Attaining and maintaining compliance europe
COMMON Europe Congress 2012 - Vienna

    Document Transcript

    Carol Woodbury (@carolwoodbury), President and Co-Founder, SkyView Partners, Inc., www.skyviewpartners.com
    © SkyView Partners, Inc., 2012. All Rights Reserved.
    • www.skyviewpartners.com  Be pro-active  Areas that are often out of compliance ◦ Automation opportunities  Items requiring regular review  Preparing for the next audit (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 3 Be Pro-active © SkyView Partners, Inc, 2012 All Rights Reserved. www.skyviewpartners.com 4@SkyView Partners, Inc, 2012. All Rights Reserved. 2
    • www.skyviewpartners.com  Read the business page of national and local newspapers  Read publications from your organization’s vertical industry  Listen to webcasts, read magazines, online forums, newsletters and articles for i5/OS-specific information ◦ SkyView Partners has regular webinars  http://www.skyviewpartners.com/lawsandregs.php ◦ Examples:  PCI Data Security Standards  EU Data Privacy Laws  SOX  J-SOX  BASEL III  Privacy Laws: Korea, PIPEDA, The Companies Bill (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 5  Implement security best practices wherever possible  Document the areas where best practices isn’t possible  Engage your development group (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 6@SkyView Partners, Inc, 2012. All Rights Reserved. 3
    • www.skyviewpartners.com  Start with an assessment  Prioritize the list of issues  Document your plans for remediation (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 7  Security standard ◦ BS7799 -> ISO17799 -> ISO/IEC27001:2005  www.iso.org  CobiT ◦ Process for analyzing risk in IT  www.isaca.org  Payment Card Industry ◦ Data Security Standards  http://www.skyviewpartners.com/java-skyviewp/visa.jsp  IBM i and i5/OS: ◦ IBM i Security Administration and Compliance by Carol Woodbury, 2012, available from www.amazon.com or MCPress Store ◦ iSeries Security Reference manual ◦ www.skyviewpartners.com (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com@SkyView Partners, Inc, 2012. All Rights Reserved. 4
    Areas that are Often Out of Compliance – Automation Opportunities
    • www.skyviewpartners.com  May be changed to enable a function and never set back.  Vendors may modify a value when installing their product. (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com  Default passwords  Inactive users  Special authority assignment  Group membership (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com@SkyView Partners, Inc, 2012. All Rights Reserved. 6
    • www.skyviewpartners.com  ANZDFTPWD – Analyze default passwords  Change the CRTUSRPRF command default as well as your user profile creation process so that profiles are never created with a default password. (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com Step 1 - Set profiles to Status *DISABLED  In V7R1, use the profile expiration attribute on CRT/CHGUSRPRF  Use IBM SECTOOLS  2. Display active profile list (list of omitted profiles)  3. Change active profile list (to omit profiles from being set to Status *DISABLED)  4. Analyze profile activity (scheduled job runs daily to set profiles to *DISABLED. Sends message to message queue of user running the menu option.)  Write your own – ◦ key is to look at the right dates -  Last used (vs Last sign on)  Creation  Restore ◦ DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS) and join with DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS2)  Use a vendor product such as SkyView Policy Minder  Note: If you perform a roll-swap, need to stop the automatic disabling of profiles. Step 2 – Delete profiles  Must be done manually (i5/OS provides no automatic delete) (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com@SkyView Partners, Inc, 2012. All Rights Reserved. 7
    • www.skyviewpartners.com  Profiles are typically copied.  Recommend: ◦ Developing role-based access implemented via group profiles ◦ Copy a template rather than another user’s profile (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com  Recommend that group membership be reviewed at least annually  DSPUSRPRF USRPRF(SUPERGROUP) TYPE(*GRPMBR) OUTPUT(*PRINT)  DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT) (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 16@SkyView Partners, Inc, 2012. All Rights Reserved. 8
    Access to files containing private data, or programs performing critical actions such as decrypting, needs to be reviewed for appropriate:
      • Default access (*PUBLIC authority)
      • Additional private authorities
      • Authorization list assignment
      • Ownership
      • Adopted authority settings (programs / service programs)

    Critical files in libraries
      • Authority to files containing:
        ◦ Card holder data
        ◦ HR information
        ◦ HIPAA data
        ◦ Confidential data belonging to your organization
    and in the IFS
      • Authority to directories and files containing:
        ◦ Payroll information
        ◦ Credit card transactions
    and don't forget to review authorization lists
    • www.skyviewpartners.com  Review authorities - *PUBLIC and private – are they appropriate? ◦ Use DSPAUTL AUTL(autl_name) OUTPUT(*PRINT) or ◦ DSPAUTL AUTL(autl_name) OUTPUT(*OUTFILE)  Review objects secured by the authorization list ◦ Use DSPAUTLOBJ AUTL(autl_name) OUTPUT(*PRINT) or ◦ DSPAUTLOBJ AUTL(autl_name) OUTPUT(*OUTFILE) ◦ (Note: Prior to V6R1, DSPAUTLOBJ locks all of the objects secured by the authorization list. It’s best to run this command when users are not attempting to run the application.) (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com Prepare to Review these Annually © SkyView Partners, Inc, 2012 All Rights Reserved. www.skyviewpartners.com 20@SkyView Partners, Inc, 2012. All Rights Reserved. 10
    Review annually to ensure it addresses:
      • New technology
      • Mergers and acquisitions
      • Requirements from new laws or regulations

    The typical thought is "it's not going to happen to us", therefore no plan is in place.
      • If a plan is in place, it needs to be reviewed to ensure:
        ◦ New threats are accounted for
        ◦ New incident techniques are documented
        ◦ Contacts are updated -> consider a retainer with a company that specializes in investigating incidents
    The program needs to be reviewed to ensure:
      • Employee policy issues are communicated
      • Awareness is raised about new threats
      • Requirements from new laws and regulations are communicated

      • Verify documentation follows what is actually done
        ◦ It is worse to have an inaccurate document than no document at all
      • Get rid of documentation for processes that are no longer followed
      • Ensure appropriate processes are documented
    • www.skyviewpartners.com  Encryption keys ◦ Who has responsibility for managing keys?  What happens if they leave the company? ◦ Do you have a process in place for a) regularly changing keys b) changing keys on an emergency basis?  Is all data encrypted that should be encrypted? ◦ Backups (get out of notification requirement of many state breach notification laws) ◦ Private data (California breach now includes healthcare) ◦ On PCs – Massachusetts requires private data on mobile devices to be encrypted (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com Prepare for the Next Audit © SkyView Partners, Inc, 2012 All Rights Reserved. www.skyviewpartners.com 26@SkyView Partners, Inc, 2012. All Rights Reserved. 13
    • www.skyviewpartners.com  Arrival won’t be as frantic if systems are perpetually in compliance.  Be prepared for their arrival by ◦ Updating policies and procedures  Document exceptions! ◦ Have work plans ready for known issues not yet addressed ◦ Keeping records proving that you’ve been checking compliance ◦ Providing the information they’ve requested prior to the audit ◦ Addressing previous audit findings (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com  What changes did you have to make? ◦ System values ◦ User profile settings  Reduce special authorities  Remove inactive profiles ◦ Authorities  Database files  IFS directories (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 28@SkyView Partners, Inc, 2012. All Rights Reserved. 14
    • www.skyviewpartners.com  What reports did you have to generate? ◦ System values ◦ User profile settings ◦ Authorities (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 29  How can you automate these activities? Benefits:  Stop putting so much effort prior to an audit  Perpetual compliance  Potential for being more secure (c) SkyView Partners, Inc., 2012. All Rights Reserved www.skyviewpartners.com 30@SkyView Partners, Inc, 2012. All Rights Reserved. 15
    It's a lifestyle

    SkyView Partners – provider of security administration and compliance software, services and solutions. www.skyviewpartners.com. Reach us at: info@skyviewpartners.com