Safestone for User Management and Compliance on the System i
Contents

                  The Internal User as a Threat ................................ 3
                  Why is User Management so important? ........................ 4
                    The Auditor’s Perspective ................................. 5
                    The Manager’s Perspective ................................. 6
                    The User’s Perspective .................................... 7
                  Audit, Report, Enforce ...................................... 8
                  Common Sense Best Practices ................................ 10
                  How Safestone Addresses these Practices .................... 11
                  The Business Case .......................................... 12
                  Conclusion ................................................. 13
                  About the Author ........................................... 13
                  About Safestone Technologies ............................... 13




SAFESTONE SafestOne for User Management and Compliance on the System i                                                        Page 2 of 13
The Internal User as a Threat
                  The System i is used by organisations to process the most sensitive, critical data and
                  this data is its most important asset. Companies have invested a great deal of effort
                  in securing the perimeter from external attack, but the greatest threat comes from
                  those inside the firewall. How these users access the data, the powers they wield and
                  the way they are monitored should be the cornerstone of any security policy.

                  Every survey and indicator tells us that the threat is within the firewall…
                        •   A survey conducted at InfoSecurity 2008 [1], Europe’s largest IT security
                            event, found that over 88% of IT administrators said that if their
                            employment were terminated tomorrow they could take valuable and sensitive
                            information with them, including privileged passwords, confidential
                            databases, R & D plans and sensitive financial data about their employers’
                            business.
                        •   The latest edition of the PricewaterhouseCoopers annual Global State of
                            Information Security Survey [2] also shows that ex-employees and current
                            employees account for 50% of known security incidents, almost twice the
                            number attributed to hackers.
                        •   Jerome Kerviel, an employee at Societe Generale, cost the bank $7 billion in
                            what the bank described as “…criminal computer fraud and records
                            falsification” [3].
                        •   “An Insider Threat Survey” conducted last year by the Computer Emergency
                            Response Team (CERT) at Carnegie Mellon University found that 57 percent of
                            the insider security attacks identified were carried out by employees who at
                            one time had privileged user status [4].

                  What these surveys and many others show is that companies have been diligent
                  about protecting valuable data assets from external threats, but the biggest risk
                  still lies with the very people who are actually allowed to access the systems.
                  For the System i, these risks are compounded by the great value of this data and
                  its critical nature within the organisation that owns it.




                  [1] http://www.cyber-ark.com/news-events/pr_20080827.asp
                  [2] http://www.pwc.com/extweb/home.nsf/docid/C1CD6CC69C2676D4852574DA00785949?WT.ac=GISS_homepage_banner
                  [3] http://www.informationweek.com/news/management/showArticle.jhtml?articleID=205918671
                  [4] http://www.cert.org/insider_threat/




Why is User Management so important?
                  In today’s regulation- and compliance-driven business it is no wonder that user
                  management continues to be a topic of concern for auditors, compliance officers and
                  IT administrators. When an organization undergoes an audit, user management is
                  one of the first areas auditors scrutinize. Why?

                       •   It is an easy area to audit without having any technical understanding of the
                           underlying hardware platform, operating system or applications. The
                           questions are the same for any combination.

                       •   Frequently users have more access to data than is necessary because it is
                           easier to grant more access to ensure the completion of their daily duties.
                       •   Poor user management represents a large security exposure to a business
                           and its most valuable asset - data.
                  Managing user profiles has always been a time-consuming and troublesome task: the
                  larger the user base, the greater the pain! But even small organizations must comply
                  with regulations, and they too understand the complexity of provisioning and
                  managing a user throughout the time of their employment.

                  Regulations such as PCI, HIPAA and Sarbox have introduced another challenge for
                  organizations, especially for IT administrators who must answer to compliance officers
                  and auditors while remaining responsive to users within the company who are simply
                  trying to get their jobs done. The following control objectives come directly from
                  the PCI Data Security Standard [5]. Even if a company is not dealing directly with
                  PCI compliance, the controls provide an excellent example of how users should be
                  managed within an organization:

                  Implement Strong Access Control Measures
                       •   Requirement 7: Restrict access to cardholder data by business need-to-know
                       •   Requirement 8: Assign a unique ID to each person with computer access
                       •   Requirement 9: Restrict physical access to cardholder data

                  Regularly Monitor and Test Networks
                       •   Requirement 10: Track and monitor all access to network resources and
                           cardholder data
                       •   Requirement 11: Regularly test security systems and processes

                  Maintain an Information Security Policy
                       •   Requirement 12: Maintain a policy that addresses information security

                  These IT controls support the need for user management and access control to be
                  enforced, proven and documented within any organization, public or private and
                  regardless of size. Failure to do so results in compliance deficiencies which not
                  only leave sensitive data exposed but also damage a company’s reputation with
                  customers and partners.




                  [5] PCI Security Standards Council, www.pcisecuritystandards.org


The Auditor’s Perspective
                  When you look at the large number of different hardware platforms, networks,
                  operating systems and applications on which auditors are expected to ensure
                  compliance, it is easy to see why simple user-profile checks feature prominently in
                  almost all audits.

                  More importantly, auditors realize user profiles also represent a big security risk
                  since they are the means used to access your data. They will look at your
                  organization to see if good user security practices and rules are enforced as well as
                  documented.

                  The kinds of checks auditors look at are likely to be similar to those below:

                      •    Does every user have a unique profile?
                      •    Are any profiles shared by more than one user?
                      •    How many users have special privileges?
                      •    Are those special privileges required to perform their day to day work?
                      •    How is the use of those special privileges monitored when they are used?
                      •    Do any unused user accounts exist? (Ex-employees, sleeper profiles)
                      •    Do any disabled user accounts exist?
                      •    Have any of the user accounts still got default passwords?
                      •    Who can create new users and how is this monitored?


                  Associated checks are also likely to be carried out for group memberships and
                  password issues:

                      •    Which users are members of what groups?
                      •    Do any of those groups grant any special privileges?
                      •    How often do users have to change their password?
                               o    Is this enforced for all users?
                      •    What rules are enforced when changing a user password?
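                  The two checklists above can be evaluated mechanically over an export of user profiles. What follows is an added example, not part of this paper or of any Safestone product: it runs each check over a small constructed export. The record layout, the set of special authorities counted as “powerful”, and the 90-day unused threshold are assumptions; map the fields to whatever your own profile export provides.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserProfile:
    """One row of an assumed user-profile export (field names are assumptions)."""
    name: str
    status: str                          # "*ENABLED" or "*DISABLED"
    special_auth: frozenset              # special authorities held directly
    group_profile: str = "*NONE"         # group whose authorities are inherited
    last_signon: Optional[date] = None   # None: the profile has never signed on
    password_is_default: bool = False    # password still equals the profile name
    shared_by: int = 1                   # people known to log in with this profile
    is_group: bool = False               # group profiles do not sign on themselves


# Special authorities an auditor treats as "powerful" (assumed policy list).
POWERFUL = frozenset({"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE",
                      "*JOBCTL", "*IOSYSCFG", "*SAVSYS", "*SPLCTL"})
# The authority that allows creating and changing other user profiles.
USER_ADMIN = "*SECADM"

FINDINGS = ("shared_profiles", "powerful_users", "powerful_via_group_only",
            "groups_granting_privileges", "unused", "disabled",
            "default_passwords", "can_create_users")


def effective_special_auth(profile: UserProfile,
                           by_name: Dict[str, UserProfile]) -> frozenset:
    """Authorities held directly plus those inherited from the group profile."""
    auth = set(profile.special_auth)
    group = by_name.get(profile.group_profile)
    if group is not None:
        auth |= group.special_auth
    return frozenset(auth)


def audit(profiles: List[UserProfile], today: date,
          unused_after_days: int = 90) -> Dict[str, List[str]]:
    """Run the auditor checklist; returns finding -> sorted profile names."""
    by_name: Dict[str, UserProfile] = {}
    for p in profiles:
        if p.name in by_name:            # "Does every user have a unique profile?"
            raise ValueError(f"duplicate profile in export: {p.name}")
        by_name[p.name] = p

    findings: Dict[str, List[str]] = {k: [] for k in FINDINGS}
    for p in profiles:
        eff = effective_special_auth(p, by_name)
        if p.shared_by > 1:              # profile shared by more than one person
            findings["shared_profiles"].append(p.name)
        if p.is_group:
            if p.special_auth & POWERFUL:  # group that grants special privileges
                findings["groups_granting_privileges"].append(p.name)
        else:
            if eff & POWERFUL:
                findings["powerful_users"].append(p.name)
                if not (p.special_auth & POWERFUL):
                    # privilege arrives only through group membership
                    findings["powerful_via_group_only"].append(p.name)
            if USER_ADMIN in eff:        # who can create new users?
                findings["can_create_users"].append(p.name)
        if p.status == "*DISABLED":
            findings["disabled"].append(p.name)
        elif not p.is_group and (p.last_signon is None or
                                 (today - p.last_signon).days > unused_after_days):
            findings["unused"].append(p.name)   # sleeper or ex-employee profile
        if p.password_is_default:
            findings["default_passwords"].append(p.name)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample export (not real profiles); sign-on dates relative to TODAY.
TODAY = date(2024, 6, 1)
SAMPLE_EXPORT = [
    UserProfile("ADMIN1", "*ENABLED", frozenset({"*ALLOBJ", "*SECADM"}),
                last_signon=TODAY - timedelta(days=1)),
    UserProfile("OPSGRP", "*ENABLED", frozenset({"*JOBCTL"}), is_group=True),
    UserProfile("CLERK01", "*ENABLED", frozenset(), group_profile="OPSGRP",
                last_signon=TODAY - timedelta(days=3)),
    UserProfile("CLERK02", "*ENABLED", frozenset(),
                last_signon=TODAY - timedelta(days=5), password_is_default=True),
    UserProfile("SHARED01", "*ENABLED", frozenset(),
                last_signon=TODAY - timedelta(days=2), shared_by=4),
    UserProfile("OLDUSER", "*ENABLED", frozenset(),
                last_signon=TODAY - timedelta(days=200)),
    UserProfile("LEAVER", "*DISABLED", frozenset(),
                last_signon=TODAY - timedelta(days=400)),
    UserProfile("NEVERON", "*ENABLED", frozenset(), password_is_default=True),
]


def sample_findings() -> Dict[str, List[str]]:
    return audit(SAMPLE_EXPORT, TODAY)


if __name__ == "__main__":
    for finding, names in sample_findings().items():
        print(f"{finding:28s} {', '.join(names) or '-'}")
```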


                  Our experience shows that auditors run these types of tests because they uncover
                  some basic failings in corporate IT security policies. They use the results from the
                  tests to write up recommendations for user management improvement.




The Manager’s Perspective

                  The manager of a System i installation is responsible for designing, maintaining and
                  evolving computer and communications systems that are at the heart of the
                  organization. In order to achieve the business’s objectives, there have to be a
                  number of powerful users.

                  Powerful users are responsible for the performance of the system; creating and
                  maintaining user accounts; troubleshooting operational issues; and administering
                  system upgrades and any reconfigurations required in the course of ongoing
                  operations. They need the ability to access IT resources instantly so they can tune
                  systems to support business processes and high performance for end users.

                  A powerful user has the ability to manipulate infrastructure and application
                  configurations, and with this increased power comes increased responsibility, and
                  increased security risk for the enterprise.

                  Powerful users on the System i have rights such as Security Officer or All Object
                  Authority. The latter gives the user rights to ALL OBJECTS on the system, which
                  means they are all-powerful.

                  The task for the manager is to balance the business’s need for powerful users
                  against its need to protect itself from them. A process needs to exist to grant a
                  user temporary access so that in exceptional circumstances they can provide the
                  support required. When this happens, a record of who was granted that access and
                  what actions they carried out should be kept, to protect both the user and the
                  business.

                  Some companies have developed such software programs to control these users and
                  monitor their actions. However, auditors are quick to point out “Quis custodiet ipsos
                  custodes?” (who watches the watchmen?).

                  Understanding what special privileges have been given to users is probably the
                  biggest question to answer when determining what type of access a user needs for
                  their specific function. Once this is understood a way of granting appropriate access
                  for your users and your business can then be planned.




The User’s Perspective

                  In addition to the powerful users described above, there are also many (sometimes
                  hundreds of) users who need to be provided with timely and appropriate access to
                  networks, as well as to multiple operating systems and applications across all those
                  systems, to complete their daily job functions.

                  PCI and Sarbox both state that users should only have access to data on a
                  need-to-know basis, and it is the first thing an auditor will look for. So how can
                  you maintain regulatory compliance if users need access to data to complete their job?

                  Every user must have a secure password that is only known to them and is difficult
                  to guess. A password should be changed regularly and contain both alpha and
                  numeric characters. Not all systems’ passwords expire at the same time and users
                  are tempted to create simple passwords that can be remembered by them (and
                  guessed by others) more easily.

                  This leads to many users forgetting their passwords. The amount of time spent
                  waiting for the Help Desk to reset passwords significantly impacts the user’s ability
                  to work and increases their frustration.

                  It is also expensive for the organization. Apart from the lost work, 30% of calls to
                  the IT helpdesk (according to the Gartner Group) are password related at a cost of
                  up to $31 per call.

                  For organizations with operating environments supporting thousands of users, this
                  productivity bottleneck can quickly spiral out of control.




Audit, Report, Enforce
                  Of course, auditors and compliance officers don’t give prominence to effective user
                  management just because it’s easy! A badly managed user community represents a
                  significant security risk. There is the obvious potential of a malicious act from outside
                  the organization, but there is an even greater threat of data becoming compromised
                  by users within the organization who do not understand the impact of their actions.
                  Administrators should ask themselves the following questions:

                      •    Are employees taking home sensitive data on their laptops?

                      •    Who has access to the financial records of the organization and can they alter
                           the data?

                      •    Is there a corporate policy in place that clearly outlines how data is accessed
                           and who is responsible for its integrity?

                  If we look back at the IT controls within PCI DSS we can see why the questions
                  asked above are necessary to reduce the risk of security exposures. These controls
                  apply not only to companies facing PCI compliance but to any company that wants
                  to enforce strong user management:


                  Implement Strong Access Control Measures

                  Given the risks posed by a poorly managed user community, it is surprising that so
                  little time and effort is dedicated to the subject. For example, the budget available
                  for user management is generally much smaller than that available for other parts of
                  the IT security budget. In fact, user management is often not seen as a security
                  issue at all; it is seen as an admin task and/or merely an inconvenience of doing
                  business.

                  Poor user management and lack of access control open up a company to a multitude
                  of security exposures. Customers, partners and employees expect their data to be
                  secure and if organizations are unable to ensure this and it is exposed to the public,
                  the high costs of legal fees coupled with the loss of reputation can be difficult to
                  overcome.


                  Regularly Monitor and Test Networks

                  According to the 2008 Global State of Information Security Study®, published by
                  PricewaterhouseCoopers, 73% of companies surveyed say they are confident that
                  internal policies are being followed; however, 43% of those same companies say they
                  are not auditing against those policies. Establishing a policy is the first step, but
                  policies are only useful when there is accountability.




Maintain an Information Security Policy

                  With so many different departments responsible for the various stages of user
                  management, it is necessary to implement strong policies and processes on how
                  data is accessed in order to avoid a security exposure. User management is not just
                  an IT problem to tackle; it cuts across several different departments:

                      •    Human Resources is responsible for providing details of new employees,
                           former employees and employee change in status.
                      •    IT creates, amends and removes user profiles on required systems.
                      •    Management decides on required level of access to applications and data for
                           users.
                      •    Support manages the Helpdesk and assists with login problems etc.


                  This situation exists throughout all sizes of business, from the large multinationals
                  down to even the smallest businesses. In fact, those with larger user bases are often
                  the ones who have made an attempt to manage their users effectively, normally out
                  of desperation, as the problem of user management has simply become impossible
                  without some sort of controls and supporting procedures.

                  However, the basic principles of good user management are just as important in the
                  smallest business. In fact, it is possibly more so in smaller business since there are
                  not enough dedicated resources tasked with solely managing the user community.
                  Without some sort of policy, user management becomes another task for a
                  beleaguered IT administrator who is already juggling a host of other responsibilities.




Common Sense Best Practices

                  CERT [6] promotes the following thirteen points for best practice:

                        1. Institute periodic enterprise-wide risk assessments.
                        2. Institute periodic security awareness training for all employees.
                        3. Enforce separation of duties and privilege.
                        4. Implement strict password and account management policies and
                           practices.
                        5. Log, monitor, and audit employee’s online actions.
                        6. Use extra caution with system administrators and powerful users.
                        7. Actively defend against malicious code.
                        8. Use layered defense against remote attacks.
                        9. Monitor and respond to suspicious or disruptive behavior.
                        10. Deactivate computer access following termination.
                        11. Collect and save data for use in investigations.
                        12. Implement secure backup and recovery processes.
                        13. Clearly document insider threat controls.




                  [6] http://www.cert.org/insider_threat/




How Safestone Addresses these Practices
                    1. Institute periodic enterprise-wide risk assessments.
                       DetectIT Security Audit and Detection Module can be scheduled to
                       provide comprehensive audits on your System i

                    2. Institute periodic security awareness training for all employees
                       Safestone provide a range of Professional Services to ensure the best
                       practices are deployed

                    3. Enforce separation of duties and privilege.
                       It is important that those using the system are not the same people
                       who are policing it. DetectIT Smart Security Console can be used by
                       non technical administrators to check on all users’ activities.

                    4. Implement strict password and account management policies and
                       practices.
                       The Password Self Help, Password Synchronization and Password
                       Validation Program ensure that strong passwords are used and the
                       whole process of managing passwords is easily enforced

                    5. Log, monitor, and audit employee’s online actions.
                       The Security Audit and Detection Module allows you to configure, report
                       and archive against thousands of different security events

                    6. Use extra caution with system administrators and powerful users.
                       DetectIT gives you the ability to swap profiles and audit extensively on
                       what powerful users are doing

                    7. Actively defend against malicious code.
                       DetectIT allows you to identify new programs and changes to existing
                       programs on the server

                    8. Use layered defense against remote attacks.
                       Network Traffic Controller effectively “firewalls” the System i from the
                       rest of the network

                    9. Monitor and respond to suspicious or disruptive behavior.
                       DetectIT monitors thousands of different security events and reports on
                       all activity that falls outside your predefined security policy guidelines

                    10. Deactivate computer access following termination.
                        User Profile Manager provides full user life cycle management across
                        multiple System i servers

                    11. Collect and save data for use in investigations.
                        DetectIT Security Audit and Detection Module allows you to configure,
                        report and archive against thousands of different security events

                    12. Clearly document insider threat controls
                        Risk and Compliance Monitor contains pre-defined policies based upon
                        internationally accepted standards against which your systems are
                        monitored




The Business Case
                  Managing System i users effectively will deliver a financial benefit to any organization
                  that employs robust user management.

                  IT fraud such as the Societe Generale case and financial penalties for failure to
                  comply with legislative initiatives (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA,
                  Basel II etc) can cost an organization a great deal of money. So it is no surprise that
                  security audits are addressed at board level and management of System i users is
                  given the highest priority. Security and operations must demonstrate the ability to
                  control, audit and report on which users have access to what System i resources.

                  Another, less obvious return on investment is in the case of password management.
                  On average, up to 70% of calls to the service desk are due to forgotten passwords.
                  Self service password resets and single sign on reduce the volume of calls by up to
                  80%. This eliminates many costly time consuming processes and delivers hard cash
                  savings to IT operations.

                  Gartner estimates that help desk calls cost an average of £30 each, and that
                  personal management reports for users account for a minimum of 40% of help
                  desk call volumes.




Conclusion
                  Despite the huge threat posed by employees, user management can be overlooked
                  in security projects. Too often, it is considered just an administrative task, rather
                  than a security issue. The policy management and access control part of user
                  management tends to be forgotten.

                  The reality is that you can massively reduce the risk of security incidents by
                  correctly managing employees and other authorized users. This is where
                  organizations should focus the majority of their efforts in securing their critical data.

                  The three IT Controls mentioned earlier provide a useful framework for organizations
                  to manage their user community:

                      •    Implement Strong Access Control Measures

                      •    Regularly Monitor and Test Networks

                      •    Maintain an Information Security Policy

                  When organizations follow these guidelines they can help ensure sensitive data stays
                  secure and keep users productive.




                  About the Author
                  Simon Bott has over 16 years’ experience working in IT. This has encompassed time
                  spent working within end-user environments and, for more than a decade, working
                  as a consultant for several successful IBM business partners with a focus on the
                  iSeries/System i platform. For the past 3 years Simon helped build the networking
                  and security function of one of IBM’s largest business partners, working with
                  technology partners such as Juniper Networks, RSA, Cisco, Trend Micro and Barracuda
                  Networks to meet the growing demand for security services in today’s regulatory
                  compliance driven business environment. Simon joined Safestone Technologies in
                  summer 2008 to help Safestone continue to evolve and deliver the high quality,
                  innovative System i audit, compliance and security tools for which it is known.




                  About Safestone Technologies
                  Partner of choice for global financial and banking institutions with the most stringent
                  security and compliance requirements, Safestone provides the most comprehensive
                  solution in System i security to over 500 blue-chip customers worldwide.

                  Safestone’s module-based solutions are flexible, scalable, easy to implement and
                  use, allowing the solution to address all varying degrees of audit, compliance and
                  security requirements.

                  Safestone has built up a global network over more than 21 years, which provides
                  localized sales, consultancy and professional services to help organizations manage
                  all their System i security requirements.




 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity Management
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
IBM Infosphere Guardium - Database Security
IBM Infosphere Guardium - Database SecurityIBM Infosphere Guardium - Database Security
IBM Infosphere Guardium - Database Security
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.com
 
How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?How Vulnerable is Your Critical Data?
How Vulnerable is Your Critical Data?
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
 
Powerpoint v7
Powerpoint v7Powerpoint v7
Powerpoint v7
 
CSEC630 individaul assign
CSEC630 individaul assignCSEC630 individaul assign
CSEC630 individaul assign
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_Hill
 

Viewers also liked

Student led conferences 11
Student led conferences 11Student led conferences 11
Student led conferences 11asrsh48
 
SCNA: Developer Director Cheatsheet - Jason Jolley
SCNA: Developer Director Cheatsheet - Jason JolleySCNA: Developer Director Cheatsheet - Jason Jolley
SCNA: Developer Director Cheatsheet - Jason JolleyJason Jolley
 
Global issues bio
Global issues bioGlobal issues bio
Global issues bioasrsh48
 
I Series System Security Guide
I Series System Security GuideI Series System Security Guide
I Series System Security GuideSJeffrey23
 
HCC Value Analysis College Student Responses
HCC Value Analysis College Student ResponsesHCC Value Analysis College Student Responses
HCC Value Analysis College Student ResponsesHouston Community College
 
University Leadership Summit: HCC Chancellor Presentation
University Leadership Summit:  HCC Chancellor PresentationUniversity Leadership Summit:  HCC Chancellor Presentation
University Leadership Summit: HCC Chancellor PresentationHouston Community College
 
Latino Summit Presentation: Houston Community College Building a Pipeline of ...
Latino Summit Presentation: Houston Community College Building a Pipeline of ...Latino Summit Presentation: Houston Community College Building a Pipeline of ...
Latino Summit Presentation: Houston Community College Building a Pipeline of ...Houston Community College
 
HCC Transformation Journey: HCC Presentation at ACCT 2016
HCC Transformation Journey: HCC Presentation at ACCT 2016HCC Transformation Journey: HCC Presentation at ACCT 2016
HCC Transformation Journey: HCC Presentation at ACCT 2016Houston Community College
 

Viewers also liked (18)

Student led conferences 11
Student led conferences 11Student led conferences 11
Student led conferences 11
 
SCNA: Developer Director Cheatsheet - Jason Jolley
SCNA: Developer Director Cheatsheet - Jason JolleySCNA: Developer Director Cheatsheet - Jason Jolley
SCNA: Developer Director Cheatsheet - Jason Jolley
 
Global issues bio
Global issues bioGlobal issues bio
Global issues bio
 
Denobia olegba
Denobia olegbaDenobia olegba
Denobia olegba
 
SCE Workforce Annual Report
SCE Workforce Annual ReportSCE Workforce Annual Report
SCE Workforce Annual Report
 
SBE Report (Through September 31, 2016)
SBE Report (Through September 31, 2016)SBE Report (Through September 31, 2016)
SBE Report (Through September 31, 2016)
 
I Series System Security Guide
I Series System Security GuideI Series System Security Guide
I Series System Security Guide
 
HCC Value Analysis College Community
HCC Value Analysis College CommunityHCC Value Analysis College Community
HCC Value Analysis College Community
 
HCC Value Analysis College Student Responses
HCC Value Analysis College Student ResponsesHCC Value Analysis College Student Responses
HCC Value Analysis College Student Responses
 
University Leadership Summit: HCC Chancellor Presentation
University Leadership Summit:  HCC Chancellor PresentationUniversity Leadership Summit:  HCC Chancellor Presentation
University Leadership Summit: HCC Chancellor Presentation
 
Latino Summit Presentation: Houston Community College Building a Pipeline of ...
Latino Summit Presentation: Houston Community College Building a Pipeline of ...Latino Summit Presentation: Houston Community College Building a Pipeline of ...
Latino Summit Presentation: Houston Community College Building a Pipeline of ...
 
Condensed fs2016 september
Condensed fs2016 septemberCondensed fs2016 september
Condensed fs2016 september
 
Condensed fs2016 august
Condensed fs2016 augustCondensed fs2016 august
Condensed fs2016 august
 
Transformation Phase 2.3
Transformation Phase  2.3Transformation Phase  2.3
Transformation Phase 2.3
 
BRG HCC IT ASSESSMENT
BRG HCC IT ASSESSMENTBRG HCC IT ASSESSMENT
BRG HCC IT ASSESSMENT
 
HCC Transformation Journey: HCC Presentation at ACCT 2016
HCC Transformation Journey: HCC Presentation at ACCT 2016HCC Transformation Journey: HCC Presentation at ACCT 2016
HCC Transformation Journey: HCC Presentation at ACCT 2016
 
Ce new student orientation 11-28-16
Ce new student orientation 11-28-16Ce new student orientation 11-28-16
Ce new student orientation 11-28-16
 
Southwest Career Advisement 11-28-16
Southwest Career Advisement 11-28-16Southwest Career Advisement 11-28-16
Southwest Career Advisement 11-28-16
 

Similar to I Series User Management

SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROLshinydey
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceAdrian Dumitrescu
 
Cyber security series administrative control breaches
Cyber security series   administrative control breaches Cyber security series   administrative control breaches
Cyber security series administrative control breaches Jim Kaplan CIA CFE
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSonny Hashmi
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb esSonny Hashmi
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the HourTechdemocracy
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docxLynellBull52
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowRoger Hagedorn
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis Belsis MPhil/MRes/BSc
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 

Similar to I Series User Management (20)

SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
Intro To Secure Identity Management
Intro To Secure Identity ManagementIntro To Secure Identity Management
Intro To Secure Identity Management
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Defining Enterprise Identity Management
Defining Enterprise Identity ManagementDefining Enterprise Identity Management
Defining Enterprise Identity Management
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
Cyber security series administrative control breaches
Cyber security series   administrative control breaches Cyber security series   administrative control breaches
Cyber security series administrative control breaches
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb es
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the Hour
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to Know
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Itrisksisaudit1
Itrisksisaudit1Itrisksisaudit1
Itrisksisaudit1
 

I Series User Management

  • 1. SAFESTONE safestone for User Management and Compliance on the System i
  • 2. Contents The Internal User as a Threat......................................3 Why is User Management so important? .......................4 The Auditor’s Perspective........................................................................... 5 The Manager’s Perspective......................................................................... 6 The User’s Perspective .............................................................................. 7 Audit, Report, Enforce ................................................8 Common Sense Best Practices................................... 10 How Safestone Addresses these Practices ................... 11 The Business Case................................................... 12 Conclusion ............................................................. 13 About the Author..................................................... 13 About Safestone Technologies ................................... 13 SAFESTONE SafestOne for User Management and Compliance on the System i Page 2 of 13
Every survey and indicator tells us that the threat is within the firewall:

• A survey conducted at InfoSecurity 2008 [1], Europe's largest IT security event, found that over 88% of IT administrators admitted that if their employment were terminated tomorrow they could take valuable and sensitive information, including privileged passwords, confidential databases, R&D plans and sensitive financial data about their employer's business, with them.
• The latest edition of PricewaterhouseCoopers' annual Global State of Information Security Survey [2] also shows that ex-employees and current employees account for 50% of known security incidents, almost twice the number attributed to hackers.
• Jerome Kerviel, an employee at Societe Generale, cost the bank $7 billion in what the bank described as "...criminal computer fraud and records falsification" [3].
• "An Insider Threat Survey", conducted last year by the Computer Emergency Response Team (CERT) at Carnegie Mellon University, found that 57 percent of the insider security attacks identified were carried out by employees who at one time had privileged user status [4].

What these surveys and many others show is that companies have been diligent about making advances in protecting valuable data assets from external threats, but the biggest risk still lies with the very people actually allowed to access systems. For the System i, these risks are compounded by the great value of this data and its critical nature within the organisation that owns it.

1 http://www.cyber-ark.com/news-events/pr_20080827.asp
2 http://www.pwc.com/extweb/home.nsf/docid/C1CD6CC69C2676D4852574DA00785949?WT.ac=GISS_homepage_banner
3 http://www.informationweek.com/news/management/showArticle.jhtml?articleID=205918671
4 http://www.cert.org/insider_threat/
Why is User Management so important?

In today's regulation- and compliance-driven business it is no wonder that user management continues to be a topic of concern for auditors, compliance officers and IT administrators. When an organization undergoes an audit, user management is one of the first areas auditors scrutinize. Why?

• It is an easy area to audit without any technical understanding of the underlying hardware platform, operating system or applications. The questions are the same for any combination.
• Users frequently have more access to data than is necessary, because it is easier to grant more access to ensure the completion of their daily duties.
• Poor user management represents a large security exposure to a business and its most valuable asset: data.

Managing user profiles has always been a time-consuming and troublesome task; the larger the user base, the greater the pain! But even small organizations must comply with regulations, and they too understand the complexity of provisioning and managing a user throughout the time of their employment.

Regulations such as PCI, HIPAA and Sarbox have introduced another challenge for organizations, especially IT administrators, who must answer to compliance officers and auditors while remaining responsive to users within the company who are simply trying to get their jobs done.

The following control objectives come directly from the PCI Data Security Standard [5], and even if a company is not dealing directly with PCI compliance, the controls provide an excellent example of how users should be managed within an organization:

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

These IT controls support the need for user management and access control to be enforced, proven and documented within any organization, public or private and regardless of size. Failure to do so will result in compliance deficiencies, which not only leave sensitive data compromised but also damage a company's reputation with customers and partners.

5 PCI Security Standards Council www.pcisecuritystandards.org
The Auditor's Perspective

When you look at the large number of different hardware platforms, networks, operating systems and applications on which auditors are expected to ensure compliance, it is easy to see why simple user-profile-related checks feature prominently in almost all audits. More importantly, auditors realize that user profiles also represent a big security risk, since they are the means used to access your data. They will look at your organization to see whether good user security practices and rules are enforced as well as documented. The checks auditors perform are likely to be similar to those below:

• Does every user have a unique profile?
• Are any profiles shared by more than one user?
• How many users have special privileges?
• Are those special privileges required to perform their day-to-day work?
• How is the use of those special privileges monitored?
• Do any unused user accounts exist? (Ex-employees, sleeper profiles)
• Do any disabled user accounts exist?
• Do any user accounts still have default passwords?
• Who can create new users, and how is this monitored?

Associated checks are also likely to be carried out for group memberships and password issues:

• Which users are members of which groups?
• Do any of those groups grant any special privileges?
• How often do users have to change their password?
  o Is this enforced for all users?
• What rules are enforced when changing a user password?

Our experience shows that auditors run these types of tests because they uncover basic failings in corporate IT security policies. They use the results from the tests to write up recommendations for user management improvement.
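Several of the checks in the list above can be run automatically from an export of user-profile attributes. The following script is an added example, not Safestone's or IBM's code: it takes constructed records whose field names are this example's own assumptions (on IBM i the underlying attributes could be collected with DSPUSRPRF) and reports powerful profiles, privileges inherited through a group profile, disabled and unused profiles, default passwords, and stale or never-expiring passwords.

```python
"""Check user-profile attributes against the auditor checklist above.
Added example, not Safestone's or IBM's code.

The records are CONSTRUCTED to resemble an export of user-profile
attributes; the field names are this example's own assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Special authorities that make a profile "powerful" on the System i.
POWERFUL_AUTH = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE"}


@dataclass
class Profile:
    name: str
    status: str = "*ENABLED"            # *ENABLED or *DISABLED
    special_auth: set = field(default_factory=set)
    group: Optional[str] = None         # primary group profile, if any
    has_password: bool = True           # False = PASSWORD(*NONE), cannot sign on
    last_signon: Optional[date] = None  # None = never signed on
    pwd_changed: Optional[date] = None
    pwd_exp_itv: str = "*SYSVAL"        # *SYSVAL, *NOMAX or a number of days
    pwd_is_default: bool = False        # assumed result of a default-password check


def effective_special_auth(p, by_name):
    """Direct special authorities plus those inherited from the group profile."""
    auth = set(p.special_auth)
    grp = by_name.get(p.group) if p.group else None
    if grp is not None:
        auth |= grp.special_auth
    return auth


def audit_profiles(profiles, as_of, max_pwd_age=90, inactive_days=90):
    """Return (profile, finding code, detail) tuples, one per failed check."""
    by_name = {p.name: p for p in profiles}
    findings = []
    for p in profiles:
        own = p.special_auth & POWERFUL_AUTH
        if own:
            findings.append((p.name, "POWERFUL", ",".join(sorted(own))))
        # Privilege the user never sees on their own profile but holds via the group.
        inherited = (effective_special_auth(p, by_name) & POWERFUL_AUTH) - own
        if inherited:
            findings.append((p.name, "GROUP_PRIV",
                             f"via {p.group}: " + ",".join(sorted(inherited))))
        if p.status == "*DISABLED":
            findings.append((p.name, "DISABLED", "disabled profile still exists"))
        elif p.has_password:  # profiles without a password cannot sign on anyway
            if p.last_signon is None:
                findings.append((p.name, "UNUSED", "never signed on"))
            elif (as_of - p.last_signon).days > inactive_days:
                findings.append((p.name, "UNUSED", f"last sign-on {p.last_signon}"))
        if p.has_password:
            if p.pwd_is_default:
                findings.append((p.name, "DEFAULT_PWD", "password equals profile name"))
            if p.pwd_exp_itv == "*NOMAX":
                findings.append((p.name, "PWD_NEVER_EXPIRES", "PWDEXPITV(*NOMAX)"))
            if p.pwd_changed and (as_of - p.pwd_changed).days > max_pwd_age:
                findings.append((p.name, "PWD_STALE", f"last changed {p.pwd_changed}"))
    return findings


def summarize(findings):
    """Count findings per code, the figures an auditor's report would lead with."""
    return dict(Counter(code for _, code, _ in findings))


# Constructed sample profiles (not real data).
AS_OF = date(2008, 12, 1)
SAMPLE_PROFILES = [
    Profile("SECADM1", special_auth={"*ALLOBJ", "*SECADM"},
            last_signon=date(2008, 11, 28), pwd_changed=date(2008, 11, 1)),
    # Group profile: no password of its own, but *ALLOBJ flows to every member.
    Profile("PAYROLL", special_auth={"*ALLOBJ"}, has_password=False),
    Profile("JSMITH", group="PAYROLL", pwd_exp_itv="*NOMAX",
            last_signon=date(2008, 11, 30), pwd_changed=date(2008, 4, 1)),
    Profile("TEMP01", status="*DISABLED", pwd_is_default=True,
            last_signon=date(2006, 9, 14), pwd_changed=date(2006, 9, 14)),
    Profile("CONTRACT9", pwd_is_default=True, pwd_changed=date(2008, 11, 20)),
]

if __name__ == "__main__":
    for name, code, detail in audit_profiles(SAMPLE_PROFILES, AS_OF):
        print(f"{name:<10} {code:<18} {detail}")
    print(summarize(audit_profiles(SAMPLE_PROFILES, AS_OF)))
```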
The Manager's Perspective

The manager of a System i installation is responsible for designing, maintaining and evolving computer and communications systems that are at the heart of the organization. In order to achieve the business's objectives, there has to be a number of powerful users. Powerful users are responsible for the performance of the system; creating and maintaining user accounts; troubleshooting operational issues; and administering system upgrades and any reconfigurations required in the course of ongoing operations. They need the ability to access IT resources instantly so they can tune systems to support business processes and high performance for end users.

A powerful user has the ability to manipulate infrastructure and application configurations, and with this increased power comes increased responsibility, and increased security risk for the enterprise. Powerful users on the System i have such rights as Security Officer or All Object Authority. The latter gives the user rights to ALL OBJECTS on the system, which means they are all-powerful.

The task for the manager is to balance the business's need for powerful users against the need for the business to protect itself from them. A process needs to exist to provide a user with temporary access so that in exceptional circumstances they can provide the support required. When this happens, a record of who was granted that access and what actions they carried out should be kept, to protect both the user and the business. Some companies have developed their own software programs to control these users and monitor their actions. However, auditors are quick to point out "Quis custodiet ipsos custodes?" (who watches the watchmen?).

Understanding what special privileges have been given to users is probably the biggest question to answer when determining what type of access a user needs for their specific function. Once this is understood, a way of granting appropriate access for your users and your business can then be planned.
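The temporary-access process described above, with a record of who was granted what and what they did, modelled as an added illustration that is not Safestone's or IBM's implementation; the class, the set of elevatable authorities, the time limit and the sample profile names are this example's own assumptions. The record is hash-chained so that a later edit to it is detectable, one answer to the "who watches the watchmen" question.

```python
"""Time-boxed elevation for powerful users, with a tamper-evident record.
Added illustration, not Safestone's or IBM's code; names are assumptions.

Rules modelled: a different person must approve than the one asking
(separation of duties), every grant expires on its own, and every
grant, action, denial and revocation is written to a hash-chained log.
"""
import hashlib
import json
from datetime import datetime, timedelta

# Authorities that, under this assumed policy, are only ever held temporarily.
ELEVATABLE = {"*ALLOBJ", "*SECADM", "*SERVICE"}


class ElevationBroker:
    def __init__(self, max_minutes=60):
        self.max_minutes = max_minutes
        self.grants = {}   # (user, authority) -> expiry datetime
        self.log = []      # hash-chained list of dict entries

    def _record(self, event, now, **fields):
        """Append one entry whose hash covers its content and the previous hash."""
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"ts": now.isoformat(), "event": event, "prev": prev, **fields}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.log.append(entry)
        return entry

    def request(self, user, authority, reason, approver, now, minutes=30):
        if authority not in ELEVATABLE:
            raise ValueError(f"{authority} is not granted through this process")
        if approver == user:
            raise PermissionError("requester may not approve their own elevation")
        if minutes > self.max_minutes:
            raise ValueError(f"elevation capped at {self.max_minutes} minutes")
        expiry = now + timedelta(minutes=minutes)
        self.grants[(user, authority)] = expiry
        self._record("GRANT", now, user=user, authority=authority, reason=reason,
                     approver=approver, expires=expiry.isoformat())
        return expiry

    def is_active(self, user, authority, now):
        expiry = self.grants.get((user, authority))
        return expiry is not None and now < expiry

    def perform(self, user, authority, command, now):
        """Allow a privileged action only while the grant is live; log either way."""
        if not self.is_active(user, authority, now):
            self._record("DENIED", now, user=user, authority=authority, command=command)
            return False
        self._record("ACTION", now, user=user, authority=authority, command=command)
        return True

    def expire(self, now):
        """Revoke every grant whose time has run out; returns the revoked keys."""
        ended = [k for k, exp in self.grants.items() if now >= exp]
        for user, authority in ended:
            del self.grants[(user, authority)]
            self._record("REVOKE", now, user=user, authority=authority)
        return ended

    def verify_log(self):
        """True if every entry's hash still matches and the chain is unbroken."""
        prev = "0" * 64
        for entry in self.log:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


T0 = datetime(2008, 12, 1, 9, 0)   # constructed reference time


def demo():
    """One elevation: grant, use, expiry, a late attempt, then a tamper check."""
    b = ElevationBroker()
    b.request("OPS1", "*ALLOBJ", "restore PAYROLL library", approver="SECOFF2", now=T0)
    used = b.perform("OPS1", "*ALLOBJ", "RSTLIB PAYROLL", T0 + timedelta(minutes=5))
    revoked = b.expire(T0 + timedelta(minutes=30))
    late = b.perform("OPS1", "*ALLOBJ", "CHGUSRPRF OPS1", T0 + timedelta(minutes=40))
    intact = b.verify_log()
    b.log[1]["command"] = "RSTLIB CUSTOMER"   # simulate after-the-fact tampering
    return used, revoked, late, intact, b.verify_log()


if __name__ == "__main__":
    print(demo())
```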
The User's Perspective

In addition to the powerful users described above, there are also many (sometimes hundreds of) users who need to be provided with timely and appropriate access to networks, as well as to multiple operating systems and applications across all those systems, to complete their daily job functions. PCI and Sarbox both state that users should only have access to data on a need-to-know basis, and it is the first thing an auditor will look for. So how can you maintain regulatory compliance if users need access to data to complete their job?

Every user must have a secure password that is known only to them and is difficult to guess. A password should be changed regularly and contain both alphabetic and numeric characters. Not all systems' passwords expire at the same time, and users are tempted to create simple passwords that can be remembered by them (and guessed by others) more easily. This leads to many users forgetting their passwords.

The amount of time spent waiting for the Help Desk to reset passwords significantly impacts the user's ability to work and increases their frustration. It is also expensive for the organization. Apart from the lost work, 30% of calls to the IT helpdesk (according to the Gartner Group) are password related, at a cost of up to $31 per call. For organizations with operating environments supporting thousands of users, this productivity bottleneck can quickly spiral out of control.
Audit, Report, Enforce

Of course auditors and compliance officers don't give prominence to effective user management just because it's easy! A badly managed user community represents a significant security risk. There is the obvious potential for a malicious act from outside the organization, but there is an even greater threat of data being compromised by users within the organization who do not understand the impact of their actions. Administrators should ask themselves the following questions:

• Are employees taking home sensitive data on their laptops?
• Who has access to the financial records of the organization, and can they alter the data?
• Is there a corporate policy in place that clearly outlines how data is accessed and who is responsible for its integrity?

If we look back to the IT controls within PCI DSS we can see why the questions above are necessary to reduce the risk of security exposures. These controls apply not only to companies facing PCI compliance but to any company that wants to enforce strong user management:

Implement Strong Access Control Measures

Given the risks posed by a poorly managed user community, it is surprising that so little time and effort is dedicated to the subject. For example, the budget available for user management is generally much smaller than that available for other parts of the IT security budget. In fact, user management is often not seen as a security issue at all; it is seen as an admin task and/or merely an inconvenience of doing business. Poor user management and lack of access control open a company up to a multitude of security exposures. Customers, partners and employees expect their data to be secure, and if organizations are unable to ensure this and it is exposed to the public, the high cost of legal fees coupled with the loss of reputation can be difficult to overcome.

Regularly Monitor and Test Networks

According to the 2008 Global State of Information Security Study®, published by PricewaterhouseCoopers, 73% of companies surveyed say they are confident that internal policies are being followed; however, 43% of those same companies say they are not auditing against those policies. Establishing a policy is the first step, but policies are only useful when there is accountability.

Maintain an Information Security Policy

With so many different departments responsible for various stages of user management, it is necessary to implement strong policies and processes on how data is accessed in order to avoid a security exposure. User management is not just an IT problem to tackle; it cuts across several different departments:

• Human Resources is responsible for providing details of new employees, former employees and employee changes in status.
• IT creates, amends and removes user profiles on the required systems.
• Management decides on the required level of access to applications and data for users.
• Support manages the Helpdesk and assists with login problems etc.

This situation exists throughout all sizes of business, from the large multinationals down to even the smallest businesses. In fact, those with larger user bases are often the ones who have made an attempt to manage their users effectively, normally out of desperation, as the problem of user management has simply become impossible without some sort of controls and supporting procedures. However, the basic principles of good user management are just as important in the smallest business. In fact, they are possibly more so in smaller businesses, since there are not enough dedicated resources tasked solely with managing the user community. Without some sort of policy, user management becomes just another task for a beleaguered IT administrator who is already juggling a host of other responsibilities.
Common Sense Best Practices

CERT [6] promotes the following thirteen points for best practice:

1. Institute periodic enterprise-wide risk assessments.
2. Institute periodic security awareness training for all employees.
3. Enforce separation of duties and privilege.
4. Implement strict password and account management policies and practices.
5. Log, monitor, and audit employees' online actions.
6. Use extra caution with system administrators and powerful users.
7. Actively defend against malicious code.
8. Use layered defense against remote attacks.
9. Monitor and respond to suspicious or disruptive behavior.
10. Deactivate computer access following termination.
11. Collect and save data for use in investigations.
12. Implement secure backup and recovery processes.
13. Clearly document insider threat controls.

6 http://www.cert.org/insider_threat/
How Safestone Addresses these Practices

1. Institute periodic enterprise-wide risk assessments. The DetectIT Security Audit and Detection Module can be scheduled to provide comprehensive audits of your System i.
2. Institute periodic security awareness training for all employees. Safestone provides a range of Professional Services to ensure that best practices are deployed.
3. Enforce separation of duties and privilege. Those who use the system must not be the same people who police it. The DetectIT Smart Security Console can be used by non-technical administrators to check on all users' activities.
4. Implement strict password and account management policies and practices. Password Self Help, Password Synchronization and the Password Validation Program ensure that strong passwords are used and that the whole process of managing passwords is easily enforced.
5. Log, monitor, and audit employees' online actions. The Security Audit and Detection Module allows you to configure, report and archive against thousands of different security events.
6. Use extra caution with system administrators and powerful users. DetectIT gives you the ability to swap profiles and to audit extensively what powerful users are doing.
7. Actively defend against malicious code. DetectIT allows you to identify new programs, and changes to existing programs, on the server.
8. Use layered defense against remote attacks. Network Traffic Controller effectively "firewalls" the System i from the rest of the network.
9. Monitor and respond to suspicious or disruptive behavior. DetectIT monitors thousands of different security events and reports on all activity that falls outside your predefined security policy guidelines.
10. Deactivate computer access following termination. User Profile Manager provides full user life cycle management across multiple System i servers.
11. Collect and save data for use in investigations. The DetectIT Security Audit and Detection Module allows you to configure, report and archive against thousands of different security events.
12. Implement secure backup and recovery processes. No Safestone module is mapped to this practice in this paper.
13. Clearly document insider threat controls. Risk and Compliance Monitor contains pre-defined policies, based upon internationally accepted standards, against which your systems are monitored.
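Several of the practices above (4, 6 and 10 in particular) come down to one recurring review of the user profiles on the machine: who holds administrator-level special authorities, which enabled profiles have gone unused, and whose password settings are weaker than policy. The script below is an added example written for this page, not Safestone's code and not a DetectIT feature. It runs the three checks over a constructed list of profile records shaped like an export of DSPUSRPRF to an outfile; the field names (profile, status, user_class, special_authorities, password_expiration_interval, previous_signon) are simplified assumptions, not the real outfile column names, and the sample data is invented.

```python
"""Privileged, stale and weak-password profile review for IBM i (System i).

Added example; not Safestone code. Record layout and sample rows are assumptions
modelled loosely on DSPUSRPRF ... OUTPUT(*OUTFILE), not the real column names.
"""
from datetime import date

# Special authorities that make a profile an administrator in practice:
# *ALLOBJ bypasses object authority, *SECADM manages user profiles,
# *AUDIT controls auditing, *SERVICE gives access to service tools.
HIGH_RISK_SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE"}

# With SPCAUT(*USRCLS) a profile inherits authorities from its user class.
# Only the classes that confer high-risk authorities (QSECURITY 30 or higher)
# are mapped; *PGMR, *SYSOPR and *USER gain nothing in the high-risk set.
USRCLS_DEFAULTS = {
    "*SECOFR": {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL", "*SAVSYS",
                "*SERVICE", "*AUDIT", "*IOSYSCFG"},
    "*SECADM": {"*SECADM", "*SAVSYS", "*JOBCTL"},
}

FIELDS = ("profile", "status", "user_class", "special_authorities",
          "password_expiration_interval", "previous_signon")

# Constructed sample export (not real data). Dates are ISO strings; an empty
# previous_signon means the profile has never signed on.
SAMPLE_PROFILES = [dict(zip(FIELDS, row)) for row in [
    ("QSECOFR",   "*ENABLED",  "*SECOFR", "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG", "*SYSVAL", "2008-09-01"),
    ("JSMITH",    "*ENABLED",  "*USER",   "*NONE",           "*SYSVAL", "2008-09-28"),
    ("TJONES",    "*ENABLED",  "*PGMR",   "*JOBCTL *SPLCTL", "60",      "2008-05-15"),
    ("BATCHOPR",  "*ENABLED",  "*USER",   "*ALLOBJ",         "*NOMAX",  "2008-09-30"),
    ("CONTRACT1", "*ENABLED",  "*USER",   "*NONE",           "*SYSVAL", ""),
    ("OLDADM",    "*DISABLED", "*SECOFR", "*USRCLS",         "*SYSVAL", "2007-12-01"),
    ("DEVUSER",   "*ENABLED",  "*PGMR",   "*NONE",           "180",     "2008-09-20"),
]]

REVIEW_DATE = date(2008, 10, 1)  # "today" for the sample review


def effective_special_authorities(record):
    """Expand *USRCLS and drop *NONE so the check sees what the profile really holds."""
    auths = set(record["special_authorities"].split())
    if "*USRCLS" in auths:
        auths.discard("*USRCLS")
        auths |= USRCLS_DEFAULTS.get(record["user_class"], set())
    auths.discard("*NONE")
    return auths


def review_profiles(profiles, as_of, stale_days=90, max_password_days=90):
    """Return findings for CERT practices 6 (powerful users), 10 (stale access) and 4 (password policy)."""
    findings = {"powerful": [], "stale_enabled": [], "weak_password_policy": []}
    for p in profiles:
        # Practice 6: flag high-risk authority even on disabled profiles; a
        # re-enabled or compromised profile keeps its authorities.
        risky = effective_special_authorities(p) & HIGH_RISK_SPECIAL_AUTHORITIES
        if risky:
            findings["powerful"].append((p["profile"], sorted(risky)))
        # Practice 10: an enabled profile that never signed on, or has not
        # signed on within stale_days, is a leaver or an unused account.
        if p["status"] == "*ENABLED":
            last = p["previous_signon"]
            if not last or (as_of - date.fromisoformat(last)).days > stale_days:
                findings["stale_enabled"].append(p["profile"])
        # Practice 4: a per-profile expiry of *NOMAX or longer than policy.
        # *SYSVAL defers to QPWDEXPITV, which must be reviewed separately.
        interval = p["password_expiration_interval"]
        if interval == "*NOMAX" or (interval.isdigit() and int(interval) > max_password_days):
            findings["weak_password_policy"].append(p["profile"])
    return findings


def disable_commands(findings):
    """CL commands to deactivate stale profiles, for a human to review before running.

    IBM-supplied profiles start with Q and are never disabled from a script.
    """
    return [f"CHGUSRPRF USRPRF({name}) STATUS(*DISABLED)"
            for name in findings["stale_enabled"] if not name.startswith("Q")]


def run_sample_review():
    """Convenience wrapper: review the constructed sample as of REVIEW_DATE."""
    return review_profiles(SAMPLE_PROFILES, as_of=REVIEW_DATE)


if __name__ == "__main__":
    result = run_sample_review()
    for category, items in result.items():
        print(f"{category}: {items}")
    print("\n".join(disable_commands(result)))
```

The review is deliberately read-only: it emits the CHGUSRPRF commands rather than executing them, so the disable step stays with a person who can confirm a leaver against HR records. On a real system the stale-profile threshold should be agreed with the business, and the password check needs the QPWDEXPITV, QPWDMINLEN and related system values alongside the per-profile settings, since *SYSVAL hides the effective policy from a profile export.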
The Business Case

Managing System i users effectively delivers a financial benefit. IT fraud such as the Societe Generale case, and financial penalties for failure to comply with legislative initiatives (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, Basel II etc.), can cost an organization a great deal of money. So it is no surprise that security audits are addressed at board level and that management of System i users is given the highest priority. Security and operations must be able to demonstrate control, audit and reporting over which users have access to which System i resources.

Another, less obvious return on investment lies in password management. On average, up to 70% of calls to the service desk are due to forgotten passwords. Self-service password resets and single sign-on reduce the volume of such calls by up to 80%, eliminating many costly and time-consuming processes and delivering hard cash savings to IT operations. Gartner estimates that help desk calls cost an average of £30 each, and that password-related requests from users account for a minimum of 40% of help desk call volumes.
Conclusion

Despite the huge threat posed by employees, user management is often overlooked in security projects. Too often it is treated as an administrative task rather than a security issue, and the policy management and access control side of user management tends to be forgotten. In reality, correctly managing employees and other authorized users massively reduces the risk of security incidents, and this is where organizations should focus the majority of their effort in securing critical data.

The three IT Controls mentioned earlier provide a useful framework for managing the user community:

• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

Organizations that follow these guidelines help ensure that sensitive data stays secure while keeping users productive.

About the Author

Simon Bott has over 16 years' experience in IT, spanning time in end-user environments and more than a decade as a consultant for several successful IBM business partners, with a focus on the iSeries/System i platform. For the past three years Simon helped build the networking and security function of one of IBM's largest business partners, working with technology partners such as Juniper Networks, RSA, Cisco, Trend Micro and Barracuda Networks to meet the growing demand for security services in today's regulatory compliance driven business environment. Simon joined Safestone Technologies in summer 2008 to help Safestone continue to evolve and deliver the high quality, innovative System i audit, compliance and security tools for which it is known.

About Safestone Technologies

Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Safestone's module-based solutions are flexible, scalable, and easy to implement and use, allowing the solution to address all degrees of audit, compliance and security requirements. Safestone has built up a global network over more than 21 years, providing localized sales, consultancy and professional services to help organizations manage all their System i security requirements.