These Uncertain Times 
Greetings!
 
It's been an interesting year, hasn't it?  I don't know about you but last January I never would have predicted most of the events of 2008!  It seems as though the topic on most people's minds is the state of the world economy.  So how does the economy affect the world of security and compliance?   Whether your organization has experienced significant cuts or is simply conserving, everyone is being required to do more with less, and that has a tendency to affect morale.  When morale is lowered and the realities of an economic slowdown are also factored in, the risks to your organization's data are increased.  In uncertain times, workers are more likely to exploit system vulnerabilities or fall prey to schemes for obtaining private or company-confidential information and selling it.  Or they may fall into financial trouble and find ways to blatantly steal from the company.   Please don't put your head in the sand and think that this can't happen to your organization.  I've recently seen it happen in areas where I would have least suspected it. 
 
So at the end of this rather tumultuous year, I thought I'd provide five tips for protecting your organization:
 
#1:  Do a risk assessment
Find out where your systems' vulnerabilities are.  You may think that you are aware of any or all issues on your systems, but without a full risk assessment, you won't know for sure.  I say this because when SkyView Partners reviews the results of the risk assessments performed through our Security Check-up Service, most have at least one item that is a surprise - even to the most security-conscious teams.  A thorough security assessment allows you to understand the issues, assess the risk to your organization and apply your limited resources appropriately.   
 
#2:  Get rid of inactive profiles
While I see this issue getting addressed more frequently, many organizations have profiles on their systems that have not been active in years.  I usually see some of the profiles whose status is disabled, but there are always some, if not a large number, whose status is enabled.  Worse, some profiles have *ALLOBJ or other special authorities and some even have default passwords.  Even if profiles are disabled, they could easily become enabled - accidentally or on purpose.  Removing inactive profiles removes the possibility that the profile could be used to exploit its authorities and capabilities. 
 
#3:  Manage passwords
Passwords are one of those areas of security that require trade-offs.  Requiring passwords to be too complex will often lead to users writing them down.  But weak passwords can be easily guessed.  My minimum password composition rule recommendations are to require a digit, a minimum length of 7 and a change every 60 - 90 days.  One area I often see exploited is where administrators have set their passwords to never expire.  This is absolutely not appropriate.  In fact, administrator or other profiles with *ALLOBJ special authority should be required to change their passwords more frequently - such as every 30 days.  This limits the window in which a guessed password can be used to exploit the profile.  Finally, make it part of your security policy that users should not share passwords.  Accountability is lost when multiple users sign on to the same profile.
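Tips #2 and #3 can be turned into a repeatable check.  The script below is an added example, not SkyView code or any IBM i API: it applies the rules above (inactive profiles, inactive profiles still enabled or holding *ALLOBJ, passwords that never expire, *ALLOBJ profiles rotating slower than 30 days) to a constructed list of profile attributes.  The profile names and dates are invented, the 90-day inactivity threshold is an assumption, and the attribute shape is one you could assemble from DSPUSRPRF output.

```python
from datetime import date

# Constructed sample (all names and dates invented), one tuple per profile:
# name, status, last sign-on date, special authorities, PWDEXPITV value.
SAMPLE_PROFILES = [
    ("QSECOFR",   "*ENABLED",  date(2008, 12, 1),  {"*ALLOBJ", "*SECADM"}, "*NOMAX"),
    ("OLDCLERK",  "*ENABLED",  date(2005, 3, 14),  set(),                  "*SYSVAL"),
    ("EXCONSULT", "*ENABLED",  date(2006, 7, 2),   {"*ALLOBJ"},            "*NOMAX"),
    ("RETIRED1",  "*DISABLED", date(2004, 1, 9),   {"*ALLOBJ"},            "*SYSVAL"),
    ("PAYROLL",   "*ENABLED",  date(2008, 12, 10), set(),                  "60"),
]

def effective_interval(pwd_exp, sysval_interval):
    """Resolve a PWDEXPITV value to days, or None when the password never expires."""
    if pwd_exp == "*NOMAX":
        return None
    if pwd_exp == "*SYSVAL":
        return sysval_interval          # profile follows the system-wide interval
    return int(pwd_exp)

def audit_profiles(profiles, today, inactive_days=90, sysval_interval=90, allobj_max=30):
    """Return {profile: sorted finding codes}.  inactive_days is an assumed threshold;
    sysval_interval stands in for the system password expiration interval."""
    findings = {}
    for name, status, last_signon, special, pwd_exp in profiles:
        issues = set()
        if (today - last_signon).days > inactive_days:
            issues.add("INACTIVE")                       # tip #2: candidate for removal
            if status == "*ENABLED":
                issues.add("INACTIVE_STILL_ENABLED")     # tip #2: usable right now
            if "*ALLOBJ" in special:
                issues.add("INACTIVE_WITH_ALLOBJ")       # tip #2: worst case
        interval = effective_interval(pwd_exp, sysval_interval)
        if interval is None:
            issues.add("PASSWORD_NEVER_EXPIRES")         # tip #3: never appropriate
        elif "*ALLOBJ" in special and interval > allobj_max:
            issues.add("ALLOBJ_INTERVAL_TOO_LONG")       # tip #3: 30 days for *ALLOBJ
        if issues:
            findings[name] = sorted(issues)
    return findings

def audit_sample(today=date(2008, 12, 15)):
    """Run the audit over the constructed sample as of an assumed review date."""
    return audit_profiles(SAMPLE_PROFILES, today)

if __name__ == "__main__":
    for prf, codes in audit_sample().items():
        print(prf, ", ".join(codes))
```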
 
#4:  Secure your data appropriately
A recent report from Symantec states that the market for selling credit card and other financial information has reached $276 million.   Within your organization you should view any database file containing private information such as social security number, social insurance number, bank account, credit card or other personal information as a target for identity theft and review who has access to those files.  If they aren't already set to the PCI's requirement of "deny by default" they need to be.  You'll want to first understand what processes need access to this information, grant authority to that handful of profiles and block everyone else by setting *PUBLIC to *EXCLUDE.
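The "deny by default" sequence above (identify the processes that need the file, grant those profiles authority, then set *PUBLIC to *EXCLUDE) can be planned before anyone touches the system.  The planner below is an added example, not SkyView code: it compares a constructed authority picture for one file (invented library, file and profile names) against an assumed list of approved process profiles and emits the findings together with the GRTOBJAUT/RVKOBJAUT commands that would correct them, with the *PUBLIC change last so approved processes are never locked out mid-change.

```python
# Constructed authority picture for one file holding card data (all names invented),
# in the shape a DSPOBJAUT listing would show: one entry per user plus *PUBLIC.
SAMPLE_AUTHORITY = {
    "object": "PRODLIB/CARDMAST", "type": "*FILE",
    "entries": {"*PUBLIC": "*USE", "BILLING": "*CHANGE", "QSECOFR": "*ALL",
                "TEMPUSR": "*USE", "REPORTER": "*USE"},
}
# Assumed outcome of the "which processes need this data" review.
APPROVED = {"BILLING": "*CHANGE", "REPORTER": "*USE"}
# Profiles that own or administer the object and are left alone by this planner.
EXEMPT = {"QSECOFR"}

def plan_deny_by_default(auth, approved, exempt=EXEMPT):
    """Return (findings, commands) that move one object to *PUBLIC *EXCLUDE with
    only the approved profiles holding private authority."""
    obj, otype, entries = auth["object"], auth["type"], auth["entries"]
    findings, cmds = [], []

    def cmd(verb, user, aut):
        return "%s OBJ(%s) OBJTYPE(%s) USER(%s) AUT(%s)" % (verb, obj, otype, user, aut)

    # 1. Make sure every approved process already has exactly what it needs.
    for user, aut in sorted(approved.items()):
        current = entries.get(user)
        if current is None:
            findings.append("%s needs %s but has no private authority" % (user, aut))
            cmds.append(cmd("GRTOBJAUT", user, aut))
        elif current != aut:
            findings.append("%s has %s, approved for %s" % (user, current, aut))
            cmds.append(cmd("RVKOBJAUT", user, "*ALL"))   # authorities are additive,
            cmds.append(cmd("GRTOBJAUT", user, aut))      # so reset before re-granting
    # 2. Remove private authority from everyone who is not an approved process.
    for user, aut in sorted(entries.items()):
        if user == "*PUBLIC" or user in exempt or user in approved:
            continue
        findings.append("%s has %s but is not an approved process" % (user, aut))
        cmds.append(cmd("RVKOBJAUT", user, "*ALL"))
    # 3. Only now block everyone else.
    if entries.get("*PUBLIC", "*EXCLUDE") != "*EXCLUDE":
        findings.append("*PUBLIC is %s, not *EXCLUDE" % entries["*PUBLIC"])
        cmds.append(cmd("GRTOBJAUT", "*PUBLIC", "*EXCLUDE"))
    return findings, cmds

if __name__ == "__main__":
    for line in plan_deny_by_default(SAMPLE_AUTHORITY, APPROVED)[1]:
        print(line)
```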
 
#5:  Educate your organization
One of your biggest lines of defense is your employee base.  Rather than trying to protect data and your organization's reputation with just a small team of computer security professionals, why not mobilize your entire workforce?  This is the time to educate your workforce on how to recognize suspicious behavior, when to become concerned about it, and what constitutes theft and fraud.  You'll also want to create an anonymous way to report suspicious activity.  Other areas of education include appropriate disposal of confidential and private information (e.g., shredding reports), what type of data is allowed on hand-held devices, encryption requirements, etc.
  
How SkyView Partners can Help
It's a given that everyone has to do more with less.  One way we can help is to have SkyView Partners Inc. perform a Security Check-up that includes a security assessment of your IBM i systems.  Let us be the experts so that you don't have to spend your valuable time poring through data and developing security skills.  In addition, SkyView's Policy Minder product has a proven ROI (Return on Investment) for reducing the cost and the time it takes you to manage compliance requirements and perform security administration tasks. 
 
Our mission for 2009 is to deliver security compliance products and services that will save you time and reduce the costs and complexities of attaining and maintaining compliance.
 
Christmas Greetings
Even though the economy is causing uncertainties, there are things we can be certain of - the love of family and friends, and our faith.  We recognize that each culture and faith celebrates different holidays now and throughout the year, and we wish everyone holiday greetings.  We, at SkyView Partners, would like to extend to you the joys, blessings and hope we receive at this time of year as we celebrate Christmas and the birth of our Savior, Jesus Christ. 
 
Sincerely,
 
Carol Woodbury, President 
SkyView Partners, Inc.
 

SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance.