Is the light on, but the door unlocked?


Rich Loeber
07.27.2004


iSeries-AS/400 owners regularly boast about the security built into their systems, and rightly so, but if you don't implement and use the features, they're not going to do anything for you.

I have mentioned before that I live in upstate New York, in the heart of the Adirondack Mountains. In our neck of the woods (literally), security is not much of an issue for most people. In fact, most of our neighbors never lock their homes or cars since theft is just not a problem. At our house, we have extensive outdoor "security" lighting installed, and we use it whenever we go out at night. We even have one light on a motion detector that comes on automatically in case we forget the other lighting. But, even with the lighting on, we usually leave the door unlocked just because it is easier to get back in when we return home. If we ever get ripped off, we shouldn't be surprised as to how it happens.

I'm surprised, however, when I hear about iSeries-AS/400 shops that have this same approach to computer security. An alarming number of shops just do not pay attention to security issues and are surprised when a problem develops. OS/400 provides robust security capabilities and tools, but too often they go unused just because it is easier without them.

I remember a particular IT director whose company I did some consulting work for. I encouraged him to move up to security level 30 and implement object-level controls on several mission-critical files on their system. He gave it a try and, without any planning, moved the security level from 20 to 30 and IPL'd their system. When nobody could sign on except the security officer from the console, he backed the system back to level 20 and never tried it again. It would still be running at level 20 today if the company had not gone out of business.

My company sells a number of security solutions for the iSeries-AS/400 market. I am always amazed at the number of customers who buy our solutions and then never fully implement them. Some of these, it turns out, purchased our software just to satisfy an audit recommendation or someone else's concern. For others, they probably just don't have the time or the people resources to do the implementation correctly, so they shelve it or put it on the back burner.

The same is true for the shop that never bothers to set up OS/400 security. They've made a significant investment in OS/400, but are not bothering to use what they've paid for. Security is just as much of an investment as the computer hardware that it runs on.

You would probably never think of leaving the front door of the building open all night with the lights on. By that same measure, you should not leave your system exposed to intentional or even accidental abuse when you have it within your grasp to correct the situation and you have all the tools to do so at your disposal.

If you're reading this and are reminded of your own shop (or even yourself), don't worry. It's not too late to do something. Take an incremental approach and develop a plan. Don't rush into it, like my friend above, and do something you'll regret, but don't just sit there leaving your system exposed. The important thing is to get started and stop putting this off or waiting for enough resources or budget support.

If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My e-mail address is rich@kisco.com.


Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.
