The Payment Card Industry (PCI) has a Data Security Standard to which organizations accepting and storing credit card information must adhere. Since the Data Security Standard applies to all systems, one must do some interpretation to determine how the requirements apply to the System i (AS/400 or iSeries). While some specifications are clearly spelled out, such as the password requirements, others are defined by their intent. The Data Security Standard's intent is that the integrity of the data can be assured, that access to the data is restricted, and that the system's security scheme is configured to support this intent.

This is where the interpretation comes in. SkyView Risk Assessor compares your system's security configuration against security best practices for over 100 risk points. These include various i5/OS configuration items such as system values, user profile settings, TCP/IP configuration, guest user profiles, and more. Risk Assessor provides an explanation of the issue to allow you to determine whether the issue requires remediation. If remediation is required, Risk Assessor provides suggestions on how to start the remediation process.

Beyond Risk Assessor's helping you ensure that the system's configuration supports the intent of the Data Security Standard on i5/OS, here are some ways SkyView products address specific Data Security Standard requirements:

• Risk Assessor lists any i5/OS user profiles that have a default password along with the capabilities currently assigned to these profiles. SkyView Policy Minder can check user profile configurations to ensure no profiles have default passwords.
• The Data Security Standard requires "strong access controls." In i5/OS terms, this means that database files containing cardholder data be set to public authority *EXCLUDE. Policy Minder can help you change this setting as well as perform regular compliance checks to ensure the files remain secured appropriately. If users are specifically allowed access, this can also be included in the check.
• The Data Security Standard requires that inactive profiles be removed from the system at least every 90 days. Policy Minder can simplify the discovery and automate the removal of inactive profiles.
• Policy Minder templates can be used to regularly monitor user profile configuration to check the configuration of user profiles, ensuring profiles are created with the correct special authorities, group assignments, initial programs, auditing settings, etc. It can also flag new profiles that have been created, changed, or restored to have *ALLOBJ (security officer) authority. Further, it identifies profiles that are no longer active and should be removed from the system as well as ensures that all users' passwords are changed every 90 days.
• Using the Policy Minder system value category, you can check to ensure that the system's password composition rules are being enforced (must have a minimum length of seven characters, must contain a digit, must be changed every 90 days, can be reused only after four other passwords have been used, and locks the user out after six invalid password attempts). Policy Minder also ensures that i5/OS auditing remains active and is configured properly.
• Risk Assessor specifically addresses the i5/OS requirement for "an annual process that identifies threats and vulnerabilities, resulting in a risk assessment."
• Policy Minder documents the i5/OS implementation of the organization's security policy.
• To provide proof to auditors that you are regularly monitoring your security configuration, Policy Minder generates compliance-check reports. If the item being checked is in compliance, meaning that it meets the requirements of your policy, a one-page summary report is generated stating that the items are in compliance with the policy requirements. If an item is out of compliance, the report contains a detailed description of the discrepancy.

Carol Woodbury is President and co-founder of SkyView Partners, Inc. She is the designer and architect of the SkyView products and has over 17 years in the security industry, 10 of those working as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM. Carol is also the co-author of Experts' Guide to OS/400 and i5/OS Security.

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3^rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

---

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

		IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
		Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale