Some industries seem to have audits every other month and others only
once a year. Regardless of the frequency of your audits, they take up
your time and energy.
If your auditor doesn't have actual knowledge of i5/OS security,
they typically work from a "playbook" of audit points to look for
in your i5/OS security configuration. Let's look at the most common
ones.
System values
According to an auditor's playbook, system values must be set to
certain settings. But what happens when you can't set a system value
to the auditor's required setting? Answer: You write a risk acceptance
statement justifying the current setting. SkyView Risk Assessor provides
a detailed description of all security-relevant system values along
with reasons you may not be able to set the value to "best practices."
You then use these expert explanations in the risk acceptance statement
that you document in the Policy Description in SkyView Policy Minder.
This matters because another item the auditor will demand is proof that
you are (and have been) in compliance with your organization's policy.
Policy Minder compliance reports provide this proof, and you can use the
policy report to show your auditor your policy and risk acceptance statements.
User profiles
When it comes to user profile settings, I've found that auditors
are looking for the following:
No default passwords. Risk Assessor provides a report of all users with
default passwords along with each profile's status and special authorities.
This shows you the risk associated with leaving the profile
with a default password. With Policy Minder, you can create a user profile
template to look for profiles with default passwords. Running a regular
compliance check allows you to prove to the auditors that you are proactively
looking for and dealing with profiles that have default passwords.
Management of inactive profiles. Auditors want to see that profiles
that haven't been used recently are removed from the system on a timely
basis. Policy Minder allows you to automate the discovery and management
of inactive profiles. Using the FixIt function, you can use a special
template to delete profiles. Reports showing that the profiles are being
removed in the appropriate timeframe can be generated for review by
the auditor. Policy Minder also lets you document and justify the profiles
that will always be inactive but must remain on the system (e.g., group
profiles, profiles that own objects, etc.).
Special authorities. Auditors look for the assignment of excessive capabilities.
Translated: they want to know you are managing how many users have *ALLOBJ
special authority or are a member of QSECOFR. You can create user profile
templates in Policy Minder to document the users that currently have
a special authority or users who are a member of QSECOFR, then run compliance
checks on a regular basis to identify new users with either of these
assignments.
User class assignment. While I don't particularly think this is a useful
analysis, auditors seem to be hung up on profiles' user class assignment.
In other words, they want to see all end users in the *USER user class
and only a few administrator types in the *SECOFR class. (i5/OS
does not use user class to determine what someone has authority to;
that's why I think using the user class is not particularly useful.)
However, Policy Minder accommodates this auditor requirement and allows
you to see all end users that are not assigned to the appropriate user
class.
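As an added example that is not from the article or from SkyView's products, the following Python script encodes the four user-profile audit points above (default passwords, inactive profiles, *ALLOBJ or QSECOFR membership, and user class) as a compliance check over a constructed export of profile attributes. The field names, the sample profiles and the policy exceptions are assumptions; the default-password flag stands in for an ANZDFTPWD-style finding, since it cannot be derived from the attributes themselves.

```python
from datetime import date, timedelta

# Constructed sample of user profile attributes, as you might export from
# DSPUSRPRF to an outfile. Field names here are hypothetical, not IBM's
# outfile names. "default_pwd" records an ANZDFTPWD-style finding: whether
# the password equals the profile name cannot be read from the attributes.
PROFILES = [
    {"name": "QSECOFR", "cls": "*SECOFR", "groups": set(), "special": {"*ALLOBJ", "*SECADM"},
     "last_signon": date(2008, 6, 28), "default_pwd": False},
    {"name": "CWOODBURY", "cls": "*USER", "groups": set(), "special": {"*JOBCTL"},
     "last_signon": date(2008, 6, 29), "default_pwd": False},
    {"name": "JSMITH", "cls": "*USER", "groups": set(), "special": set(),
     "last_signon": date(2008, 1, 15), "default_pwd": True},
    {"name": "OPSADM", "cls": "*USER", "groups": {"QSECOFR"}, "special": set(),
     "last_signon": date(2008, 6, 20), "default_pwd": False},
    {"name": "HELPDESK", "cls": "*SECOFR", "groups": set(), "special": set(),
     "last_signon": date(2008, 6, 25), "default_pwd": False},
    {"name": "GRPACCT", "cls": "*USER", "groups": set(), "special": set(),
     "last_signon": None, "default_pwd": False},
]

# Hypothetical policy: the documented exceptions an auditor asks to see.
POLICY = {
    "inactive_days": 60,
    "documented_inactive": {"GRPACCT"},   # group/owning profiles that never sign on
    "allowed_allobj": {"QSECOFR"},        # profiles justified to hold *ALLOBJ or be in QSECOFR
    "allowed_secofr_class": {"QSECOFR"},  # profiles justified to be in the *SECOFR user class
}
AUDIT_DATE = date(2008, 6, 30)  # constructed "today" for the compliance run

def audit_profiles(profiles, policy, today):
    # Returns (profile, finding) pairs for the four audit points, in profile order.
    cutoff = today - timedelta(days=policy["inactive_days"])
    findings = []
    for p in profiles:
        n = p["name"]
        if p["default_pwd"]:
            findings.append((n, "default password"))
        # A profile that has never signed on counts as inactive unless documented.
        never_or_stale = p["last_signon"] is None or p["last_signon"] < cutoff
        if never_or_stale and n not in policy["documented_inactive"]:
            findings.append((n, "inactive"))
        if ("*ALLOBJ" in p["special"] or "QSECOFR" in p["groups"]) and n not in policy["allowed_allobj"]:
            findings.append((n, "excessive authority"))
        if p["cls"] == "*SECOFR" and n not in policy["allowed_secofr_class"]:
            findings.append((n, "user class"))
    return findings

def run_audit():
    return audit_profiles(PROFILES, POLICY, AUDIT_DATE)
```

Each finding is something the auditor will want either fixed or covered by a documented exception; the exception sets are where those justifications live.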
Object Authorities
I typically see the requirement to have restricted access to files
containing private information from internal auditors or Payment Card
Industry (PCI) auditors. Translated: i5/OS database files containing
private information (health care information, SSNs or SINs, bank account
numbers or cardholder data) must be set to *PUBLIC *EXCLUDE. Whether
the requirement is to secure a library, a directory, a specific file or a
set of files, you can set up a library or directory authority template
to monitor compliance with these types of audit requirements.
Independent assessment
You can use Risk Assessor to fulfill an auditor's requirement that
you have an expert, independent assessment of your system. Risk Assessor
examines over 100 areas of i5/OS security settings (including object
authorities, user profiles, TCP/IP configuration, file shares, system
values and more) and compares them to industry best practices. It describes
the issues, providing enough information for you to determine whether
the risk applies to your organization and if it does, tips for remediating
the issue.
Carol's Tech Tip
Your next audit is fast approaching. You want to make sure you're prepared,
but you don't have the time or expertise to perform a thorough assessment
of your i5/OS systems. SkyView Security Check-up is a service that takes
the burden off you of determining the risks associated with your i5/OS
security configuration. Using SkyView's expertise, we provide you with
a detailed explanation of the issues discovered by running Risk Assessor
and a summary of the recommended action plans for remediation of those
issues.
SkyView Partners Solutions
- With Risk Assessor you get comprehensive, easy-to-understand,
easy-to-produce and unbiased diagnostic reports that quite frankly
no other product in the marketplace will produce.
- With Policy Minder, you take the time out of managing and
fixing the implementation details of your security policy,
as well as taking the guesswork out of your security compliance
status.
About the author
Carol Woodbury spent 16 years with IBM in Rochester, MN. She served
for more than 10 years as the AS/400 Security Architect and Chief
Engineering Manager of Security Technology for IBM's Enterprise Server
Group. During this time Carol provided security architecture and design
consultations with IBM Business Partners and large AS/400 customers.
She is known worldwide as an author and speaker on security technology,
specializing in OS/400 and i5/OS security issues. Carol co-authored
the popular book, Experts' Guide to OS/400 and i5/OS Security from
29th Street Press, has written numerous articles on security and is a
technical editor for IBM Systems Magazine. Carol is also a subject matter
expert on security for COMMON, security author for Experts Journal,
contributing author on security for System iNEWS and MC Press Online and
the security expert for search400.