Network Access

Is your System i data safe within its network?

The System i is shipped with a wide variety of network services pre-configured and ready to communicate with other computers on the network, such as FTP, ODBC, and remote command. Every System i system should have these network services secured by installing exit programs on the IBM network servers' exit points to monitor and control network access.

There are three ways to access data on an AS/400 system: through a menu and an application, from a system command line, or across a network. Most applications do a sufficient job of securing access through menus and command lines. The greatest remaining risk of abuse, however, is network access, both internal and external, using tools capable of transferring data.

There are several network access points that should be monitored and regulated for remote requests. Many AS/400 systems are built on a traditional security model that relies on menu security to keep users out of sensitive files. However, menu security is inadequate for systems with networking capability, because the network access methods are unaware of, and do not respect, menu restrictions. Network access exit programs can be used to regulate network traffic.
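An illustrative request-validation exit program in C, added here as an example and not code from this page or from PowerTech's product: it applies a default-deny policy table keyed on user profile, source address and requested operation, so that a user who can browse a menu cannot quietly pull or push files over FTP from an unexpected address. The parameter layout (the VLRQ0100 format of the FTP server request-validation exit point QIBM_QTMF_SERVER_REQ), the operation codes, and the user names and addresses in the table are assumptions, not taken from this page.

```c
#include <stdio.h>
#include <string.h>

/* Operation and result codes as passed in the VLRQ0100 format of the FTP
   server request-validation exit point (QIBM_QTMF_SERVER_REQ). Assumed from
   IBM documentation, not from this page. */
enum { OP_SESSION = 0, OP_MKDIR, OP_RMDIR, OP_CD, OP_LIST,
       OP_DELETE, OP_SEND, OP_RECEIVE, OP_RENAME, OP_CLCMD };
enum { REJECT = 0, ALLOW = 1 };
#define OPBIT(op) (1u << (op))

/* Constructed policy table: user profile, permitted source-address prefix,
   permitted operations. Anything not listed is rejected (default deny).
   Note that OP_CLCMD (run a CL command over FTP) appears in no rule. */
struct rule { const char *user; const char *ip_prefix; unsigned ops; };
static const struct rule rules[] = {
    /* office user: browse and download only, from the office LAN */
    { "JSMITH",  "10.1.",   OPBIT(OP_SESSION) | OPBIT(OP_CD) | OPBIT(OP_LIST) | OPBIT(OP_SEND) },
    /* batch transfer profile: may also upload, but only from the EDI host's subnet */
    { "EDIXFER", "10.2.5.", OPBIT(OP_SESSION) | OPBIT(OP_CD) | OPBIT(OP_LIST) |
                            OPBIT(OP_SEND) | OPBIT(OP_RECEIVE) | OPBIT(OP_RENAME) },
};

/* Exit program body. The server passes every parameter by reference: user is a
   blank-padded CHAR(10), ip is CHAR(*) with its length in ip_len, app_id 1 is
   the FTP server. The decision is written to *allow and also returned. */
int ftp_request_exit(const int *app_id, const int *op_id, const char *user,
                     const char *ip, const int *ip_len, int *allow)
{
    char prof[11], addr[46];
    int len = *ip_len < 0 ? 0 : *ip_len;
    size_t n = len < (int)sizeof addr - 1 ? (size_t)len : sizeof addr - 1;
    size_t i;

    memcpy(prof, user, 10); prof[10] = '\0';
    for (i = 10; i > 0 && prof[i - 1] == ' '; i--) prof[i - 1] = '\0'; /* trim blanks */
    memcpy(addr, ip, n); addr[n] = '\0';

    *allow = REJECT;                                   /* default deny */
    if (*app_id == 1 && *op_id >= OP_SESSION && *op_id <= OP_CLCMD) {
        for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
            const struct rule *r = &rules[i];
            if (strcmp(prof, r->user) == 0 &&
                strncmp(addr, r->ip_prefix, strlen(r->ip_prefix)) == 0 &&
                (r->ops & OPBIT(*op_id)))
                *allow = ALLOW;
        }
    }
    /* a production exit program would record this in QAUDJRN or a log file */
    fprintf(stderr, "FTP exit: user=%s ip=%s op=%d -> %s\n",
            prof, addr, *op_id, *allow ? "allow" : "reject");
    return *allow;
}
```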

PowerTech Compliance Monitor provides several Network Security reports that allow you to check if you have exit programs installed.

PowerTech Recommendations

Use the Compliance Monitor 'Network Security Exit Programs' report to audit all Network Security exit programs.

Network Security Exit Programs

Expanded excerpt from the report [image: networksecurityzoom2.gif]

Relevant Standards:

COBIT DS5.3 - Identity Management

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable.

COBIT DS5.5 - Security Testing, Surveillance and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.

ISO 27002 (17799) 11.4.1 - Policy on use of network services

Users should only be provided with access to the services that they have been specifically authorized to use.

ISO 27002 (17799) 11.4.6 - Network connection control

For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications.