Using System i security consultant services


Rich Loeber, Contributor
10.15.2007

In my last article, I started a description of how you can learn the job of being a security officer in the System i world of computing. This article will continue that thought by discussing how you can effectively use security consultants and learn from them in the process.

It is necessary to read about and to stay current with technology. I recommend the book "Inside Internet Security: What Hackers Don't Want You To Know" by Jeff Crume, which can be found used at Amazon.com. It is a real eye opener for those of you who have only been thinking about the System i side of the security question. The book is a little dated but still contains a lot of good information that is clearly presented without a lot of acronymic netspeak that can be so confusing.

Are consultants worth the investment?
The classic definition of a consultant is "someone who borrows your watch to tell you what time it is." To a certain degree this is true, but a good consultant will explain to you every aspect of your situation.

The best way for me to tell you about using a consultant is to describe a situation from my past. I had been working for over 20 years as a programmer, systems analyst and IT manager when I started consulting for a local direct marketing company. I was there for about six months trying to address the multitude of issues that this fast-growing company was experiencing.

The owner decided to bring in an expert and found one for $2,000 per day (plus expenses -- a fortune at that time) to spend a day with us. We cleared our slates, got several key people together and followed the expert around for the day as he walked through the entire operation.

What an eye opener that was! In one day, we identified every issue that needed to be fixed, quite a long list. We turned this into a roadmap of sorts and started knocking items off. That one-day visit changed the entire course of the company for the next 10 years. It was more than worth the investment.

Using a security consultant
A security consultant should be able to do the same thing for you, but you need to use the consultant effectively:

  1. Start by selecting a qualified person.
  2. Develop a list of people from reliable sources.
  3. Check references to make sure you're getting what you need.
  4. Once this is done and a date has been set, make sure everyone who's needed is completely available.

When the consultant arrives the clock will be ticking, and if you're off doing something else, it will be a waste of time and your company's money. Clear the decks completely. Don't even take phone calls or check your email.

While the consultant is with you, be completely honest with them. If you hide things because you're embarrassed by them, then your feedback from the consultant will be incorrectly skewed. Go through everything you're doing and take copious notes on what the consultant has to say. If your consultant is good, you'll be amazed at what you find out and you will learn to do a better job in the process.

Implementing security consultant recommendations
After the consultant leaves, don't just go on with business as usual. Make a list of the areas the consultant said need attention. Develop an action plan to get each item on the list addressed. It is important to have the right attitude as you go through this exercise. The objective is not for you to come out looking good (which is often the case when reacting to an audit), but to address security exposures and get them closed. Most consultants appreciate a follow-up, so don't be afraid to get back in touch with the consultant with questions and clarifications after the initial consultation.

The day we spent with the consultant completely changed my understanding of how a direct mail company should operate, and the experience has stayed with me. Your investment in a security consultant will do the same for you and for your company. Consultants are expensive, but the alternative of having security exposures could not only be costly but devastating to your company.

If you have any questions about this topic, I can be reached by email. All email messages will be answered as quickly as possible.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
