SkyView Adds PCI Checks to Risk Assessment Tool

April 14, 2009 Alex Woodie

SkyView Partners this week will begin delivery of a new release of its SkyView Risk Assessor product that includes new checks for the Payment Cardholder Industry Data Security Standard (PCI DSS) requirements. By comparing a System i shop’s security settings against the PCI standards, the tool can make the difference between the company passing a PCI audit and continuing to process credit card transactions, or failing an audit and paying thousands of dollars in fees–or worse.

It’s been almost four years since the PCI standards went into effect. Since then, several high-profile cases of mass identify theft, such as the one at TJX, have rocked the retail world and given retailers newfound incentive to get off their duffs and make sure their IT security systems are up to snuff. While some people question whether PCI DSS is the best path to security–several PCI-compliant retailers have been hacked, for example–it remains as the industry’s current best hope for ensuring the security of cardholder data. (Without it, consumers may start to worry about using their credit cards, which would just make the recession even worse.)

With a decent following among retailers, the System i server has come head to head with PCI requirements at a number of locations. But because the PCI requirements were written from the point of view of a Windows or Unix administrator, it can take a System i administrator some time to get used to the different terminologies. A tool or automated guide can make it easier to get on the road to PCI compliance, and this is what SkyView is aiming to do with the new version of Risk Assessor that ships April 17.

“A large percentage of our customer base is dealing with PCI requirements,” Carol Woodbury, president of SkyView Partners and the i OS platform’s former security architect while working at IBM, says in a press release. “With this new release of Risk Assessor we’re including PCI ‘considerations’ when we make recommendations on the various security settings.”

One of the PCI DSS requirements calls for a company to “assure the confidentiality of data,” Woodbury says. This could have an impact in several areas of i OS security, including what security level you have set the QSECURITY setting to, or the use of encryption. After analyzing system settings, Risk Assessor will explain the ramifications of this PCI requirement, and make recommendations on what settings to change to comply with that particular requirement.

“This sort of documentation will help auditors better understand the IBM i and system administrators to better explain details to the auditors,” Woodbury says. “All in all this will help save everyone’s time in the risk assessment portion of a security audit.”

SkyView first shipped Risk Assessor back in 2003 as a way to provide iSeries shops with the same kind of security expertise and insight they would obtain with an on-sight assessment by Woodbury, but without incurring the expense of flying, housing, and feeding the renown i OS security expert. Some jokingly called it “Carol in a box.”

Today, Risk Assessor analyzes more than 100 “risk points” on the i OS system, including object authorities, user profiles, system values, authorization lists, exit programs, and other security settings. Once the information is gathered, the tool generates an analysis (called an “assessment guide”) that tells the user why an issue it found was raised as a security concern, what things should be considered before making any changes, and how a user could approach “fixing” the issues that are found, the company says. These recommendations can be tailored for several “best practice” levels, such as PCI, SOX, or a more stringent custom security policy adopted by a customer.

The new release of Risk Assessor also brings the capability to e-mail reports and “assessment guides” directly from the System i server. This feature was requested from existing customers, SkyView says.

“Our goal is to continually improve our products to help our customers cut down the amount of time spent on all the duties that fall under compliance,” Woodbury says. “Performing regular risk assessments is just one of those duties and Risk Assessor is the right tool for that job.”