3. www.skyviewpartners.com
Read the business page of national and local newspapers
Read publications from your organization’s vertical industry
Listen to webcasts, read magazines, online forums, newsletters and articles for i5/OS-specific information
◦ SkyView Partners has regular webinars
http://www.skyviewpartners.com/lawsandregs.php
◦ Examples:
PCI Data Security Standards
EU Data Privacy Laws
SOX
J-SOX
BASEL III
Privacy Laws: Korea, PIPEDA, The Companies Bill
(c) SkyView Partners, Inc.,
2012. All Rights Reserved www.skyviewpartners.com 5
Implement security best practices wherever possible
Document the areas where best practices aren't possible, and why
Engage your development group
Start with an assessment
Prioritize the list of issues
Document your plans for remediation
Security standards
◦ BS 7799 -> ISO/IEC 17799 -> ISO/IEC 27001:2005 (the ISO/IEC 17799 control catalogue was renumbered ISO/IEC 27002 in 2007)
www.iso.org
COBIT
◦ ISACA's framework for governing and controlling IT, including the analysis of IT risk
www.isaca.org
Payment Card Industry
◦ Data Security Standard (PCI DSS)
http://www.skyviewpartners.com/java-skyviewp/visa.jsp
IBM i and i5/OS:
◦ IBM i Security Administration and Compliance by Carol Woodbury, 2012, available from www.amazon.com or the MC Press store
◦ IBM i Security Reference manual (formerly the iSeries Security Reference)
◦ www.skyviewpartners.com
Areas that are Often Out of Compliance – Automation Opportunities
System values
◦ May be changed to enable a function and never set back.
◦ Vendors may modify a system value when installing their product.
Default passwords
Inactive users
Special authority assignment
Group membership
ANZDFTPWD – Analyze default passwords (profiles whose password is the profile name)
Change the CRTUSRPRF command default (the PASSWORD parameter defaults to *USRPRF, i.e. the profile name) as well as your user profile creation process so that profiles are never created with a default password.
Step 1 - Set profiles to STATUS(*DISABLED)
In V7R1, use the profile expiration attributes (USREXPDATE / USREXPITV) on CRT/CHGUSRPRF
Use the IBM SECTOOLS menu:
◦ Option 2 - Display active profile list (the list of omitted profiles)
◦ Option 3 - Change active profile list (omit profiles from being set to STATUS(*DISABLED))
◦ Option 4 - Analyze profile activity (a scheduled job runs daily to set inactive profiles to *DISABLED and sends a message to the message queue of the user who ran the menu option)
Write your own:
◦ The key is to look at the right dates:
Last used (not last sign-on: batch and service profiles never sign on but are used every day)
Creation
Restore
◦ DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS)
and join with
DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS2)
Use a vendor product such as SkyView Policy Minder
Note: if you perform a roll-swap, stop the automatic disabling of profiles first; last-used dates on the system you swap to do not reflect production activity.
Step 2 - Delete profiles
Must be done manually (i5/OS provides no automatic delete)
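The "write your own" approach above, as an added example that is not SkyView's or IBM's code: it joins records shaped like the two outfiles the slide produces and applies the date rule (most recent of last-used, creation and restore, never last sign-on). The field names (UPUPRF, UPSTAT, UPPREV, ODUDAT, ODCDAT, ODRDAT), the 90-day threshold, the omit list and the assumption that dates have already been normalised to yyyy-mm-dd (the real outfiles use job-date formats) are all assumptions for illustration; every record is constructed sample data.

```python
"""Inactive-profile analysis: which profiles to set to STATUS(*DISABLED).

Added example, not SkyView's or IBM's code. Field names mirror the
DSPUSRPRF / DSPOBJD *OUTFILE rows only by assumption; dates are assumed
to be ISO yyyy-mm-dd. All records are constructed sample data.
"""
from datetime import date
from typing import Optional

INACTIVE_DAYS = 90   # assumed policy threshold

# the "active profile list": profiles that must never be disabled automatically
OMIT = {"QSECOFR", "QSYS", "QSYSOPR", "QPGMR", "QUSER", "QSRV", "QSRVBAS", "QTCP"}

# constructed DSPUSRPRF-style rows: name, status, previous sign-on
USRPRF = [
    {"UPUPRF": "QSECOFR",  "UPSTAT": "*ENABLED",  "UPPREV": "2011-01-05"},
    {"UPUPRF": "CJW",      "UPSTAT": "*ENABLED",  "UPPREV": "2012-05-01"},
    {"UPUPRF": "TEMP01",   "UPSTAT": "*ENABLED",  "UPPREV": ""},   # created, never signed on
    {"UPUPRF": "OLDAPP",   "UPSTAT": "*ENABLED",  "UPPREV": "2011-02-10"},
    {"UPUPRF": "BATCHSVC", "UPSTAT": "*ENABLED",  "UPPREV": ""},   # batch profile, never signs on
    {"UPUPRF": "RESTORED", "UPSTAT": "*ENABLED",  "UPPREV": "2010-12-01"},
    {"UPUPRF": "GONE",     "UPSTAT": "*DISABLED", "UPPREV": "2010-06-01"},
]

# constructed DSPOBJD OBJTYPE(*USRPRF) rows: last used, created, restored
OBJD = {
    "QSECOFR":  {"ODUDAT": "2012-05-30", "ODCDAT": "2005-01-01", "ODRDAT": ""},
    "CJW":      {"ODUDAT": "2012-05-30", "ODCDAT": "2009-03-01", "ODRDAT": ""},
    "TEMP01":   {"ODUDAT": "",           "ODCDAT": "2012-05-20", "ODRDAT": ""},
    "OLDAPP":   {"ODUDAT": "2011-02-10", "ODCDAT": "2008-01-01", "ODRDAT": ""},
    "BATCHSVC": {"ODUDAT": "2012-05-29", "ODCDAT": "2008-01-01", "ODRDAT": ""},
    "RESTORED": {"ODUDAT": "2010-12-01", "ODCDAT": "2006-01-01", "ODRDAT": "2012-05-25"},
    "GONE":     {"ODUDAT": "2010-06-01", "ODCDAT": "2006-01-01", "ODRDAT": ""},
}


def parse(d: str) -> Optional[date]:
    return date.fromisoformat(d) if d else None


def last_activity(objd_row: dict) -> Optional[date]:
    """Most recent of last-used, creation and restore dates.

    Last-used (not last sign-on) is the right signal: batch and service
    profiles never sign on but are used every day. Creation and restore
    dates keep brand-new or freshly restored profiles from being disabled
    before they have been used at all.
    """
    found = [parse(objd_row.get(k, "")) for k in ("ODUDAT", "ODCDAT", "ODRDAT")]
    found = [d for d in found if d is not None]
    return max(found) if found else None


def analyze(usrprf, objd, today, threshold=INACTIVE_DAYS, omit=OMIT):
    """Return (profile, action, reason) for every profile."""
    findings = []
    for row in usrprf:
        name = row["UPUPRF"]
        if name in omit:
            findings.append((name, "OMIT", "on the active profile list"))
            continue
        last = last_activity(objd.get(name, {}))
        if last is None:
            findings.append((name, "REVIEW", "no last-used, creation or restore date"))
            continue
        idle = (today - last).days
        if idle <= threshold:
            findings.append((name, "KEEP", f"used {idle} days ago"))
        elif row["UPSTAT"] == "*DISABLED":
            # Step 2 of the slide: deletion is a manual decision, so only flag it
            findings.append((name, "DELETE?", f"already disabled, idle {idle} days"))
        else:
            findings.append((name, "DISABLE", f"idle {idle} days (> {threshold})"))
    return findings


def disable_commands(findings):
    """CL commands the daily job would run for the DISABLE findings."""
    return [f"CHGUSRPRF USRPRF({n}) STATUS(*DISABLED)"
            for n, action, _ in findings if action == "DISABLE"]


def run(today_iso: str = "2012-06-01"):
    """Analyze the constructed sample as of the given (assumed) date."""
    return analyze(USRPRF, OBJD, date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = run()
    for line in result:
        print("%-10s %-8s %s" % line)
    print("\n".join(disable_commands(result)))
```

On the sample, only OLDAPP is disabled: BATCHSVC has never signed on but was used two days ago, TEMP01 is new, RESTORED was just restored, and GONE is already disabled and only flagged for the manual delete in Step 2. A daily job would run this after the two DSP commands and, per the roll-swap note, be held on the target system.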
New profiles are typically created by copying an existing user's profile, so they inherit that user's special authorities, group membership and private authorities.
Recommend:
◦ Developing role-based access implemented via group profiles
◦ Copying a template profile rather than another user's profile
Recommend that group membership be reviewed at least annually
DSPUSRPRF USRPRF(SUPERGROUP) TYPE(*GRPMBR) OUTPUT(*PRINT) (members of one group)
DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT) (all users, sequenced by group profile)
Access to files containing private data, and to programs performing critical actions such as decrypting, needs to be reviewed for appropriate:
Default access (*PUBLIC authority)
Additional private authorities
Authorization list assignment
Ownership
Adopted authority settings (programs / service programs)
Critical files in libraries
Authority to files containing:
◦ Card holder data
◦ HR information
◦ HIPAA data
◦ Confidential data belonging to your organization
and in the IFS
Authority to directories and files containing:
◦ Payroll information
◦ Credit card transactions
and don’t forget to review authorization lists
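The review just described, as an added example (not SkyView's code): a rule pass over records shaped like what DSPOBJAUT, DSPAUTL and DSPUSRPRF report for a handful of critical objects. It checks the five points on the slide: effective *PUBLIC (an object whose *PUBLIC is *AUTL takes its public authority from the list, which is why the list itself must be reviewed), private authorities granted to individuals instead of groups, ownership, and programs that adopt an *ALLOBJ owner while being callable by *PUBLIC. The record layout, the APPROVED_OWNERS set and the sample objects are assumptions and constructed data.

```python
"""Authority review for critical objects. Added example, not SkyView's code.

Records are constructed sample data shaped like DSPOBJAUT / DSPAUTL /
DSPUSRPRF output; field names, APPROVED_OWNERS and the rules are assumptions.
"""

# profile facts the rules need: is it a group profile, does it hold *ALLOBJ
PROFILES = {
    "PAYOWN":  {"group": False, "allobj": False},
    "PAYGRP":  {"group": True,  "allobj": False},
    "HRGRP":   {"group": True,  "allobj": False},
    "CJW":     {"group": False, "allobj": True},
    "BOB":     {"group": False, "allobj": False},
    "QSECOFR": {"group": False, "allobj": True},
}
APPROVED_OWNERS = {"PAYOWN", "HROWN"}   # assumed application-owner profiles

# constructed DSPAUTL-style data: the list's own *PUBLIC and its entries
AUTLS = {
    "PCIAUTL": {"public": "*USE", "entries": {"PAYGRP": "*CHANGE"}},
}

# constructed DSPOBJAUT-style data for three critical objects
OBJECTS = [
    # card holder data; object *PUBLIC is *AUTL, so the list's *PUBLIC decides
    {"obj": "CARDS",   "lib": "PAYLIB", "type": "*FILE", "owner": "PAYOWN",
     "public": "*AUTL", "autl": "PCIAUTL", "private": {}, "adopt": False},
    # HR data owned by a person, with one direct private authority
    {"obj": "PAYROLL", "lib": "HRLIB",  "type": "*FILE", "owner": "CJW",
     "public": "*USE", "autl": None,
     "private": {"BOB": "*ALL", "HRGRP": "*CHANGE"}, "adopt": False},
    # decryption program that adopts QSECOFR and anyone can call
    {"obj": "DECRYPT", "lib": "PAYLIB", "type": "*PGM",  "owner": "QSECOFR",
     "public": "*USE", "autl": None, "private": {}, "adopt": True},
]


def effective_public(o, autls):
    """Resolve *PUBLIC: *AUTL defers to the authorization list's own *PUBLIC."""
    if o["public"] == "*AUTL" and o["autl"]:
        return autls[o["autl"]]["public"]
    return o["public"]


def review(objects, autls=AUTLS, profiles=PROFILES, approved=APPROVED_OWNERS):
    """Return (object, rule, detail) findings for critical objects."""
    findings = []
    for o in objects:
        name = f"{o['lib']}/{o['obj']}"
        pub = effective_public(o, autls)
        if pub != "*EXCLUDE":
            src = f" (via authorization list {o['autl']})" if o["public"] == "*AUTL" else ""
            findings.append((name, "PUBLIC", f"*PUBLIC is {pub}{src}; expected *EXCLUDE"))
        if o["owner"] not in approved:
            findings.append((name, "OWNER", f"owned by {o['owner']}, not an application owner profile"))
        # private authorities on the object plus entries on its authorization list
        entries = dict(o["private"])
        if o["autl"]:
            entries.update(autls[o["autl"]]["entries"])
        for user, aut in entries.items():
            if not profiles.get(user, {}).get("group"):
                findings.append((name, "PRIVATE", f"{user} has {aut} directly; grant via a group profile"))
        # a program adopting an *ALLOBJ owner hands that authority to every caller
        if (o["type"] in ("*PGM", "*SRVPGM") and o["adopt"]
                and profiles.get(o["owner"], {}).get("allobj") and pub != "*EXCLUDE"):
            findings.append((name, "ADOPT", f"adopts {o['owner']} (*ALLOBJ) and is callable by *PUBLIC"))
    return findings


if __name__ == "__main__":
    for name, rule, detail in review(OBJECTS):
        print(f"{name:16} {rule:8} {detail}")
```

CARDS looks clean at the object level (*PUBLIC *EXCLUDE is what a quick DSPOBJAUT glance suggests) and only fails because PCIAUTL's *PUBLIC is *USE; the same pass flags the individual grant to BOB and the adopting DECRYPT program, the cases the slide lists under private authorities and adopted authority.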
Security policy: review annually to ensure it addresses:
New technology
Mergers and acquisitions
Requirements from new laws or regulations
Incident response plan: the typical thought is "it's not going to happen to us", so no plan is in place.
If a plan is in place, it needs to be reviewed to ensure:
New threats are accounted for
New incident techniques are documented
Contacts are updated
-> Consider a retainer with a company that specializes in investigating incidents
Security awareness program: needs to be reviewed to ensure:
Employee policy issues are communicated
Awareness is raised about new threats
Requirements from new laws and regulations are communicated
Verify that documentation reflects what is actually done
◦ It is worse to have an inaccurate document than no document at all
Get rid of documentation for processes that are no longer followed
Ensure appropriate processes are documented
The auditors' arrival won't be as frantic if systems are perpetually in compliance.
Be prepared for their arrival by:
◦ Updating policies and procedures
Document exceptions!
◦ Having work plans ready for known issues not yet addressed
◦ Keeping records proving that you've been checking compliance
◦ Providing the information they've requested prior to the audit
◦ Addressing previous audit findings
What changes did you have to make?
◦ System values
◦ User profile settings
Reduce special authorities
Remove inactive profiles
◦ Authorities
Database files
IFS directories
What reports did you have to generate?
◦ System values
◦ User profile settings
◦ Authorities
How can you automate these activities?
Benefits:
Stop putting so much effort prior to an audit
Perpetual compliance
Potential for being more secure
It’s a lifestyle
SkyView Partners – provider of security administration and compliance
software, services and solutions
www.skyviewpartners.com
Reach us at:
info@skyviewpartners.com