Attaining and maintaining compliance europe

www.skyviewpartners.com

Carol Woodbury
@carolwoodbury
President and Co-Founder
SkyView Partners, Inc

www.skyviewpartners.com 1

© SkyView Partners, Inc, 2012
All Rights Reserved. www.skyviewpartners.com 2

@SkyView Partners, Inc, 2012. All Rights Reserved. 1


 Be pro-active
 Areas that are often out of compliance
◦ Automation opportunities
 Items requiring regular review
 Preparing for the next audit

(c) SkyView Partners, Inc.,
2012. All Rights Reserved www.skyviewpartners.com 3

Be Pro-active




 Read the business page of national and local newspapers
 Read publications from your organization’s vertical industry
 Listen to webcasts, read magazines, online forums,
newsletters and articles for i5/OS-specific information
◦ SkyView Partners has regular webinars
 http://www.skyviewpartners.com/lawsandregs.php
◦ Examples:
 PCI Data Security Standards
 EU Data Privacy Laws
 SOX
 J-SOX
 BASEL III
 Privacy Laws: Korea, PIPEDA, The Companies Bill


 Implement security best practices wherever possible
 Document the areas where best practices isn’t
possible
 Engage your development group




 Start with an assessment
 Prioritize the list of issues
 Document your plans for remediation


 Security standard
◦ BS7799 -> ISO17799 -> ISO/IEC27001:2005
 www.iso.org
 CobiT
◦ Process for analyzing risk in IT
 www.isaca.org
 Payment Card Industry
◦ Data Security Standards
 http://www.skyviewpartners.com/java-skyviewp/visa.jsp
 IBM i and i5/OS:
◦ IBM i Security Administration and Compliance by Carol Woodbury, 2012, available
from www.amazon.com or MCPress Store

◦ iSeries Security Reference manual
◦ www.skyviewpartners.com

2012. All Rights Reserved www.skyviewpartners.com



(c) SkyView Partners, Inc., 2012.
All Rights Reserved www.skyviewpartners.com 9

Areas that are Often Out of Compliance –
Automation Opportunities




 May be changed to enable a function and never set
back.
 Vendors may modify a value when installing their
product.


 Default passwords
 Inactive users
 Special authority assignment
 Group membership




 ANZDFTPWD – Analyze default passwords
 Change the CRTUSRPRF command default as well as your user
profile creation process so that profiles are never created
with a default password.


Step 1 - Set profiles to Status *DISABLED
 In V7R1, use the profile expiration attribute on CRT/CHGUSRPRF
 Use IBM SECTOOLS
 2. Display active profile list (list of omitted profiles)
 3. Change active profile list (to omit profiles from being set to Status *DISABLED)
 4. Analyze profile activity (scheduled job runs daily to set profiles to *DISABLED.
Sends message to message queue of user running the menu option.)
 Write your own –
◦ key is to look at the right dates -
 Last used (vs Last sign on)
 Creation
 Restore
◦ DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS)
and join with
DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS2)
 Use a vendor product such as SkyView Policy Minder
 Note: If you perform a roll-swap, need to stop the automatic disabling of profiles.

Step 2 – Delete profiles
 Must be done manually (i5/OS provides no automatic delete)




 Profiles are typically copied.
 Recommend:
◦ Developing role-based access implemented via group profiles
◦ Copy a template rather than another user’s profile


 Recommend that group membership be reviewed at
least annually

 DSPUSRPRF USRPRF(SUPERGROUP) TYPE(*GRPMBR) OUTPUT(*PRINT)

 DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

(c) SkyView Partners, Inc., 2012. All
Rights Reserved www.skyviewpartners.com 16



Access to files containing private data or programs performing
critical actions such as de-crypting need to be reviewed for
appropriate:
 Default access (*PUBLIC authority)
 Additional private authorities

 Authorization list assignment
 Ownership
 Adopted authority settings (programs / service programs)


Critical files in libraries
 Authority to files containing:
◦ Card holder data
◦ HR information
◦ HIPAA data
◦ Confidential data belonging to your organization

and in the IFS
 Authority to directories and files containing:
◦ Payroll information
◦ Credit card transactions

and don’t forget to review authorization lists




 Review authorities - *PUBLIC and private – are they
appropriate?
◦ Use DSPAUTL AUTL(autl_name) OUTPUT(*PRINT) or
◦ DSPAUTL AUTL(autl_name) OUTPUT(*OUTFILE)

 Review objects secured by the authorization list
◦ Use DSPAUTLOBJ AUTL(autl_name) OUTPUT(*PRINT) or
◦ DSPAUTLOBJ AUTL(autl_name) OUTPUT(*OUTFILE)
◦ (Note: Prior to V6R1, DSPAUTLOBJ locks all of the objects secured by
the authorization list. It’s best to run this command when users are not
attempting to run the application.)


Prepare to Review these Annually




Review annually to ensure it addresses:
 New technology

 Mergers and acquisitions

 Requirements from new laws or regs


Typical thought is – it’s not going to happen to us –
therefore – no plan is in place. 
If a plan is in place, it needs to be reviewed to ensure:
 New threats are accounted for

 New incident techniques are documented

 Contacts are updated

-> Consider a retainer with a company that specializes in
investigating incidents




Program needs to be reviewed to ensure:
 Employee policy issues are communicated

 Awareness is raised about new threats

 Requirements from new laws and regs are
communicated


 Verify documentation follows the what is actually done
◦ Worse to have an inaccurate document than no document at
all
 Get rid of documentation for processes that are no
longer followed
 Ensure appropriate processes are documented




 Encryption keys
◦ Who has responsibility for managing keys?
 What happens if they leave the company?
◦ Do you have a process in place for a) regularly changing keys
b) changing keys on an emergency basis?
 Is all data encrypted that should be encrypted?
◦ Backups (get out of notification requirement of many state
breach notification laws)
◦ Private data (California breach now includes healthcare)
◦ On PCs – Massachusetts requires private data on mobile
devices to be encrypted


Prepare for the Next Audit




 Arrival won’t be as frantic if systems are perpetually in
compliance.
 Be prepared for their arrival by
◦ Updating policies and procedures
 Document exceptions!
◦ Have work plans ready for known issues not yet addressed
◦ Keeping records proving that you’ve been checking
compliance
◦ Providing the information they’ve requested prior to the audit
◦ Addressing previous audit findings


 What changes did you have to make?
◦ System values
◦ User profile settings
 Reduce special authorities
 Remove inactive profiles
◦ Authorities
 Database files
 IFS directories




 What reports did you have to generate?
◦ System values
◦ User profile settings
◦ Authorities


 How can you automate these activities?

Benefits:
 Stop putting so much effort prior to an audit

 Perpetual compliance

 Potential for being more secure




It’s a lifestyle

(c) SkyView Partners, Inc., 2012.
All Rights Reserved www.skyviewpartners.com

SkyView Partners – provider of security administration and compliance
software, services and solutions


Reach us at:
info@skyviewpartners.com



Attaining and maintaining compliance europe

Recommended

Recommended

More Related Content

Similar to Attaining and maintaining compliance europe

Similar to Attaining and maintaining compliance europe (20)

More from COMMON Europe

More from COMMON Europe (20)

Recently uploaded

Recently uploaded (20)

Attaining and maintaining compliance europe