Partner TechTip: Oh No! Another Audit! PDF Print E-mail
Tips & Techniques - Security
Written by Carol Woodbury   
Thursday, 25 October 2007 18:00

Article Sponsor

SkyView Partners, Inc.
Address
25563 SE 41st Court, Issaquah, WA, USA, 98029
Phone
425-458-4975
E-mail
Website
http://www.mcpressonline.net/buyers-guide/companies/skyview-partners-inc./visit.html
Products

 

 

 

System Values

According to an auditor's playbook, system values must be set to certain settings. But what happens when you can't set a system value to the auditor's required setting? Answer: You write a risk-acceptance statement justifying the current setting. SkyView Risk Assessor provides a detailed description of all security-relevant system values along with reasons you may not be able to set the value to "best practices." You then use these expert explanations in your risk-acceptance statement, which is part of your Policy Description in SkyView Policy Minder. Auditors will demand proof that you are (and have been) in compliance with your organization's policy, and Policy Minder compliance reports provide this proof.

User Profiles

When it comes to user profile settings, auditors often expect policies to document the following:

  • No default passwords—Risk Assessor provides a report of all users with default passwords along with the profile's special authorities. This identifies the risk associated with leaving the profile with a default password. With Policy Minder, you can create a user-profile template to look for profiles with default passwords. Running a regular compliance check allows you to prove to auditors that you are proactively looking for and dealing with profiles that have default passwords.
  • Management of inactive profiles—Auditors want to see that profiles that haven't been used recently are removed from the system on a timely basis. Policy Minder allows you to automate the discovery and management of inactive profiles. Using the FixIt function, you can use a special template to delete profiles. Reports showing that the profiles are being removed in the appropriate timeframe can be generated for auditors to review. Policy Minder also lets you document and justify the profiles that will always be inactive but must remain on the system (e.g., group profiles, profiles that own objects, etc.).
  • Special authorities—Auditors look for the assignment of excessive capabilities. Translated: They want to know you are managing the number of users who have *ALLOBJ special authority or are a member of QSECOFR. You can create user profile templates in Policy Minder to document the users that currently have a special authority or users who are a member of QSECOFR and then run compliance checks on a regular basis to identify new users with either of these assignments.
  • User class assignment—Auditors want all users to be in the *USER class and only a few administrators to be in the *SECOFR class. Policy Minder accommodates this auditor requirement and allows you to see all users that are assigned to inappropriate user classes.

Object Authorities

Internal auditors and Payment Card Industry (PCI) auditors typically require restricted access to files containing private information. Translated: i5/OS database files containing private information (healthcare information, SSNs or SINs, bank account numbers, or cardholder data) must be set to *PUBLIC *EXCLUDE. Whether the requirement is to secure a library, a directory, a specific file, or a set of files, you can set a library or directory authority template to monitor compliance with these types of audit requirements.

Independent Assessment

You can use Risk Assessor to fulfill an auditor's requirement that you have an expert, independent assessment of your system. Risk Assessor examines over 100 areas of i5/OS security settings (including object authorities, user profiles, TCP/IP configuration, file shares, system values, and more) and compares them to industry best practices. It describes the issues, providing enough information for you to determine whether the risk applies to your organization and, if it does, tips for remediating the issue.

We Can Help

Your next audit is fast approaching. You want to be prepared, but you don't have the time or expertise to perform a thorough assessment of your i5/OS systems. SkyView Security Check-up is a service that takes the burden off you to determine the risks associated with the i5/OS security configuration. SkyView provides you with a detailed explanation of the issues discovered by running Risk Assessor and a summary of the recommended action plans for remediation of those issues.


Carol Woodbury
About the Author:
Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing in security policy compliance and assessment software as well as security services. Carol is the former Chief Security Architect for AS/400 for IBM in Rochester, Minnesota , and has specialized in security architecture, design, and consulting since 1990. Carol speaks around the world on a variety of security topics and is coauthor of the book Experts' Guide to OS/400 & i5/OS Security

 

Read More >>

< Prev   Next >
 
MC Press Web Site Staff
** This thread discusses the Content article: Partner TechTip: Oh No! Another Audit!0
raymondrhyno
This product from Carol is not only the best product its also has a very fair price tag associated with it. After all - has anyone taken a look at the price tags on some of the other products. Products that do nothing more than what your i5/OS does already under the cover and you already purchased. Carol\'s product strong piont is it gives a consistent set of reports for Audits everytime. No matter how many times we say we have a secure system the Auditors want a third party telling from the system is secure. Carols product is what is needed to backup your claims and adds the added bit of information needed for Auditors. We know the i5/OS is the best - Carols product gives the added proof others need.
Please login to make comments.
User Rating: / 0
PoorBest 
   MC-STORE.COM