January 23, 2018 | IBM i

Data Compliance for Private Companies using IBM i

All companies face risks when it comes to their sensitive data. Even if you are not required to comply with regulations or data compliance acts such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA), it is a good idea to apply some of these standards to your business in order to protect your data. Below we identify four risks that all companies face, regardless of whether they are public or private.

Four risks companies face without data compliance standards

Data compliance can be a daunting task. There are many areas to cover, and the requirements are often vague. In addition, there is no blueprint for how to achieve compliance, which makes the task even harder to accomplish.

That said, if you are not required to comply with any particular regulatory standard, you should still put in place some basic standard-like controls to ensure that you are protecting your data as much as possible. Compliance-like controls can help avoid the following risks.

  1. Nice people, lots of damage – A well-meaning employee can do a lot of damage if they have too much authority. This could be your biggest exposure. Too many users with *ALLOBJ authority is one of the most common risks that IBM i shops are exposed to today. Limiting the number of users who have *ALLOBJ authority to only those who need it to accomplish their day-to-day activities will greatly reduce your risk. If your users are not able to accidentally corrupt the data, you will greatly improve the security of your critical data.
  2. When in Rome, comply as the Romans do – By not following some form of compliance best practices, you can limit your business opportunities without even realizing it. In some cases, companies that need to be compliant cannot do business with companies that do not also meet their compliance regulations, because they cannot risk their data being exposed by a partner. Being able to demonstrate that your data is secure according to expected standards can allow you to do business with all the companies that can help your business grow.
  3. Beware the stranger – Visitors are another risk to companies. In some cases, companies have strong physical security requirements to protect their sensitive information. This includes passing through a security checkpoint to access the grounds or the organization’s data center. Cell phones may not be allowed in secure areas, due to their camera and recording capabilities. Companies also limit visitors’ internet access and their access to data. In addition, companies often require the signing of non-disclosure agreements to ensure their sensitive data is protected.
  4. Preventing wandering data and viruses – External media devices can be a threat to sensitive data. With these devices, data can be taken offsite and shared, or a file can be manipulated and then uploaded back to the IBM i. In some cases companies don’t allow their users to use external media such as USB drives or HD cards…period. Disabling USB ports or monitoring PCs to ensure that those ports are not used seems extreme, but when compliance or competitive advantage is on the line you can’t be too careful. USB devices can also be used to carry viruses or spyware into your network, which is yet another reason to severely limit their usage.

No one wants to be infamous for having had a data breach. We hear about data breaches on the news all the time. When we do, it affects how we perceive those companies, especially if we do business with them. Do you want to risk being on the nightly news regarding a data breach? Our guess is no.

How to get started with data protection

What regulatory data compliance does offer to private companies is a roadmap for improving security. Poor security implementations are still a problem in the IBM i community and can still put your business at risk. You may not be forced to pay a fine, but you could lose critical data or, worse, lose customers because of a data breach.

We suggest you pick some of the low-hanging compliance fruit and apply those IBM i controls. Limit the number of users who have *ALLOBJ authority, raise your security level (the QSECURITY system value) to at least 30, ideally level 40, and turn on auditing so that you at least have a trail of user activity. Once you have auditing turned on, you can then add solutions such as SEA’s iSecurity Audit to help you decipher the journal entries and run reports to identify security risks.
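As an added example (not code from the original post or from SEA’s iSecurity product), the first two checks above expressed as Db2 for i SQL over the QSYS2 services; it assumes an IBM i release that provides QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO, and it also catches *ALLOBJ inherited through a primary group profile, which a look at individual profiles alone misses:

```sql
-- Added example: Db2 for i SQL over the QSYS2 services, not code from the
-- original post or from SEA's iSecurity product. Assumes an IBM i release
-- that provides QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO.

-- Step 1: every profile that holds *ALLOBJ, either granted directly or
-- inherited from its primary group profile. Review this list against the
-- people who actually need it for day-to-day work and trim the rest.
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
         ELSE 'VIA GROUP ' || u.GROUP_PROFILE_NAME
       END AS HOW_GRANTED
  FROM QSYS2.USER_INFO u
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR u.GROUP_PROFILE_NAME IN (SELECT g.AUTHORIZATION_NAME
                                  FROM QSYS2.USER_INFO g
                                 WHERE g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%')
 ORDER BY HOW_GRANTED, u.AUTHORIZATION_NAME;
-- Note: supplemental groups (SUPPLEMENTAL_GROUP_LIST) are not checked here;
-- extend the OR condition if your shop uses them.

-- Step 2: the security level and the auditing control values. The target
-- from the post is QSECURITY of at least 30 (ideally 40); a QAUDCTL of
-- *NONE means no security audit entries are being written to QAUDJRN.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QAUDCTL', 'QAUDLVL')
 ORDER BY SYSTEM_VALUE_NAME;
```

A QSECURITY change made with CHGSYSVAL only takes effect at the next IPL, so plan the change rather than expecting the query to show the new value immediately. CHGSECAUD turns auditing on and creates the QAUDJRN journal if it does not already exist.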

Best practices for security apply to businesses in all industries and of all sizes. Improving security, regardless of the reason, is never a bad investment. You never know, it could keep your company from becoming infamous.