RE: Audit

["John Earl" <john.earl@xxxxxxxxxxxxx>]

Rob,

You're note underscores the need for an OS/400 based security policy.
As others have noted in this thread, many times the auditors don't
understand the technology, and it is virtually guaranteed that your
auditor does not understand how your business runs.  The value of a
written security policy then is that it is the contract that you (the
sysadmin, I assume) have with your enterprise on how you will secure the
system.  If you think QLMTDEVSSN should be set to '1', and the auditor
doesn't, the fact that you have it written (and signed by management) in
your policy this way and have exception language why it should be set to
a '1', obviates the need to go over it with your auditor.  It's already
been decided, it's ion the policy, and you are securing the system
according to the policy.

Using this approach, it doesn't matter what standard you're having to
comply with, your own policy describes to the organization how you will
secure the system.  If someone doesn't like the way you have something
set, they can go argue with the (already approved and signed off)
policy, but they can't argue that you are not doing your job.

An audit doesn't have to be a traumatic event.  You just have to tell
the auditors what you game plan is and demonstrate that you are
following the plan.

jte

--
John Earl
The PowerTech Group, Inc. 
Direct:  253-479-1408
Mobile: 206-669-3336
 
www.powertech.com
 

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx 
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> Sent: Tuesday, November 25, 2008 10:35 AM
> To: Midrange Systems Technical Discussion
> Subject: Audit
>
> Boss is asking me to gather data for an IT audit.  You know, 
> I would be hard pressed to find a worse waste of time.  As 
> usual, they want the list of system values.  I am sure that 
> is so they can consider it a ding if we allow a user to have 
> more than one session.  Doesn't matter if they can go to 30 
> PC's and fire up browsers and look at the data but two 5250 
> sessions is a concern.
> Then they have the usual commands they want to be secured:  
> STRSEU, UPDDTA that sort of rot.  Of course WRKQRY, RUNQRY 
> QRYFILE..., STRSQL, EDTF are not in the list.  And no mention 
> of WDSC, etc.
> And, why be concerned about the special authority of *ALLOBJ 
> when they don't check one file at all to see if you are using 
> resource security? 
> Does it matter if no one has *ALLOBJ yet *public has *all 
> authority to the list of social security numbers and everyone 
> has iSeries Access (or ftp, or ...)?
> Gee, why don't we tell them that there is no twinax that 
> leaves the locked door?  Based on the above wouldn't that 
> then constitute a secured system?
>
> Rob Berendt
> --
> Group Dekko Services, LLC
> Dept 01.073
> Dock 108
> 6928N 400E
> Kendallville, IN 46755
> http://www.dekko.com
>
> --
> This is the Midrange Systems Technical Discussion 
> (MIDRANGE-L) mailing list To post a message email: 
> MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change 
> list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, 
> please take a moment to review the archives at 
> http://archive.midrange.com/midrange-l.