29
Fri, Nov
0 New Articles

Technology Focus: Auditing and Compliance Solutions for IBM i

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Applications that help IBM i managers monitor security events, support audits, and comply with regulations and standards continue to be vital.

 

The corporate audit for assuring that your enterprise is adhering to laws and regulations governing information protection has gotten to be as routine as filing your annual corporate taxes. The critical questions have changed from "how will we deal with this?" to "how can we streamline this unavoidable necessity?" and "what's new in laws and standards that we have to watch out for?"

 

Enterprises in the IBM i world, while still not as plagued by information thefts and downtime woes as users of many other platforms, still must cope with producing accurate digests of compliance information that auditors can understand. While the auditors are becoming more savvy in the ways of using computers to garner and sort through such data, applications that reduce this task to be more of a spoon-feeding process are proving their value. The less time an audit takes, the sooner IT and other personnel can return to their normal background tasks.

A Process That's Anything but SIEM-Less

Although laws and standards haven't changed much in the past year, a management process is morphing from other platforms into the IBM i world. It's called Security Information and Event Management (SIEM), and it is the process of keeping track of security events that affect applications, databases, and systems and transmitting them to centralized logs for analysis. Although more generally used in multiplatform environments in the past, SIEM is a source of growing interest for IBM i users as more i systems find themselves part of multiplatform infrastructures or part of larger networks that include multiple i machines.

 

SIEM information is centralized, which streamlines such actions as sending alerts of problems to critical personnel in short time spans, using graphical interfaces to sort and interpret the data for auditing and historical purposes, and generating reports that show helpful data such as patterns of problems affecting multiple systems. While not many IBM i auditing packages are providing built-in SIEM-type features yet, it appears to be a logical next step that will affect the market over the coming year or two.

 

In addition to legal requirements, certain types of businesses are obligated to maintain professional standards. International standards bodies and industry standards organizations have also made significant statements of expectations over the past two decades that, while not having the force of law, still represent important mandates enterprises must follow to do business.

A Primer of Requirements and Standards

Today's IT climate requires attention to five legal and four business standards, depending on the industries in which an enterprise is engaged, quickly summarized as follows.

 

  • The U.S. Code of Federal Regulations 21 CFR Part 11 enables the U.S. Food and Drug Administration (FDA) to set guidelines on data controls and auditing of electronic records and electronic signatures for enterprises operating in FDA-regulated industries.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes legal standards in the U.S. for electronic healthcare transactions and national identifiers for providers, health plans, and employers.
  • The Massachusetts Law 201 CMR 17.00 and California SB 1386 are statutes protecting the privacy of personal information (e.g., name, address, social security and credit-card numbers) stored in computer systems. Any company doing business in those states must have a written policy for securing that information.
  • The Gramm-Leach-Bliley Act of 1999 (GLBA) requires protection of financial information from foreseeable data-security threats, mandates programs to test corporate information security, and expects companies to analyze their security risks.
  • The Sarbanes-Oxley Act of 2002 (SOX), among other provisions, establishes standards for external auditing of financial reports. Australia's CLERP 9 and Japan's J-SOX set similar regulations for companies doing business in those respective countries.
  • Basel II is a set of recommendations for banking regulatory laws issued by the Basel Committee on Banking Supervision, an international body formed by a consortium of large-economy nations that includes the United States. Countries around the world may implement these standards as regulations according to their own timetables, but most are expected to adopt nearly all Basel II recommendations eventually.
  • The Control Objectives for Information and related Technology (COBIT) are best-practices recommendations originated in 1996 by the Information Systems Audit and Control Association and the IT Governance Institute, for use and control of information technology in corporate enterprises.
  • The International Organization for Standards' ISO/IEC 27002 (formerly ISO 17799) prescribes standards for corporate risk assessment, data confidentiality, data-processing system access control, and business continuity, although these don't have the force of law. These were modeled on a U.K. government recommendation known as British Standard 7799 (BS 7799).
  • The Payment Card Industry Data Security Standards (PCI DSS) are financial-data security requirements rules set by the PCI Security Standards Council. These rules affect all companies that rely on any financial transactions using credit cards, debit cards, prepaid cards, ATMs, and similar instruments.

Also, enterprises doing business in Canada need to be aware of that country's Personal Information Protection and Electronic Documents Act (PIPEDA), which restricts how private companies can collect and use consumers' personal information. The Personal Information Protection Act (PIPA) is a slightly more strict provincial law for British Columbia (and there's a similar provincial law affecting only Alberta) that includes employee information as well as that of consumers.

 

In addition, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) is a compliance regimen required for electrical utilities and other enterprises responsible for power-infrastructure security. Although many of its requirements are similar to other standards in requiring auditing of such areas as file change detection, configuration, user account management and access controls, and SIEM-like log- and event-management, there are additional special requirements that not all IBM i auditing and compliance applications handle.

Meeting the Auditors' Needs

Auditing and compliance solutions facilitate the auditing process, as well as help enterprises keep an ever-watchful eye on data protection and system security events so that audits don't turn up embarrassing surprises. There are now 27 different software products that either run on, or analyze, IBM i security and data protections. Most focus on systems holistically, helping standardize and clarify access to all system objects, and others focus more narrowly on the aspect of securing sensitive data. But all are useful and are summarized below.

 

However, even though some means of facilitating audits has become a necessary part of doing business, it's not all bad news. Data gleaned from such solutions can also help enterprises streamline operations, learn about previously occluded aspects of their own businesses, and avoid reputation-damaging (and sometimes lawsuit-enticing) losses of sensitive data that can have incalculable hidden costs. In this context, auditing and compliance software can be a relatively cheap insurance policy.

 

It's also important to understand that auditing and compliance applications are just a subset of the wider market of security tools. The products surveyed here, with a few exceptions, don't handle such system security aspects as user authorization and authentication, file encryption, or the securing of data transmission across a network. Also, the solutions below are only those that work under i5/OS, though a few support other operating systems that can run on the IBM i.

 

Please note that the brief summaries here don't cover all the features each software product provides. You should consult the links provided for each product and contact the associated vendors for a more complete idea of what each product's capabilities include.

 

And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.

Auditing and Compliance Tools for IBM i

 

Bsafe Software Solutions

Bsafe Enterprise Security for IBM i

Bsafe Policy Compliance Manager

Bsafe Security Assessment

Bsafe Enterprise Security for IBM i includes application access control, user-profile management, object-authorization management, external-port access restrictions, and session-timeout and inactive-user controls. In addition, it offers a SOX compliance kit, a template-based policy compliance manager, and optional database field-masking tools. Finally, it provides auditing tools for file and application access, system journaling activities, and database changes.

 

Bsafe Policy Compliance Manager helps security personnel build, document, and maintain a corporate security policy. Once a policy is in place, the product also helps users verify compliance, generate reports, and uncover elements of system security not already handled by the policy. In addition, Policy Compliance Manager generates reports that are understandable by nontechnical readers.

 

Bsafe Security Assessment is an external security testing application that launches real-time security penetration tests, summarizes current security policies, and highlights deviations from recommended policy settings.

 

Bytware

Standguard Security

Standguard Security monitors exit points and the QAUDJRN,  monitors and manages system access, defines user access permissions, alerts administrators to changes in system values and profile changes, audits business asset libraries, checks system authority settings, and provides numerous reports and audit trails to enable compliance with standards, best practices, and regulations.

 

CCSS

QSystem Monitor

QSystem Monitor is an application and job-monitoring solution for IBM i. It filters all system messaging activities and provides a check on use of FTP and QSECOFR authority. It monitors system-value and user-profile changes and invalid password attempts. It also includes features for compliance with SOX and PCI requirements by monitoring the QAUDJRN and sends alerts of administrator-defined security breaches to appropriate personnel.

 

Cilasoft

QJRN/400

QJRN/400 is an auditing platform for IBM i machines that monitors system activity for compliance with major regulations and standards. It reports on changes to database authorization files, user profiles and authorities, network attributes, and system values. It also identifies modifications to corporate applications made by other software and monitors access of sensitive database fields.

 

Cosyn Software

Cosyn Audit Trail/400

Cosyn Audit Trail/400 tracks changes made to database files on IBM i machines without requiring the overhead of turning on journaling. The product uses triggers instead and outputs results to physical files that users can query or use to create their own reports.

 

CXL

AZScan

AZScan is a Windows application that can audit and evaluate security on IBM i machines running i5/OS or Linux/UNIX, as well as Oracle databases. The product runs 53 security tests for i5/OS, creates reports intelligible to nontechnical auditors, pinpoints problems, and assists users with maintaining regulation and industry standards compliance.

 

Imperva

SecureSphere Data Security Suite

SecureSphere Data Security Suite is an application and database security and auditing solution that includes DB2 monitoring for IBM i. The suite offers alerts, a database firewall with activity monitoring, and access controls for sensitive data. The solution's auditing features help non-technical auditors analyze and view database activity, as well as access standard and customizable reports on security-related user activities.

 

Innovatum

DataThread

DataThread tracks changes to databases, filters out routine activity and focuses on user-requested exceptions, centralizes and automates data-policy enforcement without requiring program changes to existing applications, notifies appropriate personnel of changes, and meets compliance requirements for all domestic and international regulations that require monitoring of IBM i data access and user activity. It also includes a validation documentation packet for companies in Life Sciences industries.

 

Kisco Information Systems

iFileAudit

Kisco's iFileAudit lets users track data updates and changes to files on a user-by-user, file-by-file, and field-by-field basis. The product includes a Web browser interface, a notation feature, the ability to track file-read actions for user-selected files, and produce audit reports on a global or selected basis.

 

KST Software

DataTrigger

DataTrigger uses data-trigger technology to audit IBM i databases. It checks for unauthorized database viewing or changes, automatically logs data events (e.g., read, insert, change, delete), and generates alerts if it detects unauthorized activity. It logs all data transactions to a data repository and blocks data actions from being carried out by unauthorized users.

 

NetIQ

NetIQ VigilEnt Policy Center

NetIQ Secure Configuration Manager

NetIQ Security Manager

NetIQ VigilEnt Policy Center is a Windows application that helps users develop, implement, and manage enterprise-wide policies for compliance, security, and other purposes. It provides standardized policy documents that users can customize, tests employee understanding of policies and reports on results, helps integrate policy information in applications and Web services, and tracks and reports compliance violations online.

 

NetIQ Secure Configuration Manager is a system-security configuration assessment and compliance-monitoring tool that helps administrators compare system security settings against regulatory and best-practice requirements. It assesses system configurations against multiple compliance mandates, reports on systems out of configuration, provides tools for restoring mandate compliance, generates reports that satisfy legal and industry standards requirements, and presents data via a dashboard-style interface.

 

NetIQ Security Manager is an SIEM application for IBM i that includes NERC-CIP compliance. It consolidates and logs event information from across a network (including multiplatform networks), helps satisfy legal log-retention requirements, facilitates data mining of logged data, and provides alerts of violations and problems. The product offers change detection and file-integrity monitoring, privileged-user monitoring, log management and analysis, query-based data-intrusion forensic tools, and security event correlation.

 

PowerTech Group

Compliance Monitor

Interact

Compliance Monitor provides a single console view with a GUI, multiple reporting options, the ability to see all security events within the security audit journal (QAUDJRN), audit-data compression, and the ability to schedule assessments around production jobs. It also enables audit reporting and inspection of security-policy compliance with SOX, PCI, and other regulations and standards.

 

Interact monitors more than 500 system security events in real time and sends them to a system log in real time for later analysis or troubleshooting. Examples include QAUDJRN, exit programs, messages from QSYSOPR and QSYSMSG, and other system events. Interact parses and simplifies audit journal entries so nontechnical users can read them and can filter system events by date, time, user, IP address, and other criteria.

 

Raz-Lee Security

iSecurity Audit

iSecurity is a suite of 16 products designed to help with all facets of IBM i security concerns. Audit is the suite member most directly responsible for monitoring and reporting all activity on the system, as well as providing real-time server security and detailed audit trails. Audit documents all QAUDJRN file activity, offers an interface for managing all QUADJRN parameters, provides GUI-based drilldown tools for activity statistics and histories, collects and displays all changes in user profiles, and generates more than 200 standard status reports.

 

Safestone Technologies

Compliance Center for i

Safestone's Compliance Center for i provides a query-based reporting solution that automates the data collection and conversion into reports of audit, compliance, and security events. The product monitors such system activities as network accesses, object authorities, user profiles, QUADJRN and QHIST entries, system values, and SQL command usage. Users can either schedule reports on a regular basis or access them on demand.

 

SkyView Partners

SkyView Audit Journal Reporter

SkyView Policy Minder for IBM i and i5/OS

SkyView Risk Assessor

SkyView Security Compliance Solution

SkyView Audit Journal Reporter generates predefined and auditor-ready reports based on events recorded in QUADJRN. It helps reduce time needed to provide non-technical reports on system events for auditor use and produces ongoing reports as necessary to help users investigate compliance issues.

 

SkyView Policy Minder for IBM i and i5/OS automates security policy compliance. Examples of features include automatic checking of system settings (e.g., user profiles, libraries, objects, directories, authorization lists), security policy documentation via template-based and customized settings, and report generation on multiple aspects of security policy. The product also includes tools for modifying system parameters that are out of line with established security policy.

 

SkyView Risk Assessor provides an analysis of more than 100 system risks from the point of view of an external expert. Designed to provide the basis for a security audit of IBM i machines, Risk Assessor also helps evaluate enterprise compliance with PCI, HIPAA, and other standards.

 

SkyView Security Compliance Solution is a reporting application for IBM i that automates generation of security compliance reports. Standard reports include documents on system risk assessment, inactive profiles, users with default passwords, profiles having special authorities, system values settings, and access controls on files and directories containing sensitive information.

 

Tango/04 Computing Group

Tango/04 DataMonitor for iSeries

Tango/04 DataMonitor for SQL Server

VISUAL Security Suite

Tango/04 Data Monitor audits read, insert, update, and delete transactions performed on specific records and fields in DB2/UDB databases. It provides audit trails of all activity to satisfy U.S. and European regulations and can produce reports in a variety of file formats.

 

Tango/04 Data Monitor for SQL Server ensures the integrity of data stored in Microsoft SQL Server tables. It provides a graphical interface for auditing changes to data and ensures compliance with a wide range of standards that apply to data security. The monitor sends real-time alerts of violations, provides legally acceptable records of user activities, and provides security tools for protecting data.

 

VISUAL Security Suite (VSS) lets administrators audit activities of thousands of users, all Windows servers, more than 40 IBM i program exit points, multiple server and device security logs, system events and settings, and changes in user authorities. It stores auditing data in a Web-based data warehouse from which users can generate PDF-based reports and business-impact analyses or send the reports to a corporate Web site.

 as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7, V6R1 

 

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: