Many customers ask us what they can do to ensure their IBM i systems are in compliance before their auditors show up. Here are some ideas for pre-audit compliance checking that you can perform to get your systems in shape before an audit happens.
Check the PCI DSS standard against your system, even if you’re not covered under PCI DSS
We’ve found that reviewing the Payment Card Industry (PCI) Data Security Standard (DSS) is one of the best things you can do to prepare your systems for an audit, even if you’re not covered under PCI DSS. Why? Because even though PCI DSS is geared towards credit card processing, it’s also an excellent source of common sense security configurations for protecting any type of confidential information.
Everybody has something that needs protection on their IBM i and their network…and PCI DSS provides a good template for what type of security should be in place. If you don’t have credit cards on your system, you probably have payroll information, engineering files, or customer databases that must be protected. Evaluating your shop against relevant PCI DSS standards can help you determine where potential IBM i and network weak spots are, including the PCI DSS standards on:
- Building and maintaining a secure network
- Maintaining a vulnerability management program (updating anti-virus programs, securing systems and applications)
- Implementing strong access control mechanisms
- Regularly monitoring and testing your networks
- Maintaining an Information Security Policy
Reviewing the PCI DSS standard is a good exercise because unlike many of the other standards, PCI DSS is much more specific in describing the goals needed to secure your network. And many PCI DSS goals can be applied towards other types of auditing.
Listen to your auditors and remember that compliance is an IBM i issue AND a network issue
Some auditors only want to audit your IBM i configurations. Other auditors need to look at both your IBM i configurations and the network infrastructure that information travels over. Check with your auditors to see which items are in scope, double-check your audit requirements checklist (if one is provided), and check previous audit reports (even if they were performed by different auditors) for audit points needing remediation.
If you find your network is considered within scope for an audit, make sure your network people are available and aware of any audit requirements they need to meet to ensure compliance. This is especially important in larger organizations where the network group and the IBM i support staff may reside in different departments or divisions.
If you’ve been sold or merged…
If your company was recently sold or merged with another division, review any audit records (requirements, reports, remediation, and follow up) that your new auditors had previously issued for your new organization. Prior documentation can help you determine what new requirements you’ll have to implement to become compliant. Old audit material can provide hints on what your auditors care about and what they focused on in the past.
Bring in an outside compliance evaluator
Several companies offer products and services that provide comprehensive evaluations of an organization’s IBM i compliance with PCI DSS, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government or industry regulations. Compliance evaluators can be a major help in maintaining compliance before, during, and after an audit.
As an example, SEA offers iSecurity Compliance Evaluator, which performs IBM i compliance checking for several common regulations. Compliance Evaluator can check your IBM i system and network activity against a common standard; report on unexpected changes in the environment; score your performance against compliance targets that you define yourself; and send out full reports as well as non-compliance reports that only show your problem areas. Other compliance evaluation packages may offer different functions, but the idea is to pre-evaluate and report on your system using criteria provided by you and your auditor, and then remediate any deficiencies the evaluation finds before the audit occurs.
Getting ready for the audit
These are only a few ideas for preparing your systems for an audit before the auditors show up. Please feel free to contact us at SEA software for more information and advice on how to prepare for your own audit situation.