
PowerTech recommends that you define a security policy for your organization and run reports against your system on a regular basis to ensure that your system continues to comply with your security policy.
Standards such as COBIT or ISO 27002 (17799) should be used as a framework to guide the development of your corporate security policy. In many places throughout this Guide, we have mapped our recommended audit points to specific sections of the COBIT or ISO 27002 (17799) standards.
When to Run Reports
PowerTech recommends running the reports at least once per quarter (which aligns with the quarterly reporting requirements of Section 302 of the Sarbanes-Oxley Act), but in many cases you should run them more frequently so that there are no significant surprises at audit time.
PowerTech Recommendation: Use the Compliance Monitor 'Regulatory Recommendations' reports to ensure compliance.

External auditors are often not interested in checking specific reports, but they do want to know that you have a regular process in place to check security policy and configuration on your systems.
PowerTech recommends running the following basic set of reports to form a foundation for an audit of your system. Depending on the specific needs and usage of your system, and the applications it is running, you may choose to run more reports than the basic top ten listed here.
System Values
PowerTech recommends that your security policy define an appropriate set of system values and that you run the system value report regularly to find any deviations from the policy.
Subsequent system value reports highlight any values that deviate from the benchmarked (policy) value. PowerTech's recommended values are based on IBM recommendations and on the COBIT and ISO standards where appropriate.
User Profiles
Careful management and review of user access to a system is a key requirement of all security related regulations and standards.
The most important items to review are:
Special authorities assigned to user profiles
Command line access for all users
Users with password set to user name
Dormant users (inactive profiles)
Invalid signon attempts and user password status
Object Authorities
Check public authority to all significant production source code and databases. It should be *EXCLUDE, with access granted only through appropriate private authorities for the individuals and groups that need it. Checking authority at the library level is a good place to start.
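As an added example (not code from the PowerTech guide or from Compliance Monitor), the system value, user profile and object authority checks above written as queries against the Db2 for i SQL services QSYS2.SYSTEM_VALUE_INFO, QSYS2.USER_INFO and QSYS2.OBJECT_PRIVILEGES. The service and column names, and the '*PUBLIC' spelling of the public authorization name, are assumed from IBM i 7.x and postdate the OS/400 naming used in this Guide; the policy ranges, the 90-day dormancy threshold and the production library names PRODDTA and PRODSRC are placeholders to be replaced with your own policy.

```sql
-- Added example, not from the PowerTech guide. Service and column names are
-- assumed from the IBM i 7.x Db2 for i SQL services; policy values, the 90-day
-- threshold and the library names PRODDTA/PRODSRC are assumptions.

-- 1. System values: list every value outside the range the policy defines.
--    A value of *NONE (for example QINACTITV(*NONE)) comes back as a NULL number.
WITH sysval_policy (system_value_name, min_value, max_value) AS (
  VALUES ('QSECURITY',  40,  50),   -- security level 40 or higher
         ('QPWDMINLEN',  8, 128),   -- minimum password length
         ('QMAXSIGN',    1,   3),   -- failed signons allowed before action
         ('QINACTITV',   5,  30)    -- inactive job time-out, minutes
)
SELECT p.system_value_name, p.min_value, p.max_value, s.current_numeric_value
  FROM sysval_policy p
  JOIN qsys2.system_value_info s ON s.system_value_name = p.system_value_name
 WHERE s.current_numeric_value IS NULL
    OR s.current_numeric_value NOT BETWEEN p.min_value AND p.max_value;

-- 2. Special authorities: profiles holding the powerful special authorities.
--    SPECIAL_AUTHORITIES is a blank-separated list such as '*ALLOBJ *SECADM'.
SELECT authorization_name, user_class_name, status, special_authorities
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*ALLOBJ%'
    OR special_authorities LIKE '%*SECADM%'
    OR special_authorities LIKE '%*AUDIT%'
    OR special_authorities LIKE '%*SERVICE%'
 ORDER BY authorization_name;

-- 3. Command line access: enabled profiles not limited to menu options
--    (LMTCPB(*YES) is the only setting that removes the command line).
SELECT authorization_name, limit_capabilities, initial_menu_name
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
   AND limit_capabilities <> '*YES';

-- 4. Dormant users: enabled profiles with no signon in the last 90 days
--    (a NULL PREVIOUS_SIGNON means the profile has never signed on).
SELECT authorization_name, previous_signon
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
   AND (previous_signon IS NULL
        OR previous_signon < CURRENT TIMESTAMP - 90 DAYS);

-- 5. Invalid signon attempts and password status.
SELECT authorization_name, status, sign_on_attempts_not_valid,
       password_change_date, days_until_password_expires, no_password_indicator
  FROM qsys2.user_info
 WHERE sign_on_attempts_not_valid > 0
    OR days_until_password_expires IS NULL   -- password never expires (assumed NULL)
    OR no_password_indicator = 'YES';        -- PASSWORD(*NONE)

-- 6. Object authority: *PUBLIC on the production libraries must be *EXCLUDE.
WITH prod_libs (library_name) AS (VALUES ('PRODDTA'), ('PRODSRC'))
SELECT o.system_object_name AS library_name, o.object_authority AS public_authority
  FROM qsys2.object_privileges o
  JOIN prod_libs l ON l.library_name = o.system_object_name
 WHERE o.system_object_schema = 'QSYS'      -- libraries are objects in QSYS
   AND o.object_type = '*LIB'
   AND o.authorization_name = '*PUBLIC'
   AND o.object_authority <> '*EXCLUDE';
```

Each query returns only the exceptions to the policy, so an empty result is a pass and anything returned is a finding to record. The one item above that no catalog can answer is 'Users with password set to user name': passwords are not readable, so use the CL command ANZDFTPWD with ACTION(*NONE), which prints the profiles whose password equals the profile name (ACTION(*DISABLE) or ACTION(*PWDEXP) will also disable them or expire the password).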
Auditing to the Journal
One of the strengths of OS/400 is the powerful auditing capability it provides. As part of an overall compliance program, turn on security auditing on your platform (the QAUDCTL and QAUDLVL system values control what is written to the QAUDJRN audit journal). The detailed audit settings and recommendations on how to set up your system are described separately.
The most important report that we recommend from the audit journal is:
Authority Failures - report on failed signon attempts to the platform
Compliance Monitor and 'Log File' reports
Rather than reading the audit journal entries directly, a much simpler approach is to use Compliance Monitor's predefined 'Log File' reports to review the entries in the journal.
Other important reports to consider as part of your regular audits are:
Important security related events
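As an added example (not one of Compliance Monitor's 'Log File' reports), the authority failure review above as a query over QAUDJRN using the Db2 for i table function QSYS2.DISPLAY_JOURNAL; the function, its named parameters and the output column names are assumed from IBM i 7.x. In the audit journal, authority failures are AF entries and invalid password attempts are PW entries, so both types are selected. Auditing must already be active (QAUDCTL including *AUDLVL and QAUDLVL including *AUTFAIL), or the journal has nothing to report; the cast of the entry-specific data to CCSID 37 is an assumption about the job's EBCDIC CCSID.

```sql
-- Added example, not from the PowerTech guide. QSYS2.DISPLAY_JOURNAL, its
-- parameters and its output columns are assumed from IBM i 7.x. ENTRY_DATA is
-- a BLOB; the cast to CHAR CCSID 37 assumes an EBCDIC job CCSID.

-- Detail: every authority failure (AF) and invalid password (PW) entry written
-- in the last 7 days. For AF entries the first character of the entry-specific
-- data is the violation type, e.g. 'A' = not authorized to object,
-- 'K' = special authority violation, 'T' = not authorized to TCP/IP port.
SELECT entry_timestamp, journal_entry_type,
       job_user, job_name, job_number,
       SUBSTR(CAST(entry_data AS CHAR(80) CCSID 37), 1, 1)  AS violation_type,
       CAST(entry_data AS CHAR(80) CCSID 37)                 AS entry_data_prefix
  FROM TABLE (qsys2.display_journal(
           'QSYS', 'QAUDJRN',
           starting_timestamp  => CURRENT TIMESTAMP - 7 DAYS,
           journal_entry_types => 'AF,PW'))
 ORDER BY entry_timestamp DESC;

-- Summary: jobs/users with five or more failures in the period, which are the
-- ones to look at first (the threshold of 5 is an assumption).
SELECT job_user, journal_entry_type, COUNT(*) AS failures,
       MIN(entry_timestamp) AS first_seen, MAX(entry_timestamp) AS last_seen
  FROM TABLE (qsys2.display_journal(
           'QSYS', 'QAUDJRN',
           starting_timestamp  => CURRENT TIMESTAMP - 7 DAYS,
           journal_entry_types => 'AF,PW'))
 GROUP BY job_user, journal_entry_type
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

Note that for PW entries JOB_USER is the job that received the attempt (often a server job such as the Telnet or FTP server), while the profile name that was tried is inside the entry-specific data; the detail query shows both so the two are not confused.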
Network Access
In today's world there are hundreds of ways to access your System i data that bypass traditional menu security, making a security breach more likely than ever before. Don't assume it takes hackers or malicious intent to be at risk: the majority of security breaches happen by accident and from within your company.
It is important to check network transaction activity to see who is accessing data on the System i through the network access servers such as FTP, ODBC and Telnet.
The most useful report to review is:
Network Security Exit Programs
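As an added example (not Compliance Monitor's 'Network Security Exit Programs' report), a check of which network server exit points have no exit program registered, using the Db2 for i services QSYS2.EXIT_POINT_INFO and QSYS2.EXIT_PROGRAM_INFO (service and column names assumed from IBM i 7.x; WRKREGINF is the equivalent green-screen view). The exit point names listed are IBM's registered exit points for the FTP, database (ODBC/JDBC), Telnet, remote command and file servers; a server with no exit program accepts any request that passes object authority, regardless of menu security, which is the exposure the report above is meant to surface.

```sql
-- Added example, not from the PowerTech guide. QSYS2.EXIT_POINT_INFO and
-- QSYS2.EXIT_PROGRAM_INFO and their columns are assumed from IBM i 7.x.

-- The network server exit points a security policy would expect to be covered.
WITH server_exits (exit_point_name, server) AS (
  VALUES ('QIBM_QTMF_SVR_LOGON',  'FTP server logon'),
         ('QIBM_QTMF_SERVER_REQ', 'FTP server request validation'),
         ('QIBM_QZDA_INIT',       'Database server (ODBC/JDBC) initiation'),
         ('QIBM_QZDA_SQL1',       'Database server SQL requests'),
         ('QIBM_QZDA_SQL2',       'Database server SQL requests'),
         ('QIBM_QZDA_NDB1',       'Database server native DB requests'),
         ('QIBM_QTG_DEVINIT',     'Telnet device initialization'),
         ('QIBM_QZRC_RC',         'Remote command / program call'),
         ('QIBM_QPWFS_FILE_SERV', 'File server (IFS access)')
)
-- Exceptions only: exit point formats with no program registered, or exit
-- points that are not in the registration facility at all.
SELECT s.server, s.exit_point_name, e.exit_point_format,
       CASE WHEN e.exit_point_name IS NULL THEN 'exit point not registered'
            ELSE 'no exit program registered' END AS finding
  FROM server_exits s
  LEFT JOIN qsys2.exit_point_info e
         ON e.exit_point_name = s.exit_point_name
  LEFT JOIN qsys2.exit_program_info p
         ON p.exit_point_name   = e.exit_point_name
        AND p.exit_point_format = e.exit_point_format
 WHERE p.exit_program IS NULL
 ORDER BY s.exit_point_name, e.exit_point_format;

-- Inventory: what is actually registered, so the auditor can see which
-- program (and from which library) is enforcing each server.
SELECT s.server, p.exit_point_name, p.exit_point_format,
       p.exit_program_number, p.exit_program_library, p.exit_program
  FROM server_exits s
  JOIN qsys2.exit_program_info p ON p.exit_point_name = s.exit_point_name
 ORDER BY p.exit_point_name, p.exit_point_format, p.exit_program_number;
```

Read the two results together: the first is the finding list (any row means a server is reachable with no request-level control), and the second documents the controls that are in place, including the library each exit program is called from, which should itself be checked against the object authority policy so that the exit program cannot be replaced by an unauthorized user.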