Creating a System i database security policy: First steps

If you are are a System i security officer, your primary responsibility is securing the databases running on your system. Good IT security starts with a clearly defined policy, and if you're wondering where to start, you are in the right place.

Before you start creating a security policy for your AS/400 system, you need to get your user community involved. A security policy created and implemented without end-user participation is destined to be a problem. However, if your end users are asked to participate and buy into the policy, smoother implementation will result. If you find resistance to participation in policy creation, get management on your side. Whatever you do, don't create the policy on your own as an IT project.

The first consideration when formulating your security policy is what your overarching objectives are. You have two choices at this point.

Strict IT security policy: With a strict policy, access to every object in your system will be determined and enforced at the operating system level. Each user's specific requirements will be analyzed and then encoded in the security implementation provided by the IBM i OS.

Relaxed IT security policy: With a more relaxed approach, you can decide that users will have broader access to objects on your system with strict access rules only for certain pre-defined data assets.

In actual practice, most System i shops adopt the relaxed approach, but your auditors will love you if you go for the strict option.

Once you've made this decision on your general approach, make a list of the applications on your system. You will need to define the owner -- the person who makes final security decisions -- for each application .

Within each application, you should list the data assets created and used by the application with a note for each one regarding its security sta...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Security considerations for IBM i backups Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

tus. Some applications will need little or no security, whereas others will have very strict requirements. Make sure that your users are in full agreement about the nature of each data asset and its security requirements.

When deciding on the security requirements for each asset, there are three things to consider.

• Is this information that should be restricted from all employees?
• Is this information that is critical to the way you do business? Does it give your organization a competitive advantage in the marketplace?
• Is this information crucial to your day-to-day operations?

Obviously, payroll falls into the first category and is the classic data type for this classification. But you may have other data assets that also are included. Those would be any data assets that record credit card information or any other personal identity information for your employees or your customers.

An example of the second type of data would be a Master Customer database or a Contact database. These are compiled databases that clearly help you do business and that you do not want falling into the hands of competitors.

Finally, an example of the last type of data asset might be your month-to-date sales database or your current accounts receivable. These are management tools needed to maintain your day-to-day business operation.

With each of these assets defined, you can describe the type of security that you want in place. When you're done with each application, have a final review and sign-off by the user (or owner) of each application. Only after this legwork has been done can you consider how to best implement the security requirements. I'll elaborate on that in next month's tip.

If you have questions about anything in this tip, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.