed and successful authentication attempts fall in this category
– Usage information
• The number of transactions that have taken place in a period of time
• The transaction’s size


Application Log Indicators

• An increase in e-mail activity indicates the rise of new e-mail-borne malware
• A large e-mail that has been sent indicates an inappropriate release of information
• Significant operational actions
– This category covers many operational actions:
• Shutting down and starting up the application
• Failures in the application
• Major application configuration changes. These can be used to identify security compromises and operational failures


Data aggregation and reduction

• Log management infrastructures typically perform several functions that support the analysis, storage and disposal of log data. These functions do not alter the original logs.
• The most common types of log management infrastructure are as follows:
– General Log Management
– Log Storage


General Log Management

• Log parsing
– Extracting data from a log so that it can be used as input for another logging process is called log parsing
• Event filtering
– Suppressing log entries from reporting, long-term analysis or simple analysis is known as event filtering
• Event aggregation
– Consolidating many similar entries into a single entry is known as event aggregation
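
The three functions above chained together on a firewall log, as an added example that is not part of the original slides. The log format, field names and sample lines are constructed for illustration, and the aggregation key (source, destination, port) is an assumption.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample lines in a made-up firewall log format (not from the slides).
SAMPLE_LOG = """\
2015-03-02T10:00:01Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2015-03-02T10:00:02Z fw01 action=ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443 proto=tcp
2015-03-02T10:00:04Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
this line is corrupted and must not stop the pipeline
2015-03-02T10:00:09Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2015-03-02T10:01:30Z fw01 action=DENY src=192.0.2.44 dst=10.0.0.9 dport=3389 proto=tcp
2015-03-02T10:02:00Z fw01 action=ALLOW src=10.0.0.8 dst=198.51.100.20 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<fields>.+)$")
REQUIRED = ("action", "src", "dst", "dport")


def parse_line(line):
    """Log parsing: turn one raw line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not all(k in fields for k in REQUIRED):
        return None
    return {"ts": ts, "host": m.group("host"), **fields}


def keep_event(event):
    """Event filtering: suppress routine ALLOW entries, keep DENY for analysis."""
    return event["action"] == "DENY"


def aggregate(events):
    """Event aggregation: merge similar entries (same src, dst, dport) into one."""
    merged = OrderedDict()
    for e in events:
        key = (e["src"], e["dst"], e["dport"])
        if key not in merged:
            merged[key] = {"src": e["src"], "dst": e["dst"], "dport": e["dport"],
                           "count": 0, "first_seen": e["ts"], "last_seen": e["ts"]}
        entry = merged[key]
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], e["ts"])
        entry["last_seen"] = max(entry["last_seen"], e["ts"])
    return list(merged.values())


def process(raw_text):
    """Run parse -> filter -> aggregate; the raw text itself is never modified."""
    parsed, rejected = [], 0
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected += 1  # count malformed lines instead of silently dropping them
        else:
            parsed.append(event)
    kept = [e for e in parsed if keep_event(e)]
    return {"parsed": len(parsed), "rejected": rejected,
            "filtered_out": len(parsed) - len(kept), "summary": aggregate(kept)}


if __name__ == "__main__":
    result = process(SAMPLE_LOG)
    print(result["parsed"], "parsed,", result["rejected"], "rejected,",
          result["filtered_out"], "filtered out")
    for row in result["summary"]:
        print(row["src"], "->", row["dst"] + ":" + row["dport"], "x", row["count"],
              row["first_seen"].isoformat(), "to", row["last_seen"].isoformat())
```

The aggregated row for the repeated source address is the kind of single entry the firewall-log use case relies on: one record with a count and a first/last-seen window instead of many near-identical lines.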

Log Storage

• Log rotation
– The process of opening a new log file after closing an existing log file is called log rotation
• Log archival
– Retaining important logs for an extended time period is known as log archival
• Log compression
– The process of storing a log file in a way that reduces its size without altering the meaning of its contents
• Log reduction
– The process of creating a new log by removing entries that are not needed from an existing log
• Log conversion
– This process parses a log in one format and stores its entries in a second format

Monitoring and control

• These events can be studied mainly by analyzing network behavior or by reviewing computer security event logs.
• In order to avoid or minimize the losses from an incident outcome, the events need to be analyzed as close to real-time as possible
• Log monitoring is done by the third tier of log architecture which contains consoles that may be used to monitor and review log data and the results of automated analysis
• Log monitoring consoles can also be used to generate reports


Importance of logs

• Logs can be very helpful in determining what happened when there was a security breach
• Logs are basically used to keep records of data
• Other uses of logs
– Logs can be helpful in detecting inappropriate use of data, attacks on the systems and other frauds
– Logs can act as the preliminary source of information about an attack, as they record the malicious activities and commands that are being issued to a server
– Logs can also help in correlating recorded events which are being captured by the primary log types
– A firewall log can be helpful as it stores unauthorized connection attempts made from the same source IP address


Needs for management of logs 1

• Log management helps in the following ways:
– It ensures that computer security records are stored for a suitable time period and in sufficient detail
– Log analysis and reviews help to identify policy violations, security incidents, fraudulent activity and operational problems in a very short period of time. The logs can also provide data that is useful for solving these problems
– Logs can support internal investigations, the identification of operational trends, the establishment of baselines, and forensic and auditing analysis


Needs for management of logs 2

• Besides the benefits of log management, a number of laws and regulations make it compulsory for an organization to review and store certain logs
• Regulatory compliance requirements are as follows:
– Federal Information Security Management Act of 2002 (FISMA)
– Gramm-Leach-Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Sarbanes-Oxley Act (SOX) of 2002
– PCI DSS


Considerations for effective log management

• The issues which should be kept in mind while developing the log management process are as follows:
– A limited amount of log management resources has to be balanced effectively
– There is an ever-increasing supply of log data which causes more confusion
– The initial generation of logs raises several potential problems because of the prevalence and variety of logs
– The integrity, availability and confidentiality of the logs that are being generated could be breached intentionally or inadvertently
– The personnel responsible for performing log analysis are not well prepared or supported


Challenges affecting log management

• Logs pose their own challenges if they are to be monitored, controlled and segregated properly. The challenges that an organization faces during the management of logs can have a catastrophic effect
• Types of Challenges are as follows:
– Challenges of Log Generation & Storage
– Challenge of Log Protection
– Challenges of Log Analysis


Challenges of Log Generation and Storage 1

• There are too many log sources
– A single log source can generate multiple logs
• Example
– A single application storing network activity and authentication attempts in two different logs
• Log content is inconsistent
– Each log source records certain pieces of information in its log entries
• Example
– Host IP addresses and usernames


Challenges of Log Generation and Storage 2

• Timestamps are inconsistent
– The timestamp in the log will be inaccurate if the host's clock is inaccurate. This makes log analysis more difficult when logs from multiple hosts are being analyzed
• Example
– Two events that occur at a gap of 2 minutes can be indicated by a false timestamp as having occurred at a gap of 45 seconds
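
How such a false gap arises, and how it is corrected before logs from several hosts are correlated, as an added example that is not part of the original slides. The host names, events and per-host clock error table are constructed; the error values are assumed to have been measured against a reference clock.

```python
from datetime import datetime, timedelta, timezone

# Assumed clock error per host in seconds (host clock minus reference time),
# e.g. as measured against an NTP reference. Values are constructed.
CLOCK_ERROR_S = {"web01": 0.0, "db01": -75.0}

# Constructed events: (host, timestamp as logged, message).
# web01 logs in UTC; db01 logs local time (+05:30) and its clock runs 75 s slow.
EVENTS = [
    ("web01", "2015-03-02T10:00:00+00:00", "login accepted for user alice"),
    ("db01",  "2015-03-02T15:30:45+05:30", "bulk export started"),
    ("web01", "2015-03-02T10:01:40+00:00", "password changed for user alice"),
    ("db01",  "2015-03-02T15:31:15+05:30", "bulk export finished"),
]


def logged_utc(stamp):
    """Parse an ISO 8601 timestamp with offset and convert it to UTC."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        # Without an offset the same string could mean several instants.
        raise ValueError("timestamp without UTC offset is ambiguous: " + stamp)
    return ts.astimezone(timezone.utc)


def corrected_utc(host, stamp, clock_error=CLOCK_ERROR_S):
    """Remove the host's known clock error; an unmeasured host is an error, not 0."""
    if host not in clock_error:
        raise KeyError("no clock error measurement for host " + host)
    return logged_utc(stamp) - timedelta(seconds=clock_error[host])


def timeline(events, correct=True):
    """Return (time, host, message) rows sorted by logged or corrected time."""
    rows = []
    for host, stamp, msg in events:
        when = corrected_utc(host, stamp) if correct else logged_utc(stamp)
        rows.append((when, host, msg))
    return sorted(rows)


def gap_seconds(events, first_msg, second_msg, correct=True):
    """Seconds between two events identified by their message text."""
    when = {msg: t for t, _, msg in timeline(events, correct)}
    return (when[second_msg] - when[first_msg]).total_seconds()


if __name__ == "__main__":
    a, b = "login accepted for user alice", "bulk export started"
    print("gap as logged:", gap_seconds(EVENTS, a, b, correct=False), "s")
    print("gap corrected:", gap_seconds(EVENTS, a, b, correct=True), "s")
    for label, flag in (("as logged", False), ("corrected", True)):
        print(label)
        for when, host, msg in timeline(EVENTS, correct=flag):
            print("  ", when.isoformat(), host, msg)
```

Besides shrinking the 2-minute gap to 45 seconds, the uncorrected timeline also places the export before the password change, which reverses the order of events an analyst would reconstruct.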

Challenges of log protection

• Logs which are not secured properly in transit or in storage can be destroyed or altered, unintentionally or intentionally
• Logs need to be protected from breaches of confidentiality and integrity because they contain network and system security records
• Example
– Users’ passwords and e-mail contents can be inadvertently or intentionally captured by the logs


Challenges of Log Analysis 1

• Administrators treat it as a low priority task because of other responsibilities such as mitigating security vulnerabilities and fixing operational problems, together with management requiring quick responses
• The administrators who mostly perform log analysis do not have any training in prioritization of tasks, which would increase its effectiveness and efficiency
• Administrators generally do not have effective tools for automating the process of analyzing the logs, such as scripts and security software tools
• Example
– Host-based intrusion detection products
– Security information and event management software

Challenges of Log Analysis 2

• Most of these tools are specifically designed to find patterns that are difficult for humans to track
– Correlating multiple logs to track an event that may be invalid
• Most administrators are not inclined to analyze logs, as it takes a lot of time and the benefits are small
– After a problem is identified through other means, the logs are analyzed to get to the root cause
• Log analysis is mostly used as a reactive counter-measure rather than a proactive one
– Monitoring logs to identify upcoming problems through various issues


Introduction to Governance, Risk & Compliance

• Definition
– GRC is an integrated approach for improving governance through more-effective compliance and a better understanding of the impact of risk on business performance. It is used by corporations to act in accordance with the guidelines set for each category.
• Explanation
– GRC is the integration of all governance, risk assessment and mitigation, and compliance and control activities to operate in synergy and balance.
– Governance, Risk Management and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives
– A GRC strategy can help create business value by reducing costs, identifying operational inefficiencies, rationalizing controls, and enabling identification and management of risks

GRC Pillars

• Governance
– Good governance is about steering the company in the right direction as well as evolving policies and procedures and improving process efficiency to achieve better alignment with corporate goals
• Risk Management
– Effective risk management enables companies to protect the value built within an organization and can also create new value by identifying opportunities to build growth, increase competitive advantage and drive efficiencies throughout the organization
• Compliance
– Compliance is achieved through various controls that are defined and established to help organizations prevent or detect policy violations and to improve business processes throughout the organization


The value of GRC to business

• GRC promotes the unification of criteria, the coordination of effort and collaboration between the different actors involved in the direction of the organization
• Business values are as follows
– The integration of the government officials, administration and risk management, internal control and compliance
– Assignment of roles and responsibilities to key personnel
– Formalization of communication channels
– Applying a risk-based approach
– The implementation of a compliance program


Benefits

• Reduced time and cost for audits
• Easy validation of compliance standards
• Reducing risks and increasing confidence in financial reporting
• Improved decision-making process through real-time diagnostics
• Generation of internal control guidelines in organizational culture


Tools for GRC 1

• Accelus GRC
– Solution built to handle the diverse requirements of internal audit, internal controls management, risk management, policy management, legal and compliance professionals
• Key benefits:
– Provides visibility, transparency and oversight over GRC processes
– Monitor and track regulatory rule changes
– Mitigate risk hiding in client relationships and related human networks
– Identify and mitigate legal, regulatory and business risk
– Maintain effective policies and demonstrate supervision
– Streamline audit, risk management and internal control processes
– Efficiently address required regulatory disclosure deadlines


Tools for GRC 2

• Open-Pages
– An integrated governance, risk and compliance platform that enables companies to manage risk and regulatory challenges across the enterprise
• Key benefits:
– Internal Audit
– Definition, planning, execution and reporting of audits for all business lines
– Automated workflows and configurable reports
– IT Risk
– IT risk evaluation
– Identification of critical risks, controls and gaps
– Operational Risk
– Identify, manage and monitor high level reports


Tools for GRC 3

• RSA Archer e-GRC
– RSA Archer e-GRC solutions allow an organization to build an efficient, collaborative enterprise governance, risk and compliance (e-GRC) program across IT, finance, operations and legal domains
• Key benefits:
– Flexibility: The Platform offers a point-and-click interface for building and managing business applications.
– Unified: Provides a common platform to manage policies, controls, risks, assessments and deficiencies across lines of business
– Collaborative: The Platform enables cross functional collaboration and alignment


Implementation in real world 1

• A large financial institution wanted to implement a GRC solution to provide reporting, automated scheduling and facilitate cross-departmental reporting requirements for approximately 1,000 vendors of various sizes and capacities located around the globe. One key factor driving the need for a GRC solution was the organization’s desire to reduce the significant overhead being generated due to time-consuming data entry on spreadsheets, regular initiation of manual vendor reviews and vendor interaction that provided incomplete questionnaires or missed deadlines for submission of information


Implementation in real world 2

• GRC is also important for regulatory compliance in hospitals. Besides this, they also need to have an adequate governance and risk approach embedded in their organization. The frequency with which new regulations are introduced requires an approach with a strategic and integrated perspective. Therefore, it is of great necessity that hospitals develop an integrated and risk-based GRC policy. Moreover, it must also be ensured that this crucial business concept is incorporated in a timely and consistent manner and enables hospitals to be future proof. As many hospitals struggle to organize their GRC processes, an instrument can be very helpful to enhance the way in which they deal with GRC related issues


Checkpoint (1 of 5)

1. Which of the following processes is responsible for inspection and verification of procedures?
– Business continuity plan
– Group privilege management
– Audit
– Security review
2. When was ISO 27001 updated?
– 2005
– 2013
– 2012
– Never updated


Checkpoint (2 of 5)

3. What does GRC stand for?
– Governance, Regulation & Compliance
– Governance, Risk & Controls
– Government, Regulation & Compliance
– None of the above
4. Which is the updated version of SAS 70?
– ISO 27001
– SAS 71
– SAS 70: 2012
– SSAE 16


Checkpoint (3 of 5)

5. Who conducts Internal Audit?
– Security Administrator
– Consultant
– Internal Auditor
– External Auditor
6. Who conducts an External Audit?
– Security Administrator
– Consultant
– Internal Auditor
– External Auditor


Checkpoint (4 of 5)

7. Which of the following is the regulatory standard for Healthcare?
– SOX
– GLBA
– HIPAA
– None of the above
8. Which of the following is a GRC tool?
– RSA Archer
– RSA GRC
– Arcsight
– All of the above


Checkpoint (5 of 5)

9. What does PDCA stand for?
– Plan Do Complete Act
– Process Device Compliance Actions
– Plan Do Check Act
– Plan Do Complete Act
10. What is a Log?
– Information that records every activity related to any device or application
– A process to store data
– A procedure to collect event information
– A file that stores information of any problem


Unit summary

Having completed this unit, you should be able to:

• Understand the process of Information Security Audit
• Recognize the Auditing & Regulatory Standards used in India
• Enumerate various concepts of Governance, Risk & Compliance
