IBM i auditing and compliance (A&C) can be complicated and demanding. Compliance auditing requires a significant amount of time and effort to verify and document that IBM i controls, policies, and procedures follow A&C requirements. Non-compliance penalties can be high, including financial, legal, operational, and reputational penalties.
The IBM i Audit and Compliance Framework
To help satisfy A&C demands, today’s blog provides an excerpt from SEA’s Guide to IBM i Auditing & Compliance. It discusses an IBM i-specific framework for identifying, implementing, and verifying IBM i-specific A&C controls. The steps in our IBM i A&C framework include:
- Identify your IBM i audit and compliance stakeholders
- Determine your overall IBM i audit, compliance, and security requirements
- Create your IBM i audit and compliance roadmap
- Find your audit & compliance tools
- Apply IBM i Controls for Auditing & Compliance
This framework can be executed whether you’re new to IBM i A&C or whether you’re looking to verify and update your current auditing & compliance strategy.
The remainder of this blog provides a more detailed explanation for each framework step.
Step 1: Identify IBM i audit and compliance stakeholders
Identify and compile a list of all relevant IBM i stakeholders that have specific compliance requirements. Requirements can stem from many stakeholder sources, including internal auditors, customers, governments, regulators, insurance companies, business partners, enterprise IT security, and others. Stakeholder requirements may already be implemented on your IBM i servers. However, requirements can change every year and need constant review and update to remain current. Refresh this list occasionally as new stakeholders appear.
Step 2: Determine overall IBM i audit, compliance, and security requirements
Compile individual lists of requirements from each stakeholder and consolidate those lists to determine the organization’s overall IBM i audit, compliance, and security requirements. These lists can be used to implement and document required IBM i-specific controls for your servers.
Stakeholder audit lists and audit reports should always be reviewed to determine needed IBM i system controls. Some stakeholders will share similar requirements, such as minimum password lengths, multi-factor authentication (MFA) logins, or other security settings. Audit lists and reports may also be provided as part of an organization's enterprise-wide IT audit and compliance plan.
When stakeholder requirements overlap or conflict, consider using the strictest requirement for common controls. For compliance issues, it’s usually better to go with stricter rather than looser standards as the stricter requirement implementation may also satisfy the looser requirement.
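As an added illustration of the "strictest requirement wins" rule above (example code, not from SEA's guide or the original post), the script below consolidates per-stakeholder requirements and then reports where constructed current settings fall short. Strictness depends on the direction of each control: for a minimum password length the higher value is stricter, for a password expiration interval the lower value is stricter, and a control such as MFA is required if any stakeholder requires it. QPWDMINLEN and QPWDEXPITV are real IBM i system values; MFA_REQUIRED is a hypothetical control flag, and the stakeholder values and current settings are constructed sample data.

```python
"""Consolidate per-stakeholder IBM i control requirements into the strictest
common set and compare with current settings (added example, constructed data)."""
from __future__ import annotations

# Direction of strictness per control:
#   "max" - the higher value is stricter (minimum password length)
#   "min" - the lower value is stricter (password expiration interval, in days)
#   "any" - required if any stakeholder requires it (boolean control)
STRICTNESS = {
    "QPWDMINLEN": "max",    # IBM i system value: minimum password length
    "QPWDEXPITV": "min",    # IBM i system value: password expiration interval (days)
    "MFA_REQUIRED": "any",  # hypothetical control flag, not a system value
}

# Constructed stakeholder requirements: {stakeholder: {control: value}}
REQUIREMENTS = {
    "internal_audit": {"QPWDMINLEN": 8, "QPWDEXPITV": 90, "MFA_REQUIRED": False},
    "cyber_insurer": {"QPWDMINLEN": 12, "MFA_REQUIRED": True},
    "regulator": {"QPWDEXPITV": 60},
}

# Constructed snapshot of the server's current settings
CURRENT_SETTINGS = {"QPWDMINLEN": 10, "QPWDEXPITV": 90, "MFA_REQUIRED": False}


def consolidate(requirements: dict) -> dict:
    """Merge per-stakeholder requirements, keeping the strictest value per control."""
    merged = {}
    for stakeholder, controls in requirements.items():
        for control, value in controls.items():
            if control not in STRICTNESS:
                raise ValueError(f"{stakeholder}: unknown control {control}")
            rule = STRICTNESS[control]
            if control not in merged:
                merged[control] = value
            elif rule == "max":
                merged[control] = max(merged[control], value)
            elif rule == "min":
                merged[control] = min(merged[control], value)
            else:  # "any"
                merged[control] = bool(merged[control] or value)
    return merged


def gaps(required: dict, current: dict) -> dict:
    """Return {control: (current, required)} for every control that fails the
    consolidated requirement. A missing numeric setting counts as a failure."""
    out = {}
    for control, needed in required.items():
        have = current.get(control)
        rule = STRICTNESS[control]
        if rule == "any":
            ok = (not needed) or bool(have)
        elif have is None:
            ok = False
        elif rule == "max":
            ok = have >= needed
        else:  # "min"
            ok = have <= needed
        if not ok:
            out[control] = (have, needed)
    return out


if __name__ == "__main__":
    required = consolidate(REQUIREMENTS)
    print("Consolidated requirements:", required)
    for control, (have, needed) in gaps(required, CURRENT_SETTINGS).items():
        print(f"GAP {control}: current={have} required={needed}")
```

With the constructed data the consolidated set is a 12-character minimum, a 60-day expiration interval, and MFA required, and all three current settings are reported as gaps. Keeping the direction table separate from the merge logic is what makes the rule safe to apply mechanically: treating every control as "take the larger number" would wrongly relax the expiration interval to 90 days.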
Audit and compliance requirements may be specified for IBM i systems other than your production environment. It’s essential to assess all servers that are eligible for compliance auditing and what requirements are needed for each server.
Step 3: Create Your IBM i Audit and Compliance Roadmap
Once you’ve identified your IBM i A&C requirements, it’s time to categorize and determine the controls, policies, and procedures needed for compliance. IBM i compliance can generally be categorized within the following six areas:

Figure 1: IBM i audit & compliance control, policy, and procedure areas
- Hardware and Peripheral Security: Securing physical access to the IBM Power systems, peripherals, and supplies associated with IBM i servers.
- IBM i Security & Cybersecurity: IBM i operating system security and implementing cybersecurity protection solutions, including ransomware and malware protection.
- User Access, Authentication, and Auditing: Securing user access so that only authorized users can access IBM i systems, including multi-factor authentication, single sign-on, remote access, device-to-device communication, and TCP/IP utility access. Role-based and object-based access and security policies may be required for relevant system, data, and application access.
- Monitoring & alerts: System monitoring that alerts personnel when sensitive actions are undertaken and records what responses were initiated after those actions occurred.
- Backup & restore: Controls, policies, and procedures to protect backup data from illegal restoration and usage. Processes should be in place such that critical backup data cannot be restored or extracted by unauthorized users or bad actors.
- Audit logging & reporting: Activity logging and report generation for covered system activity.
These A&C control, policy, and procedural areas will serve as an overall roadmap for achieving audit compliance. They direct you to the areas and functions you’ll need to secure for meeting and documenting compliance requirements.
Step 4: Find your audit & compliance tools
To achieve IBM i compliance, you'll need to employ many different software configurations, environmental components, supplies, processes, and procedures, which can be thought of as audit and compliance tools. These tools will be used to ensure that your IBM i server processing meets overall stakeholder compliance requirements and provides documentary proof that it does.
A partial list of critical A&C tools includes the following. See SEA’s Guide to IBM i Auditing & Compliance for a complete list of audit and compliance tools.

Step 5: Apply IBM i Controls for Auditing & Compliance
Once you find your A&C tools, you can start applying them to prepare, configure, review, and document that your IBM i servers are in compliance.
Feel free to contact SEA with any questions you may have about bringing your own IBM i systems into compliance.
