
Attaining and Maintaining Compliance (Europe)

Description: COMMON Europe Congress 2012 - Vienna


Carol Woodbury (@carolwoodbury), President and Co-Founder, SkyView Partners, Inc
www.skyviewpartners.com
© SkyView Partners, Inc, 2012. All Rights Reserved.


- Be pro-active
- Areas that are often out of compliance
  ◦ Automation opportunities
- Items requiring regular review
- Preparing for the next audit


Be Pro-active



- Read the business page of national and local newspapers
- Read publications from your organization’s vertical industry
- Listen to webcasts, read magazines, online forums, newsletters and articles for i5/OS-specific information
  ◦ SkyView Partners has regular webinars: http://www.skyviewpartners.com/lawsandregs.php
  ◦ Examples: PCI Data Security Standards, EU Data Privacy Laws, SOX, J-SOX, BASEL III, Privacy Laws (Korea, PIPEDA, The Companies Bill)


- Implement security best practices wherever possible
- Document the areas where best practices aren’t possible
- Engage your development group



- Start with an assessment
- Prioritize the list of issues
- Document your plans for remediation


- Security standard
  ◦ BS7799 -> ISO17799 -> ISO/IEC 27001:2005
  ◦ www.iso.org
- CobiT
  ◦ Process for analyzing risk in IT
  ◦ www.isaca.org
- Payment Card Industry
  ◦ Data Security Standards
  ◦ http://www.skyviewpartners.com/java-skyviewp/visa.jsp
- IBM i and i5/OS:
  ◦ IBM i Security Administration and Compliance by Carol Woodbury, 2012, available from www.amazon.com or MCPress Store
  ◦ iSeries Security Reference manual
  ◦ www.skyviewpartners.com



Areas that are Often Out of Compliance – Automation Opportunities


- May be changed to enable a function and never set back.
- Vendors may modify a value when installing their product.
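The deck's later slides list system values among the settings that drift in exactly this way, so as an added example (not SkyView's or IBM's code) here is a small baseline comparison that catches a value a vendor install changed and never set back. The baseline thresholds are an assumed policy and the "current" values are constructed; on a real system they would be collected with RTVSYSVAL or WRKSYSVAL, or by a vendor tool.

```python
"""Baseline check for IBM i system values. Added example, not SkyView's
or IBM's code. The baseline thresholds are an assumed policy and the
'current' values are constructed (on a real system they would be collected
with RTVSYSVAL/WRKSYSVAL or a vendor tool)."""

# Assumed policy: (comparison, expected). Numeric values compare as numbers;
# "in" lists the acceptable settings; "contains" is for list-type values.
BASELINE = {
    "QSECURITY":  ("min", 40),
    "QPWDMINLEN": ("min", 8),
    "QMAXSIGN":   ("max", 5),
    "QCRTAUT":    ("eq", "*EXCLUDE"),
    "QALWOBJRST": ("in", {"*NONE", "*ALWPTF"}),
    "QAUDCTL":    ("contains", "*AUDLVL"),
}

# Constructed snapshot: QALWOBJRST was opened up to *ALL for a vendor
# install and never set back; QMAXSIGN is missing from the collection.
CURRENT = {
    "QSECURITY": 40,
    "QPWDMINLEN": 8,
    "QCRTAUT": "*EXCLUDE",
    "QALWOBJRST": "*ALL",
    "QAUDCTL": "*AUDLVL *OBJAUD",
}

def _complies(op, expected, value):
    if op == "min":
        return int(value) >= expected
    if op == "max":
        return int(value) <= expected
    if op == "eq":
        return value == expected
    if op == "in":
        return value in expected
    if op == "contains":
        return expected in str(value).split()
    raise ValueError(f"unknown comparison {op}")

def check_system_values(current, baseline):
    """Return (name, current, expected) for every deviation. A value that
    was not collected is reported too: an unchecked value cannot be shown
    to an auditor as compliant."""
    findings = []
    for name, (op, expected) in baseline.items():
        if name not in current:
            findings.append((name, None, f"{op} {expected}"))
        elif not _complies(op, expected, current[name]):
            findings.append((name, current[name], f"{op} {expected}"))
    return findings
```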


- Default passwords
- Inactive users
- Special authority assignment
- Group membership


- ANZDFTPWD – Analyze default passwords
- Change the CRTUSRPRF command default as well as your user profile creation process so that profiles are never created with a default password.


Step 1 – Set profiles to Status *DISABLED
- In V7R1, use the profile expiration attribute on CRTUSRPRF/CHGUSRPRF
- Use IBM SECTOOLS (menu options):
  2. Display active profile list (list of omitted profiles)
  3. Change active profile list (to omit profiles from being set to Status *DISABLED)
  4. Analyze profile activity (scheduled job runs daily to set profiles to *DISABLED; sends a message to the message queue of the user running the menu option)
- Write your own:
  ◦ The key is to look at the right dates: Last used (vs. Last sign-on), Creation, Restore
  ◦ DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS) and join with DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS2)
- Use a vendor product such as SkyView Policy Minder
- Note: If you perform a roll-swap, you need to stop the automatic disabling of profiles.

Step 2 – Delete profiles
- Must be done manually (i5/OS provides no automatic delete)
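The "write your own" option above comes down to a little logic over the joined outfiles. The following Python is an added example (not SkyView's or IBM's code) of that logic, with the omit list, the last-used-versus-last-sign-on distinction and the roll-swap stop modelled as parameters. The profile rows are constructed to resemble the joined DSPUSRPRF/DSPOBJD output; the key names are made up and are not the real outfile field names.

```python
"""Inactive-profile analysis in the spirit of the deck's 'write your own'
option. Added example, not SkyView's or IBM's code. Rows are constructed
to resemble the joined DSPUSRPRF/DSPOBJD outfiles; the key names are
made up, not the real outfile field names."""
from datetime import date, timedelta

# Constructed sample: None stands for a blank/zero date in the outfile.
PROFILES = [
    {"profile": "ALICE", "status": "*ENABLED", "created": date(2010, 3, 1),
     "last_signon": date(2012, 5, 2), "last_used": date(2012, 5, 2), "restored": None},
    # Batch-only profile: never signs on, but its jobs use it every night.
    {"profile": "BATCHJOB", "status": "*ENABLED", "created": date(2009, 1, 1),
     "last_signon": None, "last_used": date(2012, 5, 1), "restored": None},
    {"profile": "OLDDEV", "status": "*ENABLED", "created": date(2008, 6, 1),
     "last_signon": date(2011, 9, 1), "last_used": date(2011, 9, 1), "restored": None},
    # Restored recently: the restore date keeps it from being disabled at once.
    {"profile": "RESTORED1", "status": "*ENABLED", "created": date(2007, 1, 1),
     "last_signon": None, "last_used": None, "restored": date(2012, 4, 20)},
    {"profile": "NEWHIRE", "status": "*ENABLED", "created": date(2012, 4, 25),
     "last_signon": None, "last_used": None, "restored": None},
    {"profile": "QSECOFR", "status": "*ENABLED", "created": date(2005, 1, 1),
     "last_signon": date(2011, 1, 1), "last_used": date(2011, 1, 1), "restored": None},
]

# Equivalent of the SECTOOLS "active profile list": never disable these.
OMIT = {"QSECOFR", "QSYS"}

def last_activity(rec, signon_only=False):
    """Most recent of the dates the deck says to look at. With signon_only
    the last-used date is ignored, which is the mistake the deck warns about."""
    dates = [rec["last_signon"], rec["created"], rec["restored"]]
    if not signon_only:
        dates.append(rec["last_used"])
    return max(d for d in dates if d is not None)

def profiles_to_disable(records, today, max_idle_days, omit=OMIT,
                        signon_only=False, roll_swap=False):
    """Names of enabled profiles idle longer than max_idle_days.
    roll_swap=True models the deck's note: while a roll-swap is in
    progress automatic disabling is stopped, so nothing is returned."""
    if roll_swap:
        return []
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(r["profile"] for r in records
                  if r["status"] == "*ENABLED" and r["profile"] not in omit
                  and last_activity(r, signon_only) < cutoff)
```

Step 2 (deletion) stays manual, as the slide says; this only produces the list of profiles to disable.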


- Profiles are typically copied.
- Recommend:
  ◦ Developing role-based access implemented via group profiles
  ◦ Copying a template rather than another user’s profile


- Recommend that group membership be reviewed at least annually
  ◦ DSPUSRPRF USRPRF(SUPERGROUP) TYPE(*GRPMBR) OUTPUT(*PRINT)
  ◦ DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)


Access to files containing private data, and to programs performing critical actions such as decrypting, needs to be reviewed for appropriate:
- Default access (*PUBLIC authority)
- Additional private authorities
- Authorization list assignment
- Ownership
- Adopted authority settings (programs / service programs)


- Critical files in libraries: authority to files containing
  ◦ Card holder data
  ◦ HR information
  ◦ HIPAA data
  ◦ Confidential data belonging to your organization
- ...and in the IFS: authority to directories and files containing
  ◦ Payroll information
  ◦ Credit card transactions
- ...and don’t forget to review authorization lists


- Review authorities (*PUBLIC and private): are they appropriate?
  ◦ Use DSPAUTL AUTL(autl_name) OUTPUT(*PRINT) or
  ◦ DSPAUTL AUTL(autl_name) OUTPUT(*OUTFILE)
- Review objects secured by the authorization list
  ◦ Use DSPAUTLOBJ AUTL(autl_name) OUTPUT(*PRINT) or
  ◦ DSPAUTLOBJ AUTL(autl_name) OUTPUT(*OUTFILE)
  ◦ Note: Prior to V6R1, DSPAUTLOBJ locks all of the objects secured by the authorization list. It’s best to run this command when users are not attempting to run the application.
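The *OUTFILE form of DSPAUTL makes the authority review itself automatable. The following Python is an added example (not SkyView's or IBM's code) that flags *PUBLIC not set to *EXCLUDE, private authorities that are not in an approved role model, authorities above the approved level, and user-defined authorities that need a manual look. The rows, the role model and the exempt list are constructed; the (list, user, authority) row shape is not the real DSPAUTL outfile record format.

```python
"""Authorization-list authority review. Added example, not SkyView's or
IBM's code. Rows are constructed in the shape (list, user, authority);
the real DSPAUTL outfile has more fields and different names."""

# Constructed DSPAUTL-style rows.
AUTL_ENTRIES = [
    ("CARDDATA", "*PUBLIC",  "*USE"),      # should be *EXCLUDE
    ("CARDDATA", "PAYMENTS", "*CHANGE"),   # approved role group
    ("CARDDATA", "OLDDEV",   "*ALL"),      # private authority nobody approved
    ("HRDATA",   "*PUBLIC",  "*EXCLUDE"),
    ("HRDATA",   "HRGROUP",  "*CHANGE"),
    ("HRDATA",   "HRAPP",    "USER DEF"),  # user-defined authority: review by hand
    ("HRDATA",   "QSECOFR",  "*ALL"),      # exempt below
]

# Assumed role model: list -> {group or user: highest approved authority}.
ROLE_MODEL = {
    "CARDDATA": {"PAYMENTS": "*CHANGE"},
    "HRDATA":   {"HRGROUP": "*CHANGE", "HRAPP": "*USE"},
}

# System-defined object authorities, most to least restrictive.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

def review_autl(entries, role_model, exempt=("QSECOFR",)):
    """Return (list, user, reason) for every entry that needs attention."""
    findings = []
    for autl, user, auth in entries:
        approved = role_model.get(autl, {})
        if user == "*PUBLIC":
            if auth != "*EXCLUDE":
                findings.append((autl, user, f"*PUBLIC is {auth}, expected *EXCLUDE"))
        elif user in exempt:
            continue
        elif auth not in RANK:
            findings.append((autl, user, f"non-standard authority {auth}, review manually"))
        elif user not in approved:
            findings.append((autl, user, f"private authority {auth} not in role model"))
        elif RANK[auth] > RANK[approved[user]]:
            findings.append((autl, user, f"{auth} exceeds approved {approved[user]}"))
    return findings
```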


Prepare to Review these Annually


Review annually to ensure it addresses:
- New technology
- Mergers and acquisitions
- Requirements from new laws or regs


- The typical thought is “it’s not going to happen to us”, therefore no plan is in place.
- If a plan is in place, it needs to be reviewed to ensure:
  ◦ New threats are accounted for
  ◦ New incident techniques are documented
  ◦ Contacts are updated
- Consider a retainer with a company that specializes in investigating incidents


Program needs to be reviewed to ensure:
- Employee policy issues are communicated
- Awareness is raised about new threats
- Requirements from new laws and regs are communicated


- Verify that documentation reflects what is actually done
  ◦ It’s worse to have an inaccurate document than no document at all
- Get rid of documentation for processes that are no longer followed
- Ensure appropriate processes are documented


- Encryption keys
  ◦ Who has responsibility for managing keys? What happens if they leave the company?
  ◦ Do you have a process in place for a) regularly changing keys and b) changing keys on an emergency basis?
- Is all data encrypted that should be encrypted?
  ◦ Backups (get out of the notification requirement of many state breach notification laws)
  ◦ Private data (California breach law now includes healthcare)
  ◦ On PCs: Massachusetts requires private data on mobile devices to be encrypted


Prepare for the Next Audit


- The auditors’ arrival won’t be as frantic if systems are perpetually in compliance.
- Be prepared for their arrival by
  ◦ Updating policies and procedures (document exceptions!)
  ◦ Having work plans ready for known issues not yet addressed
  ◦ Keeping records proving that you’ve been checking compliance
  ◦ Providing the information they’ve requested prior to the audit
  ◦ Addressing previous audit findings


What changes did you have to make?
- System values
- User profile settings
  ◦ Reduce special authorities
  ◦ Remove inactive profiles
- Authorities
  ◦ Database files
  ◦ IFS directories


What reports did you have to generate?
- System values
- User profile settings
- Authorities


How can you automate these activities?
- Benefits:
  ◦ Stop putting so much effort in prior to an audit
  ◦ Perpetual compliance
  ◦ Potential for being more secure


It’s a lifestyle

SkyView Partners: provider of security administration and compliance software, services and solutions
www.skyviewpartners.com

Reach us at: [email protected]
