IBM i Security New Year's Resolutions
By Rich Loeber
Many people, myself included, take this time of year for a little introspection. We try to see where we have problems or weaknesses and then contemplate methods and strategies to make changes. If we're serious, we'll sit down and make a list of things to do in the New Year. As the security officer for your IBM i shop, this is a good opportunity to do just that for your installation, and here's my list of some items you should consider.
- Finally take the plunge and move the security level of your system up at least one level. If you're running at level 20 (shame on you!), move to level 30. If you're at level 30, move to level 40. Take the time to plan the move and use system security auditing to check results before you make the change.
- Check your system for user profiles with permanent passwords; then change them all. This will, at least, enforce an annual change in these passwords. And, this means your personal password too!
- Review the user profiles on your system and look for people who have left the company. Make sure those profiles are disabled and their passwords have been changed to *NONE. If you can do so easily, remove the profiles.
- Review all user profiles with the *ALLOBJ special authority or *SECADM/*SECOFR user class. Verify that each profile has a valid business reason for these high-level access permissions.
- Do a full audit of all of the security-related system values on your box and make sure they are set up to enforce your company's security policies correctly.
- Audit your system backup plan and make sure that the tapes are being properly labeled and stored for quick and accurate recovery if needed.
- Check on the way your backup tapes are transported to and from your off-site storage facility to make sure they are secure in transit.
- Dust off your Disaster Recovery plan and make sure it still works. Bring it up to date, then schedule an actual test.
- Review physical security arrangements for your computer room and for all devices attached to your system. Do a walk-through and actually look at the various work locations. Check for things like passwords on post-it notes and lists of system resources. Spank a few hands (not literally) for violators. Your physical presence in the end-user's environment will go a long way towards reinforcing the importance of security.
- Resolve to review your system security audit journal on a regular basis. If you don't have it active, turn it on. If you have it turned on but never look at it, develop a review process to check for problem issues.
- If you don't have network security implemented at the exit point level on your system, commit to getting this done in the new year. Either write your own exit routines or take a look at one of the many packages available for this important area of system security. If you're new to this, take a good look at Kisco's SafeNet/i Exit Point solution.
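The three user profile items above (permanent passwords, departed users, and *ALLOBJ or *SECADM/*SECOFR profiles) can be covered in one pass with a query. This is an added example, not something from the original list; it assumes the QSYS2.USER_INFO SQL service is available on your release, and the 90-day inactivity threshold is an arbitrary choice you should adjust.

```sql
-- Added example: one-pass user profile review.
-- Assumption: QSYS2.USER_INFO is available on your IBM i release.
-- Assumption: 90 days without a sign-on marks a profile for a
--             "has this person left?" check; pick your own threshold.
SELECT authorization_name,
       status,
       user_class_name,
       special_authorities,
       previous_signon,
       -- -1 is *NOMAX: the password never expires
       CASE WHEN password_expiration_interval = -1
            THEN 'YES' ELSE 'NO' END AS permanent_password,
       -- profiles that need a documented business reason
       CASE WHEN special_authorities LIKE '%*ALLOBJ%'
              OR user_class_name IN ('*SECOFR', '*SECADM')
            THEN 'YES' ELSE 'NO' END AS high_privilege,
       -- never signed on, or not signed on within the threshold
       CASE WHEN previous_signon IS NULL
              OR previous_signon < CURRENT TIMESTAMP - 90 DAYS
            THEN 'YES' ELSE 'NO' END AS stale,
       -- still enabled and still has a password
       CASE WHEN status = '*ENABLED' AND no_password_indicator = 'NO'
            THEN 'YES' ELSE 'NO' END AS can_sign_on
  FROM qsys2.user_info
 WHERE password_expiration_interval = -1
    OR special_authorities LIKE '%*ALLOBJ%'
    OR user_class_name IN ('*SECOFR', '*SECADM')
    OR previous_signon IS NULL
    OR previous_signon < CURRENT TIMESTAMP - 90 DAYS
 ORDER BY high_privilege DESC, stale DESC, authorization_name;
```

Rows where both stale and can_sign_on are YES are the first candidates for disabling and setting the password to *NONE. The special_authorities column lists what is granted on the profile itself, so review group profiles the same way.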
If you have other items to add to the list, let me know by email. I'd love to hear about your new year's resolutions.
For me, I'm going to just resolve to lose 20 pounds this year. But then, that was my resolution last year and I'm weighing in at the same rate this year. At least things didn't get worse. Let's hope that your system security resolutions fare better.