Re: Journal Receiver Retention for SOX

[Steve Martinson <smartfamily2003@xxxxxxxxx>]

I too have been responsible for OS/400 (i5/OS) security in banking (FFIEC - 
FDIC, OTS, OCC regs) as well as in SOX-regulated industries.  The seven year 
retention policy is typically for FFIEC-regulated entities only, but if you can 
get away with retaining some tapes off site for that long, it's better to have 
it should you ever need it, than to need it and not have it!
   
  I always recommend a max 60-day online retention of QAUDJRN receivers and the 
max (7 year) retention offline.  If possible, have the security journal 
receiver save be an entirely separate operation in addition to what would get 
backed up on a system save.  That way it's easier to get to the data if you 
ever need to do some forensic reporting.  Remember too that the amount of data 
that is written to your receivers is also a function of your QAUDCTL and 
QAUDLVL settings.  If you don't already have *NOQTEMP in QAUDCTL, go ahead and 
add it (i.e. don't audit "RAM").  QAUDLVL can also have some unnecessary (or 
simply unwise) values turned on too (such as *SPLFDTA and *PRTDTA).  Finally, 
object auditing value settings contribute to the total volume written to 
security journal receivers, so be careful you don't have too many objects 
turned on for *ALL auditing.
   
  I recently did a few articles for IT Jungle on this.  Check it out if you are 
so inclined.
   
  http://www.itjungle.com/fhg/fhg020806-story02.html
   
  http://www.itjungle.com/fhg/fhg031506-story02.html
   
  http://www.itjungle.com/fhg/fhg042606-story02.html
   
  Best regards,
   
  Steven W. Martinson, CISSP, CISM
  Senior Consultant - Servique, LLC
  Cell 281.546.9836
   
  www.servique.com 
  4801 Woodway Drive, Suite 300E
  Houston, TX 77056
  "Uniquely Qualified"
   

                
---------------------------------
Do you Yahoo!?
 Everyone is raving about the  all-new Yahoo! Mail.