Creating your iSeries security policy

Rich Loeber

More Information There may be more entry points to your system than you know Securing data access on the iSeries database Take control of your iSeries network security -- part 1 Take control of your iSeries network security -- part 2

A security policy will define all aspects of information security for your installation. It will define what you want to protect, what will be expected of your users, how you want new applications to fit into the security environment, how you will monitor security and much more. In creating your security policy, you will have to define your objectives and how you plan to implement those objectives.

Security objectives can fall into one or more of the following categories:

• Resources -- defines how you will restrict access to resources on your system to just those users who are properly authorized and, by inference, how to keep unauthorized users out.
• User identification -- defines how you will guarantee that the user accessing the system is, in fact, an authorized user. This traditionally involves user profiles and passwords but can take on other aspects, as well.
• Integrity -- defines how you will guarantee both data integrity and system integrity. In today's SOX world, this is crucial and includes data protection as well as backup and recovery.
• Transaction confirmation -- defines how you will guarantee that a legitimate transaction has taken place through the use of, for example, digital signatures.
• Confidentiality -- defines how you will guarantee that the data in your system is protected from eavesdroppers. This can include encryption, digital certificates, Secure Socket Layer (SSL) and more.
• Auditability -- defines how you will be able to trace security events in your system to prove that they occurred correctly.

Your security policy will have ramifications that go beyond your iSeries platform, so you'll have to get more involved in that rather than just your own system. The policy will affect how e-mail is handled, how network connections are established and broken, how you might employ Virtual Private Network (VPN) connections and more.

For more information about that issue, I refer you to an excellent manual from IBM for V5R3 titled "iSeries and Internet Security" which you can find at IBM's iSeries Information Center. The manual contains implementation examples that may help you to better visualize how each of those areas of responsibility might work out in an actual real world implementation.

If you have specific questions about this topic, e-mail me at rich@kisco.com. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.




Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries security tips Security considerations for IBM i backups Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i iSeries physical security Security considerations for IBM i backups Time for a security checkup for your i Recovering your AS/400 security configuration A guide to System i security, part 2: Landing and establishing access A guide to System i security: Descending into the heart of darkness of IT security Learning guide: Steps to a secure System i Securing printed output 12 security tips in 12 minutes Are all of your System i (iSeries) doors closed? -- part 1 Can you trust all those trigger programs? iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.