www.skyviewpartners.com
@SkyView Partners, Inc, 2012. All Rights Reserved. 1
Read the business page of national and local newspapers
Read publications from your organization's vertical industry
Listen to webcasts, read magazines, online forums, newsletters and articles for i5/OS-specific information
◦ SkyView Partners has regular webinars
http://www.skyviewpartners.com/lawsandregs.php
◦ Examples: PCI Data Security Standards
  EU Data Privacy Laws
  SOX
  J-SOX
  BASEL III
  Privacy Laws: Korea, PIPEDA, The Companies Bill
Implement security best practices wherever possible
Document the areas where best practices aren't possible
May be changed to enable a function and never set back.
Vendors may modify a value when installing their product.
Default passwords
Inactive users
Special authority assignment
Group membership
ANZDFTPWD – Analyze default passwords
Change the CRTUSRPRF command default as well as your user profile creation process so that profiles are never created with a default password.
Step 1 - Set profiles to Status *DISABLED
In V7R1, use the profile expiration attribute on CRT/CHGUSRPRF
Use IBM SECTOOLS menu options:
2. Display active profile list (list of omitted profiles)
3. Change active profile list (to omit profiles from being set to Status *DISABLED)
4. Analyze profile activity (scheduled job runs daily to set profiles to *DISABLED. Sends message to message queue of user running the menu option.)
Write your own –
◦ key is to look at the right dates - Last used (vs Last sign on), Creation, Restore
◦ DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS) and join with DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(CJW/ALLUSERS2)
Use a vendor product such as SkyView Policy Minder
Note: If you perform a roll-swap, you need to stop the automatic disabling of profiles.
Step 2 – Delete profiles
Must be done manually (i5/OS provides no automatic delete)
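Added example, not from the presentation: the "write your own" approach above, worked in Python over a constructed stand-in for the joined DSPUSRPRF/DSPOBJD outfiles. The column names, ISO date format and 60-day threshold are assumptions for the example; the real outfiles use their own field names and date formats.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample standing in for the join of the DSPUSRPRF outfile with the
# DSPOBJD OBJTYPE(*USRPRF) outfile. Column names and ISO dates are assumptions;
# the real outfiles (QADSPUPB / QADSPOBJ) use fields such as UPUPRF/UPSTAT and
# ODCDAT/ODUDAT/ODRDAT in their own date formats.
SAMPLE = """\
profile,status,last_signon,created,last_used,restored
ALICE,*ENABLED,2012-03-01,2010-01-15,2012-03-01,
BATCHSVC,*ENABLED,,2009-06-30,2012-02-20,
NEWHIRE,*ENABLED,,2012-02-25,,
OLDTEMP,*ENABLED,2011-01-10,2010-05-05,2011-01-10,
RESTORED,*ENABLED,2010-07-07,2009-01-01,2010-07-07,2012-02-28
GONE,*DISABLED,2011-01-10,2010-05-05,2011-01-10,
"""

def _parse(value):
    """Blank outfile date -> None, otherwise a date."""
    return date.fromisoformat(value) if value else None

def _enabled_rows(csv_text):
    # Profiles already at *DISABLED are skipped; deleting them is a separate manual step.
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["status"] != "*DISABLED"]

def inactive_profiles(csv_text, today_iso, max_idle_days=60):
    """Profiles whose newest activity date is older than max_idle_days.
    Activity = max(last used, created, restored): a just-created or just-restored
    profile has no use yet but must not be disabled, and last-used (unlike last
    sign-on) also reflects batch and server use of the profile."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_idle_days)
    flagged = []
    for row in _enabled_rows(csv_text):
        dates = [_parse(row[k]) for k in ("last_used", "created", "restored")]
        newest = max(d for d in dates if d is not None)
        if newest < cutoff:
            flagged.append((row["profile"], newest.isoformat()))
    return flagged

def signon_only(csv_text, today_iso, max_idle_days=60):
    """The naive check for comparison: last sign-on date alone."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_idle_days)
    signon = {r["profile"]: _parse(r["last_signon"]) for r in _enabled_rows(csv_text)}
    return [p for p, d in signon.items() if d is None or d < cutoff]
```

Running both checks on the sample as of 2012-04-01 shows why the slide says to use the right dates: the sign-on-only check would disable the batch service profile, the new hire and the freshly restored profile, while the last-used/created/restored check flags only OLDTEMP.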
Profiles are typically copied.
Recommend:
◦ Developing role-based access implemented via group profiles
◦ Copy a template rather than another user's profile
Recommend that group membership be reviewed at least annually
Access to files containing private data, and to programs performing critical actions such as decrypting, needs to be reviewed for appropriate:
Default access (*PUBLIC authority)
Additional private authorities
Authorization list assignment
Ownership
Adopted authority settings (programs / service programs)
Critical files in libraries - authority to files containing:
◦ Card holder data
◦ HR information
◦ HIPAA data
◦ Confidential data belonging to your organization
and in the IFS - authority to directories and files containing:
◦ Payroll information
◦ Credit card transactions
and don't forget to review authorization lists
Review authorities - *PUBLIC and private - are they appropriate?
◦ Use DSPAUTL AUTL(autl_name) OUTPUT(*PRINT) or
◦ DSPAUTL AUTL(autl_name) OUTPUT(*OUTFILE)
Review objects secured by the authorization list
◦ Use DSPAUTLOBJ AUTL(autl_name) OUTPUT(*PRINT) or
◦ DSPAUTLOBJ AUTL(autl_name) OUTPUT(*OUTFILE)
◦ (Note: Prior to V6R1, DSPAUTLOBJ locks all of the objects secured by the authorization list. It's best to run this command when users are not attempting to run the application.)