2014 Swg Export Education


Transcript of 2014 Swg Export Education

Page 1: 2014 Swg Export Education

© 2013 International Business Machines Corporation

Supporting IBM’s Purpose, Values & Practices – Complying with Export Regulations

Page 2: 2014 Swg Export Education

For more than a century - as products, technologies and eras have come and gone - IBMers have been animated by an enduring Purpose - to be essential. We have been defined by a core of shared Values. And now we have come together to determine how we will put that Purpose and those Values into practice. -- Ginni Rometty, Chairman, President and Chief Executive Officer

Page 3: 2014 Swg Export Education

• The goal of this learning activity is to “share expertise” on how IBM complies with export regulations so that you may go forward with knowledge of how these regulations may impact your day-to-day activities. At the conclusion, you will understand how you are essential to IBM’s compliance posture around the world.

The practice of Sharing Expertise

Keep our expertise vital: IBMers constantly learn, develop skills and contribute to the advancement of their fields, professions and disciplines.

Bring expertise to the client: We draw on the skills of our colleagues, partners, clients and academic peers, bringing our clients the most relevant experts and expertise.

Give the gift of knowledge: Our goal is not to impress others with what we know, but to add to their own knowledge, to make them smarter.

Page 4: 2014 Swg Export Education

• Complying with export regulations relates directly to IBM’s core value of Trust and personal responsibility in all relationships.

The practice of Uniting to Get it Done Now

Unite across IBM, and beyond: We are at our best when we work together in borderless collaboration.

Get it done: We are thorough, always keeping our promises and delivering on our commitments.

Work with thoughtful urgency: We put a premium on speed. We do not confuse activity with results.

Page 5: 2014 Swg Export Education

Unite across IBM, and beyond

• IBM has a global export compliance program, which includes:
  – Corporate Export Regulation Office (ERO)
    • Defines export regulation requirements
    • Interprets the US Government regulations
    • Acts as the interface with the US Government for securing export authorizations
    • Conducts compliance reviews and advises management of potential gaps
    • Provides guidance to IBM's export network
    • Oversees non-US export regulation compliance programs
  – Decentralized Global IBM Export Regulation Network
    • Implements requirements, including the following:
      – designing and overseeing the local ICP (Internal Control Program)
      – establishing procedures and ensuring compliance
    • Provides local education, advice and guidance
  – ERO Website: w3.ibm.com/chq/ero

Page 6: 2014 Swg Export Education

Give the gift of knowledge

• The Policy
  – Because IBM is a US company, IBM, including all of its subsidiaries, must act in accordance with the laws of the United States. Those laws are dictated by the following agencies:
    • Department of Commerce – Export Administration Regulations (EAR): “dual use” products and technology, and restrictive trade practices (boycotts)
    • Department of State – International Traffic in Arms Regulations (ITAR): military, intelligence, police and space technology, including commercial satellites
    • Department of the Treasury – Office of Foreign Assets Control (OFAC): embargoes, trade sanctions, and narcotics kingpin sanctions
  – For IBM subsidiaries located outside of the United States, there may be additional local export regulation laws which would also apply. Your Export Regulation Coordinator will be able to assist you with making this determination.

Page 7: 2014 Swg Export Education

Keep our expertise vital

• Export Defined
  – The transfer of anything to a "Foreign Person" by any means, anywhere, anytime, or the knowledge that what you are transferring to a "US Person" will be further transferred to a "Foreign Person"
    • A "US Person" is defined as: a US citizen or permanent resident
    • A "Foreign Person" (or foreign national) is defined as: a non-US citizen who is not a permanent resident of the US

• Applying the Definition
  – The following would all be considered subject to US export regulations:
    • Technical data and source code transfers to a non-resident within any country (deemed export), e.g. a Russian national working in Ireland
    • Exports to another IBM subsidiary, e.g. IBM Singapore exporting to IBM US
    • Exports to an IBM Customer, Partner or Supplier located outside your country, e.g. export of a SWG product’s binary code from IBM Hungary to Flextronics in Canada
    • Deliveries of technical data to an external partner within your country with a remote headquarters team involved in the engagement, e.g. delivery to a customer in California with headquarters located in China

Page 8: 2014 Swg Export Education

• Exporting is a PRIVILEGE, not a right! Every IBM employee is responsible for ensuring IBM remains in compliance.

• Violation of the US export regulations is subject to penalties, including:
  – Monetary fines
  – Denial or suspension of export privileges
  – Possible imprisonment

• Knowledge of an actual or potential export violation needs to be reported immediately to your local Export Regulation Coordinator.

Page 9: 2014 Swg Export Education

Don’t let this happen to IBM!

• October 18, 2012: Mohammad Reza Hajian, RH International and P and P Computers were convicted of exporting computers and equipment to Iran via the United Arab Emirates. Hajian is spending 48 months in prison and the companies are on 12 months' probation. The case resulted in a $10,000,000 USD forfeiture. Export privileges were denied until 2022.

• April 24, 2013: Computerlinks FZCO took actions to evade the Regulations in connection with the unlawful export and reexport to Syria of encryption items designed for use in monitoring and controlling Web traffic valued at approximately $1,400,000 USD. The Settlement Agreement included a civil penalty of $2,800,000 USD and required three external audits of its export control compliance program.

• June 12, 2013: Baker Eastern, SA, Tripoli, Libya, complied with multiple requests to furnish information about business relationships with or in a boycotted country, which is in direct violation of the US anti-boycott laws. The company was fined $182,325 USD.

• March 5, 2014: The State Department issued an order imposing a $20 million USD fine and extensive remedial measures against a Washington-based aerospace and defense manufacturing company to settle a total of 282 charges for violations of the ITAR and the Arms Export Control Act. The violations included improper classification of goods, failure to properly administer licenses and agreements, and incomplete or poor recordkeeping.

Page 10: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?
  – Customer-facing organizations such as Sales & Delivery, Software Group Services

• EXPORT OBLIGATION: Know Your Customer
  – Denied Parties List
  – Involved in Proliferation Activities
  – Embargoed / Terrorist Countries
  – Anti-boycott
  – Diversion Risk

• EXPORT OBLIGATION: Military & ITAR Concerns

• ACTION REQUIRED: Contact your ERC or ERO

Page 11: 2014 Swg Export Education

Know Your Customer

• Denied Parties List
  – Various government agencies maintain listings of individuals and corporations with whom IBM generally may not do business. The ERO has compiled these various lists into one, the Denied Parties List (DPL).
    • In the past, the DPL was focused only on lists maintained by the US Government; however, the tool is being expanded to include the listings provided by the following countries/regions:
      – Malaysia
      – Japan
      – Germany
      – United Nations
      – European Union
      – United Kingdom
      – Canada
      – Switzerland
      – Australia
    • If a customer or supplier is being established in one of these countries/regions, IBM must screen against the applicable list, as well as the US Denied Parties List. It is NOT required to screen against ALL lists for every customer or supplier being established.
      – A customer being established in Australia would be screened against the US and Australian lists, whereas a supplier being established in Japan would be screened against the Japanese list as well as the US list.
    • Access instructions for the DPL and detailed screening instructions are provided on the ERO web site.

Page 12: 2014 Swg Export Education

Know Your Customer

• Proliferation Activities
  – Under US regulations, certain countries are prohibited from participating in the following types of activities:
    • Nuclear Weapons
    • Chemical & Biological Weapons (CBW)
    • Missiles and/or unmanned air vehicles
    • Military Applications
  – Countries subject to these restrictions have additional screening requirements as part of the customer or supplier set-up process; however, if your customer or supplier is known to be involved in any of the activities listed above, or you have reason to believe so, be aware that the transaction may be subject to very restrictive export controls or prohibited.

Page 13: 2014 Swg Export Education

Know Your Customer

• Embargoed / Terrorist Countries
  – The US Government has identified certain countries as embargoed or terrorist-supporting, in which a US company cannot do business:
    • Syria
    • Sudan
    • Iran
    • North Korea
    • Cuba
  – The level of sanctions may vary between these countries, but in general, IBM may not do business with these countries, including their embassies or entities controlled by these countries. This prohibition includes providing services which could potentially be used by our customer’s customers, suppliers or even employees who operate in these countries.
  – If your customer or supplier is known to do business in any of the countries listed above, or you have reason to believe so, be aware that the transaction may be prohibited.

• Countries with additional screening requirements
  – Myanmar (Burma) and Iraq are not embargoed / terrorist countries; however, due to additional Government requirements with these countries, it is necessary for all potential transactions to be reviewed by the Export Regulation Office (ERO).

NOTE: The ERO continuously monitors world events which may impact where IBM is able to do business. Updates are provided via notification to the ERC community and are also made available on the ERO web site.

Page 14: 2014 Swg Export Education

Know Your Customer

• Anti-Boycott
  – IBM is prohibited from accepting, cooperating with, or participating in restrictive trade practices and state-sponsored boycotts.
  – Boycott requests can occur worldwide, not just in the Arab League nations.
  – Boycott requests are typically included in contract language, requests for proposals (RFP), requests for quotes (RFQ), statements of work, or general law compliance clauses, but they may also come via verbal requests or other forms of documentation.

• Examples of prohibited conduct include:
  – Agreeing not to do business with Israel, refusing goods of Israeli origin, or complying with “blacklists”
  – Discriminating, or agreeing to discriminate, against any person based on race, religion, sex, national origin or nationality
  – Creating “clean lists” of companies that are not Israeli based, owned, or managed
  – Agreeing with local country law that restricts business with Israel or any other nation the U.S. Government deems "friendly"
  – Furnishing information about IBM's (or affiliates') business relations with boycotted countries or companies

• US Government Reporting Required
  – In all cases, IBM must report requests to participate in boycott activities.

Page 15: 2014 Swg Export Education

Know Your Customer

• Diversion Risk
  – As you are “actively listening” to your client’s needs, you are responsible for understanding your customer's needs and identifying any unusual requests or circumstances. These unusual requests may be indicators, or “Red Flags”, that an unauthorized transaction may occur.

• Red Flag Examples:
  – The customer or agent is reluctant to offer information about the end-use of the item.
  – The product's capabilities do not fit the buyer's line of business.
  – A freight forwarding firm is listed as the product's final destination.
  – Routine installation, training, or maintenance services are declined by the customer.

The practice of Listen for need, envision the future

Listen actively: We work to understand our clients’ challenges. We also listen for the hopes and dreams they do not yet know how to describe.

Page 16: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?
  – Engagements with Public Sector, Military, or Aerospace and Defense Customers

• EXPORT OBLIGATION: Know Your Customer
  – Denied Parties List
  – Involved in Proliferation Activities
  – Embargoed / Terrorist Countries
  – Diversion Risk

• EXPORT OBLIGATION: Military & ITAR Concerns

• ACTION REQUIRED: Contact your ERC or ERO

Page 17: 2014 Swg Export Education

Know Your Customer

• Military & ITAR Concerns
  – Providing commercial off-the-shelf (COTS) products to a military department, or within a defense contract, is allowed:
    • Announced hardware, e.g. DataPower, Guardium, Netezza
    • Announced software, e.g. WebSphere Application Server, Rational DOORS
  – However, the following may be highly regulated:
    • Assisting with the development, production or use of an item which will be incorporated into a military or defense item, e.g. customized software for integration into a military platform
    • Providing technical data associated with these items, e.g. blueprints, architecture
    • Providing services to these agencies, including maintenance of COTS items which have since been incorporated into defense items, e.g. a server which has been ruggedized and placed into a submarine
  – These regulations may apply if you’re engaged with any of the following types of agencies:
    • National armed services (Army, Navy, National Guard, etc.)
    • Ministry of Defense
    • Police
    • Government intelligence or reconnaissance organizations
    • Government research agencies

Page 18: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?

• EXPORT OBLIGATION: Know Your Customer
  – Denied Parties List
  – Involved in Proliferation Activities
  – Embargoed / Terrorist Countries
  – Diversion Risk

• EXPORT OBLIGATION: Military & ITAR Concerns

• ACTION REQUIRED: Contact your ERC or ERO

Page 19: 2014 Swg Export Education

Know Your Customer

• Action Required: Contact your local Export Regulation Coordinator or the ERO for all of the following:
  • Potential match on the DPL
  • Suspicion of proliferation activities
  • Engagements involving military or defense customers
  • Engagements involving Huawei or ZTE
  • “Red Flag” indicators are present in the customer engagement process
  • Requests to comply with a boycott activity

  – For proliferation activity concerns and “red flag” indicators:
    • Do Not obstruct the normal flow of information
    • Do Not ignore “Red Flags” or intentionally cut off the flow of information that comes to IBM in the normal course of business
  – For boycott concerns:
    • Boycott incidents must be reported immediately after identification and refusal via ERO’s Boycott Reporting Tool. This tool will facilitate the required review by the Export Regulation Executive (ERE), regional legal counsel and the ERO.

• Do not proceed until ALL issues are resolved and you have received documented approval and instructions. Ensure you maintain documentation supporting the issue resolution in accordance with records retention requirements.

Page 20: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?
  – Business units who are responsible for designing or delivering customer solutions, including SWG Services, Global Business Services (GBS), Global Technology Services (GTS), Global Process Services (GPS), and their respective delivery organizations, i.e. Services Delivery (GTS Services Delivery and GPS Solutions and Delivery) and GBS Globally Integrated Delivery (GID)

• EXPORT OBLIGATION: Know Your Product
  – Services & Solutions
  – Research, Development & Production Activities
  – Announcing an IBM product
  – Delivery of Controlled Products

• ACTION REQUIRED: Contact your ERC or ERO

Page 21: 2014 Swg Export Education

Know Your Product

• Services & Solution Designs
  – IBM’s customer solutions are subject to US export regulations. The regulations apply in all cases, even when IBM’s customers are located outside of the US and have no US presence.
    • IBM providing a solution to a company headquartered in Germany with operations solely in the European Union would still be required to comply with US regulations.
  – The IBM Client Services Evaluation Guide (CSEG), or its exact content equivalent, is the appropriate tool to determine if the proposed solution has any export concerns.
    • A new evaluation would be required for any significant change, e.g. including an additional delivery center within the delivery activities.
  – Examples of solutions subject to export regulations:
    • Processing any portion of financial transactions for a customer
    • Customizing items or services for use in any defense, military, space (including commercial satellites), government intelligence gathering, or weapons detection capacity
    • Delivering items which are intended for surveillance purposes at any level of government
    • Designing customized software with encryption capabilities
    • Hosting or delivery of cloud computing services
    • Use of global resources, i.e. offshore delivery centers or persons who are not citizens or permanent residents of the local country
    • Intentional or incidental access to a customer’s source code or technology

Page 22: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?
  – Organizations involved in research, development, manufacturing, or engineering

• EXPORT OBLIGATION: Know Your Product
  – Services & Solutions
  – Global Delivery
  – Research, Development & Production Activities
  – Announcing an IBM Product
  – Delivery of Controlled Products

• ACTION REQUIRED: Contact your ERC or ERO

Page 23: 2014 Swg Export Education

Know Your Product

• Encryption Defined
  – A product is considered to be an encryption product if:
    • It directly contains encryption algorithms, proprietary or open source
      – AES, 3DES, OpenSSH, SSL, etc.
    • It can call/access encryption algorithms from another source
      – Use of encryption libraries, e.g. GSKit
      – Calls to security functions, e.g. JVM.Security
      – Invoking secure communications, e.g. https, TLS
    • It can direct encryption functions in another product
      – Products which rely on WebSphere Application Server and use WAS APIs to create an encrypted channel to send information

• Encryption Classifications
  – US export regulations divide encryption products into categories:
    • Limited Encryption: password, digital signature, authentication functions only
    • Full Function Encryption
      – Mass Market: determination based on marketing information and price
      – Restricted Encryption: determination based on specifically defined criteria, e.g. network infrastructure products, proprietary encryption source code, products which have an Open Cryptographic Interface
      – Encryption which is not Mass Market or Restricted is typically described as Unrestricted

Page 24: 2014 Swg Export Education

Know Your Product

• Research & Development Activities
  – Groups involved in the exchange of technical data, technical assistance or source code within IBM or with external customers and suppliers have additional requirements.

• Transfers within IBM
  – US export regulations allow for the transfer of encryption source code and technology through all IBM subsidiaries around the world, with only one exception:
    • Embargoed / terrorist countries and their nationals are not eligible
  – When transferring encryption source code or technology outside of the United States, local export regulations may apply. In some cases, additional permits and authorizations are required.

• Transfers outside of IBM
  – All transfers of encryption source code and technology outside of IBM require review and approval.
    • Transfers to development partners or certification agencies

• Classification Requirements: Technology and Source Code Export Evaluations
  – To determine any export restrictions associated with your source code or technology, export classification is required:
    • Export classification of encryption technology and source code may be done using IBM’s Internal Project Classification and Guidance Form. This form will either allow you to self-classify your project or point you to the appropriate classification resources. Alternatively, you may schedule a meeting with your local Export Regulation Coordinator or ERO.
    • Ensure any required export authorizations are obtained prior to transfer.
    • Ensure access controls are implemented according to the classification obtained.

Page 25: 2014 Swg Export Education

Know Your Product

• Announcing an IBM product
  – All IBM announced products are required to be classified for export. The classification determines any delivery restrictions or requirements.
  – Export classifications must be obtained no later than 30 days prior to first release. 45 days is required for products which contain encryption capabilities.

• Products requiring classification via the Export Regulation Office
  • Hardware: all Machine Types and Models
  • Software: all code delivered outside IBM
    – Generally Available, Beta, stand-alone components
    – New releases:
      » Version change (e.g. V1 to V2)
      » Point releases (e.g. V1.1 to V1.2) where encryption has been added or changed

• Obtaining export classifications
  • Export classifications may be obtained by submitting a product classification form in ERO’s Classification Questionnaire database. Full function encryption products will require a white paper.
  • Non-encryption and limited encryption assets being released without a PID or Part Number may be self-classified by development teams using the Software Classification Guidance and Questionnaire form on the ERO web site.

Page 26: 2014 Swg Export Education

Know Your Product

• Encryption Product Classifications and End User Eligibility
  – The export categorization determines how a product classification is completed and where the item may be delivered.

Classification Category / Classified by / End User Eligibility:
  – Mass Market: classified by ERO; eligible end users: All**
  – Restricted: classified by US Government (USG); eligible end users: Supplement 3 countries, and non-government end users outside of Supplement 3
  – Unrestricted: classification varies by item type (USG: chips, toolkits, crypto libraries, network forensics, non-standard encryption, and encryption enabling products; ERO: all others); eligible end users: All**

** Delivery to embargoed / terrorist countries is always prohibited!

Government End Users Defined: Any foreign central, regional or local government department, agency, or other entity performing governmental functions; including governmental research institutions, governmental corporations or their separate business units which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List, and international government organizations.

Page 27: 2014 Swg Export Education

Know Your Product

• Supplement 3 Countries
  • Austria
  • Australia
  • Belgium
  • Bulgaria
  • Canada
  • Cyprus
  • Czech Republic
  • Estonia
  • Denmark
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • New Zealand
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom

Page 28: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?
  – Organizations involved in delivery of hardware or software

• EXPORT OBLIGATION: Know Your Product
  – Services & Solutions
  – Global Delivery
  – Research, Development & Production Activities
  – Announcing an IBM product
  – Delivery of Controlled Products

• ACTION REQUIRED: Contact your ERC or ERO

Page 29: 2014 Swg Export Education

Know Your Product

• Delivery of Encryption Products
  – Most of IBM’s products are eligible for delivery to all IBM customers in all countries except the embargoed / terrorist countries; however, there are some products which require additional controls, including:
    • Encryption products classified as “Restricted”, typically network infrastructure products such as ISS Proventia Network Multi-function Security Appliances, or encryption toolkits
    • Products primarily useful in law enforcement or cyber security, e.g. i2 Coplink, QRadar Forensics
  – Products provided by third parties may also require additional controls, e.g.:
    • Priority 5 TACCS Situational Awareness software
    • Cisco or Juniper network infrastructure products
    • Some Intel microprocessors
  – Determining if there are additional controls:
    • IBM publishes the export classification of its products on IBM’s Export Compliance web page. Delivery restrictions are identified with ERO Identifiers.
    • Export classifications of products provided by third parties must be obtained from the supplier of the product. Work with your procurement representative to obtain this information. Alternatively, contact the supplier directly for classification information. The ERO provides links to the most common non-IBM products.
    • Ensure export authorizations are obtained when required.

Page 30: 2014 Swg Export Education

Unite across IBM, and beyond

• How do these regulations impact your daily activities?

• EXPORT OBLIGATION: Know Your Product
  – Services & Solutions
  – Global Delivery
  – Research, Development & Production Activities
  – Announcing an IBM product
  – Delivery of Controlled Products

• ACTION REQUIRED: Contact your ERC or ERO

Page 31: 2014 Swg Export Education

Know Your Product

• Action Required: Contact your local Export Regulation Coordinator or the ERO for all of the following:
  • Assistance with SWG Services CSEG evaluations
  • Obtaining export classifications
  • Determining appropriate access controls
  • Obtaining export authorizations

• Do not proceed until ALL issues are resolved and you have received documented approval and instructions. Ensure you maintain documentation supporting the issue resolution in accordance with records retention requirements.

Page 32: 2014 Swg Export Education

Export Regulation University

University Link: http://lt.be.ibm.com/exre

Detailed export education on all topics mentioned in this module can be found in the Global Trade University under the Export section.

We encourage you to expand your knowledge in the areas pertinent to your line of business!

Page 33: 2014 Swg Export Education

• Reminders:
  – Exporting is a PRIVILEGE, not a right! Every IBM employee is responsible for ensuring IBM remains in compliance.
  – ALL of our deliveries are subject to US export regulations.
  – Violations of these regulations jeopardize IBM's good reputation and put our exporting privilege at serious risk! In addition, they can cause countless ramifications such as revenue loss for IBM, employee terminations, etc.
  – Export compliance is the responsibility of every employee.
  – You are supporting IBM’s Purpose, Values & Practices by complying with Export Regulations.

Page 34: 2014 Swg Export Education

Completion

• You have now completed this course. Please mark the “completion box” to indicate you have completed this activity.