Services

Creating a security policy for your organization

Posted in Security, Services on March 1st, 2010 by Clint

By Robin Tatam

If you are responsible for securing your organization’s IBM i environment, you know there are many steps. The step that many people overlook is creating a well-defined security policy. And, without this step, you can’t really evaluate how well you’re doing with security!

The majority of large corporations have policies that address access to different types of technology, but it is still rare to find one that pertains to the required settings for IBM i. It is even more unusual for smaller organizations to have any type of formal policy beyond a simple “best practices” list.

Even if you are not legally required to set up a security policy (to comply with Sarbanes-Oxley, HIPAA, or other security regulations), everyone has a certain level of fiscal or moral responsibility (to the company’s customers, vendors, and employees) to protect the information with which you are entrusted. When you set up a policy, you create a standard that allows you to achieve or maintain compliance with your objectives.

As I mentioned earlier, large corporations often have multiple policies. There may be an overall policy and multiple sub-policies that define the requirements in more granular detail. For example, an international corporation may have a policy that defines the main purpose for even having the policy, and policy objectives at a global level. Then, each country has a lower-level policy that supports the global policy, but adds more information and requirements specific to the local level.

If the impetus for creating a security policy is not coming from senior management, it is critical that you convince a manager to sponsor your effort. Without sponsorship, you will struggle to obtain the necessary capital to design and enforce the policy, and compliance is unlikely to be achieved, let alone maintained.

Creating a security policy is not solely an IT responsibility, but should be the result of a steering committee that is charged with identifying the key areas to be addressed in the policy. Once a policy is established, the IT staff is responsible for planning and implementing the technical controls necessary to adhere to the policy. An auditor determines if the controls are adequate.

If a security policy is going to provide real benefit to the organization, it must be followed. Therefore, you need to:

  • Introduce the security policy to make employees aware of it.
  • Distribute copies to appropriate employees.
  • Outline the penalties for willful non-compliance with the policy.
  • Create a schedule of audits to:
    • Build a gap analysis between the policy and controls.
    • Identify weaknesses in the policy, the mitigating controls, or the implementation of the controls.
  • Establish a defined life span for the policy.

Your security policy needs to be a living document that is reassessed at least every two to three years to ensure the policy:

  • Continues to meet the needs of the organization.
  • Addresses technology and business changes that occur.

Whenever the steering committee updates the policy, they must communicate changes to the appropriate audiences in a timely manner.

Additional Resources

Policy Enforcement with Compliance Monitor
To manage the compliance of system values on your IBM i system, PowerTech’s Compliance Monitor includes a security policy editor. Use this policy management tool to run a dashboard-style scorecard on your system that indicates which values are out of compliance. For more information, visit the Compliance Monitor page on the PowerTech Web site.

Open Source Security Policy
If you don’t know how to get started on your own security policy, PowerTech provides a FREE policy template available for download. You should edit this “open source” document to meet your unique corporate requirements. If you think the changes you make might be of interest to other members of the IBM i community, please send them to us and we’ll review them for inclusion in a future edition.

Live Policy Discussion
As part of our ongoing education commitment to the IBM i security community, Jill Martin, PowerTech’s Product Support Manager, will be visiting the following cities next week to conduct FREE 3-hour workshops on crafting IBM i security policies.

| Date | City | Questions or RSVP |
|---|---|---|
| March 9 | San Francisco | Katie.Carnicom@helpsystems.com |
| March 10 | Irvine | Katie.Carnicom@helpsystems.com |
| March 11 | Las Vegas | Katie.Carnicom@helpsystems.com |

PowerTech: Beyond Software

Posted in Services on December 21st, 2009 by Clint

By Robin Tatam

Although PowerTech is known around the world as the leading provider of IBM i security solutions, there is far more to the story than just software. Not only do we perform professional services—on IBM i-based controls as well as the implementation of our software—but we also continually invest in the security area by committing money and resources to education and spreading the security message within IBM i organizations.

I would like to take a moment to introduce you to some of the other initiatives we are busy working on for 2010.

Local User Groups

One of the main networking channels for IBM i professionals is often the local and regional user groups that help promote education and knowledge sharing. Unfortunately, many of these groups struggle to fund resources to speak to their membership. To assist with this, I am personally visiting no fewer than seven states in the next couple of months to conduct speaking sessions on various group-selected topics—all fully funded by PowerTech!

If you live in or around the following cities, please come out and say “Hi!” I would love to meet you, and I am sure that your local user group would welcome the support.

| Date | Location |
|---|---|
| January 19 | Fairfield, CT |
| January 20 | Long Island, NY |
| January 21 | Fairfield, NJ |
| January 28 | St. Louis, MO |
| February 9 | Beaverton, OR |
| February 16 | Nashville, TN |
| February 18 | Buffalo, NY |
| March (TBD) | Reno, NV |

Security Education

While IBM won’t schedule their security class until they have enough customers to attend (and then makes you travel to one of several major metropolitan cities), PowerTech is bringing a security class to you! Several of the above cities and dates have been selected to host a half-day class on the basics of IBM i security, at a very reasonable price!

If your company has a security initiative in its future, or you have staff members who need to learn some of the basics of IBM i security, this class is for you. Don’t delay—seats are limited.

Please visit www.powertech.com for additional information, or to sign up.

Webinars

Since August, PowerTech has been conducting FREE weekly webinars on topics ranging from the configuration of the built-in IBM i audit controls; the risk associated with FTP, ODBC, and remote command; and performing an assessment of your IBM i server in 15 minutes. These have proven to be immensely popular, so we are busy scheduling further chances to listen to them, as well as adding new content to the schedule.

We’ve already established the topic lineup for January, and will continue to add dates and topics as the year progresses.

Set your alarm for Wednesdays at 10 a.m. CT.

Online Training

Don’t let staff changes or limited budgets prevent you from being at the top of your game. By popular demand, we are now offering online training from an official PowerTech trainer. In February, we are launching a new online training program, starting with Network Security. Each session is an easy-to-manage 60 minutes, and the class comes in segments to accommodate different levels of expertise and busy schedules.

The cost for this class is $99 for the basic session; $198 for the 2-part advanced session; or $259 for both (basic & advanced). It will be held at 10 a.m. CT on the following dates:

| Date | Description |
|---|---|
| February 4 | PowerTech Network Security – The Basics |
| February 9 | PowerTech Network Security – Advanced Topics Part I |
| February 11 | PowerTech Network Security – Advanced Topics Part II |

While Network Security is the first class we’re offering, we’re also working to provide similar courses on Authority Broker and Compliance Monitor.

Visit the registration page for additional information, or to sign up.

No-Charge Compliance Assessment

Whether you already feel like your system is secure, or you have no idea where to begin, the hugely popular PowerTech Compliance Assessment provides valuable insight into the security configuration of your IBM i server.

The assessment tool runs on your PC and, in about 15 minutes, presents the findings to your team in a rich application environment. Find out information about your profiles, your system values, and the event auditing settings you have configured.

Not only do you get an automated review, but a PowerTech security expert helps you interpret the findings—all at no charge and with no obligation.

Image of System i Compliance Assessment

Please visit www.powertech.com for additional information, or to request an assessment.

Professional Services

Who better to implement and train you on PowerTech software than the security experts of the PowerTech Group? If you need just a little nudge in the right direction, try our WebEx-based remote assistance. Need to bring a security expert on site? We offer that, too. Let us walk your security staff through the solution installation; perform the initial configuration of the tools; and then train them on how to squeeze every ounce of functionality out of them.

And, if you’ve ever tried to find someone skilled in IBM i security mechanisms, you know how difficult it can be. If you do find someone, you generally have to pay dearly or wait for months for them to get there. Now, there’s another option. Bring in the experts at PowerTech to provide security expertise at reasonable rates.

Some of the topics that we can assist you with include:

  • Security Assessments
  • Moving to security level 40
  • Architecting application security
  • Starting to use IBM i auditing features

For more information, visit www.powertech.com/powertech/PowerTech_Web_Services.asp.

We haven’t forgotten our roots…

Of course, software solutions are still our forte and we are investing heavily in our solutions to continue to help you secure your IBM i data through the next decade.

Happy New Year, everyone!