System i security policy: Time for a check up

[IMAGE]

As a System i security officer, you've spent a lot of time doing two main tasks. First, establishing a security policy and then setting your system up to enforce that policy. Once you have these two tasks set up, then you can sit back and relax .... right? Not really. In the real world, you have business changes to assess against your security policy, you have new technology to evaluate and determine changes in policy that might result from their implementation and the list goes on.

But, what about all that hard word you did to get your initial security policy implemented?

I have found during my career that things have a way of changing over time -- a sort of entropy in the digital world. A security implementation that was perfect once deteriorates over time unless you give it some attention. I found this out on my own server recently when going through the process of moving to a new system. Some of the security setup for specific objects had changed between when they were set up several years ago and when I went to do the migration. I've traced some of it to programmers (i.e.: me) who updated file descriptions without enforcing the right security settings. I'm sure there are other ways this happens too such as file restores that change security authorizations and object ownership.

Ideally, it would be good for you to go over your entire ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Sarbanes-Oxley Detecting copied files on the AS/400 using audit journals Tracking System i program object changes Learning guide: Steps to a secure System i 12 security tips in 12 minutes iSeries (AS/400) security: Who's in charge? Study: SOX-compliant firms see drop in costs in year 2 Compliance without Confusion: Addressing the Payment Card Industry's Data Security Standard Mandate Go beyond SOX for business continuity SOX regulations concerning applications COMMON: New security tools for iSeries Sarbanes-Oxley Research iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

security implementation periodically to make sure that it is still set up the way you initially designed it. If you recall the process, however, this could be a significant investment in time.

A better solution is to just use existing Security Tools reports to create listings on your system of how the security is currently set up. Scanning a report for items that stand out as different from the others is a lot easier than going back and examining every object to see how it is set up.

The System i has quite a few security reports that you can run from the Security Tools menu (SECTOOLS). Option #20 will get you to the Security Reports menu (SECBATCH). Different options on the menu will produce different reports, many of them very useful when scanning for security implementation entropy. Each of these options prompts for a Submit Job command so that the reports run in batch. Pressing the F4 key from the Submit Job command line will let you review and change parameters.

In the case of the problem that I found on my system, I ran option #11 and then prompted the command to limit the report to a specific library that I needed to check. In my case, I found several objects that should have been secured by an authorization list, but they were only being secured by object authority.

When you get some extra time, take a look through these reports and start running them to see what you find. Chances are very good that you'll uncover some issues before too long.

If you have any questions about this topic send me an email, I'll try to answer any questions you may have. All email messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.