PowerTech Translates SOX Requirements Into iSeries Terms

OS/400 shops preparing for Sarbanes-Oxley Act audits can find some help in a new release of PowerLock SecurityAudit unveiled by The PowerTech Group last week. With SecurityAudit 2.0, PowerTech is including a new AuditAdvisor function that encapsulates the knowledge of the company’s OS/400 security experts, as well as COBIT and ISO standards, and helps generate the required SOX reports. The company is also making it easier to configure security on multiple iSeries with new releases of its NetworkSecurity and CentralAdmin products.

One of the most common complaints that companies have voiced about SOX compliance over the past three years is the lack of concrete guidelines from the federal government when it comes to IT processes. With imprisonment of C-level executives a possibility for companies found grossly out of compliance, it’s no wonder companies have sought expert SOX advice from the outside.

Much of this expert outside help is coming from the Big 4 accounting firms (which used to be the Big 5, until Arthur Andersen got all mixed up in Enron’s mess, which led to the call for a SOX-type regulation in the first place). Two of the key standards of measurements that these accounting firms are using when it comes to securing computer systems for SOX compliance are Control Objectives for Information and related Technology (COBIT) and ISO-17799, says Brendan Patterson, director of product management at PowerTech, which is based in Kent, Washington.

iSeries-to-COBIT-and-ISO Translation

OS/400 shops can see how their security settings stack up against COBIT and ISO-17799 standards through a combination of SecurityAudit 2.0 and the new AuditAdvisor tool, which is an online tool that is accessible by PowerTech customers through the PowerTech Web site. This reckoning between the COBIT and ISO-17799 requirements and OS/400 security settings was performed by PowerTech’s team of OS/400 security experts, including John Earl and Dan Riehl. Riehl is Power Tech’s director of services and Earl is chief technical officer and vice president.

“COBIT is for IT general. It doesn’t say anything about iSeries. What we’ve done is mapped what that means into iSeries security settings,” Patterson says. “We’ve captured a lot of the iSeries security knowledge in house, and made it available as a guide we provide to our customer.”

AuditAdvisor provides a comprehensive accounting of OS/400 security settings and their relative importance to meeting COBIT and ISO-17799 recommendations (and thereby going a long way to complying with SOX). AuditAdvisor provides recommendations for the full spectrum of iSeries security settings, including security system values, user profile settings, library authority settings, and more. Under the user profile heading, for example, it lists specific things to look for in regard to special authorities, command line access, group profiles, expired and weak passwords, inactive profiles, and invalid sign-on attempts.

SOX has been a big driver for PowerTech’s business, as it has for ISVs in related fields, like change management and high availability. But customers can also benefit, Patterson says. “It is good for customers if it helps them tighten up their process and implement good procedures,” he says. “Some companies are happy regulations have given them the impetus to implement some changes they knew they needed to make, but couldn’t get management’s attention to implement.”

But at the same time, SOX is just one of a swarm of new regulations that IT shops are burdened with supporting–which means reams and reams of paperwork and the mind-dulling side-affect that often accompanies it. “It’s not just SOX, but there are others, and it seems like there’s a new one all the time,” Patterson says. “HIPAA went into effect in April. The Visa CISP took effect in June. I just saw something in Canada, passing some sort of SOX requirement. And there’s a similar one in the UK. The regulations seem to be coming thick and fast.”

Time to Lock Down Your Server

OS/400 shops should implement good security protections to gain the blessing of the federal government. But they should also do it because it makes good business sense, and because protecting information about customers is important.

There is documentation that Asian organized crime syndicates are increasingly using the Internet to do their work, and there has been at least one hacker announcing his intention to break OS/400 security. Since the OS/400 server typically holds the most valuable information at companies that use it, this should be a wake-up call for OS/400 shops to stop being complacent with OS/400 security, to understand that SOX, COBIT, HIPAA, et al. are just stepping stones to a thorough and multi-faceted security policy, and–most importantly–to lock down their access points and other areas of vulnerability, and to do it right now. As the recent disaster along the Gulf Coast shows, government mandates are of little value when your front door has been ripped off its hinges.

Good iSeries administrators can configure OS/400 security settings manually, of course. For those buried in paperwork or for those that want a tool to make it faster and easier to lock down the server’s exit points, PowerTech provides PowerLock NetworkSecurity. With NetworkSecurity 5.0, also announced last week, PowerTech has made enhancements in the areas of reporting, configuring multi-server setups, and ease-of-use.

The capability to apply rules globally across a network of OS/400 servers in NetworkSecurity 5.0 will make it much easier to change security settings within larger companies with multiple iSeries. For example, if an administrator needs to provide Jane in accounting with access to FTP on the OS/400 (one of the server’s vulnerable spots if not properly protected), and to do so after the initial configuration, the administrator can grant her FTP access to multiple OS/400 servers, instead of configuring each one by hand.

This release also brings the capability to output NetworkSecurity reports in Microsoft Excel format. Once the report data is in Excel, any spreadsheet junky can whip up colorful and easy-to-read graphs in no time. PowerTech even supplies Excel templates to accelerate this process.

To complete the product trifecta, PowerTech unveiled PowerLock CentralAdmin 2.0. As its name suggests, CentralAdmin provides centralized administration for multiple OS/400 servers. It works with both NetworkSecurity and SecurityAudit in various means, including the propagation of new global rules in NetworkSecurity (described above) and running audit reports off multiple iSeries servers through SecurityAudit. Version 2 brings the capability to handle product licensing for multiple machines from a single location, as well as new centralized reporting features, the company says.

CentralAdmin 2.0 is still in beta, with availability expected at the end of September. NetworkSecurity 5.0 and SecurityAudit 2.0 are available now.

The PowerLock family of products supports OS/400 V5R1 and later versions. Licenses for NetworkSecurity are processor tier-based and range from $2,800 to $15,200, which allows a customer to install the software in a single partition; an additional fee of $1,000 or more is required for additional partitions. SecurityAudit has similar pricing. Adding the PowerLock CentralAdmin capability costs $1,500 per partition. For more information, visit www.powertech.com.