A Security Blanket for SOX
By John Ghrist

If you feel totally confident that your system security policies are ready for Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and seeming scads of other new and impending federal and state accountability mandates, you're lucky. Phalanxes of winged auditors must flight thee to thy rest each night. But if you're like the rest of us, you know that no matter how ready you think you are, something can always go wrong.

Fortunately, there's at least one remedy for that hollow feeling you can get when you start thinking about your iSeries security policies. And you don't even have to drop it in a glass and watch it fizz before using it. It's SkyView Partners Policy Minder for OS/400 and i5/OS, an application that controls and partially automates the tasks of making sure that, among other things, outsiders can't gain access to your data and insiders can't corrupt it.

Policy Minder lets iSeries system administrators or security officers define security policies for such system areas as authorization lists, command authorities, directory settings, exit points, file shares, job descriptions that specify a user profile, library and object settings, security-relevant system values, TCP/IP servers, and user-profile attributes, among others. It also lets administrators check at will how well the system is in compliance with security policies once they've been set, and produce auditing reports that show compliance levels.

Security Policy Making 101

If an enterprise doesn't yet have a complete set of security policies worked out for system settings, Policy Minder provides help. Except for directory authority, library and object authorities, and user profiles, Policy Minder provides predefined entries for all other values that administrators can simply adopt by default. These remain in place until a different policy is formulated later. (Of course, that won't necessarily stop users with high-level authorities from rejiggering certain settings, but Policy Minder's checking procedure will bring any such changes to an administrator's attention promptly.) Alternatively, if a facility is running multiple iSeries and settings have been worked out for existing machines, Policy Minder lets system managers import a set of initial values from another system via FTP. This importation process can optionally be encrypted or password protected.

Policy Minder also lets security officers initialize a policy from the settings already on the system, so that Policy Minder then watches for deviations from that starting point. For example, if the security officer is initializing a policy for the TCP/IP Server category, Policy Minder examines all TCP/IP servers currently on the system and sets the policy to the servers' current auto-start values. (As you would expect, these values can be changed later.)

For enterprises that have made some or all of the policy decisions about system settings, Policy Minder lets system administrators or security officers set new policy values for each system security category and each entry in each category. These automatically replace those set by Policy Minder defaults, the policy initialization procedure, or imported values from another system.

Policy Minder helps enterprises define security policies by providing templates for user profiles, libraries, and their objects and directories. For example, to define a user profile template, Policy Minder walks administrators through the template-creation process by requiring details of such rules as defining user or group profiles, specifying which users or user classes are to be included or omitted from a particular template or group profile, and choosing the characteristics and capabilities each template or group profile will have from a list of options.

Additional Security Templates

Procedures for building templates that control access to libraries can be complicated. Policy Minder provides step-by-step procedures for building templates that cover a spectrum from simply protecting one payroll file to establishing a complex template structure that affects multiple applications. Similarly, building templates that control access to directories in the iSeries Integrated File System (IFS) that may hold sensitive data is a matter of following a granular procedure to establish security protections that can be either loose or tight.

Programs that adopt authority can be a source of trouble. Policy Minder helps IT departments keep track of programs that adopt the authority of user profiles holding *ALLOBJ special authority, and monitor programs that adopt a particular user profile. Other capabilities include control of commands for limited users and of object creation in the IBM QSYS library. Advanced functions include Policy Minder message monitoring, journaling of Policy Minder files, using Policy Minder to remediate application or system security plans, and high-availability features.

Policy Minder's compliance utility lets administrators keep an eye on changes. If after a run of the utility the administrator detects unauthorized setting changes, a FixIt program can automatically change settings back to their designated values. A good system administrator could manually change the settings Policy Minder controls and write programs that could perform its monitoring tasks, but the process would be time-consuming and prone to human error. Policy Minder helps IT departments automate this process and control it more efficiently. To ensure compliance with today's business mandates, such as SOX, a product such as Policy Minder can make administrators' systems — and jobs — more secure.
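The policy life cycle the article describes (initialize a policy from current settings, check the system against it, report the compliance level, and reset drifted entries with a FixIt-style step) is easy to see in a small model. The following is an added example written for this page, not SkyView's code; the settings are held in plain dictionaries and the snapshots are constructed samples, not real system state.

```python
"""Model of a policy/compliance check cycle: initialize, check, report, fix.
Illustrative code added for this article, not Policy Minder's implementation.
"""
from copy import deepcopy

# Constructed policy: required values by category and entry.
POLICY = {
    "system_values": {"QSECURITY": "40", "QPWDMINLEN": "8", "QMAXSIGN": "3"},
    "tcpip_servers": {"*FTP": "*NO", "*TELNET": "*NO", "*HTTP": "*YES"},
}

# Constructed snapshot of a system where two entries have drifted.
DRIFTED = {
    "system_values": {"QSECURITY": "40", "QPWDMINLEN": "6", "QMAXSIGN": "3"},
    "tcpip_servers": {"*FTP": "*YES", "*TELNET": "*NO", "*HTTP": "*YES"},
}


def initialize_policy(current):
    """Policy initialization: adopt the current settings as the policy."""
    return deepcopy(current)


def check_compliance(policy, current):
    """Return (category, entry, expected, actual) for every deviation.

    An entry that the policy names but the system lacks is reported with
    actual=None rather than silently skipped.
    """
    deviations = []
    for category, entries in policy.items():
        actual_entries = current.get(category, {})
        for entry, expected in entries.items():
            actual = actual_entries.get(entry)
            if actual != expected:
                deviations.append((category, entry, expected, actual))
    return deviations


def compliance_report(policy, current):
    """Audit-style summary: compliance count plus one line per deviation."""
    deviations = check_compliance(policy, current)
    total = sum(len(entries) for entries in policy.values())
    lines = [f"{total - len(deviations)}/{total} entries compliant"]
    for category, entry, expected, actual in deviations:
        lines.append(f"  {category}.{entry}: expected {expected!r}, found {actual!r}")
    return "\n".join(lines)


def fix_it(policy, current, deviations):
    """Reset each deviating entry to its policy value.

    Returns the corrected snapshot and the list of changes made, so the
    remediation itself leaves an auditable trail.
    """
    fixed = deepcopy(current)
    changes = []
    for category, entry, expected, actual in deviations:
        fixed.setdefault(category, {})[entry] = expected
        changes.append((category, entry, actual, expected))
    return fixed, changes


if __name__ == "__main__":
    print(compliance_report(POLICY, DRIFTED))
    fixed, changes = fix_it(POLICY, DRIFTED, check_compliance(POLICY, DRIFTED))
    print("changes:", changes)
    print(compliance_report(POLICY, fixed))
```

Run as a script it prints a 4/6 compliance line naming the two drifted entries, the changes applied, and a 6/6 line after the fix. The point of returning the change list from `fix_it` is that an automated reset is itself a privileged change and should be logged alongside the drift it corrected.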


SkyView Partners, Inc.
(425) 458-4975

SkyView Partners Policy Minder for OS/400 and i5/OS

(Reproduced with kind permission of SystemiNEWS. For additional examples of articles by John Ghrist, see, click on "Archives," then the "Author" tab, and enter "Ghrist" in the author search window.)