System Values

According to an auditor's playbook, system values must be set to certain settings. But what happens when you can't set a system value to the auditor's required setting? Answer: You write a risk-acceptance statement justifying the current setting. SkyView Risk Assessor provides a detailed description of all security-relevant system values along with reasons you may not be able to set the value to "best practices." You then use these expert explanations in your risk-acceptance statement, which is part of your Policy Description in SkyView Policy Minder. Auditors will demand proof that you are (and have been) in compliance with your organization's policy, and Policy Minder compliance reports provide this proof.

User Profiles

When it comes to user profile settings, auditors often expect policies to document the following:

• No default passwords—Risk Assessor provides a report of all users with default passwords along with the profile's special authorities. This identifies the risk associated with leaving the profile with a default password. With Policy Minder, you can create a user-profile template to look for profiles with default passwords. Running a regular compliance check allows you to prove to auditors that you are proactively looking for and dealing with profiles that have default passwords.
• Management of inactive profiles—Auditors want to see that profiles that haven't been used recently are removed from the system on a timely basis. Policy Minder allows you to automate the discovery and management of inactive profiles. Using the FixIt function, you can use a special template to delete profiles. Reports showing that the profiles are being removed in the appropriate timeframe can be generated for auditors to review. Policy Minder also lets you document and justify the profiles that will always be inactive but must remain on the system (e.g., group profiles, profiles that own objects, etc.).
• Special authorities—Auditors look for the assignment of excessive capabilities. Translated: They want to know you are managing the number of users who have *ALLOBJ special authority or are a member of QSECOFR. You can create user profile templates in Policy Minder to document the users that currently have a special authority or users who are a member of QSECOFR and then run compliance checks on a regular basis to identify new users with either of these assignments.
• User class assignment—Auditors want all users to be in the *USER class and only a few administrators to be in the *SECOFR class. Policy Minder accommodates this auditor requirement and allows you to see all users that are assigned to inappropriate user classes.

Object Authorities

Internal auditors and Payment Card Industry (PCI) auditors typically require restricted access to files containing private information. Translated: i5/OS database files containing private information (healthcare information, SSNs or SINs, bank account numbers, or cardholder data) must be set to *PUBLIC *EXCLUDE. Whether the requirement is to secure a library, a directory, a specific file, or a set of files, you can set a library or directory authority template to monitor compliance with these types of audit requirements.

Independent Assessment

You can use Risk Assessor to fulfill an auditor's requirement that you have an expert, independent assessment of your system. Risk Assessor examines over 100 areas of i5/OS security settings (including object authorities, user profiles, TCP/IP configuration, file shares, system values, and more) and compares them to industry best practices. It describes the issues, providing enough information for you to determine whether the risk applies to your organization and, if it does, tips for remediating the issue.

We Can Help

Your next audit is fast approaching. You want to be prepared, but you don't have the time or expertise to perform a thorough assessment of your i5/OS systems. SkyView Security Check-up is a service that takes the burden off you to determine the risks associated with the i5/OS security configuration. SkyView provides you with a detailed explanation of the issues discovered by running Risk Assessor and a summary of the recommended action plans for remediation of those issues.

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3^rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

---

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

		IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
		Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale