8 Best Practices for IT Security Compliance




ROADMAP TO COMPLIANCE ON THE IBM SYSTEM i WHITE PAPER APRIL 2009

Table of Contents

Prepare an IT security policy ... 4
How are users accessing the system? ... 5
How many powerful users are on the system? ... 6
How well are users managing their passwords? ... 8
Is system activity monitored and reported on? ... 8
Best Practices for IT Security Compliance ... 10
How Safestone Addresses Security Compliance ... 11
Conclusion ... 12

SAFESTONE SafestOne for Compliance on the System i Page 2 of 12

Roadmap to Compliance on the IBM System i

Managing risk and adhering to corporate IT security policies has become an accepted practice for organizations. In the last five years, regulations such as SOX, HIPAA and Basel II have been introduced and have evolved in complexity. In addition, standards such as COBIT and ISO 27002, as well as the Payment Card Industry Data Security Standard (PCI DSS), have emerged. These standards are an example of what auditors use to measure how well an organization complies with regulations.

When preparing for an IT security audit, organizations should use these standards as guidelines for establishing a security policy that specifies how the organization will manage risk and secure sensitive data. Once the policy is established, routine audits should be conducted to ensure policy guidelines are being followed. These steps help organizations prepare for an IT audit. An IT audit should be a way for organizations to demonstrate to auditors that users understand and adhere to the established IT security practices.

A roadmap to compliance should include the following phases:

- Creation of an IT security policy
- Regular internal and external audits
- Evaluation of audit discoveries
- Evolution of policies and procedures

Following these steps will help companies stay aware of changing internal and external compliance requirements.

Prepare an IT security policy

Creating an IT security policy involves several different people within the organization. IT administrators, executives, auditors and other key team members should be involved in the process to ensure the policy is adopted throughout. A security policy should not drastically change the way users work. Once they understand the policy, users will begin to see its usefulness in increasing productivity as well as its importance for demonstrating compliance.

When preparing the IBM System i for an IT security audit, administrators and management need to think about what the auditor is going to look for. According to ISO standards, the security policy is where an auditor will start:

"An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties." (ISO17799, v5.1)

But writing a policy simply to show to auditors is not enough; auditors will want to know how the policy is being enforced throughout the organization. A security policy is a documented process for controlling and monitoring access to data on the system, but the real value of a security policy comes from how well it is implemented throughout the organization.

If you do not already have a policy in place, where do you start? The first step should be to determine what data needs to be protected and to understand how it is being accessed, shared and utilized throughout the organization. This can be accomplished by running reports to answer the following:

- How are users accessing the system?
- How many powerful users are on the system?
- How well are users managing their passwords?
- Is all activity on the system monitored and reported on?

An IT auditor will want to know the answers to these questions and will look to a security policy for them.

How are users accessing the system?

Why do auditors care about user access? Standards such as ISO 17799 and PCI DSS both clearly state that access to data must be controlled. The following extract is taken directly from the PCI DSS and targets controlling user access:

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Relevant COBIT objectives: DS5.4 User Account Management; DS5.5 Security Testing, Surveillance, and Monitoring

A security policy should define how users access data. On the System i, users can access data in multiple ways: through the (1) application menu, (2) command line or (3) network. Access control methods based on the application menu and command line are often used by administrators to restrict access. These methods are very effective; however, they do not address a common way users access data on the System i: the network.

Network access to data can be done using widely available tools such as FTP and ODBC. Every System i has this ability built in, and it does not require special configuration. To help eliminate the exposure created by this type of access, IBM has created exit points which can be monitored using software that is specifically designed to control and limit network access.

Even though network access is considered the most common way to access data, it is the most overlooked form of access control. Recent studies have shown that many organizations are not monitoring network access and even more are not controlling access to data. Nearly 70% of systems sampled were not monitoring this type of access, leaving sensitive data vulnerable and susceptible to compromise.

Best practices for controlling network access include utilizing software such as DetectIT Network Traffic Controller to monitor and control remote access requests.

How many powerful users are on the system?

It is very common for users to have more access to data than is needed for their daily function. Auditors are especially interested in learning how organizations overcome and manage this situation. Why do auditors care? According to PCI DSS and COBIT standards, monitoring and controlling privileged users is an important step in the compliance roadmap that must be addressed:

"Restrict access to cardholder data by business need to know." (PCI Requirement 7.1 7.23, Implement Strong Access Control Measures)

"All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements." (COBIT DS5.3 Identity Management)

Controlling and limiting the number of powerful users is often the most challenging area to address. Once users have become accustomed to having privileged access to data, it is very difficult to get them to relinquish any of that power. The need for privileged access is often seen as a requirement for users to perform their daily job functions, and if this power is taken away they must ask for permission to perform duties, which slows down productivity. It is because of this perceived requirement that nearly 60% of System i's assessed have too many powerful users. System i security best practices suggest that if a company has more than 10 active powerful users, the company has too many users with this type of access.

How should a company resolve this challenge and satisfy audit requirements? Controls that show what users are doing with data while working with these types of special authorities, and a process to maintain an audit trail of all activity, are essential to meeting auditors' expectations. This includes monitoring users on the System i with the following special authorities:

IBM System i special authority: Function
*ALLOBJ: Complete access to all data, libraries and files on the system.
*SECADM: Authority to create new users.
*IOSYSCFG: Ability to configure communication routes.
*AUDIT: System auditing.
*SPLCTL: Complete authority over all reports and jobs.
*SERVICE: Hardware service access.
*JOBCTL: Regulated authority over all reports and jobs.
*SAVSYS: System save capability.

Managing these types of profiles effectively requires administrators to run several reports, manually check out privileged profiles to users when needed, and document all activity. There are software solutions that automate and facilitate this type of user management to aid in this manual but necessary process. Best practices for controlling privileged users include utilizing software such as DetectIT Powerful User Passport to limit the number of powerful users and provide auditors and management with a comprehensive audit trail of their activities.

How well are users managing their passwords?

Controlling how users access data and limiting powerful users are important security practices; however, a strong password policy is also an essential step in the roadmap to compliance. Weak passwords mean sensitive data is extremely vulnerable and accessible to anyone inside or outside the company.

Why do auditors care about password management? A strong password policy can be seen as the first line of defence for securing access to data. According to PCI DSS and ISO 27002 standards:

"The allocation of passwords should be controlled through a formal management process." (ISO 27002 (17799) 11.2.3 User Password Management)

"Management should review users' access rights at regular intervals using a formal process." (ISO 27002 (17799) 11.2.4 Review of User Access Rights)

"Users would be required to follow good security practices in the selection and use of passwords, i.e. select quality passwords with sufficient minimum length, and that are free of consecutive identical, all numeric or all alphabetic characters." (ISO 27002 (17799) 11.3.1 Password Use)

A recent study of security practices on the System i showed that many organizations have overlooked some critical steps in establishing internal password policies. A strong password policy should require user profiles to have the following:

- No default passwords (password = user name)
- Minimum password length greater than 8 characters
- A required digit in the password
- Passwords that expire

Best practices for monitoring password policies include Safestone's DetectIT User Profile Manager to manage profiles and passwords on the System i.
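The two checks described in the last two sections, the count of active profiles holding special authorities against the 10-user threshold and the four password-policy rules, can be run over a snapshot of user profiles and system values. The script below is an added example written for this page, not Safestone's or IBM's code; the system value names QPWDMINLEN, QPWDRQDDGT and QPWDEXPITV are real IBM i names, while the profile records and the default-password flag are constructed stand-ins for what DSPUSRPRF and ANZDFTPWD would report.

```python
"""Audit a constructed IBM i snapshot against the white paper's checks:
active powerful users (more than 10 is too many) and the four password
rules. Added example, not Safestone's or IBM's code."""
from dataclasses import dataclass, field

# Special authorities listed in the paper; holding any one makes a profile "powerful".
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                       "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS"}
MAX_POWERFUL_USERS = 10   # paper: more than 10 active powerful users is too many
MIN_PASSWORD_LENGTH = 9   # paper: minimum length "greater than 8"

@dataclass
class UserProfile:
    name: str
    status: str                       # *ENABLED or *DISABLED, as DSPUSRPRF shows it
    special_authorities: set = field(default_factory=set)
    default_password: bool = False    # assumed flag, as ANZDFTPWD would report it

def powerful_users(profiles):
    """Active profiles holding at least one special authority, with the
    authorities each holds (the inventory an auditor asks for)."""
    return {p.name: sorted(p.special_authorities & SPECIAL_AUTHORITIES)
            for p in profiles
            if p.status == "*ENABLED" and p.special_authorities & SPECIAL_AUTHORITIES}

def password_policy_findings(system_values, profiles):
    """Evaluate the paper's four password rules: three come from system
    values, the default-password rule from the per-profile flag."""
    findings = []
    if int(system_values.get("QPWDMINLEN", 0)) < MIN_PASSWORD_LENGTH:
        findings.append("QPWDMINLEN below 9: minimum password length not greater than 8")
    if str(system_values.get("QPWDRQDDGT", "0")) != "1":
        findings.append("QPWDRQDDGT is 0: a digit is not required in passwords")
    if str(system_values.get("QPWDEXPITV", "*NOMAX")) == "*NOMAX":
        findings.append("QPWDEXPITV is *NOMAX: passwords never expire")
    for p in profiles:
        if p.default_password and p.status == "*ENABLED":
            findings.append(f"{p.name}: default password (password = user name)")
    return findings

def audit(system_values, profiles):
    """Combine both checks; the powerful-user finding, if any, comes first."""
    powerful = powerful_users(profiles)
    findings = password_policy_findings(system_values, profiles)
    if len(powerful) > MAX_POWERFUL_USERS:
        findings.insert(0, f"{len(powerful)} active powerful users exceeds {MAX_POWERFUL_USERS}")
    return {"powerful_users": powerful, "findings": findings}

# Constructed sample: 12 enabled profiles with special authorities, one disabled
# former administrator, one ordinary user and one temporary user with a default password.
SAMPLE_PROFILES = (
    [UserProfile(f"OPR{i:02d}", "*ENABLED", {"*JOBCTL", "*SPLCTL"}) for i in range(1, 9)]
    + [UserProfile(f"ADM{i}", "*ENABLED", {"*ALLOBJ", "*SECADM"}) for i in range(1, 5)]
    + [UserProfile("OLDADM", "*DISABLED", {"*ALLOBJ"}),
       UserProfile("CLERK1", "*ENABLED"),
       UserProfile("TEMP01", "*ENABLED", default_password=True)]
)
# Constructed system values: short minimum length, digit required, no expiry.
SAMPLE_SYSTEM_VALUES = {"QPWDMINLEN": "6", "QPWDRQDDGT": "1", "QPWDEXPITV": "*NOMAX"}

if __name__ == "__main__":
    result = audit(SAMPLE_SYSTEM_VALUES, SAMPLE_PROFILES)
    for user, auths in result["powerful_users"].items():
        print(f"{user:8} {' '.join(auths)}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On a real system the profile list would be exported from DSPUSRPRF output or the QSYS2.USER_INFO view and the system values read with DSPSYSVAL; the rules and thresholds stay as the paper states them.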

Is system activity monitored and reported on?

A security policy should define a regular audit process. The security policy and practices need to be reviewed and re-evaluated on a regular schedule. Organizations should conduct regular internal audits to validate the effectiveness of the current IT security policy. Regular audits are also key components of security standards such as PCI DSS and ISO 27002:

"Maintain an information security policy." (PCI DSS, Requirement 12)

"Review logs for all system components at least daily." (PCI DSS, Requirement 10.6)

The internal audit should contain the following components:

- Assessment: evaluate the current policy and identify corrections.
- Correction: determine where there are breakdowns in the IT security process and prioritize fixes.
- Maintenance: an ongoing process which does not conclude at the end of the internal audit and which, when done regularly, helps ensure data integrity.

In addition to conducting regular internal audits, organizations should have external audits performed routinely to obtain a benchmark of where they are with their security policy. When an external audit is performed, the auditor will want to know that internal audits have been conducted regularly and will look for documentation that supports this.

"Retain audit trail history for at least one year, with a minimum of three months online availability." (PCI DSS, Requirement 10.7)

"Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future." (ISO 17799 10.10.1)

Best practices for internal and external audit preparation include implementing a software solution such as Safestone's DetectIT Security Audit & Detection, which monitors activity on the System i and produces meaningful reports relevant to an IT security policy.

Best Practices for IT Security Compliance

When preparing for an IT security audit, organizations should follow these recommendations for managing risk and securing sensitive data:

- Create an IT security policy
- Secure network access
- Enforce separation of duties
- Control and limit privileged users
- Require strong password policies
- Conduct regular internal and external audits
- Demonstrate compliance to auditors
- Evolve security policies and procedures

How Safestone Addresses Security Compliance

- Create an IT security policy. DetectIT Risk and Compliance Monitor contains pre-defined policies based upon internationally accepted standards against which your systems are monitored.
- Secure network access. DetectIT Network Traffic Controller effectively firewalls the System i from the rest of the network.
- Enforce separation of duties. It is important that those using the system are not the same people who are policing it. DetectIT Smart Security Console can be used by non-technical administrators to check on all users' activities.
- Control and limit privileged users. DetectIT Powerful User Passport allows administrators to delegate what data users should have privileged access to, and when, without disrupting current business processes.
- Require strong password policies. DetectIT Password Self Help, which includes Password Synchronization and Password Validation Program, ensures that strong passwords are used and that the whole process of managing passwords is easily enforced.
- Conduct regular internal and external audits. DetectIT Security Audit and Detection Module can be scheduled to provide comprehensive audits on your System i.
- Demonstrate compliance to auditors. DetectIT Security Audit and Detection Module allows you to configure, report and archive against thousands of different security events.
- Evolve security policies and procedures. Use results obtained from the various modules of DetectIT as a baseline for refining an IT security policy.

Conclusion

Government regulations and standards will continue to evolve, and organizations will need to continue evaluating current security policies and evolving them with business and external changes. An IT security policy should not be viewed as merely a box to check to meet auditors' demands; it should be used by organizations to refine processes and protect the company's most important asset: sensitive data. Everyone in the organization shares ownership in protecting sensitive data, and all have a responsibility to work towards compliance.

When thinking about compliance, organizations should view the process in four phases:

- Creation of an IT security policy
- Regular internal and external audits
- Evaluation of audit discoveries
- Evolution of policies and procedures

None of these phases is trivial, and all are essential building blocks in the creation of an effective security policy that will satisfy auditors' requirements; each phase is created by following specific steps that build on the previous one. When done together they form a framework that provides the structure for everyone in the organization to know what their responsibilities are for accessing and modifying data according to corporate guidelines and standards. Once the framework is in place, everyone will know what the policy is and how it affects them. A security policy holds users accountable to internal compliance practices and is what your IT auditor will refer to at your next audit and use for measuring your organization's compliance.