iSeries security tips

Developing a security incident response system for System i

Rich Loeber, Contributor
10.13.2009


As the security officer for your IBM System i shop, you've done all you can to lock down your systems and implement your organization's security policy. Once everything is set up and configured, however, there may still be a piece of the puzzle missing. One thing we know about computers is that no system is perfect. There is always a chance that something will break down in your shop's security design. This tip will take a look at what to do when something goes wrong.

A security incident response system consists of several steps and processes that your organization should document. There are many event types that you may come across, and each one will have a number of responses to consider.

Any security incidents will, at their root, be the actions of a person or group of people. These incidents can have varying degrees of severity, and the first step in a response is to decide how serious the incident is for your organization.

Generally, incidents fall into three categories:

  • Ordinary or normal: These do not affect your organization's operations, nor do they require notification of management. They can be contained and dealt with within the security group or help-desk function in your IT department.
  • Elevated or serious: These can affect operations, and they will require a planned response in order to be dealt with. Management will have to be notified and perhaps even involved in the resolution.
  • Emergency: These can affect people's health and well-being, breach your normal business controls, affect your financial performance or even place your organization in violation of public law. Management must be informed, as well as possibly vendors, customers and public officials.

Each type of incident needs a tailored response. Ordinary incidents, for example, can be logged and handled during the normal course of business. But serious and emergency incidents need to have a response plan in place.

The first thing to do is identify the specifics of the incident and determine if it is ongoing or a one-time event. If it is ongoing, your response should be to first identify the source and then stop the incident from continuing. This could be something like discovering a breach of your system via the FTP server function. If the person performing the breach is still logged on to your system, you should first get as much identifying information as possible and then cut them off by shutting down the FTP server function on your System i. This may affect other users on your system, but the integrity of your system is at risk and you need to take action to protect your organization's assets.

Once the event has been identified and suspended, you need to analyze it and determine how it was accomplished and what security safeguards can prevent it from happening again. If at all possible, the affected system should not be placed back into normal use until steps have been taken to prevent a repeat of the incident.
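The FTP scenario above has three concrete steps on the System i: gather identifying information while the session is still live, preserve the audit trail, and only then end the FTP server. The CL program below is an added example written for this tip, not code from the author; the library QGPL, the output file name IRAUDEVID, the program name IRFTPCNTN, and the assumption that *AUTFAIL and *JOBDTA auditing are active are all this example's own choices.

```cl
/* IRFTPCNTN: constructed example for this tip, not the author's code. */
/* Captures identifying evidence about live FTP sessions, preserves    */
/* the related audit journal entries, and then ends the FTP server to  */
/* contain an in-progress incident. Library QGPL, the output file name */
/* and the audit levels in effect are assumptions.                     */
             PGM        PARM(&FROMDATE &FROMTIME)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&FROMTIME) TYPE(*CHAR) LEN(6)
/* 1. Snapshot TCP/IP connections (remote address and state of each    */
/*    port 21 session) to a spooled file before anything is ended.     */
             NETSTAT    OPTION(*CNN) OUTPUT(*PRINT)
/* 2. Snapshot the FTP server jobs (QTFTP* in QSERVER) so the user     */
/*    profile and job identifiers of the session are on record.        */
             WRKACTJOB  SBS(QSERVER) JOB(QTFTP*) OUTPUT(*PRINT)
/* 3. Copy audit journal entries since the given date and time (job    */
/*    date format) into a database file for the later analysis step:   */
/*    PW = invalid sign-on, AF = authority failure, JS = job start.    */
/*    Assumes *AUTFAIL and *JOBDTA auditing are active on the system.  */
             DSPJRN     JRN(QSYS/QAUDJRN) +
                          FROMTIME(&FROMDATE &FROMTIME) +
                          ENTTYP(PW AF JS) OUTPUT(*OUTFILE) +
                          OUTFILFMT(*TYPE5) OUTFILE(QGPL/IRAUDEVID)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CONTAIN))
/* 4. Contain: end the FTP server. Other FTP users lose their sessions */
/*    too, which the tip accepts as the price of protecting the system.*/
 CONTAIN:    ENDTCPSVR  SERVER(*FTP)
             MONMSG     MSGID(TCP0000)
/* 5. Record the action so the incident log shows what was done.       */
             SNDMSG     MSG('FTP server ended: security incident') +
                          TOUSR(*SYSOPR)
             ENDPGM
```

The program is called with the date and time from which audit entries should be kept, for example CALL PGM(QGPL/IRFTPCNTN) PARM('091013' '080000'). The order matters: the NETSTAT and WRKACTJOB snapshots are taken first because the session details disappear the moment ENDTCPSVR runs, and the DSPJRN copy gives the analysis step a permanent record that survives audit journal receiver changes.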

As soon as the incident's severity has been determined, you will have to notify management and your organization's principals. If the incident includes law violations, such as theft of identity information, public officials will also have to be notified. During this process, it might also be wise to contact your organization's public relations staff to make sure that the facts made public are correct and not overstated.

Each step along the way must be documented, with permanent records kept for future reference. This will show how the event was dealt with, along with providing a blueprint to prevent a repeat incident.

It's not enough to have a security policy in place; you need to prepare for what might be needed when the security policy breaks down.

If you have any questions about this topic, you can reach me at rich@kisco.com.
