If you don’t have to comply with any regulations or meet auditor’s demands today, you probably will eventually. Compliance is challenging to achieve. Part of the reason for this is because the regulations are vague and open to interpretation. To help companies to implement controls to mitigate risk and meet auditor’s demands, the Information Systems Audit and Control Association developed the COBIT (Control Objectives for Information and related Technology) Framework.
COBIT provides a set of best practices that help companies balance risk versus the benefits gained from implementing technology for a business need and costs.
COBIT is comprised of thirty-four high-level control objectives which are grouped into four categories:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
Each one of these categories has up to 30 detailed control objectives. No wonder compliance is difficult to achieve.
To add to the complexity of compliance, auditors who are assessing your compliance have no idea how IBM i is architected or how it works. They blindly want to apply the controls, which may not be appropriate. Even worse, they often miss security gaps that put your data at risk. Leaving you with a false sense of security.
We all know by now that the IBM i is the most securable platform available, but it doesn’t come that way. You have to take the time to implement the controls that protect your company’s biggest asset your data. Protecting data from both internal and external risks is what compliance is about.
Compliance really is about reducing risk.
Compliance is focused on protecting sensitive data. Whether it’s protecting financial information or personal information, you need to ensure that it doesn’t fall into the wrong hands. One of the biggest threats facing data today is ransomware attacks. External threats are not the concern though, often data breaches occur from within the company. Meaning you have to protect the data from all angles.
For the purpose of this discussion, I want to focus on COBIT and some of the objectives that relate to IBM i Administration and Security.
Manage Performance and Capacity
The first area that directly relates to those of you responsible for IBM i admin and securing your systems is Objective #3, Mange Performance and Capacity. If you are not monitoring the performance of your system and your capacity, then you are not compliant. System availability and performance are part of the overall compliance regulations. You need to have an availability plan that includes the availability requirements for the business, and monitoring to ensure that you can meet those needs. Not only should you be monitoring and reporting on your performance, but you also need to be proactive in managing the performance of your systems. This helps minimize risk and potential losses.
Ensure Continuous Service
The next major control point is Objective #4, Ensure Continuous Services; otherwise known as Disaster Recovery. There are 13 detailed control objectives that make up the controls needed for your DR plan. Compliance requires you to have a DR plan that includes safety protocols for staff, procedures to get the business back up and running to its previous state, and communication with the business. The plan needs to detail who the critical IT resources are and that you have alternative hardware available.
Another important objective is focused on off-site backups. In the event of a disaster, you need to have a way to recover your data, and it’s important that you keep your backup media offsite and accessible. Not only do you have to have a DR plan, but you are also required to maintain it, test it and provide training to your staff. It’s not enough to have a plan. It needs to be tested and revised and refined. This is another common theme with compliance, continuous improvements.
Ensure System Security
The whole idea behind compliance is about the security of your IT environment. This high-level control objective has twenty-one control objectives. The concept is about implementing a security plan that is aligned with business needs. Identifying the risks and coming up with a plan to protect the data, and then implementing the plan, assessing the plan, and continuously improving it. The plan has to take into consideration the rest of the security control objectives.
A major area of concern is user access. It’s critical to identify, authenticate user access. You also need to ensure that you restrict unauthorized access. User access should be controlled and monitored to protect the user and the data. Implementing single-sign to control access to your business systems, is addressed in this control objective also.
There are a few other areas to consider here. Data classification regarding which files are sensitive, incident handling, and processing third-party software. The other critical areas that these objectives cover are protecting your system from unwanted access by using firewalls, antivirus software, and guarding the access to your security system and keys. The bottom line is you need to control access to your systems and sensitive data to protect your business.
Since data is what drives business, this is really what we are trying to protect with compliance. The whole reason that SOX was enacted was to protect the company’s sensitive data. This objective has 30 control objectives. A long list of things to worry about. For the System Admins, this objective is focused on things like the security of data in transit and at rest, storage, and retention of backups. The other areas of this objective are focused on defining and implementing process controls for data.
Believe it or not, there are control objectives focused on Media Library Management. Not only do you have to maintain the integrity of the media, but you also have defined responsibility for the management of the library and the media. We highly recommend that companies test their restore, it’s also a control objective. Offsite storage of backups is required.
How do you address compliance?
Compliance is not something you do all in one step. I’m sure I missed a few of the objectives that relate to IBM i Systems Administration. That’s ok. Just like it’s ok if you have compliance requirements and you haven’t implemented all of the controls.
The Auditors want to see that you can identify where you have gaps and make improvements over time to ensure that your data is protected. You know what they say, “How do you eat an elephant?” “One bite at a time.” This is how you should approach your compliance efforts. Focus on fixing one thing at a time with a plan for the future. Prioritize your top security concerns and approach them one at a time. Identify the low-hanging fruit and make small continuous improvements.
If you’re not sure where to start, we can help. We offer a security assessment that will detail the current state of your IBM i security and we provide a list of recommendations for improvement. Even better, we have the experience, knowledge, and know-how to help you remediate your security risks.
More from this month:
- System Environment Variables for Controlling QNTC Behavior
- Changing Your IBM Business Partner
- Load and Stress Testing for Security Concerns
- IBM i Security Resource Page
- iTech iTip Videos
- Sips & Tricks: Coffee with iTech
- iBasics: IBM i Education for the Beginner System Administrator
- Upcoming Events
- IBM i, FSP, and HMC release levels and PTFs (April 2021)