NIST (FISMA)

The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems. FISMA is a U.S. federal law intended to ensure the effectiveness of security controls over the information resources that support federal government operations and assets. The act requires agencies to review their information security programs and report on them annually.

The NIST Special Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems) was issued in August 2009 and is one of the key standards and guidelines developed by NIST to help federal agencies improve their security and comply with FISMA. 

The publication recommends management, operational and technical controls needed to protect the confidentiality, integrity and availability of federal information systems. The NIST controls* are organized into 18 control families, including risk assessment, contingency planning, access control and incident response.

*PowerTech Compliance Monitor provides several reporting options that specifically address the NIST controls. The 'Report Groups' view of Compliance Monitor (shown below) displays the FISMA_NIST report group and reports (available at the PowerTech products download site).

PowerTech Compliance Monitor's FISMA_NIST Reports

The following figure illustrates the specific activities in the NIST Risk Management Framework and the information security standards and guidance documents associated with each activity.

NIST Risk Management Framework

After a review of NIST Special Publication 800-53 Rev 3 by PowerTech security experts, the relevant sections of the standard have been compiled here for easy reference. Use the NIST Controls/Topic table that follows to locate specific excerpts from the publication, the corresponding PowerTech recommendations and the applicable PowerTech reports, or scroll through the NIST Summary Table after it to read all relevant sections in order.

Excerpts From the NIST Special Publication 800-53 Rev 3

Control #  Topic

AC-1   ACCESS CONTROL POLICY AND PROCEDURES
AC-2   ACCOUNT MANAGEMENT
AC-3   ACCESS ENFORCEMENT
AC-5   SEPARATION OF DUTIES
AC-6   LEAST PRIVILEGE
AC-7   UNSUCCESSFUL LOGIN ATTEMPTS
AC-8   SYSTEM USE NOTIFICATION
AC-9   PREVIOUS LOGON NOTIFICATION
AC-10  CONCURRENT SESSION CONTROL
AC-11  SESSION LOCK
AC-12  SESSION TERMINATION (withdrawn in Rev 3; incorporated into SC-10)
AC-13  SUPERVISION AND REVIEW — ACCESS CONTROL (withdrawn in Rev 3; incorporated into AC-2 and AU-6)
AC-17  REMOTE ACCESS
AU-2   AUDITABLE EVENTS
AU-3   CONTENT OF AUDIT RECORDS
AU-4   AUDIT STORAGE CAPACITY
AU-5   RESPONSE TO AUDIT PROCESSING FAILURES
AU-6   AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-7   AUDIT REDUCTION AND REPORT GENERATION
AU-8   TIME STAMPS
AU-9   PROTECTION OF AUDIT INFORMATION
AU-11  AUDIT RECORD RETENTION
CA-2   SECURITY ASSESSMENTS
CA-4   SECURITY CERTIFICATION (withdrawn in Rev 3; incorporated into CA-2)
CA-7   CONTINUOUS MONITORING
CM-2   BASELINE CONFIGURATION
CM-5   ACCESS RESTRICTIONS FOR CHANGE
CM-6   CONFIGURATION SETTINGS
CM-7   LEAST FUNCTIONALITY
CP-9   INFORMATION SYSTEM BACKUP
IA-2   USER IDENTIFICATION AND AUTHENTICATION
IA-3   DEVICE IDENTIFICATION AND AUTHENTICATION
IA-5   AUTHENTICATOR MANAGEMENT
PS-4   PERSONNEL TERMINATION
PS-5   PERSONNEL TRANSFER
SA-7   USER INSTALLED SOFTWARE
SC-7   BOUNDARY PROTECTION
SC-10  NETWORK DISCONNECT
SI-4   INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES
SI-7   SOFTWARE AND INFORMATION INTEGRITY

Note: The following Summary Table contains actual excerpts from the NIST Special Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems).

NIST Controls and PowerTech Recommendations

AC-1   ACCESS CONTROL POLICY AND PROCEDURES

Control

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

PowerTech Recommendations

PowerTech has always recommended that good security starts with a policy. PowerTech makes available, at no charge, an open source Security Policy that describes best practices for implementing security policy on an IBM System i.

This Compliance Guide provides detailed explanation of OS/400 security concepts that can be used as a reference in defining the appropriate policy for your organization.

PowerTech Compliance Monitor can be used to compare configuration settings against policy defined for each system.

AC-2  ACCOUNT MANAGEMENT

Control

The organization manages information system accounts, including:

  1. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);

  2. Establishing conditions for group membership;

  3. Identifying authorized users of the information system and specifying access privileges;

  4. Requiring appropriate approvals for requests to establish accounts;

  5. Establishing, activating, modifying, disabling, and removing accounts;

  6. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;

  7. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;

  8. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;

  9. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and

  10. Reviewing accounts [Assignment: organization-defined frequency].

Supplemental Guidance

The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access.

PowerTech Recommendations

PowerTech Compliance Monitor allows you to conduct regular audits of all the user profiles on every system. The product includes predefined reports to help identify inactive or dormant accounts. The custom sorting and filtering capabilities make it easy to ensure that profiles are assigned to the right people with the appropriate levels of privilege.

PowerTech Compliance Monitor reports:

The 'User Profile Changes' report can be used to track the creation of and changes to user accounts. The 'Delete Object' report can be filtered to show only user profile deletions.
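The account review that AC-2 calls for (regular audits of every user profile, with extra scrutiny for profiles holding administrative privileges) is easy to get wrong on two edge cases: profiles that have never signed on, and disabled profiles that still carry special authorities. The following is an added example, not PowerTech or IBM code; the record layout mirrors the fields a DSPUSRPRF or QSYS2.USER_INFO export carries but is an assumption, and the sample profiles are constructed.

```python
"""Account review over an exported list of IBM i user profiles.

Added example for the AC-2 recommendations above; not PowerTech code.
The Profile layout is an assumption (fields you would pull from DSPUSRPRF
or the QSYS2.USER_INFO view); the SAMPLE rows are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Special authorities that grant broad control and therefore need the extra
# scrutiny AC-2's supplemental guidance asks for (assumed policy list).
PRIVILEGED = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE", "*IOSYSCFG"}

AS_OF = date(2024, 6, 15)  # review date used by the sample run


@dataclass
class Profile:
    name: str
    status: str                     # "*ENABLED" or "*DISABLED"
    created: date
    previous_signon: Optional[date]  # None = has never signed on
    special_auth: set = field(default_factory=set)
    password_none: bool = False     # PASSWORD(*NONE): cannot sign on at all


def dormant(profiles, as_of, max_idle_days=90):
    """Enabled, sign-on capable profiles idle for more than max_idle_days.

    A profile that has never signed on is measured from its creation date so
    a stale, never-used account is still caught. Profiles with PASSWORD(*NONE)
    (application owners) and already-disabled profiles are skipped."""
    out = []
    for p in profiles:
        if p.status != "*ENABLED" or p.password_none:
            continue
        last = p.previous_signon or p.created
        if (as_of - last).days > max_idle_days:
            out.append(p.name)
    return sorted(out)


def privileged(profiles):
    """Profiles carrying any broad special authority, regardless of status:
    a disabled profile with *SECADM can be re-enabled, so it still matters."""
    return sorted(p.name for p in profiles if p.special_auth & PRIVILEGED)


def review(profiles, as_of, max_idle_days=90):
    """Findings keyed by check; the dormant-and-privileged intersection is the
    highest-risk set and is listed separately."""
    d = set(dormant(profiles, as_of, max_idle_days))
    pv = set(privileged(profiles))
    return {"dormant": sorted(d),
            "privileged": sorted(pv),
            "dormant_privileged": sorted(d & pv)}


# Constructed sample data (not real profiles).
SAMPLE = [
    Profile("JSMITH", "*ENABLED", date(2019, 3, 1), date(2024, 5, 20)),
    Profile("OLDTEMP", "*ENABLED", date(2022, 1, 10), date(2023, 11, 2)),
    Profile("NEVERUSED", "*ENABLED", date(2023, 1, 5), None),
    Profile("EXADMIN", "*ENABLED", date(2018, 6, 1), date(2023, 12, 1),
            {"*ALLOBJ", "*SECADM"}),
    Profile("SECOFR2", "*ENABLED", date(2020, 2, 2), date(2024, 6, 1), {"*ALLOBJ"}),
    Profile("APPOWNER", "*ENABLED", date(2017, 9, 9), None, {"*JOBCTL"},
            password_none=True),
    Profile("LEFTCO", "*DISABLED", date(2016, 4, 4), date(2022, 8, 8), {"*SECADM"}),
]

if __name__ == "__main__":
    for check, names in review(SAMPLE, AS_OF).items():
        print(f"{check}: {', '.join(names) or '-'}")
```

The 90-day idle threshold is a placeholder for whatever your policy states under AC-2 item 10; the point of the example is that the review has to treat "never signed on" and "disabled but still privileged" as findings rather than letting them fall through a naive date comparison.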

AC-3 ACCESS ENFORCEMENT

Control

The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

Supplemental Guidance

Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to enforcing authorized access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. For classified information, the cryptography used is largely dependent on the classification level of the information and the clearances of the individuals having access to the information. Mechanisms implemented by AC-3 are configured to enforce authorizations determined by other security controls.

PowerTech Recommendations

Use PowerTech Network Security and PowerTech Authority Broker. All network access by IBM System i users can be controlled and audited based on individual user job requirements or job responsibilities using PowerTech Network Security.

PowerTech Authority Broker is used to restrict privileged access to systems to only those times when there is a legitimate business need. All privileged access to the system is fully audited.

AC-5  SEPARATION OF DUTIES

Control

The organization:

  1. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;

  2. Documents separation of duties; and

  3. Implements separation of duties through assigned information system access authorizations.

Supplemental Guidance

Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles. Access authorizations defined in this control are implemented by control AC-3.

PowerTech Recommendations

PowerTech Authority Broker can be used to grant privileged access rights (special authorities on the IBM System i) to users only on a need-to-have basis. If segregation of duties is enforced, IT staff do not need powerful special authorities permanently assigned to their profiles on production systems.

AC-6 LEAST PRIVILEGE

Control

The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Supplemental Guidance

The access authorizations defined in this control are largely implemented by control AC-3. The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.

PowerTech Recommendations

PowerTech Network Security can be used to implement access controls over network services such as FTP, ODBC and remote command (monitored exit points). PowerTech recommends an exclude-based (deny-by-default) policy: access is granted only to users with a demonstrated business need, and all others are rejected by default.

AC-7 UNSUCCESSFUL LOGIN ATTEMPTS

Control

The information system:

  1. Enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period]; and

  2. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.

Supplemental Guidance

Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. If a delay algorithm is selected, the organization may choose to employ different algorithms for different information system components based on the capabilities of those components. Response to unsuccessful login attempts may be implemented at both the operating system and the application levels. This control applies to all accesses other than those accesses explicitly identified and documented by the organization in AC-14.

Control Enhancements

(1) The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.  

PowerTech Recommendations

OS/400 has a number of system values that control sign-on attempts and session connections. The relevant system values for AC-7 are:

PowerTech Compliance Monitor reports:

AC-8 SYSTEM USE NOTIFICATION

Control

The information system:

  1. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;

  2. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and

  3. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.

Supplemental Guidance

System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.

PowerTech Recommendations

The 'Signon Screen Recommendations' section in this Guide explains how to adjust the default messages that ship with OS/400.

AC-9 PREVIOUS LOGON NOTIFICATION

Control

The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).

Supplemental Guidance

This control is intended to cover both traditional logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service oriented architectures).

PowerTech Recommendations

QDSPSIGNINF - When set to 1, displays a "Sign-on Information" screen after each successful sign-on. The screen shows the date and time of the previous sign-on, the number of invalid sign-on attempts since then and, when the password is close to expiring, the days remaining. This lets users alert the system administrator if their profile has been used without their knowledge.

PowerTech Compliance Monitor reports:

AC-10 CONCURRENT SESSION CONTROL

Control

The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].

Supplemental Guidance

The organization may define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or a combination. This control addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple system accounts.

PowerTech Recommendations

QLMTDEVSSN - Controls whether, by default, a user can be signed on to more than one device at a time (1 = limit to one device session, 0 = no limit). A user profile whose LMTDEVSSN parameter is *SYSVAL inherits this value, so profiles that override it should be reviewed as well.

PowerTech Compliance Monitor reports:

AC-11 SESSION LOCK

Control

The information system:

  1. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and

  2. Retains the session lock until the user re-establishes access using established identification and authentication procedures.

Supplemental Guidance

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system-level, but may be at the application-level. A session lock is not a substitute for logging out of the information system, for example, if the organization requires users to log out at the end of the workday.

PowerTech Recommendations

OS/400 has two system values that control inactive session time-outs: QINACTITV (the inactivity interval in minutes, or *NONE) and QINACTMSGQ (what happens when the interval expires: *ENDJOB, *DSCJOB, or the name of a message queue to which a notification is sent). The secure screen feature in PowerTech Network Security works in conjunction with these system values to provide a range of actions when a session reaches the time-out limit. Many organizations instead rely on time-out settings in the Windows emulator sessions used to connect to the IBM System i; note that a time-out enforced only by the client is not a server-side control and should not be relied on alone.

PowerTech Compliance Monitor reports:

AC-12 SESSION TERMINATION

Withdrawn: Incorporated into SC-10.

PowerTech Recommendations

See the AC-11 recommendations above: the same system values (QINACTITV and QINACTMSGQ) and the PowerTech Network Security secure screen feature apply to session termination.

PowerTech Compliance Monitor reports:

AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL

Withdrawn: Incorporated into AC-2 and AU-6.

PowerTech Recommendations

PowerTech Compliance Monitor log file reports can be used to monitor user activities. The 'T:CD Audited Command Strings' report shows all commands issued by users.

AC-17 REMOTE ACCESS

Control

The organization:

  1. Documents allowed methods of remote access to the information system;

  2. Establishes usage restrictions and implementation guidance for each allowed remote access method;

  3. Monitors for unauthorized remote access to the information system;

  4. Authorizes remote access to the information system prior to connection; and

  5. Enforces requirements for remote connections to the information system.

Supplemental Guidance

This control requires explicit authorization prior to allowing remote access to an information system without specifying a specific format for that authorization. For example, while the organization may deem it appropriate to use a system interconnection agreement to authorize a given remote access, such agreements are not required by this control. Remote access is any access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless (see AC-18 for wireless access). A virtual private network when adequately provisioned with appropriate security controls, is considered an internal network (i.e., the organization establishes a network connection between organization-controlled endpoints in a manner that does not require the organization to depend on external networks to protect the confidentiality or integrity of information transmitted across the network). Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. Enforcing access restrictions associated with remote connections is accomplished by control AC-3. Related controls: AC-3, AC-18, AC-20, IA-2, IA-3, IA-8, MA-4.

Control Enhancements

(1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

Enhancement Supplemental Guidance

Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.

PowerTech Recommendations

The System i ships with a wide variety of network services pre-configured and ready to communicate with other systems, such as FTP, ODBC and remote command. All IBM System i systems should have these network services secured by registering exit programs on the IBM network servers (exit points) to monitor and control network access.

PowerTech Compliance Monitor reports:

AU-2 AUDITABLE EVENTS

Control

The organization:

  1. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];

  2. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

  3. Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

  4. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

Supplemental Guidance

The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system; giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are to be audited at a given point in time. For example, the organization may determine that the information system must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the extreme burden on system performance. In addition, audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Related control: AU-3.

PowerTech Recommendations

OS/400 provides comprehensive logging of security events in the security audit journal (QAUDJRN), which is configured using the QAUDCTL and QAUDLVL system values. PowerTech's Compliance Guide explains what the individual audit settings mean and recommends values for them. The audit settings can be reviewed on a regular basis, and compared against policy, using system value reports.

PowerTech Compliance Monitor enables regular scheduled reporting on events from the security audit journal. Data from multiple IBM System i servers is consolidated into a single report. Event data is parsed to make it easy to read and relevant to security staff who need to review the logs.

PowerTech Compliance Monitor reports:

AU-3 CONTENT OF AUDIT RECORDS

Control

The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

Supplemental Guidance

Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Related controls: AU-2, AU-8.

PowerTech Recommendations

PowerTech Compliance Monitor provides comprehensive reporting against the audit records that are logged in QAUDJRN, the security audit journal.

PowerTech Interact can be used to send those events to Security Information and Event Management consoles in real time.

AU-4 AUDIT STORAGE CAPACITY

Control

The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Supplemental Guidance

The organization considers the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Related controls: AU-2, AU-5, AU-6, AU-7, SI-4.

PowerTech Recommendations

PowerTech Compliance Monitor provides 95% compression of the audit data on the central consolidator system, allowing organizations to store considerably more days of data than they could otherwise.

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

Control

The information system:

  1. Alerts designated organizational officials in the event of an audit processing failure; and

  2. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Supplemental Guidance

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Related control: AU-4.

PowerTech Recommendations

QAUDENDACN - Controls what the system does when an entry cannot be written to the security audit journal: *NOTIFY sends a message to the system operator message queue, and *PWRDWNSYS powers down the system. Because *PWRDWNSYS turns an auditing failure into an outage, most organizations use *NOTIFY and make sure the queue is actually monitored.

PowerTech Compliance Monitor reports:
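The AC-9, AC-10, AC-11, AU-2 and AU-5 recommendations above all come down to the same mechanism: read the current system values and compare them with what policy says they must be. The following is an added example of that comparison, not PowerTech Compliance Monitor code. The input format (a name-to-value mapping as you would build from DSPSYSVAL output or, on current IBM i releases, the QSYS2.SYSTEM_VALUE_INFO view) and the policy thresholds are assumptions; the sample values are constructed.

```python
"""Compare IBM i system values against a written security policy.

Added example for the AC-9, AC-10, AC-11, AU-2 and AU-5 recommendations
above; not PowerTech code. Input layout, policy thresholds and the
REQUIRED_AUDLVL set are assumptions; WEAK and HARDENED are constructed.
Multi-value settings (QAUDLVL, QAUDCTL) are blank-separated strings.
"""

# Assumed policy: audit events that must be on for AU-2 to be satisfiable.
REQUIRED_AUDLVL = {"*AUTFAIL", "*CREATE", "*DELETE", "*PGMADP",
                   "*SAVRST", "*SECURITY", "*SERVICE"}


def _tokens(value):
    """Split a multi-value system value into its keywords."""
    return set(value.split())


def _minutes(value):
    """QINACTITV is either *NONE or a number of minutes; None if not numeric."""
    return int(value) if value.isdigit() else None


# Each rule: system value -> (predicate on the current value, what policy expects).
POLICY = {
    "QDSPSIGNINF": (lambda v: v == "1",
                    "1 (show previous sign-on date/time and failed attempts)"),
    "QLMTDEVSSN": (lambda v: v == "1",
                   "1 (one device session per user by default)"),
    "QINACTITV": (lambda v: _minutes(v) is not None and 5 <= _minutes(v) <= 30,
                  "inactivity time-out of 5-30 minutes, never *NONE"),
    "QINACTMSGQ": (lambda v: v in {"*ENDJOB", "*DSCJOB"},
                   "*ENDJOB or *DSCJOB; a message queue alone takes no action"),
    "QAUDENDACN": (lambda v: v == "*NOTIFY",
                   "*NOTIFY (alert the operator if audit entries cannot be written)"),
    "QAUDCTL": (lambda v: "*AUDLVL" in _tokens(v),
                "must include *AUDLVL, otherwise QAUDLVL has no effect"),
    "QAUDLVL": (lambda v: REQUIRED_AUDLVL <= _tokens(v),
                "must include " + " ".join(sorted(REQUIRED_AUDLVL))),
}


def evaluate(values, policy=POLICY):
    """Return one (name, actual, expected) finding per non-compliant value.

    A value missing from the export is reported too: a silent gap in the
    evidence is itself a finding, not a pass."""
    findings = []
    for name, (check, expected) in sorted(policy.items()):
        actual = values.get(name)
        if actual is None:
            findings.append((name, "<not in export>", expected))
        elif not check(actual.strip()):
            findings.append((name, actual, expected))
    return findings


def compliant(values, policy=POLICY):
    """True only when every policy rule passes."""
    return not evaluate(values, policy)


# Constructed sample: a loosely configured system and a hardened one.
WEAK = {
    "QDSPSIGNINF": "0",
    "QLMTDEVSSN": "1",
    "QINACTITV": "*NONE",
    "QINACTMSGQ": "*DSCJOB",
    "QAUDENDACN": "*NOTIFY",
    "QAUDCTL": "*AUDLVL *OBJAUD",
    "QAUDLVL": "*AUTFAIL *SECURITY *DELETE",
}
HARDENED = dict(WEAK, QDSPSIGNINF="1", QINACTITV="15",
                QAUDLVL="*AUTFAIL *CREATE *DELETE *PGMADP *SAVRST *SECURITY *SERVICE")

if __name__ == "__main__":
    for name, actual, expected in evaluate(WEAK):
        print(f"{name:12} actual={actual!r:40} policy: {expected}")
    print("hardened compliant:", compliant(HARDENED))
```

Two design points worth keeping when you adapt this: a value absent from the export is treated as a failure rather than skipped, and the QAUDCTL rule is checked separately from QAUDLVL because a complete QAUDLVL list does nothing if *AUDLVL is not switched on in QAUDCTL.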

AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

Control

The organization:

  1. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and

  2. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.  

PowerTech Recommendations

PowerTech Compliance Monitor provides a complete set of reports on users' access rights to the system and on the events recorded in the security audit journal. Reports can be scheduled to run on a regular basis on the IBM System i.

AU-7 AUDIT REDUCTION AND REPORT GENERATION

Control

The information system provides an audit reduction and report generation capability.

Supplemental Guidance

An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting requirements described in AU-6 and after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records. Related control: AU-6.

Control Enhancements

(1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

PowerTech Recommendations

PowerTech Compliance Monitor automates the task of report generation for IBM System i. Users can easily investigate security events. Customizable filters are available for each report type to further drill down into the data.

AU-8 TIME STAMPS

Control

The information system uses internal system clocks to generate time stamps for audit records.

Supplemental Guidance

Time stamps generated by the information system include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Related control: AU-3.

Control Enhancements

(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].

PowerTech Recommendations

PowerTech Compliance Monitor allows you to define time zones for endpoints so that all centralized log reports are reported against a standard reference time.

AU-9 PROTECTION OF AUDIT INFORMATION

Control

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Related controls: AC-3, AC-6.

Control Enhancements

(1) The information system produces audit records on hardware-enforced, write-once media.

PowerTech Recommendations

QAUDJRN, the IBM security audit journal, is append-only: entries cannot be changed once written, and they are stored in journal receivers that can be saved to offline media for long-term protection. Note that journal receivers can still be deleted by a sufficiently authorized user, so authority to them should be restricted and they should be saved regularly. PowerTech Compliance Monitor reports can be run against both the audit settings and the audit data.

AU-11 AUDIT RECORD RETENTION

Control

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental Guidance

The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

PowerTech Recommendations

As noted under AU-4, PowerTech Compliance Monitor compresses the audit data by about 95% on the central consolidator system, allowing organizations to retain considerably more days of data than they otherwise could.

CA-2 SECURITY ASSESSMENTS

Control

The organization:

  1. Develops a security assessment plan that describes the scope of the assessment including:

  2. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;

  3. Produces a security assessment report that documents the results of the assessment; and

  4. Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.

PowerTech Recommendations

PowerTech Compliance Monitor can be used to run regular audit reports against a system. System configuration values can be compared against policy.

CA-4 SECURITY CERTIFICATION

Withdrawn: Incorporated into CA-2.

CA-7 CONTINUOUS MONITORING

Control

The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:

  1. A configuration management process for the information system and its constituent components;

  2. A determination of the security impact of changes to the information system and environment of operation;

  3. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and

  4. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].

CM-2 BASELINE CONFIGURATION

Control

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Supplemental Guidance

This control establishes a baseline configuration for the information system and its constituent components including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture. The baseline configuration is a documented, up-to-date specification to which the information system is built. Maintaining the baseline configuration involves creating new baselines as the information system changes over time. The baseline configuration of the information system is consistent with the organization’s enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9.

PowerTech Recommendations

PowerTech Compliance Monitor has the ability to define a baseline policy for each system, against which values can be compared.

CM-5 ACCESS RESTRICTIONS FOR CHANGE

Control

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental Guidance

Any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Additionally, maintaining records of access is essential for ensuring that configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system. Access restrictions for change also include software libraries. Examples of access restrictions include physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). Some or all of the enforcement mechanisms and processes necessary to implement this security control are included in other controls. For measures implemented in other controls, this control provides information to be used in the implementation of the other controls to cover specific needs related to enforcing authorizations to make changes to the information system, auditing changes, and retaining and reviewing records of changes. Related controls: AC-3, AC-6, PE-3.

PowerTech Recommendations

PowerTech Authority Broker can be used to grant privileged access rights (special authorities on the AS/400) to users only on a need-to-have basis. IT staff do not need powerful special authorities in their own profiles on production systems if segregation of duties is enforced.

PowerTech Network Security can be used to implement access controls on network services such as FTP, ODBC and remote command (monitored exit points). PowerTech recommends an exclude-based security policy: access is granted to those users who have a demonstrated business need, and all other users are restricted from access by default.

CM-6 CONFIGURATION SETTINGS

Control

The organization:

  1. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

  2. Implements the configuration settings;

  3. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and

  4. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Supplemental Guidance

Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Organizations establish organization-wide mandatory configuration settings from which the settings for a given information system are derived. A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, security guide, security technical implementation guide [STIG], or benchmark) is a series of instructions or procedures for configuring an information system component to meet operational requirements. Checklists can be developed by information technology developers and vendors, consortia, academia, industry, federal agencies (and other government organizations), and others in the public and private sectors. An example of a security configuration checklist is the Federal Desktop Core Configuration (FDCC) which potentially affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: CM-2, CM-3, SI-4.

PowerTech Recommendations

PowerTech Compliance Monitor provides central verification of system values against policy and other systems.

CM-7 LEAST FUNCTIONALITY

Control

The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

CP-9 INFORMATION SYSTEM BACKUP

Control

The organization:

  1. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];

  2. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];

  3. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and

  4. Protects the confidentiality and integrity of backup information at the storage location.

PowerTech Recommendations

PowerTech Compliance Monitor reporting can be used to ensure that backups are occurring on a regular basis.

IA-2 USER IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Control

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

Control

The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

PowerTech Recommendations

PowerTech Network Security can be used to only allow network connections from specific IP addresses.

IA-5 AUTHENTICATOR MANAGEMENT

Control

The organization manages information system authenticators for users and devices by:

  1. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;

  2. Establishing initial authenticator content for authenticators defined by the organization;

  3. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

  4. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

  5. Changing default content of authenticators upon information system installation;

  6. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);

  7. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];

  8. Protecting authenticator content from unauthorized disclosure and modification; and

  9. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

PowerTech Recommendations

Passwords are the primary authenticators used on IBM System i. Compliance Monitor provides reports on the password configuration settings, that is, the password-related system values such as minimum length, expiration interval and reuse rules.

PowerTech Compliance Monitor reports:

PS-4 PERSONNEL TERMINATION

Control

The organization, upon termination of individual employment:

  1. Terminates information system access;

  2. Conducts exit interviews;

  3. Retrieves all security-related organizational information system-related property; and

  4. Retains access to organizational information and information systems formerly controlled by terminated individual.

PowerTech Recommendations

PowerTech Compliance Monitor allows you to conduct regular audits of all the user profiles on every system. The product includes predefined reports to help identify inactive or dormant accounts.

PS-5 PERSONNEL TRANSFER

Control

The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].

PowerTech Recommendations

PowerTech Compliance Monitor allows you to conduct regular audits of all the user profiles on every system. The product includes predefined reports to help identify inactive or dormant accounts. The custom sorting and filtering capabilities make it easy to ensure that profiles are assigned to the right people with the appropriate levels of privilege.
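The PS-4 and PS-5 recommendations above both come down to a periodic review of user profiles: which enabled profiles have gone quiet, and which profiles hold more special authority than their role justifies. The following script is an added illustration of that review, not code from PowerTech or from Compliance Monitor. The profile rows, the 90-day idle threshold and the APPROVED_SPECIAL_AUTHORITIES matrix are all constructed for the example; the special authority names (*ALLOBJ, *SECADM and so on) are the real IBM i ones.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of a user-profile listing (made-up profiles,
# not output from any real system or from any PowerTech report):
# profile name, status, special authorities, last sign-on (None = never), created.
SAMPLE_PROFILES = [
    ("JSMITH",   "*ENABLED",  "*NONE",                   "2009-08-20", "2007-01-10"),
    ("OLDADMIN", "*ENABLED",  "*ALLOBJ *SECADM *JOBCTL", "2008-11-02", "2005-03-15"),
    ("QSECOFR",  "*ENABLED",  "*ALLOBJ *SECADM *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SERVICE *SPLCTL",
                                                         "2009-09-01", "2004-01-01"),
    ("TEMP01",   "*ENABLED",  "*NONE",                   None,         "2009-02-01"),
    ("LEFTCO",   "*DISABLED", "*ALLOBJ",                 "2009-01-05", "2006-06-06"),
    ("NEWHIRE",  "*ENABLED",  "*NONE",                   None,         "2009-08-28"),
]

# Hypothetical authorization matrix: the special authorities each profile is
# approved to hold. A profile not listed here is approved for none.
APPROVED_SPECIAL_AUTHORITIES: Dict[str, Set[str]] = {
    "QSECOFR":  {"*ALLOBJ", "*SECADM", "*AUDIT", "*IOSYSCFG",
                 "*JOBCTL", "*SAVSYS", "*SERVICE", "*SPLCTL"},
    "OLDADMIN": {"*JOBCTL"},
}


@dataclass
class Profile:
    name: str
    enabled: bool
    special_authorities: Set[str]
    last_signon: Optional[date]
    created: date


def parse_profiles(rows) -> List[Profile]:
    """Turn the listing rows into Profile objects; "*NONE" means no special authority."""
    profiles = []
    for name, status, spcaut, last, created in rows:
        auths = set() if spcaut == "*NONE" else set(spcaut.split())
        profiles.append(Profile(
            name=name,
            enabled=(status == "*ENABLED"),
            special_authorities=auths,
            last_signon=date.fromisoformat(last) if last else None,
            created=date.fromisoformat(created),
        ))
    return profiles


def dormant_profiles(profiles: List[Profile], as_of: date, max_idle_days: int = 90) -> List[str]:
    """Enabled profiles with no sign-on in the last max_idle_days. A profile that
    has never signed on is measured from its creation date, so a stale, never-used
    profile is reported instead of being silently skipped."""
    cutoff = as_of - timedelta(days=max_idle_days)
    found = []
    for p in profiles:
        if not p.enabled:
            continue
        last_activity = p.last_signon or p.created
        if last_activity < cutoff:
            found.append(p.name)
    return sorted(found)


def excess_privileges(profiles: List[Profile], approved: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Special authorities held beyond what the matrix approves. Disabled profiles
    are included on purpose: a disabled profile that still carries *ALLOBJ is fully
    privileged again the moment someone re-enables it."""
    findings = {}
    for p in profiles:
        extra = p.special_authorities - approved.get(p.name, set())
        if extra:
            findings[p.name] = sorted(extra)
    return findings


def review(rows, as_of_iso: str, max_idle_days: int = 90,
           approved: Dict[str, Set[str]] = APPROVED_SPECIAL_AUTHORITIES) -> Dict[str, object]:
    """Run both checks over one listing and return the findings."""
    profiles = parse_profiles(rows)
    as_of = date.fromisoformat(as_of_iso)
    return {"dormant": dormant_profiles(profiles, as_of, max_idle_days),
            "excess": excess_privileges(profiles, approved)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_PROFILES, "2009-09-15").items():
        print(f"{key}: {value}")
```

Run against the sample as of 2009-09-15 it reports OLDADMIN and TEMP01 as dormant (NEWHIRE has never signed on either, but was created too recently to count), and flags OLDADMIN and the disabled LEFTCO for holding *ALLOBJ their roles do not approve. In practice the listing would come from the system itself and the approval matrix from the HR or role records that PS-5 says must be reviewed on transfer.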

SA-7 USER INSTALLED SOFTWARE

Control

The organization enforces explicit rules governing the installation of software by users.

Supplemental Guidance

If provided the necessary privileges, users have the ability to install software. The organization identifies what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect). Related control: CM-2.

PowerTech Recommendations

The Save and Restore category of system values on OS/400 (QALWOBJRST, QVFYOBJRST, QFRCCVNRST) can be used to control the restoration of programs to the system. PowerTech Compliance Monitor can be used to verify that these system values are set to their approved values on all systems in the enterprise; any exceptions to corporate policy are highlighted in a single enterprise-wide report.

SC-7 BOUNDARY PROTECTION

Control

The information system:

  1. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and

  2. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Supplemental Guidance

Restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source are examples of restricting and prohibiting communications. Managed interfaces employing boundary protection devices include, for example, proxies, gateways, routers, firewalls, guards, or encrypted tunnels arranged in an effective security architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ).

The organization considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third-party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. Related controls: AC-4, IR-4, SC-5.

Control Enhancements

 (3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.

Enhancement Supplemental Guidance

The Trusted Internet Connection (TIC) initiative is an example of limiting the number of managed network access points.

 (5) The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).

PowerTech Recommendations

PowerTech Network Security can be used to implement access controls on network services such as FTP, ODBC and remote command (monitored exit points). PowerTech recommends an exclude-based security policy: access is granted to those users who have a demonstrated business need, and all other users are restricted from access by default.
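The recommendation above (and the same one under CM-5, together with the IP-address restriction under IA-3) describes a deny-all, permit-by-exception rule set applied to network servers such as FTP, ODBC and remote command. The script below is an added example of how such rule evaluation behaves; it is not PowerTech Network Security's own logic and does not claim to reproduce that product's rule semantics. The group memberships, rules and requests are constructed for the example, and the server names (*FTPSERVER, *SQL, *RMTCMD) are used only as labels.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str   # a user profile, a group profile, or "*PUBLIC"
    server: str    # network server covered, e.g. "*FTPSERVER", "*SQL", "*RMTCMD", or "*ALL"
    action: str    # "ALLOW" or "DENY"
    network: str   # CIDR the client address must fall in; "0.0.0.0/0" means anywhere


@dataclass(frozen=True)
class Request:
    user: str
    server: str
    client_ip: str


# Hypothetical group memberships and rule set, constructed for this example.
GROUPS: Dict[str, Set[str]] = {
    "JSMITH": {"ADMINS"},
    "REPORTS": set(),
    "CONTRACT1": {"VENDORS"},
}

RULES: List[Rule] = [
    Rule("ADMINS",    "*FTPSERVER", "ALLOW", "10.1.0.0/16"),   # admins may use FTP from the office LAN
    Rule("REPORTS",   "*SQL",       "ALLOW", "10.1.5.10/32"),  # one reporting host may use ODBC
    Rule("VENDORS",   "*SQL",       "ALLOW", "10.1.0.0/16"),   # vendor group may use ODBC on site
    Rule("CONTRACT1", "*SQL",       "DENY",  "0.0.0.0/0"),     # user-level exception revoking it
]


def _specificity(rule: Rule, request: Request, groups: Dict[str, Set[str]]) -> Optional[int]:
    """How specific a matching rule is, or None when it does not match.
    Server and source network must both match; the subject then ranks
    3 for the user itself, 2 for one of the user's groups, 1 for *PUBLIC."""
    if rule.server not in ("*ALL", request.server):
        return None
    if ipaddress.ip_address(request.client_ip) not in ipaddress.ip_network(rule.network):
        return None
    if rule.subject == request.user:
        return 3
    if rule.subject in groups.get(request.user, set()):
        return 2
    if rule.subject == "*PUBLIC":
        return 1
    return None


def decide(request: Request, rules: List[Rule] = RULES,
           groups: Dict[str, Set[str]] = GROUPS) -> str:
    """Deny all, permit by exception: with no matching rule the answer is DENY.
    Among matching rules the most specific subject wins, so a user-level DENY
    overrides a group-level ALLOW. Ties keep the earliest rule in the list."""
    best: Optional[Tuple[int, Rule]] = None
    for rule in rules:
        spec = _specificity(rule, request, groups)
        if spec is not None and (best is None or spec > best[0]):
            best = (spec, rule)
    return best[1].action if best else "DENY"


def decide_for(user: str, server: str, client_ip: str) -> str:
    """Convenience wrapper for evaluating one request by its three fields."""
    return decide(Request(user, server, client_ip))


if __name__ == "__main__":
    for req in [
        Request("JSMITH", "*FTPSERVER", "10.1.2.3"),      # group rule, on-site: ALLOW
        Request("JSMITH", "*FTPSERVER", "192.168.1.9"),   # wrong network: DENY
        Request("JSMITH", "*RMTCMD", "10.1.2.3"),         # no rule for remote command: DENY
        Request("REPORTS", "*SQL", "10.1.5.10"),          # exact host match: ALLOW
        Request("REPORTS", "*SQL", "10.1.5.11"),          # neighbouring host: DENY
        Request("CONTRACT1", "*SQL", "10.1.7.7"),         # user DENY beats group ALLOW: DENY
    ]:
        print(f"{req.user:10} {req.server:11} {req.client_ip:15} -> {decide(req)}")
```

Two points the sample requests make: an administrator with no rule for a server is still denied (least functionality rather than trusting the profile's special authorities), and a user-level exclusion takes precedence over a group-level grant, which is what lets a single contractor be cut off without editing the vendor group's rule.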

SC-10 NETWORK DISCONNECT

Control

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

Supplemental Guidance

This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

PowerTech Recommendations

OS/400 has two system values that control inactive-session timeouts: QINACTITV (the inactivity interval) and QINACTMSGQ (the action taken, or the message queue notified, when that interval expires). The secure screen feature in PowerTech Network Security works in conjunction with these system values to specify a range of actions that can occur when a session reaches the timeout limit. Alternatively, many organizations rely on timeout settings in the Windows client sessions used to connect to the IBM System i; those timeouts are enforced by the client rather than by the System i itself.

PowerTech Compliance Monitor reports:

SI-4 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES

Control

The organization:

  1. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;

  2. Identifies unauthorized use of the information system;

  3. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;

  4. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and

  5. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

Supplemental Guidance

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components). Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, at selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. The Einstein network monitoring device from the Department of Homeland Security is an example of a system monitoring device. The granularity of the information collected is determined by the organization based on its monitoring objectives and the capability of the information system to support such activities. An example of a specific type of transaction of interest to the organization with regard to monitoring is Hyper Text Transfer Protocol (HTTP) traffic that bypasses organizational HTTP proxies, when use of such proxies is required. Related controls: AC-4, AC-8, AC-17, AU-2, AU-6, SI-3, SI-7.

Control Enhancements

(1) The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.

(2) The organization employs automated tools to support near real-time analysis of events.

(3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

(4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.

Enhancement Supplemental Guidance: Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

(5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].

Enhancement Supplemental Guidance: Alerts may be generated, depending on the organization-defined list of indicators, from a variety of sources, for example, audit records or input from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.

PowerTech Recommendations

PowerTech Interact provides real-time export of security events from the IBM System i in industry-standard syslog format. Leading Security Information and Event Management (SIEM) solutions can import the events from syslog in real time.

SI-7 SOFTWARE AND INFORMATION INTEGRITY

Control

The information system detects unauthorized changes to software and information.

Supplemental Guidance

The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

PowerTech Recommendations

The Save and Restore category of system values on OS/400 (QALWOBJRST, QVFYOBJRST, QFRCCVNRST) can be used to control the restoration of programs to the system. PowerTech Compliance Monitor can be used to verify that these system values are set to their approved values on all systems in the enterprise; any exceptions to corporate policy are highlighted in a single enterprise-wide report.

Click the following link to view the 'NIST Special Publication 800-53 Rev 3' in its entirety:

NIST Special Publication 800-53
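Several of the recommendations on this page (CM-2 baseline comparison, CM-6 verification of system values against policy and against other systems, the IA-5 password settings, the SC-10 inactivity timeout, and the SA-7/SI-7 Save and Restore values above) are the same operation: collect each system's security-related system values and report every deviation from an approved policy in one enterprise-wide view. The script below is an added illustration of that comparison, written for this page and not taken from Compliance Monitor. The system value names are real OS/400 ones, but the POLICY thresholds are a hypothetical example policy, not a NIST or PowerTech recommendation, and the two dumps are constructed "NAME value" text rather than genuine DSPSYSVAL output.

```python
from typing import Dict, List, Tuple

# Hypothetical example policy: system value -> (rule, expected).
# Rules: at_least / at_most compare numerically, in_set checks membership,
# contains checks for a token inside a list-valued system value.
POLICY: Dict[str, Tuple[str, object]] = {
    "QSECURITY":  ("at_least", 40),
    "QPWDMINLEN": ("at_least", 8),
    "QPWDEXPITV": ("at_most", 90),                 # *NOMAX is non-numeric and therefore fails
    "QMAXSIGN":   ("at_most", 5),
    "QMAXSGNACN": ("in_set", {"2", "3"}),          # disable the profile, not just the device
    "QINACTITV":  ("at_most", 30),                 # *NONE (never time out) fails
    "QALWOBJRST": ("in_set", {"*NONE", "*ALWPTF"}),
    "QVFYOBJRST": ("at_least", 3),
    "QFRCCVNRST": ("at_least", 3),
    "QAUDCTL":    ("contains", "*AUDLVL"),         # auditing must actually be on
    "QCRTAUT":    ("in_set", {"*USE", "*EXCLUDE"}),
}

# Constructed dumps from two hypothetical systems (SYSB has been left at loose
# settings on purpose, and its QCRTAUT line is missing altogether).
DUMPS: Dict[str, str] = {
    "SYSA": """
QSECURITY   40
QPWDMINLEN  8
QPWDEXPITV  60
QMAXSIGN    3
QMAXSGNACN  3
QINACTITV   30
QALWOBJRST  *NONE
QVFYOBJRST  3
QFRCCVNRST  3
QAUDCTL     *AUDLVL *OBJAUD
QCRTAUT     *USE
""",
    "SYSB": """
QSECURITY   30
QPWDMINLEN  6
QPWDEXPITV  *NOMAX
QMAXSIGN    *NOMAX
QMAXSGNACN  3
QINACTITV   *NONE
QALWOBJRST  *ALL
QVFYOBJRST  1
QFRCCVNRST  3
QAUDCTL     *NONE
""",
}


def parse_dump(text: str) -> Dict[str, str]:
    """Parse "NAME value" lines; values such as QAUDCTL may contain several tokens."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, value = line.partition(" ")
            values[name] = value.strip()
    return values


def check(rule: str, expected, actual: str) -> bool:
    """Evaluate one policy rule against the actual value. A special value like
    *NOMAX or *NONE where a number is required is treated as non-compliant."""
    if rule in ("at_least", "at_most"):
        try:
            n = int(actual)
        except ValueError:
            return False
        return n >= expected if rule == "at_least" else n <= expected
    if rule == "in_set":
        return actual in expected
    if rule == "contains":
        return expected in actual.split()
    raise ValueError(f"unknown rule {rule}")


def describe(rule: str, expected) -> str:
    if isinstance(expected, set):
        return f"{rule} {' '.join(sorted(expected))}"
    return f"{rule} {expected}"


def exceptions(dumps: Dict[str, str] = DUMPS,
               policy: Dict[str, Tuple[str, object]] = POLICY) -> List[Tuple[str, str, str, str]]:
    """Enterprise-wide exception report: (system, value, actual, requirement)
    for every system value that is missing or fails its rule."""
    report = []
    for system, text in sorted(dumps.items()):
        values = parse_dump(text)
        for name, (rule, expected) in policy.items():
            actual = values.get(name)
            if actual is None:
                report.append((system, name, "<missing>", describe(rule, expected)))
            elif not check(rule, expected, actual):
                report.append((system, name, actual, describe(rule, expected)))
    return report


def drift(dumps: Dict[str, str] = DUMPS) -> Dict[str, Dict[str, str]]:
    """Values that are not identical across systems (peer comparison rather than
    policy comparison, useful when a baseline has not been written down yet)."""
    per_system = {s: parse_dump(t) for s, t in dumps.items()}
    names = set().union(*(v.keys() for v in per_system.values()))
    out = {}
    for name in sorted(names):
        seen = {s: v.get(name, "<missing>") for s, v in per_system.items()}
        if len(set(seen.values())) > 1:
            out[name] = seen
    return out


if __name__ == "__main__":
    for system, name, actual, requirement in exceptions():
        print(f"{system:5} {name:11} actual={actual:16} required: {requirement}")
```

Against the sample, SYSA produces no exceptions and SYSB produces nine, including the two cases a naive string comparison gets wrong: QPWDEXPITV *NOMAX and QINACTITV *NONE are not numbers and must be reported as failures rather than skipped, and a system value absent from a dump is reported as missing rather than passed. The drift() view is the "compared against other systems" half of the CM-6 recommendation and needs no policy at all.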