Carol Woodbury: iSeries Security & Compliance

Key's February Webinar featured Carol Woodbury, co-founder of SkyView Partners. Woodbury addressed critical issues in i5/iSeries and AS/400 security and how they can affect compliance with new regulatory requirements. During this Web-based seminar, Woodbury and Jason Rubenstein of LifeCare Assurance Company discussed how to assess security and compliance risks and how to put proper controls in place to ensure a robust security environment that meets compliance regulations. Woodbury presented material on how to decide whether to fix security and compliance exposures now, accept the risk, or plan for later remediation. Throughout, guidance on proactively preparing for compliance with HIPAA, Sarbanes-Oxley, GLBA, SB-1386, Visa CISP and other regulations was emphasized.

Topics covered in this Key Webinar included:

  • The importance and value of security for the enterprise
  • How to determine security risks/exposure
  • Whether to fix problems now, delay or plan for later remediation
  • How to prevent new exposures & eliminate recurrence of past exposures
  • How security affects compliance readiness

Carol Woodbury
As a 10-year chief security architect and development manager for security at IBM's Rochester Labs, subject matter expert on security for COMMON and a worldwide expert in iSeries security, Carol Woodbury is knowledgeable about iSeries security and how it affects, and is affected by, the increasing number of rules published by regulatory agencies. During her presentation, Woodbury described the data and information assets that need to be protected, who should be accessing these assets and how best to protect them. One reason that security has become an even more critical issue is that it bears directly on compliance with new regulations, including HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley (SOX), SB 1386 and Visa CISP. In the case of SOX, there is no specific guidance in the regulations that calls out security requirements; it is largely up to the auditor to determine whether compliance with SOX is adequate (hence the importance of working with auditors in this area).

It is important not to consider only the immediate data security of an installation, but to assess security across the entire system to gain a broad-spectrum view of the condition of your security. Once you have identified security issues that need attention, you can sort each one into one of three categories: (1) fix it now, (2) accept the risk for now, or (3) develop a work plan to address it in the future. Woodbury stressed the importance of identifying security issues yourself and of reporting them to your auditor: never leave them for your auditor to discover.

To gain a clear understanding of your security issues throughout your i5/iSeries and AS/400 servers, it's best to conduct regular security check-ups and regularly examine your security configuration. Be sure to look at your entire security configuration to verify that no changes have been made that might go against your security policies.

SkyView, the company co-founded by Woodbury, offers a product called Risk Assessor that provides intensive check-ups of i5/iSeries and AS/400 servers under OS/400 and i5/OS. The reports produced by Risk Assessor, coupled with the evaluation of these reports by both SkyView's and Key's security specialists, result in the presentation of a complete security plan with an executive summary that specifically covers the installation's security situation and recommended actions.

Woodbury reported, "When you think of compliance as it relates to security, the first thing you have to do is determine what you have to be in compliance with--is it one of the many oversight laws and regulations on the books today such as HIPAA (Health Insurance Portability and Accountability Act) or SOX (Sarbanes-Oxley Act)? Perhaps you are storing card-holder (credit card) information so you have to comply with the PCI (payment card industry) security requirements. Perhaps you simply have to comply with your company's security policies and procedures. Once you determine what you have to comply with, then you can determine what the requirements for compliance must be," she continued.

Once you understand your compliance requirements, you need to determine where your exposures lie within your system. It does no good to lock down a database file containing HR data if utilities exist that provide direct access to that data, or if users hold too much authority or capability. To determine whether exposures exist in your configuration, you need to run a security assessment. This assessment will provide you with the information you need to understand what your security issues are and what you need to do to address them.

SkyView Risk Assessor for OS/400 and i5/OS provides you with an assessment of your OS/400 or i5/OS security configuration. You can use this analysis to understand what issues need to be addressed to meet the compliance requirements facing your business. Risk Assessor provides a comprehensive analysis of the security configuration across your system and describes the issues it finds as well as why they constitute an issue. This is important: only then can you determine, from your specific business requirements and needs, which issues you are going to fix now, which you are going to accept as a business risk, and which you are going to remediate in the future. Risk Assessor also provides recommendations on where to start remediating the issues.

Compliance is more than just taking someone's word that you are following all the rules. Compliance means meeting a set of criteria. That usually implies testing - often rigorous testing - to ensure full compliance. To satisfy the compliance issue of regularly monitoring your security configuration, you can run SkyView Risk Assessor on a regular basis to determine if new issues have arisen or old issues have crept back into the operating system.
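The practice described above (assess the whole configuration, not just one file; look for users with too much authority; re-check regularly so that old issues do not creep back; then sort each finding into fix now, accept for now, or plan for later) can be automated in a small way. The following is an added example, not code from the webinar, Key, or SkyView's Risk Assessor. It compares a constructed baseline snapshot of an i5/OS-style security configuration against a constructed current snapshot, flags drift in system values, flags profiles holding broad special authorities that are not on an allow list, and buckets the findings. The snapshot layout, the allow list, and the triage policy are all assumptions for illustration; the system value names and special authority names are the real i5/OS ones but the values are made up.

```python
# Added example: detect drift between a baseline security configuration
# snapshot and the current one, then triage findings into fix / accept / plan.
# Snapshot layout and sample values are constructed; this is not Risk Assessor.

# Constructed baseline: what the configuration looked like when last reviewed.
BASELINE = {
    "system_values": {"QSECURITY": "40", "QPWDMINLEN": "8", "QMAXSIGN": "3"},
    "users": {
        "QSECOFR": {"special_authorities": {"*ALLOBJ", "*SECADM"}},
        "HRAPP": {"special_authorities": set()},
        "JDOE": {"special_authorities": set()},
    },
}

# Constructed current snapshot: security level lowered, sign-on attempts
# uncapped, the HR application profile granted *ALLOBJ, and a new profile.
CURRENT_SNAPSHOT = {
    "system_values": {"QSECURITY": "30", "QPWDMINLEN": "8", "QMAXSIGN": "*NOMAX"},
    "users": {
        "QSECOFR": {"special_authorities": {"*ALLOBJ", "*SECADM"}},
        "HRAPP": {"special_authorities": {"*ALLOBJ"}},
        "JDOE": {"special_authorities": set()},
        "TEMP1": {"special_authorities": {"*SECADM"}},
    },
}

# Special authorities that give broad access regardless of object authority.
BROAD_AUTHORITIES = {"*ALLOBJ", "*SECADM"}
# Assumed allow list: profiles expected to hold broad authority.
ALLOWED_BROAD = {"QSECOFR"}
# Assumed policy: findings the business has consciously accepted for now.
ACCEPTED_FOR_NOW = {("system_value", "QMAXSIGN")}


def system_value_drift(baseline, current):
    """Return (name, baseline_value, current_value) for each changed system value."""
    drift = []
    for name, old in baseline["system_values"].items():
        new = current["system_values"].get(name)
        if new != old:
            drift.append((name, old, new))
    return drift


def excessive_authority(snapshot):
    """Return (profile, [broad authorities]) for profiles outside the allow list."""
    hits = []
    for name, profile in sorted(snapshot["users"].items()):
        broad = profile["special_authorities"] & BROAD_AUTHORITIES
        if broad and name not in ALLOWED_BROAD:
            hits.append((name, sorted(broad)))
    return hits


def new_users(baseline, current):
    """Profiles present now that were not in the baseline."""
    return sorted(set(current["users"]) - set(baseline["users"]))


def triage(findings):
    """Bucket (kind, key, detail) findings by the constructed policy:
    accepted items go to 'accept'; broad authority or a lowered security
    level is fixed now; everything else is planned for later."""
    buckets = {"fix": [], "accept": [], "plan": []}
    for kind, key, detail in findings:
        if (kind, key) in ACCEPTED_FOR_NOW:
            buckets["accept"].append((kind, key, detail))
        elif kind == "authority" or key == "QSECURITY":
            buckets["fix"].append((kind, key, detail))
        else:
            buckets["plan"].append((kind, key, detail))
    return buckets


def assess(baseline, current):
    """Run every check and return the triaged findings."""
    findings = []
    for name, old, new in system_value_drift(baseline, current):
        findings.append(("system_value", name, f"{old} -> {new}"))
    for name, broad in excessive_authority(current):
        findings.append(("authority", name, ",".join(broad)))
    for name in new_users(baseline, current):
        findings.append(("new_user", name, "not in baseline"))
    return triage(findings)


if __name__ == "__main__":
    for bucket, items in assess(BASELINE, CURRENT_SNAPSHOT).items():
        print(f"{bucket}:")
        for kind, key, detail in items:
            print(f"  {kind:13} {key:10} {detail}")
```

Running it against the constructed snapshots puts the lowered QSECURITY level and the two profiles with broad authority in the fix bucket, the uncapped QMAXSIGN in the accept bucket (because the policy says so), and the new profile in the plan bucket. The point is the shape of the check, not the values: the baseline is what you reviewed last time, so re-running this on a schedule is what catches an old issue that has crept back.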

During the Webinar, attendees were asked how often they checked their OS/400 security. The responses were:

  • Never: 11%
  • Once a year: 22%
  • Two to four times a year: 43%
  • More than four times a year: 22%

User Report from Jason Rubenstein of LifeCare Assurance Company
Jason Rubenstein, infrastructure database architect for LifeCare Assurance Company, headquartered in Woodland Hills, CA, discussed his experience using Risk Assessor. LifeCare needed to develop its own security assessment and management process to meet a HIPAA security deadline falling this month. Once they loaded and evaluated Risk Assessor, Rubenstein's team decided it was the most thorough of the solutions they evaluated. They found Risk Assessor easy to install and use. They currently run Risk Assessor monthly to check for adherence to specifically targeted security standards. The major benefits that accrued from using Risk Assessor are the time saved in security maintenance and the prevention of hacking into their iSeries 810. Rubenstein reported that Risk Assessor is a great tool but it is not a teacher, and he urged users to read the Risk Assessor Assessment Guide carefully. He reported that Risk Assessor had been a time-saver in collecting information about security and in avoiding the need to develop custom programs. He also said the reports generated by Risk Assessor were highly credible to LifeCare's auditors.

Terry Boulais - Key's Risk Assessor Offer
Terry Boulais, Key's director of business development, described Key's Risk Assessor offer. A 10 percent discount is available on Risk Assessor software. Software pricing is processor-based. Also, a service package is included for $4,500, covering data collection, analysis of the collected security data, and presentation of a customized security plan. This offer extends through April 30, 2005.

For an archived recording of this and all past KEY Webinars, go to: http://www.keyinfo.com/resources/web_arch.htm.