Auditing

On the Last Day of Christmas, PowerTech gave to me …

Posted in Auditing, Security on December 22nd, 2009 by Robin

It is amazing to me that another year is already coming to an end. With the mad dash of last minute shoppers (yes, that would be me this year!), and the certainty of a white Christmas for us in much of the Midwest, it is definitely going out with a bang. In fact, although Winter officially began yesterday, the readers of this blog will know that we have been feeling it in Minneapolis for several weeks. December 21st is marked as Winter Solstice—the shortest day of the year due to the Earth’s tilt—so the good news is that summer is on its way. Ok, so I’m an eternal optimist!

In the spirit of the season, I thought I would create a last-minute holiday wish-list for the security officers that made Santa’s “good” list:

Perform an assessment

This is a good way to get the baseline metrics reviewed; identify the areas of weakness and strength so you can focus your resources where they are needed.

This one is a stocking stuffer, as PowerTech does it for free!

Create a policy

It is hard to measure your progress without a policy. You can even start with the open-source one at www.powertech.com!

Update your system values

Make sure that the server configuration reflects the directives in your security policy. After you set the correct attributes, use the policy feature of PowerTech Compliance Monitor to validate that nothing has changed with scorecard views of system value compliance.

Secure Your Borders

Internal employees are the cause of approximately 70% of data integrity events. Ensure that you don’t secure just your perimeter and leave corporate users with unrestricted network access. Any user with access to your servers should be audited and controlled. PowerTech’s Network Security provides both auditing and access control of powerful interfaces like FTP, ODBC, and remote command.

Don’t overlook your powerful users

Sure, we expect our programmers and administrators to run and maintain a system, but would we want them to have our social security numbers, bank balances, and the “skeleton key” to our corporate data? Try to reduce unnecessary assignment of special authorities, and then use a tool like PowerTech Authority Broker to facilitate on-demand access to super-users while auditing their activities.

Educate your staff

PowerTech conducts weekly online Webinars, as well as eTraining. In 2010, we are also taking some classes out on the road. Registration for the eTraining will open shortly at www.powertech.com. Get on our newsletter list while you are there and stay informed of events, as well as related security news and articles specific to IBM i.

We know that taking that first step can sometimes be a daunting one. If you are not sure how to get started, allow our team here to guide your compliance sleigh! After all, we have been doing it for years.

Happy Holidays!!

Don’t Gamble with Your Audit

Posted in Auditing on October 13th, 2009 by Robin

It’s always an eye-opening experience to speak with an auditor about the intricacies of auditing an IT environment. I respect their views, and I can only imagine how difficult it is trying to be an expert on the wide variety of technologies found in an average enterprise.

Last week, I spent a couple of days at the ISACA conference in Las Vegas, meeting and talking with auditors from around the country. While some had heard of the System i (or iSeries or AS/400), it was very evident that there weren’t any subject matter experts on hand. I was left wondering: “How can anyone receive an effective audit of a platform that IT auditors have such limited knowledge of?”

PowerTech security experts perform a healthy number of audits each year, but there are not many firms with our professional capabilities. Yet, we’re barely scratching the surface of the immense number of organizations that must maintain compliance with the seemingly endless list of regulations and legislation found throughout the world. What about the others—are they just ignoring the mandates? Or are they being subjected to questionable recommendations made from a comparison to an old checklist compiled from numerous online sources? I fear it’s probably a mix of the two!

PowerTech developed the wildly popular Compliance Assessment tool to perform a review of six major areas of vulnerability. We have made this tool available to users as a free service, and now include one-on-one time with a security expert to help interpret the findings. The auditors I talked to were extremely excited to know that there was someone out there to help make their lives easier, and to be an expert they can talk to when they encounter a System i. I’m excited and encouraged at the opportunities that brings to the PowerTech table as we continue to grow, and as we continue to service the IBM i community with world-class security solutions.

While you might not think of an IBM i-savvy auditor as a benefit, the fact that you’re talking with someone who understands real-world vulnerabilities, as well as the inherent strengths of security on the platform, adds protection to your corporate data. And the availability of a speedy tool that provides an educated view into the infrastructure makes your IBM i data even safer.

And, after all, isn’t that the purpose of a security audit in the first place?