ROADMAP TO COMPLIANCE ON THE IBM SYSTEM i
WHITE PAPER, APRIL 2009
Table of Contents
Prepare an IT security policy ... 4
How are users accessing the system? ... 5
How many powerful users are on the system? ... 6
How well are users managing their passwords? ... 8
Is system activity monitored and reported on? ... 8
Best Practices for IT Security Compliance ... 10
How Safestone Addresses Security Compliance ... 11
Conclusion ... 12

SAFESTONE SafestOne for Compliance on the System i Page 2 of 12
Roadmap to Compliance on the IBM System i

Managing risk and adhering to corporate IT security policies has become an accepted practice for organizations. In the last five years regulations such as SOX, HIPAA and Basel II have been introduced and have grown in complexity. In addition, standards such as COBIT and ISO 27002, as well as the Payment Card Industry Data Security Standard (PCI DSS), have emerged. These standards are an example of what auditors use to measure how well an organization complies with regulations.

When preparing for an IT security audit, organizations should use these standards as guidelines for establishing a security policy that specifies how the organization will manage risk and secure sensitive data. Once the policy is established, routine audits should be conducted to ensure policy guidelines are being followed. These steps help organizations prepare for an IT audit. An IT audit should be a way for organizations to demonstrate to auditors that users understand and adhere to the established IT security practices.

A roadmap to compliance should include the following phases:
- Creation of an IT security policy
- Regular internal and external audits
- Evaluation of audit discoveries
- Evolution of policies and procedures

Following these steps will help companies stay aware of changing internal and external compliance requirements.
Prepare an IT security policy

Creating an IT security policy involves several different people within the organization. IT administrators, executives, auditors and other key team members should be involved in the process to ensure the policy is adopted throughout. A security policy should not drastically change the way users work. Once they understand the policy, users will begin to see its usefulness in increasing productivity as well as its importance for demonstrating compliance.

When preparing the IBM System i for an IT security audit, administrators and management need to think about what the auditor is going to look for. According to ISO standards, the security policy is where an auditor will start:

"An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties." (ISO17799, v5.1)

But writing a policy simply to show to auditors is not enough; auditors will want to know how the policy is being enforced throughout the organization. A security policy is a documented process for controlling and monitoring access to data on the system, but the real value of a security policy comes from how well it is implemented throughout the organization.

If you do not already have a policy in place, where do you start? The first step should include determining what data needs to be protected and understanding how it is being accessed, shared and utilized throughout the organization. This can be accomplished by running reports to answer the following:
- How are users accessing the system?
- How many powerful users are on the system?
- How well are users managing their passwords?
- Is all activity on the system monitored and reported on?

An IT auditor will want to know the answers to these questions and will look to a security policy for them.
How are users accessing the system?

Why do auditors care about user access? Standards such as ISO 17799 and PCI DSS both clearly state that access to data must be controlled. The following extract is directly out of the PCI DSS and targets controlling user access:

"Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes"

Relevant COBIT Objectives:
- DS5.4 User Account Management
- DS5.5 Security Testing, Surveillance, and Monitoring

A security policy should define how users access data. On the System i, users can access data in multiple ways: through the (1) application menu, (2) command line or (3) network. Access control methods based on the application menu and command line are often used by administrators to restrict access. These access control methods are very effective; however, they do not address a common way users access data on the System i, the network. Network access to data can be performed using widely available tools such as FTP and ODBC. Every System i has this ability built in, and it does not require special configuration to implement. To help eliminate the exposure created by this type of access, IBM has created exit points which can be monitored using software that is specifically designed to control and limit network access.

Even though network access is considered the most common way to access data, it is the most overlooked form of access control. Recent studies have shown that many organizations are not monitoring network access, and even more are not controlling access to data. Nearly 70% of systems sampled were not monitoring this type of access, leaving sensitive data vulnerable and susceptible to being compromised.

Best practices for controlling network access include utilizing software such as DetectIT Network Traffic Controller to monitor and control remote access requests.
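The distinction the section draws between monitoring network access and controlling it can be illustrated with a small decision routine of the kind an exit-point program applies to each remote request. This is an added example, not code from the paper or from any Safestone or IBM product; the rule format, the "*FTP"/"*ODBC" server labels and the sample requests are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy format (this example's own, not a product or IBM API):
# (user, server) -> set of operations that user may perform over that server.
# Anything not listed is denied when enforcement is on. "*FTP" and "*ODBC"
# are placeholder labels for the FTP and ODBC exit points the paper refers to.
RULES = {
    ("PAYROLL1", "*ODBC"): {"SELECT"},
    ("BATCHXFR", "*FTP"): {"GET"},
}


@dataclass(frozen=True)
class Request:
    """One remote access request as an exit program would see it (constructed)."""
    user: str
    server: str      # "*FTP" or "*ODBC"
    operation: str   # e.g. "GET", "PUT", "SELECT", "UPDATE"
    target: str      # library/file or table being accessed


def evaluate(req, rules, enforce):
    """Return (decision, audit line) for one request.

    enforce=False models "monitoring only": every request is logged but
    allowed. enforce=True models "control": unmatched requests are rejected."""
    permitted = req.operation in rules.get((req.user, req.server), set())
    decision = "ALLOW" if permitted or not enforce else "REJECT"
    line = (f"{req.server} user={req.user} op={req.operation} "
            f"obj={req.target} rule={'match' if permitted else 'none'} {decision}")
    return decision, line


def run(requests, rules, enforce):
    """Process a batch of requests; returns the audit trail and the rejected ones."""
    trail, rejected = [], []
    for req in requests:
        decision, line = evaluate(req, rules, enforce)
        trail.append(line)
        if decision == "REJECT":
            rejected.append(req)
    return trail, rejected


# Constructed sample traffic.
SAMPLE = [
    Request("PAYROLL1", "*ODBC", "SELECT", "PAYLIB/EMPMAST"),
    Request("PAYROLL1", "*ODBC", "UPDATE", "PAYLIB/EMPMAST"),
    Request("GUEST", "*FTP", "GET", "PAYLIB/EMPMAST"),
    Request("BATCHXFR", "*FTP", "GET", "XFRLIB/DAILY"),
]

if __name__ == "__main__":
    for line in run(SAMPLE, RULES, enforce=True)[0]:
        print(line)
```

Running with enforce=False produces the same four audit lines but rejects nothing, which is the "monitored but not controlled" state the section describes.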
How many powerful users are on the system?

It is very common for users to have more access to data than their daily function requires. Auditors are especially interested in learning how organizations overcome and manage this situation. Why do auditors care? According to the PCI DSS and CobIT standards, monitoring and controlling privileged users is an important step in the compliance roadmap that must be addressed:

"Restrict access to cardholder data by business need to know." (PCI Requirement 7.1 7.23, Implement Strong Access Control Measures)

"All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements." (CobIT DS5.3 Identity Management)

Controlling and limiting the number of powerful users is often the most challenging area to address. Once users have become accustomed to having privileged access to data, it is very difficult to get them to relinquish any of that power. The need for privileged access is often seen as a requirement for users to perform their daily job functions, and if this power is taken away they must ask for permission to perform duties, which slows down productivity. It is because of this perceived requirement that nearly 60% of System i systems assessed have too many powerful users. System i security best practices suggest that if a company has more than 10 active powerful users, the company has too many users with this type of access.
How should a company resolve this challenge and satisfy audit requirements? Controls that show what users are doing with data while working with these types of special authorities, and a process to maintain an audit trail of all activity, are essential to meeting auditors' expectations. This includes monitoring users on the System i with the following special authorities:

IBM System i Special Authority   Function
*ALLOBJ                          Complete access to all data, libraries and files on the system.
*SECADM                          Authority to create new users.
*IOSYSCFG                        Ability to configure communication routes.
*AUDIT                           System auditing.
*SPLCTL                          Complete authority over all reports and jobs.
*SERVICE                         Hardware service access.
*JOBCTL                          Regulated authority over all reports and jobs.
*SAVSYS                          System save capability.

Managing these types of profiles effectively requires administrators to run several reports, manually check out privileged profiles to users when needed and document all activity. There are software solutions that automate and facilitate this type of user management to aid in this manual but necessary process.

Best practices for controlling privileged users include utilizing software such as DetectIT Powerful User Passport to limit the number of powerful users and provide auditors and management with a comprehensive audit trail of their activities.
How well are users managing their passwords?

Controlling how users access data and limiting powerful users are important security practices; however, a strong password policy is also an essential step in the roadmap to compliance. Weak passwords mean sensitive data is extremely vulnerable and accessible by anyone within or outside the company. Why do auditors care about password management? A strong password policy can be seen as the first line of defence for securing access to data. According to the PCI DSS and ISO 27002 standards:

"The allocation of passwords should be controlled through a formal management process." (ISO 27002 (17799) 11.2.3 User Password Management)

"Management should review users' access rights at regular intervals using a formal process." (ISO 27002 (17799) 11.2.4 Review of User Access Rights)

"Users would be required to follow good security practices in the selection and use of passwords, i.e. select quality passwords with sufficient minimum length, and that are free of consecutive identical, all numeric or all alphabetic characters." (ISO 27002 (17799) 11.3.1 Password Use)

A recent study of security practices on the System i showed that many organizations have overlooked some critical steps in establishing internal password policies. A strong password policy should require user profiles that have the following:
- No default passwords (password = username)
- Minimum password length (greater than 8 digits)
- A required digit in the password
- Passwords that expire

Best practices for monitoring password policies include Safestone's DetectIT User Profile Manager to manage profiles and passwords on the System i.
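The two reports the paper asks for in this section and the previous one, counting active powerful users against the special-authority list and checking the four password-policy points, can be expressed as one audit over user-profile records. This is an added example, not code from the paper or from Safestone's products: the Profile records are constructed in the shape of DSPUSRPRF output, the default-password flag stands in for what ANZDFTPWD reports, and the system values QPWDMINLEN, QPWDRQDDGT and QPWDEXPITV are assumed to have been read from the system beforehand.

```python
from dataclasses import dataclass

# The eight special authorities the paper lists for monitoring.
POWERFUL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                        "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS"}
MAX_POWERFUL_USERS = 10  # ceiling the paper cites as best practice

@dataclass(frozen=True)
class Profile:
    """Constructed record modelled on DSPUSRPRF output (not real data)."""
    name: str
    status: str          # "*ENABLED" or "*DISABLED"
    spcaut: frozenset    # special authorities granted to the profile
    pwdexpitv: str       # "*SYSVAL", "*NOMAX" or a number of days
    default_pwd: bool    # True if password equals the profile name (ANZDFTPWD)

def powerful_users(profiles):
    """Active profiles holding at least one of the listed special authorities."""
    return sorted(p.name for p in profiles
                  if p.status == "*ENABLED" and p.spcaut & POWERFUL_AUTHORITIES)

def over_limit(profiles):
    """True when active powerful users exceed the paper's ceiling of 10."""
    return len(powerful_users(profiles)) > MAX_POWERFUL_USERS

def password_findings(profiles, sysvals):
    """Findings for the paper's four password points; sysvals holds QPWDMINLEN,
    QPWDRQDDGT (1 = digit required) and QPWDEXPITV (days or *NOMAX)."""
    findings = []
    if sysvals["QPWDMINLEN"] <= 8:
        findings.append("QPWDMINLEN: minimum length is not greater than 8")
    if sysvals["QPWDRQDDGT"] != 1:
        findings.append("QPWDRQDDGT: a digit is not required in passwords")
    if sysvals["QPWDEXPITV"] == "*NOMAX":
        findings.append("QPWDEXPITV: passwords never expire system-wide")
    for p in profiles:
        if p.default_pwd:
            findings.append(f"{p.name}: default password (password = user name)")
        if p.pwdexpitv == "*NOMAX":
            findings.append(f"{p.name}: profile overrides expiry with *NOMAX")
    return findings

# Constructed sample data.
SAMPLE_PROFILES = [
    Profile("QSECOFR", "*ENABLED", frozenset({"*ALLOBJ", "*SECADM"}), "*SYSVAL", False),
    Profile("OPER1", "*ENABLED", frozenset({"*JOBCTL"}), "*NOMAX", False),
    Profile("TEMP", "*ENABLED", frozenset(), "*SYSVAL", True),
    Profile("OLDADM", "*DISABLED", frozenset({"*ALLOBJ"}), "*SYSVAL", False),
]
SAMPLE_SYSVALS = {"QPWDMINLEN": 6, "QPWDRQDDGT": 0, "QPWDEXPITV": "*NOMAX"}
```

On the sample data the disabled profile OLDADM is not counted as a powerful user, while OPER1's *NOMAX and TEMP's default password each produce a finding in addition to the three system-value findings.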
Is system activity monitored and reported on?

A security policy should define a regular audit process. The security policy and practices need to be reviewed and re-evaluated on a regular schedule. Organizations should conduct regular internal audits to validate the effectiveness of the current IT security policy. Regular audits are also key components of security standards such as PCI DSS and ISO 27002:

"Maintain an information security policy." (PCI DSS, Requirement 12)

"Review logs for all system components at least daily." (PCI DSS requirement 10.6)

The internal audit should contain the following components:
- Assessment: evaluate the current policy and identify corrections.
- Correction: determine where there are breakdowns in the IT security process and prioritize fixes.
- Maintenance: an ongoing process which does not conclude at the end of the internal audit and which, when done regularly, helps ensure data integrity.

In addition to conducting regular internal audits, organizations should have external audits performed routinely to obtain a benchmark of where they are with their security policy. When an external audit is performed, an auditor will want to know that internal audits have been conducted regularly and will look for documentation that supports this.

"Retain audit trail history for at least one year, with a minimum of three months online availability." (PCI DSS requirement 10.7)

"Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future." (ISO 17799 10.10.1)

Best practices for internal and external audit preparation include implementing a software solution such as Safestone's DetectIT Security Audit & Detection, which monitors activity on the System i and produces meaningful reports relevant to an IT security policy.
Best Practices for IT Security Compliance

When preparing for an IT security audit, organizations should follow these recommendations for managing risk and securing sensitive data:
- Create an IT security policy
- Secure network access
- Enforce separation of duties
- Control and limit privileged users
- Require strong password policies
- Conduct regular internal and external audits
- Demonstrate compliance to auditors
- Evolve security policies and procedures
How Safestone Addresses Security Compliance

- Create an IT security policy. DetectIT Risk and Compliance Monitor contains pre-defined policies based upon internationally accepted standards against which your systems are monitored.
- Secure network access. DetectIT Network Traffic Controller effectively firewalls the System i from the rest of the network.
- Enforce separation of duties. It is important that those using the system are not the same people who are policing it. DetectIT Smart Security Console can be used by non-technical administrators to check on all users' activities.
- Control and limit privileged users. DetectIT Powerful User Passport allows administrators to delegate what data users should have privileged access to, and when, without disrupting current business processes.
- Require strong password policies. DetectIT Password Self Help, which includes Password Synchronization and a Password Validation Program, ensures that strong passwords are used and that the whole process of managing passwords is easily enforced.
- Conduct regular internal and external audits. DetectIT Security Audit and Detection Module can be scheduled to provide comprehensive audits on your System i.
- Demonstrate compliance to auditors. DetectIT Security Audit and Detection Module allows you to configure, report and archive against thousands of different security events.
- Evolve security policies and procedures. Use results obtained from the various modules of DetectIT as a baseline for refining an IT security policy.
Conclusion

Government regulations and standards will continue to evolve, and organizations will need to continue evaluating current security policies and evolving them with business and external changes. An IT security policy should not be viewed as merely a box to check to meet auditors' demands; it should be used by organizations to refine processes and protect the company's most important asset: sensitive data. Everyone in the organization shares ownership in protecting sensitive data, and all have a responsibility to work towards compliance.

When thinking about compliance, organizations should view the process in four phases:
- Creation of an IT security policy
- Regular internal and external audits
- Evaluation of audit discoveries
- Evolution of policies and procedures

None of these phases is trivial, and all are essential building blocks in the creation of an effective security policy that will satisfy auditors' requirements. Each phase is created by following specific steps that build on the previous one. Taken together they form a framework that provides the structure for everyone in the organization to know what their responsibilities are for accessing and modifying data according to corporate guidelines and standards. Once the framework is in place, everyone will know what the policy is and how it affects them. A security policy holds users accountable to internal compliance practices and is what your IT auditor will refer to at your next audit and use for measuring your organization's compliance.