March 19, 2019 | IBM i

6 Tips to Monitor and Control Auditors & Consultants


How do you know precisely what your auditors and consultants are doing, without accurately monitoring your IBM i systems? IT shops use consultants and auditors to work on and review their systems, but a shop frequently doesn’t know when a consultant or auditor is on the system, what information they’re accessing, or what changes they’re making.


Here are six tips you can use with third-party IBM i monitoring software to monitor, review, and control what your consultants and auditors are doing on your IBM i systems.


Knowing when your consultants and auditors are signing in

Use third-party IBM i messaging software to send an alert whenever one of your consultant or auditor user profiles signs on to the system, whether the sign-on is local or remote.


Limiting and reporting on user access with an IBM i firewall

Use a product such as IBM i Firewall software to monitor and control consultant and auditor activity through the following features.

  • Creating rules that control what actions they can perform after access is granted. For example, you can write rules to prohibit auditors and consultants from running SQL, ODBC, or JDBC requests remotely.
  • Securing IBM i exit points to prevent consultants and auditors from changing data (uploading) through FTP, ODBC, SQL, data transfer, and similar interfaces, while allowing them to download information as appropriate for reporting.
  • Controlling which actions users can perform on native IBM i and IFS objects, such as read, write, delete, and rename. You could give a consultant full access (update, write, and delete authorities) to your test library while prohibiting access to your production data.
  • Producing pre-written reports to determine what users did on your system at specific times and dates. Many of these reports are written to satisfy regulatory needs for SOX, HIPAA, and other standards, and can be generated and given to auditors to help them find the information they’re looking for.
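The four features above amount to a rule set evaluated at each exit point, with every decision logged so the reports can be produced later. The following is an added illustration of that logic in Python; it is not SEA's product code, and the exit-point names, user groups, library names and the order of the rules are constructed assumptions.

```python
# Rule-based exit-point filter (added illustration; not SEA's product code).
# Models the firewall features listed above: rules applied after access is
# granted, upload-versus-download control per exit point, per-library object
# control, and a decision log that feeds audit reports. Exit-point names,
# user groups and library names are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Operations that change data on the system (uploads) versus read-only ones
# (downloads), the distinction the text draws for reporting access.
UPLOAD_OPS = frozenset({"put", "write", "update", "delete", "rename"})
DOWNLOAD_OPS = frozenset({"get", "read"})

OUTSIDERS = frozenset({"CONSULTANT", "AUDITOR"})
REMOTE_DB = frozenset({"SQL", "ODBC", "JDBC"})


@dataclass(frozen=True)
class Request:
    user: str
    group: str        # e.g. "CONSULTANT", "AUDITOR", "PROGRAMMER"
    exit_point: str   # e.g. "FTP", "ODBC", "SQL", "JDBC", "DATAXFER"
    operation: str    # one of UPLOAD_OPS or DOWNLOAD_OPS
    library: str
    obj: str


@dataclass(frozen=True)
class Rule:
    """A match condition plus a verdict; None in a field means 'any'."""
    groups: Optional[frozenset]
    exit_points: Optional[frozenset]
    operations: Optional[frozenset]
    libraries: Optional[frozenset]
    allow: bool
    reason: str

    def matches(self, r: Request) -> bool:
        return ((self.groups is None or r.group in self.groups)
                and (self.exit_points is None or r.exit_point in self.exit_points)
                and (self.operations is None or r.operation in self.operations)
                and (self.libraries is None or r.library in self.libraries))


# Constructed policy: the first matching rule wins, and the list ends in a
# catch-all deny so an unlisted combination is never silently allowed.
POLICY = [
    Rule(OUTSIDERS, REMOTE_DB, None, None, False, "remote SQL/ODBC/JDBC prohibited"),
    Rule(OUTSIDERS, None, None, frozenset({"PRODLIB"}), False, "production data off limits"),
    Rule(OUTSIDERS, None, None, frozenset({"TESTLIB"}), True, "full access to test library"),
    Rule(OUTSIDERS, None, UPLOAD_OPS, None, False, "uploads (data changes) prohibited"),
    Rule(OUTSIDERS, None, DOWNLOAD_OPS, None, True, "downloads for reporting permitted"),
    Rule(None, None, None, None, False, "default deny"),
]

AUDIT_LOG: List[dict] = []   # every decision, for the "what did users do" reports


def evaluate(req: Request, policy=POLICY) -> bool:
    """Return True if the request is allowed, recording the decision either way."""
    for rule in policy:
        if rule.matches(req):
            AUDIT_LOG.append({"user": req.user, "exit_point": req.exit_point,
                              "operation": req.operation,
                              "object": f"{req.library}/{req.obj}",
                              "allowed": rule.allow, "reason": rule.reason})
            return rule.allow
    raise RuntimeError("policy must end with a catch-all rule")


def denied_report(user: str) -> List[dict]:
    """Denied requests for one user, the kind of list handed to an auditor."""
    return [e for e in AUDIT_LOG if e["user"] == user and not e["allowed"]]


def sample_decisions() -> List[bool]:
    """Run constructed sample traffic through the policy from a clean log."""
    AUDIT_LOG.clear()
    traffic = [
        Request("CONS01", "CONSULTANT", "FTP", "get", "REPORTS", "SALES"),     # download
        Request("CONS01", "CONSULTANT", "FTP", "put", "REPORTS", "SALES"),     # upload
        Request("CONS01", "CONSULTANT", "ODBC", "read", "TESTLIB", "ITEMS"),   # remote DB
        Request("CONS01", "CONSULTANT", "FTP", "put", "TESTLIB", "ITEMS"),     # test lib
        Request("CONS01", "CONSULTANT", "FTP", "get", "PRODLIB", "CUST"),      # production
        Request("AUD01", "AUDITOR", "DATAXFER", "get", "REPORTS", "SALES"),    # download
        Request("PGM01", "PROGRAMMER", "FTP", "get", "REPORTS", "SALES"),      # no rule
    ]
    return [evaluate(r) for r in traffic]


if __name__ == "__main__":
    for allowed, entry in zip(sample_decisions(), AUDIT_LOG):
        print(entry["exit_point"], entry["operation"], entry["object"], "->",
              "ALLOW" if allowed else "DENY", f"({entry['reason']})")
    print(len(denied_report("CONS01")), "denials logged for CONS01")
```

Rule order is the design decision here: the remote SQL/ODBC/JDBC prohibition sits above the test-library grant, so a consultant gets full rights to TESTLIB over FTP or data transfer but still cannot reach it through ODBC. Swap those two rules and the meaning changes, which is why every decision carries the reason of the rule that produced it.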


Use screen capture technology to know what green-screens consultants and auditors are running

Use a solution like iSecurity Capture software to record screen-by-screen images of user activity that can be stored, emailed, and reviewed. You can start capturing IBM i screens whenever a consultant or auditor logs on, and use the captures to verify their work or simply to keep an eye on what users with QSECOFR authority are doing. Screen capture collections can also be archived for later forensic work if a problem occurs.


Know when sensitive files have been accessed, changed, or deleted

Alert your IT staff via email, message queues, syslog, text, or Twitter whenever a sensitive file has been accessed, changed, or deleted. Packages such as SEA's iSecurity Audit provide real-time monitoring and can kick off corrective actions, send alerts, or report on sensitive file changes.


Know when sensitive records have been accessed, changed, or deleted

Use application- and field-level security monitoring software, such as AP-Journal, to be alerted when a consultant or any other user changes business-critical data beyond a specified threshold. If you're hiring a consultant to update pricing, for example, you could set a monitor on your price files to alert you if an item's price rises or falls by more than 10 percent. Application- and field-level monitoring can notify you when sensitive data are being changed outside of acceptable limits.
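Both this tip and the file-level one before it come down to reading journal entries and matching them against two kinds of rule: a file-level rule that fires on any access, change or deletion of a sensitive file, and a field-level rule that compares the before and after images of a record. The following is an added Python illustration of that monitor, not the code of iSecurity Audit or AP-Journal; the entry layout, file and field names, and the 10 percent limit are constructed assumptions taken from the pricing example.

```python
# Journal-driven monitor (added illustration; not the code of iSecurity Audit
# or AP-Journal). Covers the two tips above: any access, change or deletion of
# a sensitive file raises an alert, and a field-level change that exceeds a
# percentage threshold raises one too. Entry layout, file names and the 10 %
# limit are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JournalEntry:
    user: str
    library: str
    file: str
    operation: str                   # "READ", "INSERT", "UPDATE", "DELETE"
    before: Optional[Dict] = None    # record image before the change, if any
    after: Optional[Dict] = None     # record image after the change, if any


@dataclass(frozen=True)
class FieldThreshold:
    library: str
    file: str
    field: str
    max_change: float    # fraction of the old value; 0.10 == 10 percent


# Files whose every access is reported, and the field rule from the pricing example.
SENSITIVE_FILES = {("PRODLIB", "PAYROLL"), ("PRODLIB", "CUSTCARD")}
PRICE_RULE = FieldThreshold("PRODLIB", "PRICES", "PRICE", 0.10)


def field_alert(e: JournalEntry, t: FieldThreshold) -> Optional[str]:
    """Alert text if entry e changes t.field by more than t.max_change, else None."""
    if e.operation != "UPDATE" or (e.library, e.file) != (t.library, t.file):
        return None
    if e.before is None or e.after is None:
        return None
    old, new = e.before.get(t.field), e.after.get(t.field)
    if old is None or new is None or old == new:
        return None
    if old == 0:
        # No percentage can be computed; a value appearing from zero is reported.
        change = float("inf")
    else:
        change = abs(new - old) / abs(old)
    if change <= t.max_change:
        return None
    key = e.before.get("ITEM", "?")
    return (f"THRESHOLD: {e.user} changed {t.field} for {key} in {e.library}/{e.file} "
            f"from {old} to {new} ({change:.0%} > {t.max_change:.0%})")


def check_entry(e: JournalEntry, sensitive=SENSITIVE_FILES,
                thresholds=(PRICE_RULE,)) -> List[str]:
    """All alerts raised by one journal entry (file-level first, then field-level)."""
    alerts = []
    if (e.library, e.file) in sensitive:
        alerts.append(f"SENSITIVE FILE: {e.user} {e.operation} {e.library}/{e.file}")
    for t in thresholds:
        msg = field_alert(e, t)
        if msg:
            alerts.append(msg)
    return alerts


def scan(entries) -> List[str]:
    """Run every entry through check_entry and flatten the alerts."""
    return [a for e in entries for a in check_entry(e)]


# Constructed journal excerpt: a consultant doing the pricing update from the
# text (one change within limits, one beyond), plus two touches on sensitive files.
SAMPLE_ENTRIES = [
    JournalEntry("CONS01", "PRODLIB", "PRICES", "UPDATE",
                 {"ITEM": "A100", "PRICE": 10.00}, {"ITEM": "A100", "PRICE": 10.50}),
    JournalEntry("CONS01", "PRODLIB", "PRICES", "UPDATE",
                 {"ITEM": "B200", "PRICE": 20.00}, {"ITEM": "B200", "PRICE": 25.00}),
    JournalEntry("AUD01", "PRODLIB", "PAYROLL", "READ"),
    JournalEntry("PGM01", "PRODLIB", "CUSTCARD", "DELETE", {"CUST": 42}, None),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_ENTRIES):
        print(line)
```

The 5 percent change on item A100 passes silently while the 25 percent change on B200 is reported, and the two sensitive-file entries are reported regardless of what changed. Dispatching the alert (email, message queue, syslog) is left to whatever channel the shop already uses.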


Only provide *ALLOBJ and special authority access, as needed

Consultants sometimes need to come in to correct corrupted data or to make a wholesale change across the entire database. However, you only want to give them security officer or *ALLOBJ authority when it is needed, not every time they log on. You can use a program like iSecurity Authority on Demand to give users increased authority on an emergency or temporary basis. If a consultant needs one-time special authorities for an emergency or data cutover, you could give them access only for those events. The elevated access expires afterward, leaving the consultant with regular programmer access. With these packages, all elevated access requests are logged and can be reported on for audit control.
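The mechanism described above is a time-boxed grant: a user's normal authority is what they hold by default, an approved grant adds a special authority until its expiry, and every grant and expiry lands in a log that audit reports are built from. The following is an added Python illustration of that model, not the code of iSecurity Authority on Demand; the user names, authority names, approver and 30-minute duration are constructed assumptions.

```python
# Time-boxed elevated authority with an audit trail (added illustration; not
# the code of iSecurity Authority on Demand). A grant raises a user's effective
# authority only until its expiry, every grant, revocation and expiry is
# logged, and the user's normal authority is what remains. User names,
# authority names and durations are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Grant:
    user: str
    authority: str      # e.g. "*ALLOBJ", "*SECADM"
    reason: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime
    closed: bool = False   # set once the grant has expired or been revoked


class AuthorityOnDemand:
    def __init__(self, base_authority: Dict[str, Set[str]]):
        self.base = base_authority          # normal (e.g. programmer) authorities
        self.grants: List[Grant] = []
        self.audit: List[dict] = []          # the log audit reports are built from

    def _log(self, event: str, g: Grant, when: datetime) -> None:
        self.audit.append({"event": event, "user": g.user, "authority": g.authority,
                           "reason": g.reason, "approved_by": g.approved_by,
                           "at": when.isoformat()})

    def grant(self, user, authority, reason, approved_by, minutes, now) -> Grant:
        """Issue temporary authority; refuses a grant nobody has approved."""
        if not approved_by:
            raise ValueError("elevated authority needs an approver")
        g = Grant(user, authority, reason, approved_by, now,
                  now + timedelta(minutes=minutes))
        self.grants.append(g)
        self._log("GRANT", g, now)
        return g

    def revoke(self, g: Grant, now) -> None:
        """Close a grant early (work finished, or something looked wrong)."""
        if not g.closed:
            g.closed = True
            self._log("REVOKE", g, now)

    def expire_stale(self, now) -> int:
        """Close every open grant past its expiry; returns how many were closed."""
        n = 0
        for g in self.grants:
            if not g.closed and now >= g.expires_at:
                g.closed = True
                self._log("EXPIRE", g, now)
                n += 1
        return n

    def effective_authority(self, user, now) -> Set[str]:
        """Base authority plus any grant still open at 'now'."""
        self.expire_stale(now)
        auths = set(self.base.get(user, set()))
        auths.update(g.authority for g in self.grants
                     if g.user == user and not g.closed)
        return auths


def demo_timeline():
    """The scenario from the text: a 30-minute *ALLOBJ grant for a data cutover."""
    t0 = datetime(2019, 3, 19, 9, 0)                     # constructed timestamp
    aod = AuthorityOnDemand({"CONS01": {"*USE"}})        # regular programmer-style access
    before = aod.effective_authority("CONS01", t0)
    aod.grant("CONS01", "*ALLOBJ", "data cutover", "SECOFFICER", 30, t0)
    during = aod.effective_authority("CONS01", t0 + timedelta(minutes=10))
    after = aod.effective_authority("CONS01", t0 + timedelta(minutes=31))
    return before, during, after, [e["event"] for e in aod.audit]


if __name__ == "__main__":
    before, during, after, events = demo_timeline()
    print("before grant:", sorted(before))
    print("during grant:", sorted(during))
    print("after expiry:", sorted(after))
    print("audit events:", events)
```

The expiry check runs whenever authority is evaluated, so a grant that nobody explicitly revoked still stops working at the 30-minute mark, and the EXPIRE entry shows up in the log next to the GRANT it closes.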


Don’t forget your regular programming and administrative staff

These tips work well for managing and tracking consultants and outside auditors, but they can also be used for your internal programming and IT Operations (IT Ops) staff. Consultants and auditors frequently perform the same tasks as your programmers and IT Ops department. The techniques shown here will work just as well in controlling your IT staff as they do in controlling your outside users.


For more information

Please feel free to contact us at SEA if you’d like more information on using any of these techniques or to learn more about the products listed here.