![Page 1: Pass SOX security audits and Improve XA security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services belinda.daub@cistech.net](https://reader035.vdocuments.site/reader035/viewer/2022081501/56649e795503460f94b78b48/html5/thumbnails/1.jpg)
Pass SOX security audits and Improve XA security
CISTECH Security Solutions
Belinda Daub, Senior Consultant Technical Services
belinda.daub@cistech.net
704-814-0004

Agenda
1. Introduction to Enhanced Security
2. Implementing a Security Model
3. Advanced Analysis and Testing
4. Auditing and Reporting
5. Prerequisites
6. Coming Enhancements
7. Related Security Services

Enhanced Security for XA
Why is it necessary?
• SOX requirement for public companies
  – Documented security policy
  – Documented procedures
  – Formal approval for security rights to be assigned
  – Regular auditing and monitoring
• Private companies
  – Are also addressing these requirements
  – Protects investors, employees, community

Enhanced Security for XA
Why is it necessary?
• CAS security
  – Green-screen interface
  – Difficult to determine how a user has access to tasks
  – Reports are massive
  – No auditing capability
  – Risk to productivity when policy changes are made

Enhanced Security for XA
How can it help?
• Add-on application written using Integrator
• Implemented by environment
• Three components:
  – Security modeling and planning
  – Advanced analysis and testing
  – Routine auditing and reporting

Add-on Application using Integrator
Power and flexibility of the XA client architecture:
– Create views and subsets
– Export to Excel

Implemented by environment
• Install in each environment
• Manage users for separate environments
• Includes all CAS tasks (if assigned to an area)
• Auditing for each environment

Enhanced Security Application Card
• Security Model: create and finalize a new security model
• Security Audits: review security changes for validity or breaches
• Current Environment: view security and user authorities in the current environment

Security Modeling and Planning
• Provides for implementation of a new plan
  – Import users, groups, areas, and tasks from CAS files
  – Decide what you want to lock
  – Create groups and authorize them to tasks
  – Assign users to groups
  – View current and planned authorities for users
Note: this is all done in the model, not the live environment.

1. Import Security Components
• Import from the current environment:
  – Users
  – Groups
  – Areas and tasks
  – Group authorities
  – Private authorities
You don't have to start from scratch!

2. Decide what you want to lock
• Subsets
  – Unlocked
  – Application
  – Type
• Mass Change
• Model Template
It's easy!

3. Create groups and assign to tasks
• Subsets
• Views
• Mass Change
• R7
  – Quick Change
  – Append subsets
• Model Template
Piece of cake!

4. Assign users to groups
• Validation
• Subsets
  – User groups
  – Group members
• Templates
• Return-to-create
Your model is almost ready!

5. View authorities for users
Current and planned authorities
A. User being reviewed
B. Tasks the user is granted
C. How access was granted:
  • Private (user id)
  • Group (group id)
  • Not locked (blank)

Advanced Analysis and Testing
• View tasks the user will no longer have access to
• View tasks the user could not do before
• Final adjustments to the model
• Export files to a test environment for user testing and acceptance
Benefits
– Reduce the risk of affecting user productivity at go-live
– Resolve issues quickly after the plan is implemented

Advanced Analysis
Rights Revoked:
If users need any of these rights to do their jobs, they will be adversely affected when the plan is implemented.
Enhanced Security lets you make sure this won't happen.

Advanced Analysis
Rights Granted:
SOX controls require that all access be reviewed by the authorizing manager.
With Enhanced Security, you can export user rights to standard forms for management approval.

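Added example, not code from the deck or from CISTECH or Infor: a small Python model of the authority view on the "View authorities for users" slide (source shown as user id, group id, or blank for an unlocked task) and of the rights-revoked / rights-granted comparison on the Advanced Analysis slides. The data layout, task ids (POCREATE, APCHECK, ...), user ids and group ids are constructed assumptions; no real CAS security file is read.

```python
"""Added illustration: resolve how a user gets each XA/CAS task and diff current vs planned.

Assumed (constructed) data layout; not CISTECH Enhanced Security or Infor CAS file formats.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class SecurityModel:
    tasks: set[str]                    # every CAS task imported from the area(s) being secured
    locked: set[str]                   # tasks that are locked; an unlocked task is open to all users
    group_auth: dict[str, set[str]]    # group id -> tasks authorized to that group
    private_auth: dict[str, set[str]]  # user id  -> tasks granted privately to that user
    members: dict[str, set[str]]       # user id  -> groups the user belongs to


def effective_authority(model: SecurityModel, user: str) -> dict[str, str]:
    """Map each task the user can run to how access was granted.

    Source codes follow the slide: the user id for a private authority, the group id
    for an authority inherited through a group, blank for a task that is not locked.
    A private grant is reported ahead of a group grant so the most direct path shows.
    """
    granted: dict[str, str] = {}
    for task in sorted(model.tasks):
        if task not in model.locked:
            granted[task] = ""              # not locked: everyone has it, no source to show
        elif task in model.private_auth.get(user, set()):
            granted[task] = user            # private authority
        else:
            for group in sorted(model.members.get(user, set())):
                if task in model.group_auth.get(group, set()):
                    granted[task] = group   # group authority (first matching group by name)
                    break
    return granted


def rights_diff(current: SecurityModel, planned: SecurityModel, user: str) -> tuple[list[str], list[str]]:
    """(revoked, granted): tasks the user loses and gains when the planned model goes live."""
    now = set(effective_authority(current, user))
    later = set(effective_authority(planned, user))
    return sorted(now - later), sorted(later - now)


# Constructed sample: today only AP check printing is locked (held privately by JSMITH);
# the planned model locks purchasing and AP tasks behind groups instead.
TASKS = {"POCREATE", "POAPPROVE", "APCHECK", "APINQ", "INVINQ"}
CURRENT = SecurityModel(
    tasks=TASKS,
    locked={"APCHECK"},
    group_auth={},
    private_auth={"JSMITH": {"APCHECK"}},
    members={"JSMITH": set(), "AKHAN": set()},
)
PLANNED = SecurityModel(
    tasks=TASKS,
    locked={"POCREATE", "POAPPROVE", "APCHECK"},
    group_auth={"PURCH": {"POCREATE"}, "PURCHMGR": {"POAPPROVE"}, "AP": {"APCHECK"}},
    private_auth={},
    members={"JSMITH": {"PURCH"}, "AKHAN": {"AP", "PURCHMGR"}},
)

if __name__ == "__main__":
    for user in ("JSMITH", "AKHAN"):
        revoked, granted = rights_diff(CURRENT, PLANNED, user)
        print(f"{user}: revoked={revoked} granted={granted}")
        for task, source in effective_authority(PLANNED, user).items():
            print(f"  {task:<10} via {source or '(not locked)'}")
```

Running it shows why the revoked list matters before go-live: JSMITH loses APCHECK and POAPPROVE because the planned model locks them and the PURCH group carries neither, while AKHAN gains APCHECK through the AP group. Those two lists are what the test users and the authorizing manager sign off on.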
Testing
Testing is critical to ensure users are not affected by the new plan.
• Users from every group
• Formal test plan
Enhanced Security provides an export process for moving user rights from the model to an XA environment on the same or a different iSeries.
• Validation stamps generated
• No re-keying

Security Auditing and Reporting
SOX requires regular review of changes to security authorizations.
Enhanced Security provides:
• Detailed transaction history
• Security change audit
• Conflicting task authorities
• Regular audit reports

Routine Auditing and Reporting
• Freeze the plan
  – Saves an image of the model
  – Triggers are activated on the XA security files
  – Changes in user rights begin to be written to a transaction file

Detailed Transaction History
• Customize views, subsets, and sorts
• View or host print
• Determine how a user has gained access to a task
• Quickly identify the area(s) where changes need to be made

Security Change Audits
• Net changes only (compared to the last run, or to when the model was frozen)
• Navigate to the detailed transactions that resulted in the change
• View or print report

Regular Reporting – Scheduled Job
• Schedule regular auditor reports
• Set audit options

Security Audit Report
Summarize authority granted to users for the reporting period:
• From the last run date (monthly changes)
• From the date that the plan was frozen

Security Audit Reports: High-Risk Authority Conflicts
Users who have authority for tasks that your SOX segregation-of-duties controls define as conflicting, for example:
• Create a purchase order
• Generate an AP check

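Added example, not part of the original deck and not CISTECH's code: the net-change audit described on the Security Change Audits slide (a grant that is revoked again inside the period nets to nothing, while the detailed history still shows both transactions) and the high-risk conflict check from this slide, run over a constructed user-rights transaction history of the kind the triggers would write after the plan is frozen. The record layout, task ids, profile names and dates are assumptions; no real XA trigger output or transaction file format is modelled.

```python
"""Added illustration: net-change security audit from a user-rights transaction history,
with drill-down to the supporting transactions and a high-risk authority conflict check.

Record layout, task ids and dates are constructed assumptions, not the real XA trigger
output or the Enhanced Security transaction file.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RightChange:
    seq: int          # transaction sequence number written by the trigger
    when: date
    user: str
    task: str
    action: str       # "GRANT" or "REVOKE"
    via: str          # user id (private), group id, or "" (task unlocked)
    changed_by: str   # profile that made the change


def replay(snapshot: dict[str, set[str]], history: list[RightChange], since: date) -> dict[str, set[str]]:
    """Apply every transaction dated on or after `since` to a copy of the frozen snapshot."""
    rights = {user: set(tasks) for user, tasks in snapshot.items()}
    for rec in sorted((r for r in history if r.when >= since), key=lambda r: r.seq):
        bucket = rights.setdefault(rec.user, set())
        if rec.action == "GRANT":
            bucket.add(rec.task)
        elif rec.action == "REVOKE":
            bucket.discard(rec.task)
        else:
            raise ValueError(f"transaction {rec.seq}: unknown action {rec.action!r}")
    return rights


def net_changes(snapshot: dict[str, set[str]], history: list[RightChange],
                since: date) -> dict[str, tuple[list[str], list[str]]]:
    """{user: (granted, revoked)} relative to the snapshot. A grant that was revoked again
    inside the period nets to nothing and is left out, as on the Security Change Audit."""
    current = replay(snapshot, history, since)
    result: dict[str, tuple[list[str], list[str]]] = {}
    for user in sorted(set(snapshot) | set(current)):
        before, after = snapshot.get(user, set()), current.get(user, set())
        granted, revoked = sorted(after - before), sorted(before - after)
        if granted or revoked:
            result[user] = (granted, revoked)
    return result


def supporting_transactions(history: list[RightChange], user: str, task: str,
                            since: date) -> list[RightChange]:
    """Detailed transactions behind one user/task in sequence order (the drill-down)."""
    return sorted((r for r in history if r.user == user and r.task == task and r.when >= since),
                  key=lambda r: r.seq)


# Task pairs treated as a segregation-of-duties conflict. The deck's example is creating
# a purchase order and generating an AP check; extend the list from your control matrix.
CONFLICTS = [frozenset({"POCREATE", "APCHECK"})]


def conflicting_users(rights: dict[str, set[str]]) -> list[tuple[str, tuple[str, ...]]]:
    """Users holding every task of a conflicting pair."""
    return [(user, tuple(sorted(pair)))
            for user, tasks in sorted(rights.items())
            for pair in CONFLICTS if pair <= tasks]


# Constructed sample: model frozen on 31 Jan; the triggers write transactions afterwards.
FROZEN_ON = date(2005, 1, 31)
FROZEN = {
    "JSMITH": {"POCREATE", "APINQ"},
    "AKHAN": {"APCHECK", "APINQ"},
    "BLEE": {"INVINQ"},
}
HISTORY = [
    RightChange(1, date(2005, 2, 1), "JSMITH", "INVINQ", "GRANT", "JSMITH", "QSECOFR"),
    RightChange(2, date(2005, 2, 3), "JSMITH", "APCHECK", "GRANT", "JSMITH", "QSECOFR"),  # creates a conflict
    RightChange(3, date(2005, 2, 10), "BLEE", "POCREATE", "GRANT", "PURCH", "MGR1"),
    RightChange(4, date(2005, 2, 12), "BLEE", "POCREATE", "REVOKE", "PURCH", "MGR1"),     # nets to zero
    RightChange(5, date(2005, 2, 15), "AKHAN", "APINQ", "REVOKE", "AP", "MGR2"),
]

if __name__ == "__main__":
    for user, (granted, revoked) in net_changes(FROZEN, HISTORY, FROZEN_ON).items():
        print(f"{user}: +{granted} -{revoked}")
    for user, pair in conflicting_users(replay(FROZEN, HISTORY, FROZEN_ON)):
        print(f"CONFLICT {user}: holds {pair}")
    for r in supporting_transactions(HISTORY, "BLEE", "POCREATE", FROZEN_ON):
        print(f"  detail seq={r.seq} {r.when} {r.action} {r.task} via {r.via} by {r.changed_by}")
```

BLEE does not appear on the net-change report because the grant on 10 Feb was reversed on 12 Feb, yet both transactions are still there for the drill-down; an auditor who only reads the net report would miss a two-day window of purchasing access. JSMITH's APCHECK grant is the kind of change the conflict report is for: a privately granted task that, combined with an existing POCREATE authority, puts one person on both sides of the purchase-to-pay flow.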
Coming Enhancements
• IFM security
• iSeries user security
• CAS security maintenance
• XA menu inquiry (where tasks are used)

Prerequisites
• Integrator (R6 or R7)
  – R6 requires new business objects to be created at installation
• OS V5R1 or higher
• All functions to be secured must be set up in CAS as tasks and assigned to an area

And the cost for ES…
Enhanced Security License
  – <P30: $6,500
  – P30+: $9,500
Implementation and Training
  – R6 (3 days) *: $3,600
  – R7 (2 days): $2,400
Annual License Fees: none

Interested?
• Conference call and demo to address your specific areas of interest
• Purchase the software and schedule implementation and training
• Start with a Security Audit
• Select other related services to help you meet your SOX requirements

CISTECH Security Services
Security Audit
• Objective review of your iSeries and XA security configuration
• Typically 2 to 3 days (single XA environment)
• Review security settings
  – iSeries security configuration
  – iSeries user profiles and environment access
  – XA profiles and task authorities
• Risk assessment and recommendations (deliverable)
• Typical results
  – Estimate that 80% of companies need some improvement in security
  – Security policy not sufficient to prevent unauthorized access to the system
  – XA security configuration is not optimized

Related Security Services
• Security planning assistance
  – XA security policy
  – iSeries security policy
  – Documented plan and procedures
  – Change management and environment standards for customizations

Thank you!
Questions?