by Carol Woodbury, President, SkyView Partners, Inc
I’m not usually one to make New Year’s resolutions but I do take time at the beginning of each year to re-evaluate. So in the spirit of re-evaluation or resolutions or whatever you want to call this activity, I have five ideas for your consideration for the New Year.
#1 – Take advantage of new hardware or version upgrades
We know that many of you are upgrading to new versions of the operating system and/or to new hardware. Now is the time to take advantage of the testing window on that new hardware/release to implement that security project you've been putting off.
Whether it's implementing a new application security scheme or securing the files containing private data, moving to security level 40, removing users’ *ALLOBJ special authority or trying new password system values, SkyView Partners is ready to help you with this project. We’ve helped numerous clients implement security projects on new hardware and it’s amazing to see how much and how quickly you can get things done on a system that’s not yet in production. Contact us for more information.
#2 – Start creating user profiles correctly
Unless you’ve already addressed this, it’s likely that you have user profiles that have more special authorities than are necessary. I realize it could take a significant project to address all of the existing profiles, but you can at least start creating new profiles with only the special authorities required to perform their job function. If you start creating profiles with the proper special authorities, the issue will get no worse than it currently is. I recommend that you create an example or ‘template’ profile that is copied for each type of user you create and that you copy the appropriate template rather than copying an existing user’s profile.
#3 – Automate!
I talk to countless administrators who are still dumping the user profile attributes to an outfile and creating queries to get a list of users with a specific set of attributes or performing visual checks of file authorities and ownership and creating their own reports. All of you have WAY too much to do to be doing manual checks - either as your regular monitoring or in preparation for an auditor's visit.
Let our Policy Minder for IBM i and Policy Minder for AIX products automate your administration and compliance tasks. Because the processes are automated, you can check for changes to authorization lists or new powerful user accounts on a daily or weekly basis, for example. You don’t need to let your data or system be exposed until the next time you run the report for the auditor. You can catch – and correct – the issue right away.
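The checks described in #2 and #3, sketched as an added example that is not SkyView's code or part of the original article: it compares each profile's special authorities with the template for its type of user and reports profiles that gained special authorities since the previous snapshot. The template names, profile names and the comma-separated snapshot layout are constructed assumptions; only the special authority names are real IBM i values.

```python
# Added example: template names, profile names and snapshot layout are constructed.
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                       "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"}

# Assumed policy: special authorities each template (type of user) needs.
TEMPLATES = {
    "ENDUSER": set(),
    "OPERATOR": {"*JOBCTL", "*SAVSYS"},
    "SECADMIN": {"*SECADM", "*AUDIT"},
}

def parse_snapshot(text):
    """Parse 'PROFILE,TEMPLATE,special authorities' lines into a dict."""
    profiles = {}
    for line in text.strip().splitlines():
        name, template, spcaut = [f.strip() for f in line.split(",", 2)]
        auths = set() if spcaut in ("", "*NONE") else set(spcaut.split())
        unknown = auths - SPECIAL_AUTHORITIES
        if unknown:
            raise ValueError(f"{name}: unknown value {sorted(unknown)}")
        profiles[name] = (template, auths)
    return profiles

def excess_authorities(profiles):
    """Profiles holding special authorities their template does not grant."""
    findings = {}
    for name, (template, auths) in profiles.items():
        extra = auths - TEMPLATES.get(template, set())
        if extra:
            findings[name] = sorted(extra)
    return findings

def newly_powerful(previous, current):
    """Profiles (new or existing) that gained special authorities."""
    gained = {}
    for name, (_, auths) in current.items():
        before = previous.get(name, ("", set()))[1]
        if auths - before:
            gained[name] = sorted(auths - before)
    return gained

# Constructed snapshots, as if exported on two consecutive days.
YESTERDAY = parse_snapshot("""JSMITH,ENDUSER,*NONE
OPS01,OPERATOR,*JOBCTL *SAVSYS
APPOWNER,ENDUSER,*ALLOBJ""")
TODAY = parse_snapshot("""JSMITH,ENDUSER,*ALLOBJ *JOBCTL
OPS01,OPERATOR,*JOBCTL *SAVSYS
APPOWNER,ENDUSER,*ALLOBJ
VENDOR1,OPERATOR,*JOBCTL *SAVSYS *SECADM""")

if __name__ == "__main__":
    print("Exceeds template:", excess_authorities(TODAY))
    print("Gained since last run:", newly_powerful(YESTERDAY, TODAY))
```

APPOWNER shows up in the first report but not the second: it is an existing problem rather than a new one, which is the distinction between cleaning up old profiles and making sure the situation gets no worse.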
#4 – Evaluate the condition of your security processes
As I said in my opening paragraph, at this time of year I step back and evaluate things. In our business, every year at this time we step back from the day-to-day and look to see what's working and what's not working. We then make a list of items to address and adjust plans and actions accordingly. The same thing needs to be done with your security processes. For example, are the reports you're generating giving you the information you need? Or are they being generated because that's what your predecessor set up and you haven't stopped to consider what's really important or what helps prove compliance? Is the proliferation of powerful users getting out of hand? Do the access control settings on critical files match your organization's security policy? In the absence of this evaluation and a prioritized list of actions that need to be taken, you can only hope that your processes are meeting your organization's requirements - but you won't know for sure.
If you need to step back and assess the security settings of your IBM i or AIX servers as part of your evaluation, consider SkyView's security check-up service. As part of this service, we evaluate the security configuration of your servers and provide you with a list of issues that we recommend be addressed.
#5 – Utilize the audit journal
Yes, from a security professional’s perspective I’m of course going to recommend that you review certain types of audit journal entries and look for abnormal activity. But I also want to encourage all administrators to use the information in the audit journal to help you with your daily tasks. If you don’t know how or who deleted a program out of a production library or a file in the IFS, the audit journal can tell you. Or you can find out that during the installation of a vendor product, system values were changed. A treasure trove of information resides in the audit journal – you just have to remember to ‘mine’ it.
To aid you – both for administrative discovery of what’s happened on your systems as well as to review actions from a security perspective – check out SkyView's Audit Journal Reporter product.
Carol Woodbury, CRISC
President and co-founder, SkyView Partners
If you'd like more information on how SkyView's solutions can help your organization with your security compliance or administration needs, contact us.