| Greetings!
Some industries seem to have audits every other month and others only once a year. Regardless of the frequency of your audits, they take-up your time and energy.
This month's newsletter is devoted to the discussion of the typical audit requirements that I see our customers experiencing; as well as, and how SkyView Partners products and services address those audit points.
Sincerely,
 Carol Woodbury, President
SkyView Partners, Inc. |
| Questions? |
|
Before I get started, I want to say that SkyView Partners is committed to delivering security-related products and services that provide our customers with sound advice and that save them time in their quest to achieve a more secure environment.
Now, on to this month's i5/OS Security Tech Tip.
* * *
If your auditor doesn't have actual knowledge of i5/OS security themselves, they typically have a "playbook" of audit points to look for in your i5/OS security configuration. Let's look at the most common ones. | |
| System values |
|
According to an auditor's playbook, system values must be set to certain settings. But what happens when you can't set a system value to the auditor's required setting? Answer: You write a risk acceptance statement justifying the current setting. SkyView Risk Assessor provides a detailed description of all security-relevant system values along with reasons you may not be able to set the value to "best practices." You then use these expert explanations in your risk acceptance statement that you document in the Policy Description in SkyView Policy Minder. Because another item the auditor will demand is proof that you are (and have been) in compliance with your organization's policy. Policy Minder compliance reports provide this proof. And you can use the policy report to show your auditor your policy and risk acceptance statements. |
| User profiles |
When it comes to user profile settings, I've found that auditors are looking for the following:
No default passwords. Risk Assessor provides a report of all users with default passwords along with the profile's status special authorities. This provides you with the risk associated with leaving the profile with a default password. With Policy Minder, you can create a user profile template to look for profiles with default passwords. Running a regular compliance check allows you to prove to the auditors that you are pro-activity looking for and dealing with profiles that have default passwords.
Management of inactive profiles. Auditors want to see that profiles that haven't been used recently are removed from the system on a timely basis. Policy Minder allows you to automate the discovery and management of inactive profiles. Using the FixIt function, you can use a special template to delete profiles. Reports showing that the profiles are being removed in the appropriate timeframe can be generated for review by the auditor. Policy Minder also lets you document and justify the profiles that will always be inactive but must remain on the system (e.g., group profiles, profiles that own objects, etc.)
Special authorities. Auditors look for the assignment of excessive capabilities. Translated: they want to know you are managing how many users have *ALLOBJ special authority or are a member of QSECOFR. You can create user profile templates in Policy Minder to document the users that currently have a special authority or users who are a member of QSECOFR, then run compliance checks on a regular basis to identify new users with either of these assignments.
User class assignment. While I don't particularly think this is a useful analysis, auditors seem to be hung up on profiles' user class assignment. In other words, they want to see all end users in the *USER user class and only a few, administrator-types, be in the *SECOFR class. (i5/OS does not use user class to determine what someone has authority to, that's why I think using the User class is not particularly useful.) However, Policy Minder accommodates this auditor requirement and allows you to see all end users that are not assigned to the appropriate user class.
|
| Object Authorities |
I typically see the requirement to have restricted access to files containing private information from internal auditors or Payment Card Industry (PCI) auditors. Translated: i5/0s database files containing private information (health care information, SSNs or SINs, bank account numbers or cardholder data) must be set to *PUBLIC *EXCLUDE. Whether the requirement is to secure a library, directory, a specific file or set of files, you can set a library or directory authority template to monitor compliance with these types of audit requirements. |
| Independent assessment |
|
You can use Risk Assessor to fulfill an auditor's requirement that you have an expert, independent assessment of your system. Risk Assessor examines over 100 areas of i5/OS security settings (including object authorities, user profiles, TCP/IP configuration, file shares, system values and more) and compares them to industry best practices. It describes the issues, providing enough information for you to determine whether the risk applies to your organization and if it does, tips for remediating the issue. |
| We can help |
Your next audit is fast approaching. You want to make sure you're prepared, but you don't have the time or expertise to perform a thorough assessment of your i5/OS systems. SkyView Security Check-up is a service that takes the burden off of you to determine the risks associated with the i5/OS security configuration. Using SkyView's expertise, we provide you with a detailed explanation of the issues discovered by running Risk Assessor and a summary of the recommended action plans for remediation of those issues. | |
|
|
|
|
Carol Woodbury's Bio |
|
|
|
Carol Woodbury is President and co-founder of SkyView Partners, Inc. and is the designer and architect of the SkyView Partners' products.
Carol has over 17 years in the security industry, 10 of those working the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. |
| Who is SkyView Partners? |
|
SkyView Partners Inc. is a specializes in security policy compliance management and assessment software, as well as security services for IBM System i (AS/400, iSeries)customers.
| |
|
