How to get an IBM i Security Assessment for Free
Many organizations don’t pay attention to IBM i security until they have to pay attention to IBM i security. IBM i security assessment and adjustment is usually a reactive rather than a proactive process. Many IBM i security officers configured their system security years ago and they now only tweak it when a new security or problem need appears.
When people usually audit and update security
Here’s a rough calendar of the times of year when people are most interested and least interested in auditing and updating their IBM i security.
Times when people are most interested in auditing and updating IBM i security
- When they have to finish incorporating audit security points from last year’s audit because your accounting firm is coming in for this year’s audit
- When regulatory auditors are coming
- When customer auditors are coming
- When an audit security breach occurs
- When industry security regulations or laws affecting security change
- When a high profile security breach has occurred in your industry
- When a new application has to communicate with an outside entity or an outside entity has to communicate with your IBM i
Times when people are least interested in auditing and updating IBM i security
- Company busy seasons
- Between audits
- Summer vacation and winter holidays
- When there are no pressing security needs
- Thanksgiving through New Year’s
The problem with outside security consultants
In most of these cases, assessing and updating IBM i security is event driven rather than proactive. When an organization wants to bring their security up to date, they can bring in consultants to analyze and find new security vulnerabilities. But that process can be expensive and IT shops don’t always have the budget for it. Also, many security consultants are experts in Windows server security and network equipment security, and routers, but they don’t have as much (or any) experience in analyzing the finer points of IBM i security. The result is that it’s usually easier to find someone to audit and evaluate your Windows and network security than it is to find someone to audit and assess your IBM I security.
Free IBM i Security Assessments
To keep up to date and find IBM i security vulnerabilities before the auditors or the back actors find them, some vendors (including Software Engineering of America, SEA) offer free IBM i security assessments that organizations can take advantage of at no cost. To help you understand what’s in a free assessment, let’s take a look at SEA’s free security assessment program.
Who gets a free IBM i security assessment?
SEA calls its free security assessment program the iSecurity Assessment. It’s available to both customers and non-customers. For customers, one free iSecurity Assessment is available each year as part of their software maintenance. Non-customers and prospects can also contact SEA to receive details on how to run a one-time assessment for their shops.
If you’re an SEA customer, a good strategy might be to conduct your annual assessment mid-year between the end of your prior year audit and the beginning of next year’s audit, so that you have enough time to fix any issues that arise before your auditors come.
What a free assessment does
The iSecurity Assessment provides an in-depth look at the IBM i security vulnerabilities and risks that you either may not have thought of or may not know about. It produces a detailed report covering potential threats and vulnerabilities in several key IBM i security areas, including:
- User authorities
- Password control
- Exit point vulnerabilities
- Network access issues
- System values
- Other common auditing issues
Who performs the assessment?
You don’t have to let an outsider log onto your IBM i system to assess your security. SEA developed iSecurity Assessment as a PC software package that you download, install, and run on a PC, not on your IBM i partitions. No one from SEA is going to poke around your IBM i; the software does the assessment for you. And because you’re downloading the software to a PC rather than an IBM i, you’ll be able to run iSecurity Assessment reports on several IBM i systems.
After performing the assessment, SEA’s experienced IBM i experts will review the report results with you, so you can identify your system’s security vulnerabilities and understand how to improve your security. You don’t have to trudge through the data yourself. You’ll have seasoned professionals who really under IBM i security talking directly to you about your system’s potential threats and vulnerabilities.
What do you have to lose?
As I said, SEA isn’t the only vendor who provides free IBM i security assessments. Other vendors also offer security assessment programs but when it comes down to it, we’re just the best (no brag just fact).
If you’re entitled to free yearly security assessments as an SEA customer or you’re interested in getting a free one-time assessment as a non-customer, please feel free to visit the iSecurity Assessment page on website to start the process. You can also check our Audit and Compliance Management site to see other SEA products and resources that can help you make your IBM i safer and more secure.