
This topic includes the current ISO standard information from the ISO 27002 (17799) update.
PowerTech has updated all Compliance Guide material to refer to this latest version of the standard. If your organization is still using the version of the standard from the year 2000, contact PowerTech to obtain a version of the guide that refers to this current version.
ISO 27002 (17799), an internationally recognized information security standard, has found more widespread use in the United States in recent years. Many companies use the ISO standard alone to define their security policy, or they use it to provide more detailed guidance on the security-specific issues outlined by COBIT.
In July 2005 the International Standards Organization released a new version of the Information Security Standard, which was referred to as ISO 17799:2005. The standard was later renamed ISO 27002; the content is identical to the 17799:2005 version (only the name changed). The standard forms the basis of the ISO 27001 certification.
The ISO 27002 (17799) standard is an information security specific standard; whereas COBIT applies more broadly to information technology in general. As such, the ISO standard often provides considerably more detailed guidance on topics of information security.
This standard contains 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment. PowerTech products can help companies in many ways to comply with the ISO standard.
ISO 27002 (17799) security control clauses mapped to PowerTech products

| ISO 27002 (17799) security control clause | PowerTech product(s) |
|---|---|
| 1) Security Policy | PowerTech Open Source Security Policy |
| 2) Organizing Information Security | PowerTech Network Security |
| 3) Asset Management | (none) |
| 4) Human Resources Security | PowerTech Easy Pass |
| 5) Physical and Environmental Security | (none) |
| 6) Communications and Operations Management | PowerTech Authority Broker, Compliance Monitor, Encryption, Network Security |
| 7) Access Control | PowerTech Network Security, Authority Broker, Compliance Monitor, Easy Pass |
| 8) Information Systems Acquisition, Development and Maintenance | PowerTech Compliance Monitor and Network Security |
| 9) Information Security Incident Management | PowerTech Network Security and Interact |
| 10) Business Continuity Management | PowerTech Network Security |
| 11) Compliance | PowerTech Compliance Monitor |
The format of the 2005 update version of the ISO 27002 (17799) standard is much easier to read and understand than previous versions. In the 2005 update version, each main security category details the following four criteria:
The controls are clearly defined and present the specific control statement to satisfy the control objective.
The easy-to-read format is shown below in the excerpt from the ISO 17799:2005 update:
Note: The ISO 27002 (17799) standard is available for purchase at http://www.standardsdirect.org.
After a thorough review of the ISO 27002 (17799) update by PowerTech security experts, the relevant sections of the standard are listed here for easy reference. The ISO section/topic table below lists the sections covered; the summary that follows gives, for each section, specific excerpts from the ISO 27002 (17799) update, PowerTech recommendations, and applicable PowerTech reports. (At the end of this topic, you'll also find ISO sections mapped to PowerTech products/reports in an easy-to-read reference chart.)
ISO 27002 (17799) Section/Topic

| Section # | Topic |
|---|---|
| 5.1.1 | Information security policy document |
| 6.2.1 | Identification of risks related to external parties |
| 6.2.2 | Addressing security when dealing with customers |
| 8.1.1 | Roles and responsibilities |
| 8.2.1 | Management responsibilities |
| 8.3.3 | Removal of access rights |
| 10.1.2 | Change management |
| 10.1.3 | Segregation of duties |
| 10.4.1 | Controls against malicious code |
| 10.4.2 | Controls against mobile code |
| 10.5.1 | Information back-up |
| 10.6.1 | Network controls |
| 10.6.2 | Security of network services |
| 10.8.1 | Information exchange policies and procedures |
| 10.8.4 | Electronic messaging |
| 10.8.5 | Business information systems |
| 10.9.1 | Electronic commerce |
| 10.10.1 | Audit logging |
| 10.10.2 | Monitoring system use |
| 10.10.3 | Protection of log information |
| 10.10.4 | Administrator and operator logs |
| 10.10.5 | Fault logging |
| 11.1.1 | Access control policy |
| 11.2.1 | User registration |
| 11.2.2 | Privilege management |
| 11.2.3 | User password management |
| 11.2.4 | Review of user access rights |
| 11.3.1 | Password use |
| 11.3.2 | Unattended user equipment |
| 11.4.1 | Policy on use of network services |
| 11.4.6 | Network connection control |
| 11.5.1 | Secure log-on procedures |
| 11.5.2 | User identification and authentication |
| 11.5.3 | Password management system |
| 11.5.4 | Use of system utilities |
| 11.5.5 | Session time-out |
| 11.5.6 | Limitation of connection time |
| 11.6.1 | Information access restriction |
| 12.3.1 | Policy on the use of cryptographic controls |
| 12.3.2 | Key management |
| 12.4.1 | Control of operational software |
| 12.4.2 | Protection of system test data |
| 12.5.4 | Information leakage |
| 13.1.1 | Reporting information security events |
| 14.1.1 | Including information security in the business continuity management process |
| 15.1.1 | Identification of applicable legislation |
| 15.2.1 | Compliance with security policies and standards |
| 15.2.2 | Technical compliance checking |
| 15.3.1 | Information systems audit controls |
| 15.3.2 | Protection of information systems audit tools |
Note: The following Summary contains actual excerpts from ISO/IEC 17799:2005(E) © ISO/IEC 2005
Summary: ISO 27002 (17799) Standards and PowerTech Recommendations
5.1.1 Information security policy document

Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

PowerTech Recommendations: PowerTech has made available an open source Security Policy at no charge that describes best practices in implementing security policy on an AS/400. This Compliance Guide provides a detailed explanation of OS/400 security concepts that can be used as a reference in defining the appropriate policy for your organization.

6.2.1 Identification of risks related to external parties

Control: The risks to the organization's information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.

PowerTech Recommendations: PowerTech Network Security allows organizations to monitor and control any access by third parties to any data on the AS/400 or System i through all of the network access services, including FTP, ODBC (SQL), and DDM.

6.2.2 Addressing security when dealing with customers

Control: All identified security requirements should be addressed before giving customers access to the organization's information or assets.

PowerTech Recommendations: PowerTech Network Security allows organizations to monitor and control any access by third parties to any data on the AS/400 or System i through all of the network access services, including FTP, ODBC (SQL), and DDM.

8.1.1 Roles and responsibilities

Control: Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization's information security policy.

8.2.1 Management responsibilities

Control: Management should require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

8.3.3 Removal of access rights

Control: The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

PowerTech Recommendations: PowerTech Easy Pass allows organizations to take advantage of native operating system capabilities to implement an architecture that eliminates passwords across all AS/400 and System i systems. With one simple action, access for a terminated employee can be denied on all System i systems in the company.

10.1.2 Change management

Control: Changes to information processing facilities and systems should be controlled.

PowerTech Recommendations: PowerTech Authority Broker ensures that programmers and IT staff only make changes on production systems in a fully controlled and audited manner.
10.1.3 Segregation of duties

Control: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Implementation guidance: Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. It is important that security audit remains independent.

PowerTech Recommendations: PowerTech Authority Broker can be used to grant privileged access rights (special authorities on the AS/400) to users only on a need-to-have basis. IT staff do not need powerful privileges in their profiles on production systems, so segregation of duties is enforced.

10.4.1 Controls against malicious code

Control: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.

PowerTech Recommendations: The Save and Restore category of OS/400 system values (QALWOBJRST, QVFYOBJRST, QFRCCNVRST) can be used to control the restoration of programs to the system. PowerTech Compliance Monitor can be used to verify that these system values are set to their appropriate values on all systems in the enterprise. Any exceptions to corporate policy will be highlighted in a single enterprise-wide report.

10.4.2 Controls against mobile code

Control: Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing.

PowerTech Recommendations: The Save and Restore category of OS/400 system values (QALWOBJRST, QVFYOBJRST, QFRCCNVRST) can be used to control the restoration of programs to the system. PowerTech Compliance Monitor can be used to verify that these system values are set to their appropriate values on all systems in the enterprise. Any exceptions to corporate policy will be highlighted in a single enterprise-wide report.

10.5.1 Information back-up

Control: Back-up copies of information and software should be taken and tested regularly in accordance with the agreed backup policy.

Implementation guidance: Adequate back-up facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure. The following items for information back-up should be considered:

d) the back-ups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
h) in situations where confidentiality is of importance, back-ups should be protected by means of encryption.

PowerTech Recommendations: It is good policy to store a copy of backup tapes offsite. Any loss or theft of the backup tapes can result in costly and embarrassing disclosures because of privacy regulations like California SB1386. PowerTech Encryption can be used to encrypt all sensitive data on backup tapes.
10.6.1 Network controls

Control: Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Implementation guidance: Network managers should implement controls to ensure the security of information in networks, and the protection of connected services from unauthorized access. In particular, the following items should be considered:

d) appropriate logging and monitoring should be applied to enable recording of security relevant actions;

PowerTech Recommendations: PowerTech Network Security enables administrators to precisely control who has access to AS/400 systems via the network through ODBC, FTP, etc. Administrators can also control access to the security application controls and administrative rights. With PowerTech Network Security, all network traffic to and from the AS/400 system can be stored and logged in secure journals on the system, creating a complete audit trail of activity that is eligible to be used for criminal proceedings or in a court of law.

10.6.2 Security of network services

Control: Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

PowerTech Recommendations: Use PowerTech Network Security reports.

10.8.1 Information exchange policies and procedures

Control: Formal exchange policies, procedures, and controls should be in place to protect the exchange of information through the use of all types of communication facilities.

Implementation guidance: The procedures and controls to be followed when using electronic communication facilities for information exchange should consider the following items:

g) use of cryptographic techniques, e.g. to protect the confidentiality, integrity and authenticity of information (see Clause 12.3);

PowerTech Recommendations: PowerTech Encryption can be used to encrypt all sensitive data on backup tapes.

10.8.4 Electronic messaging

Control: Information involved in electronic messaging should be appropriately protected.

10.8.5 Business information systems

Control: Policies and procedures should be developed and implemented to protect information associated with the interconnection of business information systems.

Implementation guidance: Consideration given to the security and business implications of interconnecting such facilities should include:

g) restricting selected facilities to specific categories of user;

PowerTech Recommendations: PowerTech Network Security can help enforce classification guidelines on the AS/400 by restricting access to data. Access rules can be enforced for users, groups of users, or IP address locations.

10.9.1 Electronic commerce

Control: Information involved in electronic commerce passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

PowerTech Recommendations: PowerTech Network Security can help enforce classification guidelines on the AS/400 by restricting access to data. Access rules can be enforced for users, groups of users, or IP address locations.
10.10.1 Audit logging

Control: Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Objective: To detect unauthorized information processing activities. Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified. An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.

PowerTech Recommendations: Use PowerTech Compliance Monitor reports.

10.10.2 Monitoring system use

Control: Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly.

PowerTech Recommendations: OS/400 provides a comprehensive logging capability for security events in the security audit journal, which is configured using the QAUDLVL and QAUDCTL system values. PowerTech's Compliance Guide explains what the different audit settings mean and gives recommendations for each.

PowerTech Compliance Monitor enables regular scheduled reporting on events from the security audit journal. Data is parsed to make it easy to read and relevant to security staff who need to review the logs.

10.10.3 Protection of log information

Control: Logging facilities and log information should be protected against tampering and unauthorized access.

Other information: System logs often contain a large volume of information, much of which is extraneous to security monitoring. To help identify significant events for security monitoring purposes, the copying of appropriate message types automatically to a second log, and/or the use of suitable system utilities or audit tools to perform file interrogation and rationalization should be considered.

System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.

PowerTech Recommendations: Only users with *AUDIT special authority on OS/400 have the privilege to make changes to the audit settings. PowerTech Authority Broker can be used to ensure that this privilege is only used when absolutely necessary and that all changes are logged to secure journals for subsequent reporting. Use PowerTech Compliance Monitor reports.

10.10.4 Administrator and operator logs

Control: System administrator and system operator activities should be logged.

PowerTech Recommendations: PowerTech Compliance Monitor and Authority Broker provide extensive capabilities for reporting against OS/400 logs.

10.10.5 Fault logging

Control: Faults should be logged, analysed, and appropriate action taken.

PowerTech Recommendations: Use PowerTech Compliance Monitor reports.
11.1.1 Access control policy

Control: An access control policy should be established, documented, and reviewed based on business and security requirements for access.

Implementation guidance: The policy should take account of the following:

f) standard user access profiles for common job roles in the organization;

PowerTech Recommendations: Use PowerTech Network Security and Authority Broker. All network access by AS/400 users can be controlled and audited based on individual user job requirements or job responsibilities using PowerTech Network Security.

h) segregation of access control roles, e.g. access request, access authorization, access administration;
i) requirements for formal authorization of access requests (see 11.2.1);

PowerTech Recommendations: Authority Broker (FireCall feature) allows help desk operators, or any other person who has been designated, to temporarily grant a System User emergency access to a Switch Profile.

Other information: Care should be taken when specifying access control rules to consider:

b) establishing rules based on the premise "Everything is generally forbidden unless expressly permitted" rather than the weaker rule "Everything is generally permitted unless expressly forbidden".

PowerTech Recommendations: Consistent with this policy, PowerTech recommends that new users first audit their existing traffic before setting up access control rules, and then allow the known acceptable transactions before locking out all other network transactions.
11.2.1 User registration

Control: There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Implementation guidance: The access control procedure for user registration and de-registration should include:

g) maintaining a formal record of all persons registered to use the service;
h) immediately removing or blocking access rights of users who have changed roles or jobs or left the organization;
i) periodically checking for, and removing or blocking, redundant user IDs and accounts (see 11.2.4);
j) ensuring that redundant user IDs are not issued to other users.

PowerTech Recommendations: PowerTech Compliance Monitor allows you to conduct regular audits of all the user profiles on every system. The product includes predefined reports to help identify inactive or dormant accounts. The custom sorting and filtering capabilities make it easy to ensure that profiles are assigned to the right people with the appropriate levels of privilege.

11.2.2 Privilege management

Control: The allocation and use of privileges should be restricted and controlled.

Implementation guidance: Multi-user systems that require protection against unauthorized access should have the allocation of privileges controlled through a formal authorization process. The following steps should be considered:

b) privileges should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (11.1.1), i.e. the minimum requirement for their functional role only when needed;
c) an authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete;
d) the development and use of system routines should be promoted to avoid the need to grant privileges to users;
e) the development and use of programs which avoid the need to run with privileges should be promoted;
f) privileges should be assigned to a different user ID from those used for normal business use.

PowerTech Recommendations: PowerTech Authority Broker allows you to allocate privileges to users only when they really need to have access. Users swap into profiles to assume elevated levels of authority on those occasions when they are really necessary, and all actions while swapped are fully audited to secure journals. Use PowerTech Compliance Monitor reports.

11.2.3 User password management

Control: The allocation of passwords should be controlled through a formal management process.

Implementation guidance: The process should include the following requirements:

b) when users are required to maintain their own passwords they should be provided initially with a secure temporary password (see 11.3.1), which they are forced to change immediately;
h) default vendor passwords should be altered following installation of systems or software.

PowerTech Recommendations: PowerTech Compliance Monitor provides a complete set of password-related reports, including predefined reports that identify users with default passwords (where the password is the same as the user ID). A filter is also provided to select the IBM user profiles.

11.2.4 Review of user access rights

Control: Management should review users' access rights at regular intervals using a formal process.

PowerTech Recommendations: PowerTech Compliance Monitor provides a complete set of reports for users' access rights to the system. Reports can be scheduled to run on a regular basis on the AS/400 system.
11.3.1 Password use

Control: Users should be required to follow good security practices in the selection and use of passwords.

Implementation guidance: All users should be advised to:

a) keep passwords confidential;
b) avoid keeping a record (e.g. paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved;
c) change passwords whenever there is any indication of possible system or password compromise;
d) select quality passwords with sufficient minimum length which are: 1) easy to remember; 2) not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers, and dates of birth; 3) not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries); 4) free of consecutive identical, all-numeric or all-alphabetic characters;
e) change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or cycling old passwords;
f) change temporary passwords at the first log-on;
g) not include passwords in any automated log-on process, e.g. stored in a macro or function key;
h) not share individual user passwords;
i) not use the same password for business and non-business purposes.

PowerTech Recommendations: OS/400 controls password settings with the QPWD* system values. Some of the values that are most relevant to the ISO standard are:

QPWDMINLEN: minimum password length
QPWDEXPITV: password expiration interval
QPWDRQDDIF: require a different password

PowerTech Compliance Monitor allows you to run regular reports to check on the status of system values.

11.3.2 Unattended user equipment

Control: Users should ensure that unattended equipment has appropriate protection.

PowerTech Recommendations: OS/400 has two system values that control session timeouts: QINACTITV and QINACTMSGQ. The secure screen feature in PowerTech Network Security works in conjunction with these system values to specify a range of actions that can occur when sessions reach the timeout limits. Alternatively, many people rely on setting timeout controls on the Windows sessions that are used to connect to the AS/400.

11.4.1 Policy on use of network services

Control: Users should only be provided with access to the services that they have been specifically authorized to use.

PowerTech Recommendations: PowerTech Network Security enables AS/400 administrators to carefully regulate how much access a user can have through the network and who can have this type of access to the AS/400. Access control rules can be defined by user, group, or IP address. Network Security controls what data third parties can access, and how, through network connections such as ODBC, FTP, and file transfer.
11.4.6 Network connection control

Control: For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications (see 11.1).

Implementation guidance: The network access rights of users should be maintained and updated as required by the access control policy (see 11.1.1). The connection capability of users can be restricted through network gateways that filter traffic by means of pre-defined tables or rules. Examples of applications to which restrictions should be applied are:

a) messaging, e.g. electronic mail;
b) file transfer;
c) interactive access;
d) application access.

Linking network access rights to certain times of day or dates should be considered.

PowerTech Recommendations: PowerTech Network Security enables administrators to precisely control who has access to AS/400 systems via the network through ODBC, FTP, etc. Administrators can also control access to the security application controls and administrative rights.
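The rule model that sections 11.1.1, 11.4.1 and 11.4.6 describe (deny by default, allow by user, group or source address, optionally only at certain times of day, and an audit-first phase in which traffic is recorded but nothing is rejected) is shown below as an added example. It is not PowerTech code and not the Network Security product's rule format; the `Request`, `Rule` and `ExitPointPolicy` names, the server and operation labels, and the sample rules and requests are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: Tuple[str, ...]
    server: str        # network server the request came through: "FTP", "ODBC", "DDM", ...
    operation: str     # e.g. "GET", "PUT", "SELECT", "UPDATE"
    source_ip: str
    at: time           # time of day the request arrived


@dataclass(frozen=True)
class Rule:
    server: str
    subject: str                                 # "user:NAME", "group:NAME" or "*PUBLIC"
    operations: Tuple[str, ...] = ("*",)         # ("*",) permits every operation on the server
    network: str = "0.0.0.0/0"                   # source addresses the rule applies to
    window: Optional[Tuple[time, time]] = None   # optional time-of-day window (start, end)

    def matches(self, r: Request) -> bool:
        if self.server != r.server:
            return False
        if self.subject == "*PUBLIC":
            subject_ok = True
        elif self.subject.startswith("user:"):
            subject_ok = self.subject[5:] == r.user
        elif self.subject.startswith("group:"):
            subject_ok = self.subject[6:] in r.groups
        else:
            subject_ok = False
        if not subject_ok:
            return False
        if self.operations != ("*",) and r.operation not in self.operations:
            return False
        if ip_address(r.source_ip) not in ip_network(self.network):
            return False
        if self.window is not None and not (self.window[0] <= r.at <= self.window[1]):
            return False
        return True


@dataclass
class ExitPointPolicy:
    rules: List[Rule]
    audit_only: bool = False      # learning mode: record what would be rejected, reject nothing
    journal: List[dict] = field(default_factory=list)   # constructed stand-in for a secure journal

    def decide(self, r: Request) -> str:
        """Default deny: a request is allowed only when some rule explicitly permits it."""
        rule = next((x for x in self.rules if x.matches(r)), None)
        permitted = rule is not None
        decision = "ALLOW" if permitted or self.audit_only else "REJECT"
        self.journal.append({"user": r.user, "server": r.server, "operation": r.operation,
                             "source_ip": r.source_ip, "decision": decision,
                             "matched_rule": rule, "would_reject": not permitted})
        return decision

    def unmatched_traffic(self) -> List[Tuple[str, str, str, str]]:
        """Distinct traffic seen without a permitting rule: the list an administrator reviews
        after the audit phase to decide which known-good transactions to allow before locking
        everything else out."""
        seen = {(e["user"], e["server"], e["operation"], e["source_ip"])
                for e in self.journal if e["would_reject"]}
        return sorted(seen)


if __name__ == "__main__":
    # Constructed rules: developers may GET over FTP from the office network during the day;
    # a reporting profile may SELECT over ODBC from anywhere. Nothing else is permitted.
    rules = [Rule("FTP", "group:DEVELOPERS", ("GET",), "10.1.0.0/16", (time(8), time(18))),
             Rule("ODBC", "user:REPORTS", ("SELECT",))]
    enforce = ExitPointPolicy(rules)
    print(enforce.decide(Request("JSMITH", ("DEVELOPERS",), "FTP", "GET", "10.1.5.7", time(9, 30))))
    print(enforce.decide(Request("JSMITH", ("DEVELOPERS",), "FTP", "PUT", "10.1.5.7", time(9, 30))))
```

Run the policy with `audit_only=True` first; `unmatched_traffic()` then lists exactly the transactions that would have been rejected, which is the review step the 11.1.1 recommendation describes before the rules are switched to enforcement.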
11.5.1 Secure log-on procedures

Control: Access to operating systems should be controlled by a secure log-on procedure.

Implementation guidance: The procedure for logging into an operating system should be designed to minimize the opportunity for unauthorized access. The log-on procedure should therefore disclose the minimum of information about the system, in order to avoid providing an unauthorized user with any unnecessary assistance. A good log-on procedure should:

a) not display system or application identifiers until the log-on process has been successfully completed;
e) limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts, and consider: 1) recording unsuccessful and successful attempts; 2) forcing a time delay before further log-on attempts are allowed or rejecting any further attempts without specific authorization; 3) disconnecting data link connections; 4) sending an alarm message to the system console if the maximum number of log-on attempts is reached; 5) setting the number of password retries in conjunction with the minimum length of the password and the value of the system being protected;

PowerTech Recommendations: OS/400 has a number of system values that control session connections. The system values relevant to the ISO standard are:

b) display a general notice warning that the computer should only be accessed by authorized users;
c) not provide help messages during the log-on procedure that would aid an unauthorized user;

PowerTech Recommendations: The following sign-on error messages should be modified* so as to provide an outside attacker with few clues to why access is being refused:

CPF1107 - Password not correct for user profile.
CPF1118 - No password associated with user &1.
CPF1120 - User &1 does not exist.
CPF1133 - Value &1 is not a valid name.

i) not transmit passwords in clear text over a network.

PowerTech Recommendations: PowerTech Easy Pass facilitates password elimination.
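What a sign-on procedure that follows 11.5.1 looks like in code, as an added example (not PowerTech code, and not OS/400's sign-on logic): every failure returns the same message to the user, so a caller cannot tell "no such profile" from "wrong password" the way the distinct CPF1107/CPF1120 texts would reveal, while the exact reason is recorded in a journal for security staff; a profile is disabled after three failures; and the password check takes the same time whether or not the profile exists. The `SignonGuard`, `Profile` and `failures_by_user` names, the journal layout and the sample users are constructed for this example.

```python
import hashlib
import os
from collections import Counter
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, List, Tuple

GENERIC_MESSAGE = "Sign-on not allowed. Check user ID and password."   # same text for every failure
MAX_ATTEMPTS = 3   # ISO 11.5.1 e): limit unsuccessful attempts, e.g. to three


@dataclass
class Profile:
    user: str
    salt: bytes
    pw_hash: bytes          # PBKDF2 of the password; the cleartext is never stored
    enabled: bool = True
    failed_attempts: int = 0


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_profile(user: str, password: str) -> Profile:
    salt = os.urandom(16)
    return Profile(user, salt, _derive(password, salt))


# Used only to spend the same hashing time when the profile does not exist, so response
# timing does not reveal which user IDs are valid.
_DUMMY = make_profile("*NONE", "")


class SignonGuard:
    def __init__(self, profiles: List[Profile], max_attempts: int = MAX_ATTEMPTS):
        self.profiles: Dict[str, Profile] = {p.user: p for p in profiles}
        self.max_attempts = max_attempts
        self.journal: List[dict] = []   # constructed stand-in for the security audit journal

    def sign_on(self, user: str, password: str, device: str) -> Tuple[bool, str]:
        """Return (success, message). The message never carries the failure reason;
        the reason goes to the journal only."""
        profile = self.profiles.get(user)
        if profile is None:
            _derive(password, _DUMMY.salt)        # keep timing uniform, then refuse
            reason = "profile does not exist"
        elif not profile.enabled:
            reason = "profile disabled"
        elif not compare_digest(_derive(password, profile.salt), profile.pw_hash):
            reason = "password not correct"
        else:
            reason = ""
        ok = reason == ""
        if ok:
            profile.failed_attempts = 0
        elif profile is not None and reason != "profile disabled":
            profile.failed_attempts += 1
            if profile.failed_attempts >= self.max_attempts:
                profile.enabled = False   # reject further attempts until an administrator re-enables
                reason += "; profile disabled after max attempts"
        # Both successful and unsuccessful attempts are recorded (11.5.1 e) 1).
        self.journal.append({"user": user, "device": device,
                             "outcome": "SUCCESS" if ok else "FAILED", "reason": reason})
        return ok, ("Sign-on complete." if ok else GENERIC_MESSAGE)


def failures_by_user(journal: List[dict]) -> Dict[str, int]:
    """Failed sign-ons per user ID, the summary a reviewer reads first."""
    return dict(Counter(e["user"] for e in journal if e["outcome"] == "FAILED"))


if __name__ == "__main__":
    guard = SignonGuard([make_profile("JSMITH", "correct horse")])   # constructed profile
    print(guard.sign_on("JSMITH", "wrong", "DSP01"))
    print(guard.sign_on("NOBODY", "wrong", "DSP01"))    # identical message to the line above
    print(failures_by_user(guard.journal))
```

The disable-after-N behaviour is the "rejecting any further attempts without specific authorization" option from the ISO text; a time delay before the next attempt is the alternative the same item mentions, and the choice between them should follow item 5 (retry count set against minimum password length and the value of the system).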
11.5.2 User identification and authentication

Control: All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user.

Implementation guidance: Regular user activities should not be performed from privileged accounts.

11.5.3 Password management system

Control: Systems for managing passwords should be interactive and should ensure quality passwords.

Implementation guidance: A password management system should:

c) enforce a choice of quality passwords (see 11.3.1);
d) enforce password changes (see 11.3.1);

PowerTech Recommendations: OS/400 controls password settings with the QPWD* system values. Some of the values that are most relevant to the ISO standard are:

QPWDMINLEN: minimum password length
QPWDEXPITV: password expiration interval
QPWDRQDDIF: require a different password

PowerTech Compliance Monitor allows you to run regular reports to check on the status of system values.
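Several sections above (10.4.1 and 10.4.2 on the Save and Restore values, 10.10.2 on QAUDLVL and QAUDCTL, 11.3.1 and 11.5.3 on the QPWD* values, 11.3.2 on QINACTITV and QINACTMSGQ) come down to the same check: collect a system value from each machine and report every one that does not meet policy. The script below is an added example of that check, not PowerTech Compliance Monitor code. The system value names are the ones named on this page; the policy thresholds, the two snapshots standing in for DSPSYSVAL output, and the `Rule`, `evaluate` and `enterprise_report` names are constructed for the example, so take the thresholds from your own security policy rather than from here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    sysval: str                  # OS/400 system value name, e.g. QPWDMINLEN
    ok: Callable[[str], bool]    # predicate over the value as displayed by DSPSYSVAL
    expected: str                # policy statement printed in the exception report


def min_int(n: int) -> Callable[[str], bool]:
    return lambda v: v.strip().isdigit() and int(v) >= n


def int_between(lo: int, hi: int) -> Callable[[str], bool]:
    return lambda v: v.strip().isdigit() and lo <= int(v) <= hi


def one_of(*allowed: str) -> Callable[[str], bool]:
    return lambda v: v.strip() in allowed


def not_one_of(*banned: str) -> Callable[[str], bool]:
    return lambda v: v.strip() not in banned


def includes(*required: str) -> Callable[[str], bool]:
    # List-valued system values (QAUDLVL, QAUDCTL) hold space-separated entries.
    return lambda v: set(required) <= set(v.split())


# Constructed policy: thresholds are illustrative, not PowerTech's recommendations.
POLICY: List[Rule] = [
    # Save and Restore values (ISO 10.4.1 / 10.4.2)
    Rule("QALWOBJRST", not_one_of("*ALL"), "not *ALL"),
    Rule("QVFYOBJRST", min_int(3), "3 or higher"),
    Rule("QFRCCNVRST", min_int(1), "1 or higher"),
    # Security audit journal configuration (ISO 10.10.2)
    Rule("QAUDCTL", includes("*AUDLVL"), "includes *AUDLVL"),
    Rule("QAUDLVL", includes("*AUTFAIL", "*SECURITY", "*DELETE"), "includes *AUTFAIL *SECURITY *DELETE"),
    # Password values (ISO 11.3.1 / 11.5.3)
    Rule("QPWDMINLEN", min_int(8), "8 or more"),
    Rule("QPWDEXPITV", int_between(1, 90), "1 to 90 days"),
    Rule("QPWDRQDDIF", not_one_of("0"), "not 0 (previous passwords may not be reused)"),
    # Session time-out values (ISO 11.3.2 / 11.5.5)
    Rule("QINACTITV", int_between(5, 30), "5 to 30 minutes"),
    Rule("QINACTMSGQ", one_of("*ENDJOB", "*DSCJOB"), "*ENDJOB or *DSCJOB"),
]

Finding = Tuple[str, str, str, str]   # (system, sysval, current value, expected)


def evaluate(system: str, snapshot: Dict[str, str], policy: List[Rule] = POLICY) -> List[Finding]:
    """One finding per rule the snapshot fails. A value that was not collected is also a
    finding: a setting that cannot be seen cannot be called compliant."""
    findings: List[Finding] = []
    for rule in policy:
        current = snapshot.get(rule.sysval)
        if current is None:
            findings.append((system, rule.sysval, "<not collected>", rule.expected))
        elif not rule.ok(current):
            findings.append((system, rule.sysval, current, rule.expected))
    return findings


def enterprise_report(snapshots: Dict[str, Dict[str, str]]) -> List[str]:
    """All exceptions across every system in one list, the way a single enterprise-wide report reads."""
    return [f"{s:<6} {v:<11} current={c:<22} expected: {e}"
            for s in sorted(snapshots) for (_, v, c, e) in evaluate(s, snapshots[s])]


# Constructed snapshots standing in for DSPSYSVAL output from two systems.
SNAPSHOTS = {
    "PROD1": {"QALWOBJRST": "*ALWPGMADP", "QVFYOBJRST": "3", "QFRCCNVRST": "1",
              "QAUDCTL": "*AUDLVL *OBJAUD", "QAUDLVL": "*AUTFAIL *SECURITY *DELETE *SAVRST",
              "QPWDMINLEN": "8", "QPWDEXPITV": "60", "QPWDRQDDIF": "4",
              "QINACTITV": "30", "QINACTMSGQ": "*DSCJOB"},
    "DEV2":  {"QALWOBJRST": "*ALL", "QVFYOBJRST": "3", "QFRCCNVRST": "1",
              "QAUDCTL": "*AUDLVL", "QAUDLVL": "*AUTFAIL *SECURITY",
              "QPWDMINLEN": "6", "QPWDEXPITV": "*NOMAX", "QPWDRQDDIF": "0",
              "QINACTITV": "*NONE"},            # QINACTMSGQ deliberately not collected
}

if __name__ == "__main__":
    for line in enterprise_report(SNAPSHOTS):
        print(line)
```

Treating a missing value as an exception rather than skipping it is the detail worth copying: a collector that silently skips a system, or a system value renamed in a later release, otherwise turns into a clean report.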
11.5.4 Use of system utilities

Control: The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.

Implementation guidance: The following guidelines for the use of system utilities should be considered:

c) limitation of the use of system utilities to the minimum practical number of trusted, authorized users (see also 11.2.2);
d) authorization for ad hoc use of system utilities;
f) logging of all use of system utilities;
i) not making system utilities available to users who have access to applications on systems where segregation of duties is required.

PowerTech Recommendations: PowerTech Authority Broker allows you to allocate privileges to users only when they really need to have access. Users swap into profiles to assume elevated levels of authority on those occasions when they are really necessary, and all actions while swapped are fully audited to secure journals.
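Sections 10.1.3, 11.2.2 and 11.5.4 all rest on the same mechanism: privileges live in a separate switch profile, a user may only swap into it after someone else has authorized it, the grant expires, and every action taken while swapped is journaled under the real user. The model below is an added example of that mechanism written from the ISO text; it is not PowerTech Authority Broker code and makes no claim about how that product works internally. The `AuthorityBroker`, `SwitchProfile` and `Grant` names, the journal layout and the sample profiles, users and command strings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class SwitchProfile:
    name: str                              # the profile that actually holds the authority
    special_authorities: FrozenSet[str]    # e.g. {"*ALLOBJ", "*SECADM"}


@dataclass
class Grant:
    user: str
    profile: str
    approver: str
    reason: str
    expires: datetime


class AuthorityBroker:
    def __init__(self, profiles: List[SwitchProfile], entitlements: Dict[str, Set[str]]):
        self.profiles = {p.name: p for p in profiles}
        self.entitlements = entitlements        # user -> switch profiles that user may be granted
        self.grants: Dict[str, Grant] = {}      # active authorization per user
        self.active: Dict[str, str] = {}        # user -> profile currently swapped to
        self.journal: List[dict] = []           # constructed stand-in for a secure journal

    def _log(self, **entry) -> None:
        self.journal.append(entry)

    def authorize(self, approver: str, user: str, profile: str, reason: str,
                  minutes: int, now: datetime) -> Grant:
        """Initiation and authorization are separate people (10.1.3); the user must be
        entitled to the profile (11.2.2 c); every grant expires (11.2.2 b)."""
        if approver == user:
            raise PermissionError("a requester may not approve their own elevation")
        if profile not in self.profiles:
            raise KeyError(f"unknown switch profile {profile}")
        if profile not in self.entitlements.get(user, set()):
            raise PermissionError(f"{user} is not entitled to {profile}")
        grant = Grant(user, profile, approver, reason, now + timedelta(minutes=minutes))
        self.grants[user] = grant
        self._log(at=now, event="AUTHORIZE", user=user, profile=profile,
                  approver=approver, reason=reason, expires=grant.expires)
        return grant

    def swap(self, user: str, now: datetime) -> SwitchProfile:
        grant = self.grants.get(user)
        if grant is None or now >= grant.expires:
            self._log(at=now, event="SWAP_DENIED", user=user)
            raise PermissionError("no valid authorization")
        self.active[user] = grant.profile
        self._log(at=now, event="SWAP", user=user, profile=grant.profile)
        return self.profiles[grant.profile]

    def run(self, user: str, command: str, now: datetime) -> str:
        """Run a command while swapped; returns the profile it ran under. Expiry is
        re-checked on every command and each command is journaled under the real user."""
        profile = self.active.get(user)
        grant = self.grants.get(user)
        if profile is None or grant is None or now >= grant.expires:
            self.active.pop(user, None)
            self._log(at=now, event="CMD_DENIED", user=user, command=command)
            raise PermissionError("elevation expired or not active")
        self._log(at=now, event="CMD", user=user, profile=profile, command=command)
        return profile

    def swap_back(self, user: str, now: datetime) -> None:
        profile = self.active.pop(user, None)
        self.grants.pop(user, None)   # one authorization covers one session
        self._log(at=now, event="SWAP_BACK", user=user, profile=profile)

    def activity_report(self, profile: str) -> List[str]:
        """Everything done under a switch profile, attributed to the real user."""
        return [f"{e['at']:%Y-%m-%d %H:%M} {e['user']} via {profile}: {e['command']}"
                for e in self.journal if e["event"] == "CMD" and e["profile"] == profile]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 15, 9, 0)                         # constructed timestamps
    broker = AuthorityBroker([SwitchProfile("SECADMIN", frozenset({"*SECADM"}))],
                             {"JSMITH": {"SECADMIN"}})
    broker.authorize("HELPDESK", "JSMITH", "SECADMIN", "ticket 123", 30, t0)
    broker.swap("JSMITH", t0 + timedelta(minutes=1))
    broker.run("JSMITH", "CHGUSRPRF USRPRF(TEMP1) STATUS(*ENABLED)", t0 + timedelta(minutes=5))
    broker.swap_back("JSMITH", t0 + timedelta(minutes=6))
    print("\n".join(broker.activity_report("SECADMIN")))
```

Because the user's own profile never carries the special authority, a report of who holds *ALLOBJ or *SECADM (the 11.2.4 review) stays short, and the activity report answers the question that review cannot: what was actually done with the authority, by whom, and under which approval.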

11.5.5 Session time-out
Control: Inactive sessions should shut down after a defined period of inactivity.
Implementation guidance: A time-out facility should clear the session screen and also, possibly later, close both application and network sessions after a defined period of inactivity. The time-out delay should reflect the security risks of the area, the classification of the information being handled and the applications being used, and the risks related to the users of the equipment. A limited form of time-out facility can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.
Other information: This control is particularly important in high-risk locations, which include public or external areas outside the organization's security management. The sessions should be shut down to prevent access by unauthorized persons and denial of service attacks.
PowerTech Recommendations: OS/400 has two system values that control session timeouts: QINACTITV and QINACTMSGQ. The secure screen feature in PowerTech Network Security works in conjunction with these system values to specify a range of actions that can occur when sessions reach the timeout limits. Alternatively, many people rely on setting timeout controls on the Windows sessions that are used to connect to the AS/400.

11.5.6 Limitation of connection time
Control: Restrictions on connection times should be used to provide additional security for high-risk applications.
Other information: Limiting the period during which connections to computer services are allowed reduces the window of opportunity for unauthorized access. Limiting the duration of active sessions prevents users from holding sessions open to avoid re-authenticating.

11.6.1 Information access restriction
Control: Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy.
PowerTech Recommendations: Use PowerTech Network Security.

12.3.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information should be developed and implemented.
Implementation guidance: When developing a cryptographic policy the following should be considered:
c) the use of encryption for protection of sensitive information transported by mobile or removable media, devices or across communication lines;
d) the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
Other information: Specialist advice should be sought to identify the appropriate level of protection and to define suitable specifications that will provide the required protection and support the implementation of a secure key management system (see also 12.3.2).
PowerTech Recommendations: PowerTech Encryption uses AES (Advanced Encryption Standard), which has been selected by the National Institute of Standards and Technology (NIST) of the US government for use in private and public applications to protect sensitive information. PowerTech Encryption uses a single key to encrypt data and supports a key size of 256 bits.

12.3.2 Key management
Control: Key management should be in place to support the organization's use of cryptographic techniques.
Other information: The management of cryptographic keys is essential to the effective use of cryptographic techniques.
PowerTech Recommendations: PowerTech Encryption includes a key management facility. It automatically encrypts and backs up the key store when new keys are created.

12.4.1 Control of operational software
Control: There should be procedures in place to control the installation of software on operational systems.
Implementation guidance: To minimize the risk of corruption to operational systems, the following guidelines should be considered to control changes:
b) operational systems should only hold approved executable code, and not development code or compilers;
PowerTech Recommendations: The Save and Restore category of system values on OS/400 (QALWOBJRST, QVFYOBJRST, QFRCCNVRST) can be used to control the restoration of programs to the system. PowerTech Compliance Monitor can be used to verify that these system values are set to their appropriate values on all systems in the enterprise. Any exceptions to corporate policy will be highlighted in a single enterprise-wide report.

12.4.2 Protection of system test data
Control: Test data should be selected carefully, and protected and controlled.
Implementation guidance: The use of operational databases containing personal information or any other sensitive information for testing purposes should be avoided. If personal or otherwise sensitive information is used for testing purposes, all sensitive details and content should be removed or modified beyond recognition before use. The following guidelines should be applied to protect operational data when used for testing purposes:
a) the access control procedures which apply to operational application systems should also apply to test application systems;

12.5.4 Information leakage
Control: Opportunities for information leakage should be prevented.
PowerTech Recommendations: PowerTech Network Security provides access controls for the flow of data both to and from the System i platform.

13.1.1 Reporting information security events
Control: Information security events should be reported through appropriate management channels as quickly as possible.
PowerTech Recommendations: PowerTech Network Security enables AS/400 administrators to execute procedures that audit, detect, and respond to AS/400 network security incidents. PowerTech Interact can be configured to send AS/400 security events to the RealSecure SiteProtector security management console from ISS.

14.1.1 Including information security in the business continuity management process
Control: A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.
PowerTech Recommendations: PowerTech Network Security supports disaster recovery and high availability environments by enabling precise control of network access rules on the backup AS/400 system. The backup system can contain two sets of access rules: one set for backup mode, and another set for production operation.

15.1.1 Identification of applicable legislation
Control: All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization.
PowerTech Recommendations: The PowerTech Compliance Monitor's Compliance Guide provides a description of various regulations and how they impact the System i. As in this guide, standards and frameworks are mapped to System i issues and solutions.

15.2.1 Compliance with security policies and standards
Control: Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
PowerTech Recommendations: Use PowerTech Compliance Monitor and its Compliance Guide.

15.2.2 Technical compliance checking
Control: Information systems should be regularly checked for compliance with security implementation standards.
PowerTech Recommendations: PowerTech Compliance Monitor provides a comprehensive set of reports that can be run on a regular schedule to audit a System i environment. Reports are easily customized in a graphical interface to match the specific needs of an organization's security policy.
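The system-value checks discussed in this guide (the QPWD* password values, the QINACTITV/QINACTMSGQ time-out values in 11.5.5 and the Save and Restore values in 12.4.1) are the kind of technical compliance check 15.2.2 calls for. As an added example, not PowerTech or IBM code, the following Python compares a constructed system-value report against an assumed policy baseline and lists the exceptions; SAMPLE_REPORT is constructed and the POLICY thresholds are hypothetical, not values the standard or PowerTech prescribe.

```python
# Added example, not PowerTech code: compare IBM i / OS/400 system values from a
# report against an assumed policy baseline and list the exceptions.
# Constructed sample report: one system value per line, "NAME VALUE".
SAMPLE_REPORT = """\
QPWDMINLEN 6
QPWDEXPITV 120
QPWDRQDDIF 0
QINACTITV *NONE
QINACTMSGQ *ENDJOB
QALWOBJRST *ALL
QVFYOBJRST 1
"""

def parse_report(text: str) -> dict:
    """Parse 'NAME VALUE' lines into a dict; blank or malformed lines are skipped."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0].upper()] = parts[1].strip()
    return values

def numeric_between(lo: int, hi: int):
    """Predicate: value is an integer in [lo, hi]; special values (*NONE, *NOMAX) fail."""
    return lambda v: v.isdigit() and lo <= int(v) <= hi

# Assumed policy (hypothetical thresholds): system value -> (predicate, requirement)
POLICY = {
    "QPWDMINLEN": (numeric_between(8, 128), "minimum password length at least 8"),
    "QPWDEXPITV": (numeric_between(1, 90), "passwords expire within 90 days"),
    "QPWDRQDDIF": (numeric_between(1, 8), "password history enforced (1-8)"),
    "QINACTITV": (numeric_between(5, 30), "inactive sessions time out within 30 minutes"),
    "QINACTMSGQ": (lambda v: v in ("*ENDJOB", "*DSCJOB"), "inactive jobs ended or disconnected"),
    "QALWOBJRST": (lambda v: v != "*ALL", "restore of security-sensitive objects restricted"),
    "QVFYOBJRST": (numeric_between(3, 5), "object signatures verified on restore"),
}

def check_system_values(report: str, policy: dict = POLICY) -> list:
    """Return one exception string per missing or non-compliant system value."""
    values = parse_report(report)
    exceptions = []
    for name, (ok, requirement) in policy.items():
        actual = values.get(name)
        if actual is None:
            exceptions.append(f"{name}: not in report ({requirement})")
        elif not ok(actual):
            exceptions.append(f"{name}={actual}: fails '{requirement}'")
    return exceptions

if __name__ == "__main__":
    print("\n".join(check_system_values(SAMPLE_REPORT)) or "compliant")
```

Running it against the constructed report flags six of the seven values; only QINACTMSGQ passes the assumed policy.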

15.3.1 Information systems audit controls
Control: Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes.
Implementation guidance: The following guidelines should be observed:
i) the person(s) carrying out the audit should be independent of the activities audited.
PowerTech Recommendations: PowerTech Compliance Monitor data collections can be scheduled to run at off-peak times, minimizing the impact on production. The priority of the Compliance Monitor jobs can be adjusted.

15.3.2 Protection of information systems audit tools
Control: Access to information systems audit tools should be protected to prevent any possible misuse or compromise.
PowerTech Recommendations: PowerTech Compliance Monitor includes a comprehensive authorization scheme so that users who need to see report data for given systems are given access to only the areas that they need. Also, auditors or security staff do not need special authorities like *ALLOBJ to use the product.
For your convenience, the following table maps ISO 27002 (17799) objectives to the applicable reports that are provided in PowerTech Compliance Monitor.
ISO 27002 (17799) sections mapped to PowerTech Compliance Monitor Reports