A leading manufacturer automates the IBM i’s compliance challenge using SkyView Partners Security Administration software

The company manufactures a leading brand in its sector. For the past couple of years the company has belonged to an international group of companies. The Dutch subsidiary runs its main business applications on IBM i (AS/400) on 2 Power6 Systems: one for production and one for high availability and testing. Applications running on IBM i are the financial applications, a CRM application and others. The company has been utilizing IBM i and its predecessors since their introduction.

Like most organizations, the company has to comply with internationally founded rules and regulations. The number and the scope of such regulations are growing rapidly, and further expansion of these regulations is expected over the coming years. The growing number of compliance laws and regulations is a response to market demand, data breaches, potential vulnerabilities in open systems etc. We need organizations to do business according to commonly agreed principles, and this includes the protection of ICT systems and data from fraud, hacking, data theft, viruses etc. Being, and being seen to be, in control is a tough job. Besides using an external auditing company to measure compliance with applicable regulations, ICT management and staff are also obliged to take measures to be “in control”.

This company, whose IBM i system (among others) is being audited, is required to run a number of procedures in which the IBM i reports on such issues as the users and their access rights, system security settings, access to the system and other important information pertaining to the security (or lack of security) of the system. Additionally, the company is required to supply detailed information about its structure for the Segregation of Duties, the possibilities of external access via ODBC and/or FTP connections etc., and the names of the system managers and other key IT staff.

Until 2011 the company collected all requested information by manually running a number of procedures to produce reports. In principle the same information is requested every time, but collecting it was incredibly labor and paper intensive. The company was unhappy with the length of time required by the auditors and their own staff to run the system audit. In 2010 the system managers learned of the SkyView Partners products, which can automatically analyze the system and produce the reports for the auditors, providing a complete vulnerability check on the IBM i. During 2010 a trial of SkyView Risk Assessor was run and reports were prepared automatically. The company is now aware of its “in control” status and the results of the measures taken to alleviate any vulnerability.

The reports were also supplied to the auditor as input for the ICT audit. The results were such that the company decided to purchase a license of SkyView Risk Assessor for the audit of 2011.

The main benefits of SkyView Risk Assessor are
1.    An independent vulnerability check of the system.
2.    An explanation of the settings
3.    Recommendations for remediation
4.    Detailed reports for auditing
5.    A management overview document in a format readable by Word
6.    Improving quality of ICT infrastructure (management)
7.    A vast reduction in the time required for analysis and support by system managers
8.    Protection from manipulation. The reports of SkyView Risk Assessor are produced on the IBM i in spool files and/or PDFs
9.    Regular updates in line with the IBM i operating system.

A quote from the company’s System Engineer for IBM Power 6: “SkyView Risk Assessor is something I’ve been waiting for years.”

The next step is being “in control” continuously by implementing SkyView Policy Minder. On a regular basis it automatically checks the actual security administration status of all IBM i systems, including the LPARs, against an agreed security compliance policy.

The main benefits of SkyView Policy Minder are
1.    Documentation of the security policy
2.    Control of the actual status compared to the security policy
3.    Automated remediation of out-of-compliance items
4.    Compliance reporting on spool files, PDFs and email alerts
5.    Automated assurance of complete compliance
6.    Regular updates in line with the IBM i operating system.
7.    Complete object level security throughout i5/OS and IFS.

With the software of SkyView Partners the company learned that the “game” between the auditor and the ICT-department regarding security compliance is over.

SRC Secure Solutions

SRC Secure Solutions is a Dutch company specialising in Multiplatform Software for Security and Security Compliance Management.
SRC Secure Solutions builds on more than 20 years' experience of supplying state-of-the-art ICT solutions to large, medium and small organisations and companies.

 

SRC Secure Solutions BV.
Amstelveen, March 2011.