TYS provides a secure network to bring trust to information sharing between business partners. Stringent standards are in place to ensure information security and data privacy.

Data Security FAQ

TYS information security policies are guided by recognized international security standards and reference best practices as far as possible. TYS borrows best practices from COBIT and these ISO standards: 27001 (international information security standard), 27005 (information security risk management), 27701 (privacy information management systems / GDPR) and 27014 (governance of information security), and ultimately plans to become ISO 27001 certified. TYS is in the process of undergoing a SOC 2 certification and will conduct periodic audits in the future to ensure continued compliance.
No, it is not shared with everyone; data owners have control over which organizations can access the data they store in TYS. This is accomplished through user credentials, role-based access privileges, and the sharing of cryptographic keys. For example, a user from a buyer org can use their credentials to log into TYS and access their assigned role, which, if appropriate, will give them the ability to access data from all suppliers who have agreed to share their data with that buyer org. This is accomplished behind the scenes through the sharing of keys.
TYS complies with privacy laws such as GDPR and follows the ISO 27701 Privacy Information Management System international standard when managing PII data. Since blockchain ledgers are immutable, TYS stores PII off-chain so that the ‘Right to Forget’ and other data subject rights outlined in GDPR can be met. PII data is encrypted with the data owner’s organizational keys and is under the control of the owner (i.e. Supplier or Buyer). It can be shared at will by the owner with other permissioned members of the TYS network and also deleted at will.
Yes. TYS data confidentiality is preserved by encrypting it whenever possible. Member organizations have keys that enable them to encrypt blockchain data and any PII data they commit off-chain. Other off-chain data is natively encrypted at rest, and data in transit is always protected using HTTPS or TLS.
Backup and recovery of the ledger is native to the blockchain and TYS implements this by having multiple nodes in different zones and regions, with an identical copy of the ledger on each. Any node that fails will automatically sync up with other nodes to update its ledger upon recovery, meaning every node is considered a backup and blockchain data processed by TYS is never lost. Off-chain data is replicated in multiple instances of each off-chain database.
Passwords must be 8 to 15 characters long, contain both upper- and lowercase letters and a numerical digit, and be changed every 180 days (an Admin role can change this interval). Passwords are always encrypted, and their hashes are stored off-chain. SSO is enabled for TYS, using OpenID Connect or SAML; when SSO is used, users must observe their organization’s password rules.
TYS verifies the user’s ID, password hash, and existence of a valid X.509 certificate before granting application access and opening a new session. A user can only run one session at a time. Sessions are not open-ended: each user is issued a session token upon login that will expire once the length of a user’s inactivity exceeds a certain time, or if the user begins a new session outside of the current browser window.
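As an added illustration (not TYS code), the following Python models the session controls described above: login succeeds only when the user ID is known, the password hash matches and the certificate is valid; each user holds one session at a time, so a new login revokes the previous token; and a token expires once inactivity exceeds a limit. The 900-second idle limit, the PBKDF2 parameters and the boolean standing in for the X.509 check are assumptions, since the FAQ does not specify them.

```python
import hashlib
import hmac
import secrets

IDLE_TIMEOUT_SECONDS = 900  # assumption: the FAQ does not state the idle limit

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: only the salted hash is stored, never the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    def __init__(self, accounts: dict):
        self.accounts = accounts   # user_id -> (salt, pw_hash, cert_valid)
        self.sessions = {}         # token -> [user_id, last_seen]
        self.by_user = {}          # user_id -> active token

    def login(self, user_id: str, password: str, now: float):
        # all three checks must pass: known ID, matching hash, valid certificate
        acct = self.accounts.get(user_id)
        if acct is None:
            return None
        salt, pw_hash, cert_valid = acct
        if not cert_valid or not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return None
        # one session per user: a new login revokes the previous token
        old = self.by_user.pop(user_id, None)
        if old is not None:
            self.sessions.pop(old, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [user_id, now]
        self.by_user[user_id] = token
        return token

    def validate(self, token: str, now: float) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user_id, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(token, None)  # idle too long: expire the session
            self.by_user.pop(user_id, None)
            return False
        entry[1] = now  # activity resets the idle clock
        return True

def demo_store() -> SessionStore:
    # constructed sample account (cert_valid=True stands in for an X.509 check)
    salt = b"constructed-salt"
    return SessionStore({"alice@buyer.example": (salt, hash_password("Tys-Demo-Pw1", salt), True)})
```

A failed login attempt does not disturb an existing session; only a successful new login replaces it.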
TYS is hosted and maintained on IBM Cloud. All servers are currently in two IBM Data Centers – one in the U.S. and one in Europe – and are managed and operated by IBM. As such, they adhere to IBM physical policy guidelines and are protected against attacks, accidents and natural disasters. These security measures follow the NIST 800-53 PE security and privacy control framework as well as ISO 27001 A11 requirements.
TYS has a primary web-app firewall in front of the node application HTTPS ports, and all public internet traffic terminates at it. It only allows HTTPS traffic to the TYS web server. There is also an IBM firewall internal to IBM Cloud IaaS, which uses three interfaces to protect TYS elements in the cloud. More details, including a network diagram, are available upon request.
Yes: TYS has a complete Business Continuity Plan and regularly updates it. TYS has documented its overall BCP process and trained TYS support and operations personnel on it. TYS conducts annual BCP drills, including DAST and SAST application security testing, and remediates any vulnerabilities found during them.
Yes: TYS has an approved Security Incident Management Plan in place which will undergo revisions as future requirements are defined. It follows ISO/IEC Standard 27035 security incident guidance, which includes a recommended five-step process of preparing for incidents, monitoring and reporting incidents, assessing and working out how to mitigate incidents, responding by resolving incidents, and documenting lessons learned. Any user of the TYS network can report an observed incident, which is then logged in a tracking tool and classified with a severity level.
TYS is in the process of configuring SIEM tools that perform several functions, including monitoring network traffic to and from the Kubernetes clusters, identifying attacks and potentially compromised assets, and looking at activity logs for unauthorized or suspicious user or application access and changes to IBM Cloud resources. More details are available upon request.
The TYS network uses an IBP 2.0 high availability blockchain configuration and has distributed nodes across multiple zones and regions to allow for redundancy if a zone or region goes down. In the unlikely event that a critical severity 1 incident occurs, the TYS team will attempt to resolve it within 24 hours. TYS tests backup/restore processes and redundancy annually.
All TYS employees must complete a mandatory, custom security training program consisting of 23 modules on topics from malware to GDPR to general security awareness. The full list of modules is available upon request.