When it comes to (security) compliance, the IBM System i (iSeries/AS400 etc.) can seem a daunting subject at first. Even though this system is (almost) free from the scourges affecting other platforms, such as viruses and hackers, it is still subject to rigorous scrutiny from auditors. Unlike most other platforms, a lot can be done with the standard security configurations within the operating system. But given the complexity and diversity of its objects and environment, the IBM i still demands intensive management to specify the security policies and keep them in compliance, not to mention the production and compilation of reports required by auditors.
There are several products on the market for filling in the gaps left by the operating system, such as virus scanners, audit monitors and exit-point protection used to augment security at the network level. But most IBM i users still try to configure and maintain compliance of the i5 operating system using human resources. Given the increasing rarity of real expertise and in-depth knowledge of System i, and the increased workload of the diminishing few who do have that expertise, the task of satisfying auditors that the IBM i is in compliance, and remains in compliance, has to be automated.
It was with this challenge in mind that NIBC searched the market for a solution. When NIBC found SkyView Partners' “Risk Assessor” and “Policy Minder” (sold in the Benelux by SRC Secure Solutions bv), they knew that they had found the solution to their problem. SkyView Partners was co-founded by Carol Woodbury, who for many years was the Security Architect for the AS400 at IBM. She developed Risk Assessor to provide an overview of a system's security configuration, to add her own analysis of the situation and to recommend remedial actions where needed. Policy Minder was developed later to document the security policy, to check the system's compliance with that policy and to automate its recovery when the system falls out of compliance. At the time of writing this document, Policy Minder remains a unique product. NIBC ran Risk Assessor on their iSeries and the reports produced highlighted any shortcomings in their security. It also assisted them in defining a security policy using the “in-built knowledge of Carol Woodbury” and produced reports which were immediately suitable for the audit. After the security policy configuration has been built within Policy Minder, the system can be regularly checked for compliance and, when necessary, remediation can be an automatic procedure.
Policy Minder controls a broad range of security categories on the IBM i System, including System Values, User Profiles, Library Objects and TCP servers. It has a traditional “Green Screen” interface and a graphical user interface. For more information, contact SRC Secure Solutions.