Keeping track of how user profiles get created is certainly no fun and definitely difficult at times, but it's required to maintain compliance with your security policy and to keep your auditors happy. SkyView Policy Minder for OS/400 and i5/OS can ease the burden of tracking the details of how profiles have been created. One feature of this new product is the ability to create user profile "templates." These templates allow you to define the profile configuration criteria that you are interested in when it comes to managing compliance. Let's look at some examples.
Identifying Inactive Profiles and Documenting the Exceptions
One area that is often difficult for administrators to manage is identifying inactive profiles (profiles that are no longer in use). Difficulty is compounded when HR has no formal process for notifying IT when someone leaves the organization. Profiles accumulate on the system and provide access points to the system that can lead to system exploitation. Policy Minder provides an easy way to discover the inactive profiles on your system so you can deal with them in a timely manner. Simply create a user profile template that includes all profiles on the system and specify the exact inactivity period (e.g., 30 or 45 days) required by your policy. Running a compliance check on this template every day will provide you with a list of profiles that have gone "inactive" as defined in your security policy. With this list, you can quickly remove these profiles and avoid having your auditors find them on your system.
But what about those profiles that are always inactive? You know which ones--the IBM-supplied profiles, group profiles, profiles that own applications, and profiles that come with vendor products. These profiles are always included in the list of inactive profiles because they are never used to sign on or to run jobs. To avoid this, simply specify that you want to omit these profiles from being included in the template, and they will no longer appear in the list. Then, you will have an accurate list of inactive profiles you need to take action on. In addition to making this task easier by simplifying the list, omitting the always-inactive profiles from the template will be documented in your policy. So it will be easy to show an auditor that you have accepted the business risk of allowing these particular profiles on your system. This tells your auditor that you understand the profiles on your system and have taken steps to easily and efficiently handle the profiles that are truly inactive.
Managing the Number of Profiles with *ALLOBJ Special Authority
Your policy may allow you to have only 10 non-IBM profiles with *ALLOBJ special authority on the system. You can easily define a template that includes all profiles but excludes IBM profiles so that they are not included in the count. Once the template is created, run a compliance check. Policy Minder will list the profiles having *ALLOBJ--skipping the IBM profiles--and let you know at a glance whether you've exceeded your limit. This compliance check is easily scheduled in your favorite job scheduler to run at whatever frequency satisfies your business requirements.
Monitoring How Profiles with *ALLOBJ are Created and Configured
In addition to specifying how many profiles with *ALLOBJ can be on the system, many auditors require that powerful profiles--profiles with at least *ALLOBJ special authority--have unique configuration requirements, such as these:
- These users must change their passwords more frequently than the rest of the user community.
- Command string (*CMD) auditing must be turned on (meaning that any command these users enter is logged in the OS/400 audit journal).
- The profiles' passwords cannot be a default password (the password cannot be the same as the user profile name).
Auditors and security professionals alike believe that these are good security practices. To ensure your *ALLOBJ profiles are created with these configuration settings, create a Policy Minder template that includes all profiles with *ALLOBJ--again, skipping the IBM-supplied profiles--and run a compliance check. You can see at a glance whether your powerful profiles are in compliance. If there are profiles out of compliance, you can enable the Policy Minder FixIt function to "fix" (or change) your profiles to match the settings defined in your *ALLOBJ user profile policy.
These are just a few examples of managing security compliance as it applies to user profiles. What about library and object authorities, directory authorities, authorization lists, and all the other details? SkyView's Policy Minder for OS/400 and i5/OS can help you with these as well. To find out what other details you should be concerned about when it comes to security compliance management, click here. And check out SkyView's other offerings in the MC Showcase Buyer's Guide.
Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing in security compliance management and assessment software as well as security services. Carol is the former chief security architect for AS/400 for IBM in Rochester, Minnesota, and has specialized in security architecture, design, and consulting for more than 15 years. Carol speaks around the world on a variety of security topics and is coauthor of the book Experts' Guide to OS/400 and i5/OS Security.
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online