COMMON Europe Congress 2012 - Vienna
www.skyviewpartners.com
© SkyView Partners, Inc, 2012. All Rights Reserved.
Carol Woodbury @carolwoodbury
President and Co-Founder
SkyView Partners, Inc
Be pro-active
Areas that are often out of compliance
◦ Automation opportunities
Items requiring regular review
Preparing for the next audit
Be Pro-active
Read the business page of national and local newspapers
Read publications from your organization’s vertical industry
Listen to webcasts, read magazines, online forums, newsletters and articles for i5/OS-specific information
◦ SkyView Partners has regular webinars
◦ http://www.skyviewpartners.com/lawsandregs.php
◦ Examples:
  PCI Data Security Standards
  EU Data Privacy Laws
  SOX
  J-SOX
  BASEL III
  Privacy Laws: Korea, PIPEDA, The Companies Bill
Implement security best practices wherever possible
Document the areas where best practices aren’t possible
Engage your development group
Start with an assessment
Prioritize the list of issues
Document your plans for remediation
Security standard
◦ BS7799 -> ISO17799 -> ISO/IEC 27001:2005
◦ www.iso.org
CobiT
◦ Process for analyzing risk in IT
◦ www.isaca.org
Payment Card Industry
◦ Data Security Standards
◦ http://www.skyviewpartners.com/java-skyviewp/visa.jsp
IBM i and i5/OS:
◦ IBM i Security Administration and Compliance by Carol Woodbury, 2012, available from www.amazon.com or MCPress Store
◦ iSeries Security Reference manual
◦ www.skyviewpartners.com
Areas that are Often Out of Compliance – Automation Opportunities
May be changed to enable a function and never set back.
Vendors may modify a value when installing their product.
Default passwords
Inactive users
Special authority assignment
Group membership
ANZDFTPWD – Analyze default passwords
Change the CRTUSRPRF command default as well as your user profile creation process so that profiles are never created with a default password.
Step 1 - Set profiles to Status *DISABLED
◦ In V7R1, use the profile expiration attribute on CRT/CHGUSRPRF
◦ Use IBM SECTOOLS
  2. Display active profile list (list of omitted profiles)
  3. Change active profile list (to omit profiles from being set to Status *DISABLED)
  4. Analyze profile activity (scheduled job runs daily to set profiles to *DISABLED. Sends message to message queue of user running the menu option.)
◦ Write your own –
  key is to look at the right dates - Last used (vs Last sign on), Creation, Restore
  DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS) and join with DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS2)
◦ Use a vendor product such as SkyView Policy Minder
Note: If you perform a roll-swap, you need to stop the automatic disabling of profiles.
Step 2 – Delete profiles
◦ Must be done manually (i5/OS provides no automatic delete)
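The "write your own" option above boils down to joining the DSPUSRPRF and DSPOBJD outfiles and comparing the right dates. The following is an added example, not code from the slides or from SkyView Partners: it models one joined row per profile in a small Python dataclass (the field names are this example's own, not the real outfile column names), applies an assumed 90-day inactivity threshold, and emits the CHGUSRPRF commands for step 1. It treats last-used, last sign-on, creation and restore dates all as evidence of activity, which is why a nightly batch profile that never signs on interactively, a two-week-old profile nobody has used yet, and a profile restored during a roll-swap are all left alone. The sample rows are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy threshold (not a value from the slides): a profile with no
# activity for this many days is a candidate for STATUS(*DISABLED).
INACTIVE_DAYS = 90


@dataclass
class Profile:
    """One row of the joined DSPUSRPRF / DSPOBJD outfiles (field names are modelled, not the real columns)."""
    name: str
    status: str                         # *ENABLED or *DISABLED (DSPUSRPRF)
    previous_signon: Optional[date]     # last interactive sign-on (DSPUSRPRF); None = never
    creation: date                      # object creation date (DSPOBJD)
    last_used: Optional[date]           # object last-used date (DSPOBJD); None = never used
    restored: Optional[date]            # object restore date (DSPOBJD); None = never restored
    exempt: bool = False                # on the SECTOOLS "omit" list


def last_activity(p: Profile) -> date:
    """Most recent evidence that the profile is alive.

    The last-used date counts non-interactive use (batch, FTP, ODBC, submitted
    jobs) that the sign-on date never records; creation and restore dates keep
    brand-new or freshly restored profiles (e.g. after a roll-swap) from being
    disabled before anyone has had a chance to use them.
    """
    return max(d for d in (p.last_used, p.previous_signon, p.creation, p.restored) if d is not None)


def profiles_to_disable(profiles: List[Profile], today: date,
                        inactive_days: int = INACTIVE_DAYS) -> List[str]:
    """Names of enabled, non-exempt profiles whose last activity is older than the cutoff."""
    cutoff = today - timedelta(days=inactive_days)
    return [p.name for p in profiles
            if not p.exempt and p.status != "*DISABLED" and last_activity(p) < cutoff]


def disable_commands(names: List[str]) -> List[str]:
    """CL for step 1; step 2 (deleting) stays a manual decision, as the slides say."""
    return [f"CHGUSRPRF USRPRF({n}) STATUS(*DISABLED)" for n in names]


# Constructed sample rows, not real profiles.
TODAY = date(2012, 6, 1)
SAMPLE = [
    Profile("CJW", "*ENABLED", date(2012, 5, 30), date(2005, 1, 10), date(2012, 5, 31), None),
    # never signs on interactively but runs batch work nightly: the sign-on date alone would disable it
    Profile("NIGHTBATCH", "*ENABLED", None, date(2009, 3, 2), date(2012, 5, 28), None),
    Profile("OLDUSER", "*ENABLED", date(2011, 11, 1), date(2008, 7, 7), date(2011, 12, 15), None),
    # created two weeks ago and not yet used: the creation date protects it
    Profile("NEWHIRE", "*ENABLED", None, date(2012, 5, 20), None, None),
    # restored during a roll-swap last week: the restore date protects it
    Profile("RESTORED", "*ENABLED", None, date(2007, 2, 1), date(2011, 1, 1), date(2012, 5, 25)),
    Profile("QSECOFR", "*ENABLED", date(2011, 1, 1), date(2000, 1, 1), date(2011, 1, 1), None, exempt=True),
    Profile("GONE", "*DISABLED", date(2010, 1, 1), date(2006, 1, 1), date(2010, 1, 1), None),
]

if __name__ == "__main__":
    for cmd in disable_commands(profiles_to_disable(SAMPLE, TODAY)):
        print(cmd)
```

Run against the constructed rows, only OLDUSER is disabled. In practice the rows would come from the two outfiles named on the slide, and the exempt flag from the SECTOOLS omit list.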
Profiles are typically copied.
Recommend:
◦ Developing role-based access implemented via group profiles
◦ Copy a template rather than another user’s profile
Recommend that group membership be reviewed at least annually
DSPUSRPRF USRPRF(SUPERGROUP) TYPE(*GRPMBR) OUTPUT(*PRINT)
DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
Access to files containing private data, and to programs performing critical actions such as decrypting, needs to be reviewed for appropriate:
Default access (*PUBLIC authority)
Additional private authorities
Authorization list assignment
Ownership
Adopted authority settings (programs / service programs)
Critical files in libraries
Authority to files containing:
◦ Card holder data
◦ HR information
◦ HIPAA data
◦ Confidential data belonging to your organization
and in the IFS
Authority to directories and files containing:
◦ Payroll information
◦ Credit card transactions
and don’t forget to review authorization lists
Review authorities - *PUBLIC and private – are they appropriate?
◦ Use DSPAUTL AUTL(autl_name) OUTPUT(*PRINT) or
◦ DSPAUTL AUTL(autl_name) OUTPUT(*OUTFILE)
Review objects secured by the authorization list
◦ Use DSPAUTLOBJ AUTL(autl_name) OUTPUT(*PRINT) or
◦ DSPAUTLOBJ AUTL(autl_name) OUTPUT(*OUTFILE)
◦ (Note: Prior to V6R1, DSPAUTLOBJ locks all of the objects secured by the authorization list. It’s best to run this command when users are not attempting to run the application.)
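The two review lists above (the five authority attributes to check on critical files and programs, and the authorization-list review) are the kind of thing worth turning into a repeatable check once the DSPOBJAUT and DSPAUTL output is in an outfile. The following is an added example, not code from the slides or from SkyView Partners: it models object, authorization-list and profile records in its own dataclasses (field names are this example's own, not the real outfile columns), resolves *PUBLIC *AUTL through the securing list, and reports three kinds of finding under an assumed policy: *PUBLIC other than *EXCLUDE on files tagged as holding cardholder, HR, HIPAA or payroll data; private authorities granted to individual users rather than group profiles (the role-based recommendation earlier in the deck); and programs that adopt the authority of an *ALLOBJ owner. All sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed classification tags for the data categories the slides single out.
SENSITIVE_TAGS = {"CARDHOLDER", "HR", "HIPAA", "PAYROLL"}


@dataclass
class UserProfile:
    name: str
    is_group: bool                                        # group profile (role) vs individual user
    special_auth: Set[str] = field(default_factory=set)   # e.g. {"*ALLOBJ"}


@dataclass
class AuthList:
    """Authorization list as DSPAUTL shows it: a *PUBLIC entry plus named entries."""
    name: str
    public: str
    entries: Dict[str, str] = field(default_factory=dict)


@dataclass
class ObjectAuth:
    """Authority attributes of one object as DSPOBJAUT would list them (field names modelled, not real columns)."""
    name: str
    library: str
    obj_type: str                       # *FILE, *PGM, *SRVPGM, ...
    owner: str
    public: str                         # *EXCLUDE, *USE, *CHANGE, *ALL or *AUTL
    autl: str = ""                      # securing authorization list, if any
    private: Dict[str, str] = field(default_factory=dict)
    adopts_owner: bool = False          # program created with USRPRF(*OWNER)
    tags: Set[str] = field(default_factory=set)


Finding = Tuple[str, str, str]          # (library/object, category, detail)


def effective_public(obj: ObjectAuth, autls: Dict[str, AuthList]) -> str:
    """*PUBLIC *AUTL means the public authority comes from the list, so resolve it there."""
    if obj.public == "*AUTL" and obj.autl in autls:
        return autls[obj.autl].public
    return obj.public


def review_object(obj: ObjectAuth, autls: Dict[str, AuthList],
                  users: Dict[str, UserProfile]) -> List[Finding]:
    findings: List[Finding] = []
    qname = f"{obj.library}/{obj.name}"
    public = effective_public(obj, autls)

    # Default access: assumed policy is that sensitive data is *EXCLUDE to *PUBLIC.
    if obj.tags & SENSITIVE_TAGS and public != "*EXCLUDE":
        findings.append((qname, "PUBLIC", f"*PUBLIC is {public} on {sorted(obj.tags)} data"))

    # Private authorities, on the object itself or via its authorization list:
    # grants to individual users instead of group profiles undercut role-based access.
    grants = dict(obj.private)
    if obj.autl in autls:
        grants.update(autls[obj.autl].entries)
    for user, auth in grants.items():
        u = users.get(user)
        if u is None:
            findings.append((qname, "PRIVATE", f"authority {auth} held by unknown profile {user}"))
        elif not u.is_group:
            findings.append((qname, "PRIVATE", f"authority {auth} granted to individual {user}, not a group"))

    # Ownership and adopted authority: a program that adopts an *ALLOBJ owner
    # lends every caller that authority for the duration of the call.
    owner = users.get(obj.owner)
    if obj.adopts_owner and owner is not None and "*ALLOBJ" in owner.special_auth:
        findings.append((qname, "ADOPT", f"{obj.obj_type} adopts owner {obj.owner}, who has *ALLOBJ"))
    return findings


def review_all(objects: List[ObjectAuth], autls: Dict[str, AuthList],
               users: Dict[str, UserProfile]) -> List[Finding]:
    return [f for o in objects for f in review_object(o, autls, users)]


# Constructed sample data, not from any real system.
USERS = {
    "APPOWNER": UserProfile("APPOWNER", False),
    "PAYGRP": UserProfile("PAYGRP", True),
    "BOB": UserProfile("BOB", False),
    "QSECOFR": UserProfile("QSECOFR", False, {"*ALLOBJ", "*SECADM"}),
}
AUTLS = {"PAYAUTL": AuthList("PAYAUTL", "*EXCLUDE", {"PAYGRP": "*CHANGE"})}
OBJECTS = [
    ObjectAuth("CARDHOLD", "PAYLIB", "*FILE", "APPOWNER", "*EXCLUDE", private={"PAYGRP": "*CHANGE"}, tags={"CARDHOLDER"}),
    ObjectAuth("HRMASTER", "HRLIB", "*FILE", "APPOWNER", "*USE", private={"BOB": "*ALL"}, tags={"HR"}),
    ObjectAuth("PAYROLL", "PAYLIB", "*FILE", "APPOWNER", "*AUTL", autl="PAYAUTL", tags={"PAYROLL"}),
    ObjectAuth("DECRYPT", "PAYLIB", "*PGM", "QSECOFR", "*USE", adopts_owner=True),
]

if __name__ == "__main__":
    for obj, category, detail in review_all(OBJECTS, AUTLS, USERS):
        print(f"{category:8} {obj:20} {detail}")
```

On the constructed data the cardholder file and the payroll file (secured through PAYAUTL) come back clean, HRMASTER is flagged twice (public *USE, and a private *ALL grant to an individual), and the DECRYPT program is flagged for adopting an *ALLOBJ owner. Keeping the report in a scheduled job, rather than running it once before the auditors arrive, is the automation the deck is arguing for.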
Prepare to Review these Annually
Review annually to ensure it addresses:
New technology
Mergers and acquisitions
Requirements from new laws or regs
Typical thought is – it’s not going to happen to us – therefore no plan is in place.
If a plan is in place, it needs to be reviewed to ensure:
New threats are accounted for
New incident techniques are documented
Contacts are updated
-> Consider a retainer with a company that specializes in investigating incidents
Program needs to be reviewed to ensure:
Employee policy issues are communicated
Awareness is raised about new threats
Requirements from new laws and regs are communicated
Verify documentation reflects what is actually done
◦ Worse to have an inaccurate document than no document at all
Get rid of documentation for processes that are no longer followed
Ensure appropriate processes are documented
Encryption keys
◦ Who has responsibility for managing keys? What happens if they leave the company?
◦ Do you have a process in place for a) regularly changing keys b) changing keys on an emergency basis?
Is all data encrypted that should be encrypted?
◦ Backups (get out of notification requirement of many state breach notification laws)
◦ Private data (California breach now includes healthcare)
◦ On PCs – Massachusetts requires private data on mobile devices to be encrypted
Prepare for the Next Audit
Arrival won’t be as frantic if systems are perpetually in compliance.
Be prepared for their arrival by
◦ Updating policies and procedures
  Document exceptions!
◦ Having work plans ready for known issues not yet addressed
◦ Keeping records proving that you’ve been checking compliance
◦ Providing the information they’ve requested prior to the audit
◦ Addressing previous audit findings
What changes did you have to make?
◦ System values
◦ User profile settings
  Reduce special authorities
  Remove inactive profiles
◦ Authorities
  Database files
  IFS directories
What reports did you have to generate?
◦ System values
◦ User profile settings
◦ Authorities
How can you automate these activities?
Benefits:
Stop putting in so much effort just before an audit
Perpetual compliance
Potential for being more secure
It’s a lifestyle
SkyView Partners – provider of security administration and compliance software, services and solutions
www.skyviewpartners.com
Reach us at:
info@skyviewpartners.com