Many companies want to improve the state of their IBM i security, but they often don’t know where to start. They also might not understand the long-term impact of recommended changes. Having a partner who can help you navigate through your security project can be the difference between success and failure. Let’s take a closer look at six steps to properly execute a security improvement project.
Step #1 – First seek to understand
One of the habits highly successful people practice is to first seek to understand, then seek to be understood; this applies to IT projects too. In order to successfully improve your security, you need to first understand what the state of your current security is. Many companies offer free assessments, which will evaluate your system values and compare them to industry standards for compliance.
System values control things like user access, which is critical when you are configuring security. You may think that your system is safe because your users have to log in with passwords and everyone uses the green screen. While this used to be enough to protect your business, it isn’t any longer. Before you can ensure that your business is secure you need to know the current state of your system values against best practice and compliance requirements. Only then can you determine where to go next.
In addition to having an assessment of your environment, if you are on 7.3 of the operating system you get the benefit of the Authority Collection. If you’re not on 7.3, this is a good reason to get there. This feature of the OS is designed to help you determine the lowest level of security your users actually need to do their daily tasks. This tool is invaluable in helping you to understand where you can go.
Step #2 – Understand the impact of change
Before compliance became so prevalent, companies were free to implement security based on their own needs. Today many companies are required to follow regulations or face real consequences.
If you have to follow regulations such as SOX, you must define user access based on least authority. This is unequivocally the correct way to configure the security on your IBM i, however, you just can’t go taking away user privileges without understanding the impact. If your system is below Security Level 40, you need to change it and quickly. But, you can’t just change the security level without doing your homework first.
If you’re not versed in things like the security levels and what is different between the levels, and how to provide object-level authority, then you should not attempt to change things without some input from experts. Or in the very least without reading your IBM documentation closely. Making changes without first understanding what the impact will be is never a good idea.
Step #3 – Plan, then plan some more
The key to any successful IT project is in the planning. Ensuring that you know what steps you will take, when you will take them, and the potential impact of those changes, is key to carrying out a successful project. The plan should also include time for testing and an independent review. Being over prepared is never a bad thing.
Step #4 – Test thoroughly
You can never test too much. When making changes to security, it’s important to conduct tests to ensure that the users can still perform their daily tasks when you reduce their privileges. The key to security is to ensure that the users have the least amount of privilege necessary to do their daily tasks. Making several changes and doing thorough testing will help you accomplish this.
Step #5 – Implement
When you have thoroughly tested what is going to happen when you make the changes in a test environment you are ready to implement those changes in production. If you did a good job in your planning and testing, the implementation should be a non-event. If you change your password rules, you may experience more helpdesk tickets related to passwords for a little while, but the day to day operations of the users should not be affected.
Step #6 – Independent Non-biased Review
Once you’ve implemented your security policy changes, it’s important to have a review of the results and the processes by an independent non-biased third party. This doesn’t have to be someone outside of the organization, although that is really the most effective, it just needs to be someone who is not invested in the project. This person should ask the hard questions to be sure that your security policy protects your sensitive data.
In today’s interconnected world, security is more important than ever. It’s not only the external world that you need to be concerned with, as more breaches are conducted by rogue employees than external sources. This means your security policy and how you provide access to sensitive data is extremely critical to your business.
If you’re ready to start Step 1 — understanding the current state of your security, we are currently offering a free assessment to get you started. To learn more, click here.