Tools for auditing security events and certifying compliance with regulations and standards have become part of the IT landscape—and a way to save money.
After several notorious accounting scandals around the turn of the millennium, the U.S. Congress passed laws designed to force enterprises to do what common sense should have already dictated: keep a better watch over sensitive corporate data. Ever since, IT departments everywhere have had to endure periodic minor invasions of auditors looking into how systems and data are protected, as well as looking into the age-old question of the accuracy of the accounts.
Parallel to those legal requirements is the issue of maintaining professional standards. International standards bodies and industry standards organizations have also made significant statements of expectations over the past two decades that, while not having the force of law, still represent important mandates enterprises must follow to do business.
Pertinent Requirements and Standards
Today's IT climate requires attention to five legal and four business standards, depending on the industries in which an enterprise is engaged, quickly summarized as follows.
- The U.S. Code of Federal Regulations 21 CFR Part 11 enables the U.S. Food and Drug Administration (FDA) to set guidelines on data controls and auditing of electronic records and electronic signatures for enterprises operating in FDA-regulated industries.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes legal standards in the
- The Massachusetts Law 201 CMR 17.00 is a statute protecting the privacy of personal information (e.g., name, address, social security and credit-card numbers) stored in computer systems, for which any company doing business in that state must have a written policy for securing that information.
- The Gramm-Leach-Bliley Act of 1999 (GLBA) requires protection of financial information from foreseeable data-security threats, mandates programs to test corporate information security, and expects companies to analyze their security risks.
- The Sarbanes-Oxley Act of 2002 (SOX), among other provisions, establishes standards for external auditing of financial reports.
- Basel II is a set of recommendations for banking regulatory laws issued by the Basel Committee on Banking Supervision, an international body formed by a consortium of large-economy nations that includes the
- The Control Objectives for Information and related Technology (COBIT) are best-practices recommendations originated in 1996 by the Information Systems Audit and Control Association and the IT Governance Institute, for use and control of information technology in corporate enterprises.
- The International Organization for Standards' ISO/IEC 27002 (formerly ISO 17799) prescribes standards for corporate risk assessment, data confidentiality, data-processing system access control, and business continuity, although these don't have the force of law. These were modeled on a
- The Payment Card Industry Data Security Standards (PCI DSS) are financial-data security requirements rules set by the PCI Security Standards Council. These rules affect all companies that rely on any financial transactions using credit cards, debit cards, prepaid cards, ATMs, and similar instruments.
Turning Requirements into Opportunities
The upshot is that to fulfill these legal obligations, IT departments have had to figure out how best to meet them without devoting an inordinate amount of time to providing auditors with the information necessary to prove an enterprise's compliance. Because of the complexity and number of pertinent transactions, and the need to facilitate inspection by auditors whose technical computer expertise varies widely, automation of the auditing and compliance verification process is proving critical. Unless your enterprise is quite small, manual procedures to meet these needs are inadequate.
But the need to track and verify who has had what access to your systems and data is also an opportunity. Software applications that handle auditing and compliance tasks can save time and money over any manual processes and encourage keeping a better eye on system activities by simplifying the safeguarding processes. Instead of just hoping no one's gaining unauthorized access to sensitive corporate data, but not knowing because the research is too time-consuming or technical, auditing and compliance tools make such information available for managers and executives in a few simple steps.
Software vendors have been quick to meet this need, and the System i market is no exception. There are two dozen products for the platform that can help your enterprise meet its legal and business requirements. Most focus on systems holistically, helping standardize and clarify access to all system objects, and others focus more narrowly on the aspect of securing sensitive data. But all are useful and are summarized below.
It's important to understand that auditing and compliance applications are just a subset of the wider market of security tools. The products surveyed here, with a few exceptions, don't handle such system security aspects as user authorization and authentication, file encryption, or the securing of data transmission across a network. Also, the solutions below are only those that work under i5/OS, though a few support other operating systems that can run on the System i.
Please note that the brief summaries here don't cover all the features each software product provides. You should consult the links provided for each product and contact the associated vendors for a more complete idea of what each product's capabilities include.
And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.
Auditing and Compliance Tools for System i
Dynamic Systems Solutions
Auditron400 tracks field-level data modifications on System i and helps users manage and control system security. It also provides reports and enables inquiries about changes to system values and configurations, user profiles, user authorities, and other security settings.
CXL
AZ Scan is a PC-based application that can audit and evaluate security on System i machines running i5/OS or Linux/UNIX, as well as Oracle databases. The product runs 53 security tests for i5/OS, generates reports that nontechnical auditors can read, highlights problems, and helps assure compliance with regulations and industry standards.
Bsafe Enterprise Security for IBM i
Bsafe Policy Compliance Manager
Bsafe Software Solutions
Bsafe Enterprise Security for IBM i offers application access control, user-profile management, object-authorization management, external-port access restrictions, and session-timeout and inactive-user controls. It also includes a template-based policy compliance manager, a SOX compliance kit, and auditing tools for file and application access, system journaling activities, and database changes.
Bsafe Policy Compliance Manager is a template-driven tool that helps security personnel build, document, and maintain a corporate security policy. Once a policy is in place, the product also helps users verify compliance, generate reports, and uncover elements of system security not already handled by the policy. Policy Compliance Manager also produces outputs that are friendly to outside auditors and other nontechnical readers.
Bsafe Security Assessment is an application that tests system security with realtime security penetration attacks, summarizes current security policies in effect, and highlights deviations from recommended policy settings.
Califon Systems
Califon Systems' Audit Module logs all changes to databases and system objects and lets administrators audit users, systems, and objects. It also enables analysis of audit logs.
PowerTech Group
Compliance Monitor enables audit reporting and inspection of security policy compliance with SOX, PCI, and other regulations and standards. The product provides a single console view with a GUI, multiple reporting options, the ability to see all security events within the security audit journal (QAUDJRN), audit-data compression, and the ability to schedule assessments around production jobs.
Cosyn Software
Cosyn Audit Trail/400 tracks changes made to database files on System i machines without requiring the overhead of turning on journaling. The product uses triggers instead and outputs results to physical files that users can query or use to create their own reports.
Innovatum
DataThread tracks changes to databases without requiring program changes to existing applications, notifies appropriate personnel of changes, helps centralize and automate monitoring and exception reporting for data access, and meets compliance requirements for all domestic and international regulations that require monitoring of System i data access and user activity.
KST Software
DataTrigger is a security auditing tool for System i databases based on data-trigger technology. It automatically logs data events (e.g., read, insert, change, delete), checks for unauthorized viewing or changes, and generates alerts if it detects unauthorized activity. It logs all data transactions to a data repository and blocks data actions from being carried out by unauthorized users.
DetectIT Security Manager Suite
Safestone Technologies
DetectIT Security Manager Suite is an integrated group of security products for System i. It includes
GFM Consulting
GFM Security Evaluator provides an application that can evaluate the data-security environment of a System i without requiring use of a security officer (SECOFR) profile. The product analyzes user profiles and authorities, critical-command use, object descriptions, system values, and other information.
Raz-Lee Security
iSecurity is a suite of 16 products designed to help with all facets of System i security concerns. Suite members identify security breaches, provide antivirus protection, analyze security policy, document Audit Journal (QAUDJRN) file activity, control user authorities, monitor suspicious user activities, help administer multiple System i machines, automate checks of compliance with policies and standards, provide firewalls, check password strength, mask sensitive files and fields, and address requirements for meeting regulations and standards.
NetIQ Secure Configuration Manager
NetIQ
NetIQ Secure Configuration Manager is a system-security configuration assessment and compliance-monitoring tool that helps administrators compare system security settings against regulatory and best-practice requirements. It provides reporting capabilities to satisfy legal and industry standards requirements, operates using customizable policy templates, identifies flaws, and presents data via a dashboard-style interface.
NetIQ Security Manager provides realtime monitoring of
system changes and user activity, detection of threats and
intrusions, security event management and correlation, log
management, and incident-response automation. It consolidates and logs event information from across a network (including multiplatform networks), helps satisfy legal log-retention requirements, facilitates data mining of logged data, and provides realtime alerts of violations and problems.
Cilasoft
QJRN/400 is an application that monitors System i machines for compliance with major regulations and standards (e.g., SOX, HIPAA, Basel II, PCI). It reports on changes to system values, user profiles and authorities, network attributes, and database authorization files. It also identifies interventions on sensitive fields and modifications to corporate applications made by other software.
CCSS
QMessage Monitor is an application and job-monitoring solution for System i. It filters all system messaging activities, providing a check on use of FTP and QSECOFR authority, system-value and user-profile changes, and invalid password attempts. It includes features for compliance with SOX and PCI requirements by monitoring the QAUDJRN constantly and sends alerts of administrator-defined security breaches to appropriate personnel.
S3 Control Enterprise Edition for Data Centers
Solidcore Systems
S3 Control PCI Pro is a file-integrity monitoring application for retailers using servers that run i5/OS, Linux, UNIX, or Windows. The product captures realtime transaction data, such as server name, file name, and the time, type, and content of any changes made. The solution helps users meet integrity monitoring and audit-trail requirements specified in PCI DSS sections 10 and 11.
S3 Control Enterprise Edition for Data Centers includes the functionality of Control PCI Pro, but adds database monitoring (e.g., DB2, Oracle, SQL Server) file audits, assessment of system configurations for servers, and enforcement of change policies. It also generates 40 reports in six compliance-auditing categories.
SecureSphere Data Security Suite
Imperva
SecureSphere Data Security Suite is an application and database security and auditing package. Among other features, it provides a database firewall with activity monitoring, alerts, and sensitive data access-protection. The solution's auditing features help nontechnical auditors analyze and view database activity, as well as access standard and customizable reports on security-related user activities. The product recently added DB2 monitoring for System i.
SkyView Policy Minder for IBM i
SkyView Partners
SkyView Policy Minder for IBM i automates security compliance activities by checking a variety of security settings (e.g., user profiles, libraries, objects, directories, authorization lists), documenting security policies with template-based and customized settings, generating reports about multiple aspects of security policy, and simplifying application of repairs to system parameters that are out of line with established security policy.
Bytware
Standguard Security monitors exit points and the QAUDJRN, monitors and manages system access, defines user access permissions, alerts administrators to changes in system values and profile changes, audits business asset libraries, checks system authority settings, and provides numerous reports and audit trails to enable compliance with standards, best practices, and regulations.
Tango/04 Data Monitor for iSeries
Tango/04 Computing Group
Tango/04 Data Monitor audits read, insert, update, and delete transactions performed on specific records and fields in DB2/UDB databases. It provides audit trails of all activity to satisfy
VISUAL Security Suite (VSS) lets administrators audit activities of thousands of users, all Windows servers, more than 40 System i program exit points, multiple server and device security logs, system events and settings, and changes in user authorities. It stores auditing data in a Web-based data warehouse from which users can generate reports and business-impact analyses.
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online