How can you feel safe in these uncertain times?
It's been an interesting year. I never would have predicted the events of 2008! The state of the world economy is on people's minds. So how does the economy affect the world of security and compliance? Whether your organization has experienced significant cuts or is simply conserving, everyone is being required to do more with less, and that affects morale. When morale is lowered and the economic slowdown is factored in, the risks to your organization's data are increased. In uncertain times, workers are more likely to exploit system vulnerabilities or fall prey to schemes for obtaining confidential information and selling it. Or they may fall into financial trouble and blatantly steal from the company. Don't think this can't happen to your organization. I've recently seen it happen in areas where I would have least suspected it.
So at the end of this tumultuous year, I'm providing five tips for protecting your organization:
#1: Do a Risk Assessment
Find out where your systems' vulnerabilities are. You may think you're aware of all issues on your systems, but without a risk assessment, you can't be sure. When SkyView Partners reviews the results of the risk assessments performed through our Security Check-up service, most companies have at least one item that's a surprise--even to the most security-conscience teams. A thorough security assessment allows you to understand the issues, assess your risk, and apply your resources appropriately.
#2: Delete Inactive Profiles
Many organizations have profiles on their systems that have been inactive for years. I usually see some of those profiles with disabled status, but there are always some--if not many--with enabled status. Worse, some profiles have *ALLOBJ or other special authorities, and some even have default passwords. Even if profiles are disabled, they could easily become enabled, accidentally or deliberately. Removing inactive profiles removes the possibility that the profile could be used to exploit its authorities and capabilities.
#3: Manage Passwords
Passwords are one of those areas of security that require tradeoffs. Requiring too-complex passwords leads to users writing them down. But weak passwords can be easily guessed. My password composition recommendations are to require a digit and a minimum of seven characters and change them every 60 - 90 days. Too often, administrators set their passwords to never expire. This is absolutely inappropriate. In fact, administrator or other profiles with *ALLOBJ special authority should be required to change their passwords more frequently than users, such as every 30 days. This reduces the time someone could exploit the profile should the password be guessed. Finally, your security policy should require that users not share passwords. Accountability is lost when multiple users sign on to the same profile.
#4: Secure Your Data
A recent report from Symantec states that the market for selling financial information has reached $276 million. You should view any database file containing private information (such as social security number, bank account number, or credit card number) as a target for identity theft and review who can access those files. If they aren't already set to the PCI's requirement of "deny by default," they need to be. Determine what processes need access to this information, grant authority to those profiles, and block everyone else by setting *PUBLIC to *EXCLUDE.
#5: Educate Your Organization
One of your biggest lines of defense is your employee base. Rather than try to protect your data and reputation with a small team of computer security professionals, why not mobilize your entire workforce? Educate your workforce on what constitutes theft and fraud and how to recognize suspicious behavior. Create an anonymous way to report suspicious activity. Other areas of education include appropriate disposal of confidential and private information (e.g., shredding reports), what type of data is allowed on hand-held devices, etc.
SkyView Partners Can Help
It's a given that everyone has to do more with less. SkyView Partners can help by performing a security checkup of your IBM i systems. Let us be the experts so that you don't have to spend your time poring through data and developing security skills. In addition, SkyView's Policy Minder product has a proven ROI for reducing the cost and the time of managing compliance requirements and performing security administration tasks.
Our mission for 2009 is to deliver security compliance products and services that will save you time and reduce the costs and complexities of attaining and maintaining compliance.
Christmas Greetings
Even though the economy is causing uncertainties, there are things we can be certain of: love of family and friends and our faith. We recognize that each culture and faith celebrates different holidays throughout the year, and we wish everyone holiday greetings. We at SkyView Partners extend to you the joys, blessings, and hope we receive at this time of year as we celebrate Christmas and the birth of our Savior, Jesus Christ.
Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.
Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.
MC Press books written by Carol Woodbury available now on the MC Press Bookstore.
 |
||
 |
|
IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
|
 |
|
Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale
|
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online