The System i is shipped with a wide variety of network services pre-configured and ready to communicate with other nearby computers. Every System i system should have its network services secured by installing programs on the IBM network servers that monitor and control network access.
There are three ways to access data on an AS/400 system: through a menu and an application, from a system command line, or across a network. Most applications do a sufficient job of securing access through the menu and through command lines. However, the greatest risk of abuse remains internal and external network access using data-transfer-capable tools.
Several COBIT objectives apply to this section:
COBIT DS5.3 - Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.
COBIT DS5.5 - Security Testing, Surveillance and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.
To mitigate the risk of unauthorized access, auditors recommend that *PUBLIC authority is set to *EXCLUDE on every significant production database and on source code, and that individuals or groups of individuals are explicitly granted only the authority they require.
Check the public authority to all significant production source code and databases. It should be *EXCLUDE, with access allowed only through appropriate individual or group authorities. Checking the authority to libraries is a good place to start.
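As an added example, not part of the original page, the public-authority check above applied to an authority extract: every in-scope library or file whose *PUBLIC authority is anything other than *EXCLUDE is listed for follow-up, as is any object whose *PUBLIC line is missing from the extract. The records, field names and object names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthorityRow:
    """One user/authority line for one object, as an authority report lists them."""
    object_name: str
    library: str
    object_type: str   # *LIB for libraries, *FILE for database and source files
    user: str          # profile name, or *PUBLIC for the public authority line
    authority: str     # *EXCLUDE, *USE, *CHANGE, *ALL or USER DEF

SAMPLE_ROWS = [  # constructed sample; libraries are themselves objects in QSYS
    AuthorityRow("PAYROLL", "QSYS", "*LIB", "*PUBLIC", "*EXCLUDE"),
    AuthorityRow("PAYROLL", "QSYS", "*LIB", "PAYADM", "*ALL"),
    AuthorityRow("PRODSRC", "QSYS", "*LIB", "*PUBLIC", "*USE"),
    AuthorityRow("PRODDTA", "QSYS", "*LIB", "*PUBLIC", "*CHANGE"),
    AuthorityRow("EMPMAST", "PRODDTA", "*FILE", "*PUBLIC", "USER DEF"),
    AuthorityRow("ARCHIVE", "QSYS", "*LIB", "PAYADM", "*USE"),  # *PUBLIC line missing
]

def public_authority_findings(rows, scope_types=("*LIB", "*FILE")):
    """Return (library, object, type, public authority) for each in-scope object
    whose *PUBLIC authority is not *EXCLUDE. An object with no *PUBLIC line is
    also reported: the extract is incomplete and the object must be reviewed."""
    public = {}
    for row in rows:
        if row.object_type not in scope_types:
            continue
        key = (row.library, row.object_name, row.object_type)
        public.setdefault(key, None)
        if row.user == "*PUBLIC":
            public[key] = row.authority
    findings = []
    for (lib, obj, typ), authority in sorted(public.items()):
        if authority is None:
            findings.append((lib, obj, typ, "NO *PUBLIC LINE IN EXTRACT"))
        elif authority != "*EXCLUDE":
            findings.append((lib, obj, typ, authority))
    return findings
```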
COBIT DS5.3 - Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.
User and password security are critical because they are the most obvious, and the most exploited, method of compromising a system. One of the most difficult aspects of user and password security is that the user population and password settings change from day to day.
User Profile Recommendations and Reports
| Category | PowerTech Recommendation | Report |
| Inactive User IDs | 0 | |
| No. of Users with more than 3 Invalid Sign-on Attempts | < 5 | |
| No. of Invalid Sign-on Attempts on each profile | < 3 | |
| Unsecured User Profiles | 0 | |
| Users with Default Passwords | 0 | |
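An added example, not from the original page, that applies the three countable recommendations in the table (inactive IDs, users with more than 3 invalid sign-on attempts, invalid attempts per profile) to user profile data. The records, field names and the 90-day inactivity window are assumptions; default passwords are not visible in profile data and are found with the ANZDFTPWD command instead.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_AFTER_DAYS = 90        # assumption: the page does not define "inactive"
AUDIT_DATE = date(2024, 6, 1)   # constructed audit date for the sample

@dataclass(frozen=True)
class UserProfile:
    name: str
    status: str                    # *ENABLED or *DISABLED
    last_signon: Optional[date]    # None: the profile has never signed on
    invalid_signon_attempts: int   # count since the last successful sign-on
    created: date

SAMPLE_USERS = [  # constructed sample
    UserProfile("ALICE", "*ENABLED", date(2024, 5, 30), 0, date(2020, 1, 1)),
    UserProfile("BOB", "*ENABLED", date(2024, 1, 10), 4, date(2020, 1, 1)),
    UserProfile("CAROL", "*ENABLED", None, 0, date(2023, 2, 1)),
    UserProfile("DAVE", "*DISABLED", date(2023, 8, 1), 7, date(2020, 1, 1)),
    UserProfile("ERIN", "*ENABLED", date(2024, 5, 1), 2, date(2020, 1, 1)),
    UserProfile("FRANK", "*ENABLED", date(2024, 5, 28), 5, date(2020, 1, 1)),
]

def audit_user_profiles(users, as_of):
    """Apply the three countable recommendations; keys mirror the table rows."""
    inactive, over_three, per_profile = [], [], {}
    for u in users:
        # A profile that has never signed on is measured from its creation date.
        reference = u.last_signon or u.created
        if (as_of - reference).days > INACTIVE_AFTER_DAYS:
            inactive.append(u.name)
        if u.invalid_signon_attempts > 3:
            over_three.append(u.name)
        if u.invalid_signon_attempts >= 3:   # standard is fewer than 3 per profile
            per_profile[u.name] = u.invalid_signon_attempts
    return {
        "Inactive User IDs": sorted(inactive),
        "Users with more than 3 invalid sign-on attempts": sorted(over_three),
        "Profiles with 3 or more invalid sign-on attempts": per_profile,
    }

def meets_recommendation(findings):
    """True only when all three rows are within the PowerTech recommendation."""
    return (not findings["Inactive User IDs"]
            and len(findings["Users with more than 3 invalid sign-on attempts"]) < 5
            and not findings["Profiles with 3 or more invalid sign-on attempts"])
```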
Password system values can be checked and benchmarked using the Password system value report, or the full system value report.
Password Setting Standards and Values
| Password Setting | PowerTech Standard | OS/400 System Value |
| Passwords should expire in less than | 90 days | |
| Minimum Length | 6 characters | |
| Are Digits Required? | Yes | |
| Password must be different from previous | 10 passwords | |
Our recommendations for password policy are based on sections 11.2.3, 11.3.1 and 11.5.3 of the ISO 17799 standard, which provide detailed guidance on setting strong password policies and managing user accounts. COBIT points out the need for effective management of user accounts:
COBIT DS5.4 - User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management.
COBIT DS5.5 - Security Testing, Surveillance and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained.
OS/400 provides a variety of methods of securing both the operating system itself, and the workstations that are connected to it. In order for the operating system to stay intact, you must carefully monitor programs (typically from third party vendors) that attempt to modify operating system objects.
Additionally, when a user logs on to your system, each terminal session represents a security exposure anytime a user walks away and leaves the terminal session unattended. In this section we examine the system values that protect your operating system and your workstations. These values can be checked and benchmarked using the full system value report.
Audit Point Values, Recommendations, and Standards
| Audit Point | OS/400 System Value | PowerTech Recommendation | Relevant Standards |
| Allow Restore of Security-Sensitive Objects | | *ALWPGMADP | PO3.1 Technological Direction Planning; ISO 10.4.1 Controls Against Malicious Code |
| Verify Object on Restore | | 3 | PO3.1 Technological Direction Planning; ISO 10.4.1 Controls Against Malicious Code |
| Use Adopted Authority Authorization List | | An authorization list | DS5.3 Identity Management; ISO 11.6.1 Information Access Restriction |
| System Security Level | | 40 | |
| Time-out Period for Inactive Jobs | | 30 = 30 minutes | ISO 11.3.2 Unattended User Equipment; ISO 11.5.6 Limitation of Connection Time |
| Limit SECOFR to allowed terminals | | 1 = Limit security officer sign-on | |
| Device I/O error action | | | |
| User limited to one device session | | 1 = Limit number of concurrent sessions and control at the user profile level | |
| Action after number of sign-on attempts exceeds the max | | 2 = Disable profile | DS5.3 Identity Management; ISO 11.5.1 Secure Log-On Procedures |
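An added example, not from the page, that benchmarks a system-value snapshot against both the password standards table and the audit point table above, reporting each value that misses the standard. The page leaves the system value column blank; the QPWDEXPITV, QPWDMINLEN, QPWDRQDDGT, QPWDRQDDIF, QALWOBJRST, QVFYOBJRST, QUSEADPAUT, QSECURITY, QINACTITV, QLMTSECOFR, QLMTDEVSSN and QMAXSGNACN names are the standard OS/400 system values for those rows, supplied here, and the snapshot values are constructed.

```python
def _num(value):
    """Numeric system values display as digits; *NOMAX, *NONE etc. give None."""
    value = value.strip()
    return int(value) if value.isdigit() else None

# QPWDRQDDIF code -> number of previous passwords that cannot be reused
PREVIOUS_PASSWORDS = {1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}

# (system value, what the standard requires, check that is True when compliant)
BENCHMARK = [
    ("QPWDEXPITV", "expire in 90 days or less", lambda v: _num(v) is not None and 1 <= _num(v) <= 90),
    ("QPWDMINLEN", "minimum length 6", lambda v: (_num(v) or 0) >= 6),
    ("QPWDRQDDGT", "digit required", lambda v: v.strip() == "1"),
    ("QPWDRQDDIF", "differ from previous 10", lambda v: PREVIOUS_PASSWORDS.get(_num(v), 0) >= 10),
    ("QALWOBJRST", "*ALWPGMADP (*NONE is stricter)", lambda v: set(v.split()) in ({"*ALWPGMADP"}, {"*NONE"})),
    ("QVFYOBJRST", "verify on restore, 3 or higher", lambda v: (_num(v) or 0) >= 3),
    ("QUSEADPAUT", "an authorization list, not *NONE", lambda v: v.strip() != "*NONE"),
    ("QSECURITY", "level 40 (or 50)", lambda v: (_num(v) or 0) >= 40),
    ("QINACTITV", "time-out 30 minutes or less", lambda v: _num(v) is not None and _num(v) <= 30),
    ("QLMTSECOFR", "1 = limit security officer sign-on", lambda v: v.strip() == "1"),
    ("QLMTDEVSSN", "1 = one device session", lambda v: v.strip() == "1"),
    ("QMAXSGNACN", "2 = disable profile (3 disables profile and device)", lambda v: v.strip() in ("2", "3")),
]

def benchmark(values):
    """Return {name: (current, required, compliant)}; a value missing from the
    snapshot is reported as non-compliant rather than silently skipped."""
    report = {}
    for name, required, check in BENCHMARK:
        current = values.get(name)
        report[name] = (current, required, current is not None and check(current))
    return report

def exceptions(values):
    """Names of system values that miss the standard, in table order."""
    return [name for name, (_, _, ok) in benchmark(values).items() if not ok]

SAMPLE_VALUES = {  # constructed snapshot with several deliberate misses
    "QPWDEXPITV": "*NOMAX", "QPWDMINLEN": "6", "QPWDRQDDGT": "0", "QPWDRQDDIF": "8",
    "QALWOBJRST": "*ALL", "QVFYOBJRST": "3", "QUSEADPAUT": "ADPAUTLST", "QSECURITY": "30",
    "QINACTITV": "*NONE", "QLMTSECOFR": "1", "QLMTDEVSSN": "0", "QMAXSGNACN": "3",
}
```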
System auditing consists of two functions: logging and reporting. Logging simply means events are recorded in a secure log. Reporting is where relevant security events are brought to the attention of system administrators and site management. Logs are an important information source for intrusion detection/prevention and vulnerability assessments. It is important to collect this data in order to effectively manage default user rights, network security, user and password settings, system security, and administrative rights.
The most important report that we recommend from the audit journal is:
Some other important reports to consider as part of your regular audits are:
The COBIT objectives are clear on the need for security auditing and monitoring:
Define, implement and maintain standard procedures for IT operations and ensure the operations staff is familiar with all operations tasks relevant to them.
COBIT DS5.5 - Security Testing, Surveillance and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained.
Administrative rights, called Special Authorities in AS/400 jargon, are rights granted to allow a specific security-sensitive function to be performed by specific users for a specific reason. These rights are very powerful and should be reserved only for trusted and knowledgeable IT professionals. In addition, users with these special authorities should have their activities subject to independent review.
There are eight types of administrative rights delivered by IBM, and it is important to monitor and manage the dissemination and use of these rights. Auditors are increasingly concerned about how an organization manages these powerful profiles, given known damage caused by disgruntled current and former employees.
Review the special authorities assigned to user profiles.