© 2013 International Business Machines Corporation

Supporting IBM's Purpose, Values & Practices


Complying with Export Regulations
For more than a century - as products, technologies and eras have
come and gone - IBMers have been animated by an enduring
Purpose - to be essential. We have been defined by a core of shared
Values. And now we have come together to determine how we will
put that Purpose and those Values into practice. -- Ginni Rometty,
Chairman, President and Chief Executive Officer
The goal of this learning activity is to share expertise on how IBM complies with export
regulations, so that you go forward knowing how these regulations may affect your
day-to-day activities. At the conclusion, you will understand how you are essential to
IBM's compliance posture around the world.
Keep our expertise vital
IBMers constantly learn, develop skills and contribute to the advancement of
their fields, professions and disciplines.
Bring expertise to the client
We draw on the skills of our colleagues, partners, clients and academic peers,
bringing our clients the most relevant experts and expertise.
Give the gift of knowledge
Our goal is not to impress others with what we know, but to add to their own
knowledge, to make them smarter.
The practice of Sharing Expertise
Complying with export regulations relates directly to IBM's core value of trust
and personal responsibility in all relationships.
Unite across IBM, and beyond
We are at our best when we work together in borderless collaboration.
Get it done
We are thorough, always keeping our promises and delivering on our commitments.
Work with thoughtful urgency
We put a premium on speed. We do not confuse activity with results.
The practice of Uniting to Get it Done Now
Unite across IBM, and beyond
IBM has a global export compliance program, which includes:
Corporate Export Regulation Office (ERO)
Define Export Regulation Requirements
Interprets the US Government regulations
Acts as interface with US Government for securing export authorizations
Conducts compliance reviews and advises management of potential gaps
Provides guidance to IBM's export network
Provides oversight of non-US export regulation compliance programs
Decentralized Global IBM Export Regulation Network
Implements requirements, including the following:
designing and overseeing local ICP (Internal Control Program)
establishing procedures and ensuring compliance
Provides local education, advice and guidance
ERO Website : w3.ibm.com/chq/ero
Give the gift of knowledge
The Policy
Because IBM is a US company, IBM and all of its subsidiaries must act in
accordance with the export laws of the United States. Those laws are administered by the
following agencies:
Department of Commerce Export Administration Regulations (EAR)
Dual use products and technology and restrictive trade practices (boycotts)
Department of State International Traffic in Arms Regulations (ITAR)
Military, Intelligence, Police and Space technology, including commercial satellites
Department of The Treasury - Office of Foreign Assets Control (OFAC)
Embargoes, trade sanctions, and narcotics kingpin sanctions
For IBM subsidiaries located outside of the United States, there may be additional local
export regulation laws which would also apply. Your Export Regulation Coordinator will
be able to assist you with making this determination.
Keep our expertise vital
Export Defined
An export is the transfer of anything to a "Foreign Person" by any means, anywhere, at any
time, or a transfer to a "US Person" with the knowledge that it will be further transferred to
a "Foreign Person".
A "US Person" is defined as: A US citizen or permanent resident
A "Foreign Person" (or foreign national) is defined as: A non-US citizen, who is not
a permanent resident of the US
Applying the Definition:
The following would all be considered subject to US export regulations:
Technical data and source code transfers to a foreign national within any country
(a deemed export), e.g. to a Russian national working in Ireland
Exports to another IBM subsidiary, e.g. IBM Singapore exporting to IBM US
Exports to an IBM Customer, Partner or Supplier located outside your country, e.g.
Export of a SWG product's binary code from IBM Hungary to Flextronics in Canada
Deliveries of technical data to an external partner within your country with a remote
headquarters team involved in the engagement, e.g. Delivery to a customer in
California with headquarters located in China
Exporting is a PRIVILEGE, not a right! Every IBM employee is responsible for
ensuring IBM remains in compliance.
Violation of the US export regulations is subject to penalties, including:
Monetary fines
Denial or suspension of export privileges
Possible imprisonment
Knowledge of an actual or potential export violation needs to be reported
immediately to your local Export Regulation Coordinator.
Don't let this happen to IBM!
October 18, 2012: Mohammad Reza Hajian, RH International & P and P Computers were convicted of
exporting computers and equipment to Iran via the United Arab Emirates. Hajian is serving 48
months in prison and the companies are on 12 months' probation. The case resulted in a $10,000,000 USD
forfeiture. Export privileges were denied until 2022.
April 24, 2013: Computerlinks FZCO took actions to evade the Regulations in connection with the
unlawful export and reexport to Syria of encryption items designed for use in monitoring and controlling
Web traffic valued at approximately $1,400,000 USD. The Settlement Agreement included a civil penalty
of $2,800,000 USD and required three external audits of its export control compliance program.
June 12, 2013: Baker Eastern, SA Tripoli, Libya complied with multiple requests to furnish information
about business relationships with or in a boycotted country which is in direct violation of the US
anti-boycott laws. The company was fined $182,325 USD.
March 5, 2014: The State Department issued an order imposing a $20 million USD fine and extensive
remedial measures against a Washington-based aerospace and defense manufacturing company to
settle a total of 282 charges for violations of the ITAR and the Arms Export Control Act. The
violations included improper classification of goods, failure to properly administer licenses and
agreements, and incomplete or poor recordkeeping.
Unite across IBM, and beyond
How do these regulations impact your daily activities?
Customer facing organizations such as Sales & Delivery, Software Group Services
EXPORT OBLIGATION: Know Your Customer
Denied Parties List
Involved in Proliferation Activities
Embargoed / Terrorist Countries
Anti-boycott
Diversion Risk
EXPORT OBLIGATION: Military & ITAR Concerns
ACTION REQUIRED: Contact your ERC or ERO
Know Your Customer
Denied Parties List
Various government agencies maintain lists of individuals and companies with whom
IBM generally may not do business. The ERO has compiled these lists into one, the
Denied Parties List (DPL).
In the past, the DPL covered only lists maintained by the US Government;
however, the tool is being expanded to include the lists provided by the following
countries/regions:
Australia
Canada
European Union
Germany
Japan
Malaysia
Switzerland
United Kingdom
United Nations
If a customer or supplier is being established in one of these countries/regions, IBM must
screen against the applicable list as well as the US Denied Parties List. It is NOT
required to screen against ALL lists for every customer or supplier being established.
A customer being established in Australia would be screened against the US and
Australian lists, whereas a supplier being established in Japan would be screened
against the Japanese list as well as the US list.
Access instructions for the DPL and detailed screening instructions are provided on the
ERO web site.
Know Your Customer
Proliferation Activities
US regulations restrict or prohibit exports that would support the following types of
activities (proliferation end uses) in certain countries:
Nuclear weapons
Chemical and biological weapons (CBW)
Missiles and/or unmanned air vehicles
Military applications
Countries subject to these restrictions have additional screening requirements as part of the
customer or supplier set-up process. Separately from that screening, if your customer or supplier
is known to be involved in any of the activities listed above, or you have reason to believe so,
be aware that the transaction may be subject to very restrictive export controls or be prohibited.
Know Your Customer
Embargoed / Terrorist Countries
The US Government has identified certain countries as embargoed or terrorist-supporting, with
which a US company cannot do business:
Cuba
Iran
North Korea
Sudan
Syria
The level of sanctions varies between these countries, but in general IBM may not do business
with them, including their embassies or entities controlled by them. This prohibition includes
providing services that could be used by our customers' customers, suppliers or even employees
who operate in these countries.
If your customer or supplier is known to do business in any of the countries listed above, or you
have reason to believe so, be aware that the transaction may be prohibited.
Countries with additional screening requirements
Myanmar (Burma) and Iraq are not embargoed / terrorist countries; however, due to additional
government requirements for these countries, all potential transactions must be reviewed by the
Export Regulation Office (ERO).
NOTE: The ERO continuously monitors world events that may affect where IBM
is able to do business. Updates are provided via notification to the ERC
community and are also made available on the ERO web site.
Know Your Customer
Anti-Boycott
IBM is prohibited from accepting, cooperating with, or participating in restrictive trade practices
and state-sponsored boycotts.
Boycott requests can occur worldwide, not just in the Arab League nations.
Boycott requests are typically included in contract language, requests for proposals (RFP),
requests for quotes (RFQ), statements of work, or general law-compliance clauses, but they
may also come via verbal requests or other forms of documentation.
Examples of prohibited conduct include:
Agreeing not to do business with Israel, refusing goods of Israeli origin, or complying with
blacklists
Discriminating, or agreeing to discriminate, against any person based on race, religion, sex,
national origin or nationality
Creating "clean lists" of companies that are not Israeli based, owned, or managed
Agreeing with local country law that restricts business with Israel or any other nation the US
Government deems "friendly"
Furnishing information about IBM's (or affiliates') business relations with boycotted countries
or companies
US Government Reporting Required
In all cases, IBM must report requests to participate in boycott activities.
Know Your Customer
Diversion Risk
As you actively listen to your client's needs, you are responsible for understanding
those needs and identifying any unusual requests or circumstances. Such
unusual requests may be indicators, or Red Flags, that an unauthorized transaction may
occur.
Listen actively
We work to understand our clients challenges. We also
listen for the hopes and dreams they do not yet know how
to describe.
The practice of Listen for need, envision the future
Red Flag Examples:
The customer or agent is reluctant to offer information about the end-use of the item.
The product's capabilities do not fit the buyer's line of business.
A freight forwarding firm is listed as the product's final destination.
Routine installation, training, or maintenance services are declined by the customer.
Unite across IBM, and beyond
How do these regulations impact your daily activities?
Engagements with Public Sector, Military, or Aerospace and Defense Customers
EXPORT OBLIGATION: Know Your Customer
Denied Parties List
Involved in Proliferation Activities
Embargoed / Terrorist Countries
Diversion Risk
EXPORT OBLIGATION: Military & ITAR Concerns
ACTION REQUIRED: Contact your ERC or ERO
Know Your Customer
Military & ITAR Concerns
Providing commercial off-the-shelf (COTS) products to a military department, or within a
defense contract is allowed:
Announced hardware e.g. DataPower, Guardium, Netezza
Announced software e.g. WebSphere Application Server, Rational Doors
However, the following may be highly regulated:
Assisting with the development, production or use of an item which will be
incorporated into a military or defense item, e.g. customized software for integration into
a military platform
Providing technical data associated with these items, e.g. blueprints, architecture
Providing services to these agencies including maintenance of COTS items which have
since been incorporated into a defense items, e.g. a server which has been ruggedized
and placed into a submarine
These regulations may apply if you're engaged with any of the following types of
agencies:
National armed services (Army, Navy, National Guard, etc.)
Ministry of Defense
Police
Government intelligence or reconnaissance orgs
Government research agencies
Know Your Customer
Action Required: Contact your local Export Regulation Coordinator or the ERO for all of the
following:
Potential match on the DPL
Suspicion of proliferation activities
Engagements involving military or defense customers
Engagements involving Huawei or ZTE
Red Flag Indicators are present in the customer engagement process
Requests to comply with a boycott activity
For proliferation activity concerns and red flag indicators:
Do Not obstruct the normal flow of information
Do Not ignore Red Flags or intentionally cut off the flow of information that comes to
IBM in the normal course of business
For boycott concerns:
Boycott incidents must be reported immediately after identification and refusal via the ERO's
Boycott Reporting Tool. This tool facilitates the required review by the Export
Regulation Executive (ERE), regional legal counsel and the ERO.
Do not proceed until ALL issues are resolved and you have received documented approval and
instructions. Ensure you maintain documentation supporting the issue resolution in accordance
with records retention requirements.
Unite across IBM, and beyond
How do these regulations impact your daily activities?
Business units who are responsible for designing or delivering customer solutions, including SWG
Services, Global Business Services (GBS), Global Technology Services (GTS), Global Process
Services (GPS), and their respective delivery organizations, i.e. Services Delivery (GTS Services
Delivery and GPS Solutions and Delivery) and GBS Globally Integrated Delivery (GID)
EXPORT OBLIGATION: Know Your Product
Services & Solutions
Research, Development & Production Activities
Announcing an IBM product
Delivery of Controlled Products
ACTION REQUIRED: Contact your ERC or ERO
Know Your Product
Services & Solution Designs
IBM's customer solutions are subject to US export regulations. The regulations apply in all
cases, even when IBM's customers are located outside of the US and have no US presence;
for example, IBM providing a solution to a company headquartered in Germany with operations solely
in the European Union would still be required to comply with US regulations.
The IBM Client Services Evaluation Guide (CSEG), or its exact content equivalent, is the
appropriate tool to determine whether the proposed solution has any export concerns.
A new evaluation is required for any significant change, e.g. adding an
additional delivery center to the delivery activities.
Examples of solutions subject to export regulations:
Processing any portion of financial transactions for a customer
Customizing items or services for use in any defense, military, space (including
commercial satellites), government intelligence gathering, or weapons detection capacity
Delivering items which are intended for surveillance purposes at any level of
government
Designing customized software with encryption capabilities
Hosting or delivery of cloud computing services
Use of global resources, i.e. offshore delivery centers or persons who are not citizens or
permanent residents of the local country
Intentional or incidental access to a customer's source code or technology
Unite across IBM, and beyond
How do these regulations impact your daily activities?
Organizations involved in research, development, manufacturing, or engineering.
EXPORT OBLIGATION: Know Your Product
Services & Solutions
Global Delivery
Research, Development & Production Activities
Announcing an IBM Product
Delivery of Controlled Products
ACTION REQUIRED: Contact your ERC or ERO
Know Your Product
Encryption Defined
A product is considered to be an encryption product if any of the following applies:
It directly contains encryption algorithms, proprietary or open source, e.g. an AES or 3DES
implementation, or bundled components such as OpenSSH or an SSL/TLS library
It can call or access encryption algorithms from another source, for example:
Use of encryption libraries, e.g. GSKit
Calls to security functions, e.g. the JVM security APIs (JVM.Security)
Invoking secure communications, e.g. HTTPS, TLS
It can direct encryption functions in another product, e.g. products which rely on
WebSphere Application Server and use WAS APIs to create an encrypted channel for
sending information
Encryption Classifications
US export regulations divide encryption products into categories:
Limited Encryption: password, digital signature and authentication functions only
Full Function Encryption:
Mass Market: determination based on marketing information and price
Restricted: determination based on specifically defined criteria, e.g.
network infrastructure products, proprietary encryption source code, products
which have an Open Cryptographic Interface
Unrestricted: full function encryption which is neither Mass Market nor Restricted
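The three tests above (contains an algorithm, calls encryption from another source, directs encryption in another product) are usually answered by inventorying a code base before the classification form is filled in. The script below is an added example, not IBM code and not an ERO-approved method: it scans source text for indicator patterns grouped by those three criteria and reports which criteria a project trips. The regexes, the assumed gsk* naming for GSKit calls, the assumed com.ibm.websphere.ssl / JSSEHelper names for WAS SSL APIs, and the sample project files are all the author's assumptions, constructed for illustration.

```python
"""Triage scan for the three 'encryption product' indicators.

Added example, not IBM code or an ERO-approved method. The indicator
patterns are assumptions chosen to mirror the three criteria on this page.
A hit means 'submit for classification'; it is not itself a classification.
"""
import re
from dataclasses import dataclass

# Criterion names mirror the page: contains an algorithm, calls encryption
# from another source (library, security API, HTTPS/TLS), or directs
# encryption in another product (e.g. WAS SSL APIs).
INDICATORS = {
    "contains_algorithm": [
        (re.compile(r"\b(AES|Rijndael|3DES|TripleDES|Blowfish|ChaCha20|RC4)\b"),
         "symmetric cipher named in source"),
        (re.compile(r"\b(RSA|ECDSA|ECDH|Ed25519|X25519)\b"),
         "public-key algorithm named in source"),
    ],
    "calls_encryption_source": [
        (re.compile(r"^\s*(import|from)\s+(cryptography|Crypto|nacl|OpenSSL|ssl)\b"),
         "Python crypto/TLS module import"),
        (re.compile(r"\bjavax?\.(crypto|security)\b"),
         "Java security API (javax.crypto / java.security)"),
        (re.compile(r'#include\s*[<"]openssl/'),
         "OpenSSL header include"),
        (re.compile(r"\bgsk[a-z0-9_]*\s*\(", re.IGNORECASE),
         "GSKit call (assumed gsk* naming)"),
        (re.compile(r"\bhttps://", re.IGNORECASE),
         "HTTPS endpoint"),
        (re.compile(r"\b(SSLContext|SSLSocket|create_default_context|wrap_socket)\b"),
         "TLS channel setup"),
    ],
    "directs_other_product": [
        (re.compile(r"\bcom\.ibm\.websphere\.ssl\b|\bJSSEHelper\b"),
         "WebSphere SSL API (assumed package/class names)"),
    ],
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    criterion: str
    detail: str
    text: str


def scan_source(path: str, text: str) -> list:
    """Return one Finding per (line, matching pattern) in one source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for criterion, patterns in INDICATORS.items():
            for regex, detail in patterns:
                if regex.search(line):
                    findings.append(Finding(path, line_no, criterion, detail, line.strip()))
    return findings


def classify(files: dict) -> dict:
    """Aggregate findings over a project (path -> source text).

    Any hit means the project must be treated as an encryption product and
    sent through the classification process; no hit is only weak evidence
    of absence (vendored binaries and dynamic loading are invisible here).
    """
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    criteria = sorted({f.criterion for f in findings})
    return {
        "is_encryption_product": bool(findings),
        "criteria_met": criteria,
        "findings": findings,
    }


# Constructed sample project (not real IBM code): one Java file using
# javax.crypto, one Python tool that posts over HTTPS, one plain text file.
SAMPLE_FILES = {
    "src/TokenService.java": (
        "import javax.crypto.Cipher;\n"
        "public class TokenService {\n"
        '    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
        "}\n"
    ),
    "tools/report.py": (
        "import requests\n"
        "URL = 'https://reports.example.invalid/upload'\n"
        "def push(data):\n"
        "    return requests.post(URL, json=data)\n"
    ),
    "docs/README.txt": "Batch job that reformats CSV exports.\n",
}

if __name__ == "__main__":
    result = classify(SAMPLE_FILES)
    print("encryption product:", result["is_encryption_product"])
    print("criteria met:", ", ".join(result["criteria_met"]))
    for f in result["findings"]:
        print(f"{f.path}:{f.line} [{f.criterion}] {f.detail}: {f.text}")
```

On the sample project the scan reports the Java file under both "contains_algorithm" (the cipher name inside the Cipher.getInstance string) and "calls_encryption_source" (the javax.crypto import), and the Python tool under "calls_encryption_source" for its HTTPS endpoint. The first of those hits shows why this is a triage aid only: a cipher name in a transformation string is a library call, not an embedded algorithm, so every finding still needs a human to decide which criterion really applies before the Internal Project Classification and Guidance Form is completed.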
Know Your Product
Research & Development Activities
Groups involved in the exchange of technical data, technical assistance or source code within IBM or
with external customers and suppliers have additional requirements.
Transfers within IBM
US export regulations allow for the transfer of encryption source code and technology through all IBM
subsidiaries around the world, with only one exception:
Embargoed / terrorist countries and their nationals are not eligible
When transferring encryption source code or technology outside of the United States, local export
regulations may apply. In some cases, additional permits and authorizations are required.
Transfers outside of IBM
All transfers of encryption source code and technology outside of IBM require review and approval,
including transfers to development partners or certification agencies.
Classification Requirements: Technology and Source Code Export Evaluations
To determine any export restrictions associated with your source code or technology, export classification is
required:
Export classification of encryption technology and source code may be done using IBM's Internal
Project Classification and Guidance Form. This form will either allow you to self-classify your project
or point you to the appropriate classification resources. Alternatively, you may schedule a meeting with
your local Export Regulation Coordinator or the ERO.
Ensure any required export authorizations are obtained prior to transfer.
Ensure access controls are implemented according to the classification obtained.
Know Your Product
Announcing an IBM product
All IBM announced products are required to be classified for export. The classification
determines any delivery restrictions or requirements.
Export classifications must be obtained no later than 30 days prior to first release; 45 days are
required for products which contain encryption capabilities.
Products requiring classification via the Export Regulation Office
Hardware: all Machine Types and Models
Software: all code delivered outside IBM
Generally Available, Beta, Stand alone components
New Releases:
Version change (e.g. V1 to V2)
Point releases (e.g. V1.1 to V1.2) where encryption has been added or
changed
Obtaining export classifications
Export classifications may be obtained by submitting a product classification form in the
ERO's Classification Questionnaire database. Full function encryption products
require a white paper.
Non-encryption and limited encryption assets being released without a PID or Part
Number may be self classified by development teams using the Software Classification
Guidance and Questionnaire form on the ERO web site.
Know Your Product
Encryption Product Classifications and End User Eligibility
The export categorization determines how a product classification is completed and where
the item may be delivered.

Classification Category | Classified by | End User Eligibility
Mass Market | ERO | All**
Restricted | US Government (USG) | Supplement 3 countries, plus non-government end users outside of Supplement 3
Unrestricted | Varies by item type: USG for chips, toolkits, crypto libraries, network forensics, non-standard encryption and encryption-enabling products; ERO for all others | All**

** Delivery to embargoed / terrorist countries is always prohibited!
Government End Users Defined:
Any foreign central, regional or local government department, agency, or other entity performing
governmental functions; including governmental research institutions, governmental corporations or
their separate business units which are engaged in the manufacture or distribution of items or services
controlled on the Wassenaar Munitions List, and international government organizations
Know Your Product
Supplement 3 Countries
Austria
Australia
Belgium
Bulgaria
Canada
Cyprus
Czech Republic
Estonia
Denmark
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malta
Netherlands
New Zealand
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
Unite across IBM, and beyond
How do these regulations impact your daily activities?
Organizations involved in delivery of hardware or software
EXPORT OBLIGATION: Know Your Product
Services & Solutions
Global Delivery
Research, Development & Production Activities
Announcing an IBM product
Delivery of Controlled Products
ACTION REQUIRED: Contact your ERC or ERO
Know Your Product
Delivery of Encryption Products
Most of IBM's products are eligible for delivery to all IBM customers in all countries except
the embargoed / terrorist countries; however, some products require
additional controls, including:
Encryption products classified as Restricted, typically network infrastructure products
such as ISS Proventia Network Multi-function Security Appliances, or encryption toolkits
Products primarily useful in law enforcement or cyber security, e.g. i2 Coplink, QRadar
Forensics
Products provided by third parties may also require additional controls, e.g.:
Priority 5 TACCS Situational Awareness software
Cisco or Juniper Network Infrastructure products
Some Intel microprocessors
Determining if there are additional Controls:
IBM publishes the export classification of its products on IBM's Export Compliance web
page. Delivery restrictions are identified with ERO Identifiers.
Export classifications of products provided by third parties must be obtained from the
supplier of the product. Work with your procurement representative to obtain this
information. Alternatively, contact the supplier directly for classification information. The
ERO provides links to the most common non-IBM products.
Ensure export authorizations are obtained when required.
Know Your Product
Action Required: Contact your local Export Regulation Coordinator or the ERO for all of the
following:
Assistance with SWG Services CSEG evaluations
Obtaining export classifications
Determining appropriate access controls
Obtaining export authorizations
Do not proceed until ALL issues are resolved and you have received documented approval and
instructions. Ensure you maintain documentation supporting the issue resolution in accordance
with records retention requirements.
Export Regulation University
University Link: http://lt.be.ibm.com/exre
Detailed export education on all topics mentioned in this module can be found in the
Global Trade University under the Export section.
We encourage you to expand your knowledge in the areas pertinent to your line of business!
Reminders:
Exporting is a PRIVILEGE, not a right! Every IBM employee is responsible
for ensuring IBM remains in compliance.
ALL of our deliveries are subject to US export regulations.
Violations of these regulations jeopardize IBM's good reputation, and put our
exporting privilege at serious risk! In addition, it can cause countless
ramifications such as revenue loss for IBM, employee terminations, etc.
Export compliance is the responsibility of every employee.
You are supporting IBM's Purpose, Values & Practices by complying with
Export Regulations
Completion
You have now completed this course. Please mark the completion box to indicate you
have completed this activity.
