A security policy will define all aspects of information security for your installation. It will define what you want to protect, what will be expected of your users, how you want new applications to fit into the security environment, how you will monitor security and much more. In creating your security policy, you will have to define your objectives and how you plan to implement those objectives.
Security objectives can fall into one or more of the following categories:
- Resources -- defines how you will restrict access to resources on your system to just those users who are properly authorized and, by inference, how to keep unauthorized users out.
- User identification -- defines how you will guarantee that the user accessing the system is, in fact, an authorized user. This traditionally involves user profiles and passwords but can take on other aspects, as well.
- Integrity -- defines how you will guarantee both data integrity and system integrity. In today's Sarbanes-Oxley (SOX) world, this is crucial and includes data protection as well as backup and recovery.
- Transaction confirmation -- defines how you will guarantee that a legitimate transaction has taken place through the use of, for example, digital signatures.
- Confidentiality -- defines how you will guarantee that the data in your system is protected from eavesdroppers. This can include encryption, digital certificates, Secure Sockets Layer (SSL) and more.
- Auditability -- defines how you will be able to trace security events in your system to prove that they occurred correctly.
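To make the objective categories above concrete, here is an added example (not from the original article or its author) that turns a policy into an automated check against iSeries system values. It assumes the system values have already been exported into a Python dict, for instance from DSPSYSVAL output; the sample values and the thresholds chosen for each objective are constructed for illustration and should be replaced with the ones your own policy sets. Note that two objectives, transaction confirmation and confidentiality, have no single system value behind them and are reported as needing manual review, which is itself a useful thing for a policy checker to say out loud.

```python
"""Policy-as-code checker mapping security objectives to IBM i system values.

Added example, not part of the original article. The system value names are
real IBM i system values; the thresholds and the SAMPLE_SYSVALS dict are
constructed for illustration (assumptions, not the article's recommendations).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# The six objective categories from the policy discussion.
OBJECTIVES = ["Resources", "User identification", "Integrity",
              "Transaction confirmation", "Confidentiality", "Auditability"]


@dataclass(frozen=True)
class Check:
    objective: str                 # which policy objective this check enforces
    sysval: str                    # IBM i system value inspected
    expected: str                  # human-readable expectation for the report
    ok: Callable[[str], bool]      # predicate over the raw system value text


def _num(v: str) -> int:
    return int(v.strip())


def _words(v: str) -> set:
    # Multi-valued system values (QAUDLVL, QALWOBJRST) are space separated.
    return set(v.split())


# Thresholds below are example policy choices, not IBM defaults.
CHECKS: List[Check] = [
    Check("Resources", "QSECURITY", "security level 40 or higher",
          lambda v: _num(v) >= 40),
    Check("User identification", "QPWDLVL", "password level 2 or higher",
          lambda v: _num(v) >= 2),
    Check("User identification", "QPWDMINLEN", "minimum password length 8",
          lambda v: _num(v) >= 8),
    Check("User identification", "QMAXSIGN", "at most 5 failed sign-ons",
          lambda v: v.strip() != "*NOMAX" and _num(v) <= 5),
    Check("Integrity", "QALWOBJRST", "restore of *ALL object types not allowed",
          lambda v: "*ALL" not in _words(v)),
    Check("Auditability", "QAUDCTL", "action auditing enabled (*AUDLVL)",
          lambda v: "*AUDLVL" in _words(v)),
    Check("Auditability", "QAUDLVL", "audits *AUTFAIL and *SECURITY events",
          lambda v: {"*AUTFAIL", "*SECURITY"} <= _words(v)),
]


@dataclass(frozen=True)
class Result:
    objective: str
    sysval: str
    actual: str
    expected: str
    passed: bool


def evaluate(sysvals: Dict[str, str]) -> List[Result]:
    """Run every check; a missing or malformed value counts as a failure."""
    results = []
    for c in CHECKS:
        actual = sysvals.get(c.sysval)
        if actual is None:
            passed, actual = False, "<missing>"
        else:
            try:
                passed = c.ok(actual)
            except ValueError:        # non-numeric text where a number was expected
                passed = False
        results.append(Result(c.objective, c.sysval, actual, c.expected, passed))
    return results


def report(sysvals: Dict[str, str]) -> Dict[str, str]:
    """Per objective: PASS, FAIL, or MANUAL when no automated check covers it."""
    results = evaluate(sysvals)
    out = {}
    for obj in OBJECTIVES:
        rs = [r for r in results if r.objective == obj]
        if not rs:
            out[obj] = "MANUAL"
        else:
            out[obj] = "PASS" if all(r.passed for r in rs) else "FAIL"
    return out


def failures(sysvals: Dict[str, str]) -> List[str]:
    """Names of system values that did not meet the policy, for remediation."""
    return [r.sysval for r in evaluate(sysvals) if not r.passed]


# Constructed sample export; not taken from any real system.
SAMPLE_SYSVALS = {
    "QSECURITY": "30",
    "QPWDLVL": "2",
    "QPWDMINLEN": "8",
    "QMAXSIGN": "3",
    "QALWOBJRST": "*ALWSYSSTT *ALWPGMADP",
    "QAUDCTL": "*AUDLVL *OBJAUD",
    "QAUDLVL": "*AUTFAIL *SECURITY *SAVRST",
}

if __name__ == "__main__":
    for objective, status in report(SAMPLE_SYSVALS).items():
        print(f"{objective:26s} {status}")
    print("needs remediation:", failures(SAMPLE_SYSVALS))
```

Run against the sample, the report marks Resources as FAIL (level 30 is below the policy's 40), the identification, integrity and auditability objectives as PASS, and the two objectives with no system-value check as MANUAL. Treat the MANUAL rows as the part of the policy that has to be verified by reviewing applications and network configuration rather than a system setting.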
Your security policy will have ramifications that go beyond your iSeries platform, so you will have to look at the wider environment rather than just your own system. The policy will affect how e-mail is handled, how network connections are established and broken, how you might employ Virtual Private Network (VPN) connections and more.
For more information about that issue, I refer you to an excellent manual from IBM for V5R3 titled "iSeries and Internet Security," which you can find at IBM's iSeries Information Center. The manual contains implementation examples that may help you to better visualize how each of those areas of responsibility might work out in a real-world implementation.
If you have specific questions about this topic, e-mail me at firstname.lastname@example.org. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.