Hi everyone!
As hard as it is to believe, today is already the last day of school for my two children, Jordan and Sydney. Another academic year down, and a summer vacation about to begin. At this point, both kids have no real plan for what the summer will hold, but that isn’t going to stop them racing into their highly anticipated time off!
Their enthusiasm, despite the lack of a solid game plan, started me thinking about how many people start a security project with similar gusto, but also without any real direction on where to begin (or end). Not only can this be expensive, but it is also likely to be an inefficient use of skilled resources, and will lead to frustration and possibly even abandonment of the project as being “too complicated.” As such, I thought I would share one way that I have seen customers successfully embark on such a project.
As with any project, the first step is to establish the project goal or objective. In a security project, the objective is usually to become secure or to become compliant. If you are a frequent reader of the PowerTech blog, you will know that these two objectives are not necessarily the same, but are terms that are often used interchangeably. From there, identify the tasks needed to achieve the objective, and then prioritize and schedule those tasks.
Okay, so back to our IBM i security project. If this is a new type of initiative for your organization, then determining the tasks, as well as the priority of the tasks, can be a daunting process. If you have ever spent any time looking at risk management, you know that you want to assign levels of risk based on the likelihood of an event occurring, in conjunction with the cost and effort of mitigating the exposure versus the cost of recovery if the event were to occur. High-risk items should be mitigated first. Low-risk items should be mitigated last, or perhaps not at all if the risk is considered acceptable.
One of the best ways to identify the tasks is with a formal review of your IBM i environment. PowerTech has two popular offerings to assist with this process:
Security Assessment Tool
We have devised an automated assessment tool that performs a high-level review of six key security-related metrics on IBM i. The assessment findings are presented instantly to your team via a rich browser-based application, and a comparison is made to common best-practice standards to provide direction on mitigation. PowerTech provides access to the tool for 7 days, plus a security specialist to help interpret the findings, all at no charge for the first partition.
Security Assessment Service
After using the automated tool, perhaps a “deep dive” review is deemed necessary. This fee-based offering can be customized to your own business requirements, but is typically a five-day engagement involving a security specialist performing a comprehensive review of the IBM i configuration. The resulting report details a prioritized list of concerns, along with background information on why an item is a concern.
Now that the exposures are known, it is much easier to assign the priority of the remediation tasks and to assign the costs to mitigate them. Some items, such as network access to data and applications, are among the biggest vulnerabilities we see, but they can also be among the easier high-risk items to resolve. Other concerns, such as overly powerful users, might take more planning and manual effort to mitigate.
Beyond the class-leading software solutions that PowerTech is renowned for, we can assist with virtually any task in an IBM i security project. Our security specialists have experience and expertise in mitigating risk in many areas, including system configuration and applications.
Don’t allow your enthusiasm to be dampened by the lack of a solid game plan. Starting with an assessment can prevent delaying the start of a project as important as this. After all, your application data is one of your most valuable business assets.
Drop me a line at robin.tatam@powertech.com for more information, or visit www.powertech.com.
Cheers!
- rt