SkyView Addresses Compliance with New OS/400 Security Service
by Alex Woodie
SkyView Partners introduced a new OS/400 security service last week called SkyView OnCall, designed to make it easier for iSeries shops to comply with certain provisions of the Sarbanes-Oxley Act and other new industry regulations. Instead of guessing at what auditors might require for SOX compliance, the Seattle-area company says, companies are better off outsourcing that job to SkyView and its team of OS/400 security experts, who have a good idea of what auditors may expect.
"What we've seen with SOX audits is a moving target," says SkyView cofounder John Vanderwall. "The idea of SOX compliance is interesting. Comply with what? [What auditors look for] is not universally the same. This is what we have not seen on the Visa CISP front."
While SOX is getting most of the headlines these days, there's another compliance initiative looming on the horizon for any shop that holds credit card information. Visa's new Cardholder Information Security Program may be just the tip of the iceberg, as other credit card issuers enact similar measures.
While CISP may make SOX look "pale in comparison," according to Vanderwall, SOX is the big issue for many companies in 2005, and it's generating plenty of concern. "There's a lot of uncertainty and doubt" concerning SOX, says Carol Woodbury, cofounder of SkyView and former OS/400 security architect for IBM.
What Is Visa CISP?
Visa CISP is a new industry initiative designed to thwart the growing threat of identity theft, which some estimates put in the trillions of dollars. Visa is leading the effort among the major credit card brands, but other issuers, like MasterCard, American Express, and Discover, are following suit with similar initiatives of their own. Collectively, the various efforts to strengthen information security are known as the Payment Card Industry Data Security Standard.
CISP differs from the Sarbanes-Oxley Act in a number of ways. First, there is no threat of your CEO or CFO going to jail. Failing an audit by Visa would result in fines and eventually a permanent ban from the Visa network.
Now for the good news. With CISP, there are specific steps that IT departments can follow to gain, and maintain, compliance, says Carol Woodbury. "It specifically states what auditors should do," she says. "From a computer-security professional's point of view, they have done an excellent job espousing what security best practices are."
In SOX audits, Woodbury says she's seen everything from auditors not even looking at IT to wanting full COBIT (Control Objectives for Information and Related Technology) standards. "COBIT is really a guideline for assessing risk. It's a huge, huge process, and most iSeries shops just can't afford that," she says.
What Woodbury has found is that there are a few areas of OS/400 where SOX auditors will commonly look to ensure that a company is following good security practices, areas like use of special authorities, network configuration, passwords, security level, and some things in the audit journal. "Typically, we see that auditors are requiring what they have seen [implemented] at other iSeries shops," she says.
In many instances, auditors will also look for a change management system to be in place, which helps companies keep a handle on application source code. But system settings are a different bird entirely. "A lot of people are being burdened with monitoring the security configurations. They don't have the staff or the expertise to do that," Woodbury says. "They're really at the mercy of their auditors."
With SkyView OnCall, the company has put together a service that keeps business managers aware of how OS/400 system settings relate to their security policy. The service works with a software product called the Risk Assessor, which SkyView introduced a little over a year ago (see "New SkyView Software Assesses OS/400 Security Risks") to evaluate more than 100 different OS/400 security settings. In addition to the evaluations conducted by Risk Assessor, SkyView OnCall also looks into the OS/400 audit journal to track any changes that might have been made to the system.
Here's how SkyView OnCall works. First, SkyView Risk Assessor runs a scan of various security settings, to show users where the weaknesses are in their system settings. Using that initial run as a benchmark, SkyView's security team, led by Woodbury, will generate a policy based on the customer's specific requirements. SkyView's security experts will then periodically create an executive summary, based on additional Risk Assessor runs and any changes caught by the audit journal, which shows whether that customer is still adhering to the initial policy.
Because companies will take different approaches to complying with SOX (SOX itself is vague about the specifics of IT compliance), OnCall customers may also choose not to follow the OS/400 security best practices set forth in the Risk Assessor. Whether to implement OS/400 security best practices is a business decision that every company must make for itself, Woodbury explains. The key thing to keep in mind with OnCall is that it will catch any changes that are made to the system, and will notify the customer when the system no longer adheres to the initial policy that SkyView generated in the first go-around (a policy which may or may not reflect best practices).
"The way you've chosen to configure the system, you may still have issues. OnCall is not there to continue to pass judgment, but to tell you that it hasn't changed. That's the biggest difference," Woodbury says. "Once the risk assessment is in place, [OnCall tells the customer] that it's still in that state, that they are adhering to their policy. That's what they are looking for. We will do the monitoring for them."
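The distinction Woodbury draws, between a setting that has drifted from the customer's own baseline policy and a setting that has merely never matched best practice, is the core of the monitoring procedure described above. The following is an added illustration of that logic, not SkyView code; the OS/400 system value names and the best-practice targets are illustrative assumptions, not the product's actual checks.

```python
"""Baseline-drift check modelled on the OnCall procedure described above.

Added illustration, not SkyView's code. The system value names and the
BEST_PRACTICE targets are assumptions for the example, not the product's
policy or the article's figures.
"""

# Illustrative best-practice targets (assumed for this example).
BEST_PRACTICE = {
    "QSECURITY": "40",   # system security level
    "QPWDMINLEN": "8",   # minimum password length
    "QMAXSIGN": "3",     # invalid sign-on attempts before action
}


def build_policy(baseline: dict) -> dict:
    """Freeze the first Risk Assessor-style scan as the policy to monitor against."""
    return dict(baseline)


def assess(policy: dict, current: dict) -> dict:
    """Classify every setting seen in either the policy or the current scan.

    'drift'          changed since the baseline policy (what OnCall reports on)
    'accepted-risk'  unchanged, but differs from best practice (a business decision)
    'ok'             unchanged and in line with best practice (or no target defined)
    """
    report = {}
    for name in sorted(set(policy) | set(current)):
        want, have = policy.get(name), current.get(name)
        if have != want:
            report[name] = "drift"          # includes settings added or removed
        elif BEST_PRACTICE.get(name) not in (None, have):
            report[name] = "accepted-risk"
        else:
            report[name] = "ok"
    return report


def drifted(report: dict) -> list:
    """Names of settings that no longer match the customer's own policy."""
    return [name for name, status in report.items() if status == "drift"]


# Constructed sample scans: the baseline deliberately runs below best practice
# on QSECURITY, and a later scan has weakened the password length.
BASELINE = {"QSECURITY": "30", "QPWDMINLEN": "8", "QMAXSIGN": "3"}
CURRENT = {"QSECURITY": "30", "QPWDMINLEN": "6", "QMAXSIGN": "3"}

if __name__ == "__main__":
    for name, status in assess(build_policy(BASELINE), CURRENT).items():
        print(f"{name:<12} {status}")
```

Only QPWDMINLEN is reported as drift; QSECURITY stays flagged as an accepted risk rather than a change, which is exactly the "it hasn't changed" judgment the service is described as making.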
Companies could choose to gather all the data and generate compliance reports for SOX manually. In fact, this appears to be exactly what many public companies are doing to gain SOX compliance, at least for their initial quarterly audit. But SkyView is betting that once companies realize SOX isn't a one-time event, like Y2K, but an ongoing process, they'll want to automate some of that grunt work.
"Rather than, every quarter, telling three people in the IT department to go gather data and write a report, leave it to the experts," Vanderwall says. "We will sign on remotely and run the report [and] feed this back to the powers that be at the subscribing companies, whether it's good, bad, or indifferent."
SkyView OnCall requires a virtual private network connection that allows SkyView's security experts to sign on remotely. If a company doesn't have a VPN connection, the necessary data can still be sent to SkyView using e-mail, but it requires more work on the part of the subscriber.
The company has priced SkyView OnCall to cost the average company about $9,000 per year. The OnCall service itself costs $1,995 per quarter and another $495 for each computer or logical partition. There is also a $2,500 initiation fee. Companies will also need the SkyView Risk Assessor, which starts with a flat rate of $3,500, as well as a tier-based system or logical partition charge starting at $1,995.
With about 100 users, adoption of Risk Assessor has been good in its first year, says Vanderwall, who hopes many Risk Assessor users will adopt SkyView's new OnCall service to effectively outsource much of the security management burden.
For more information, see Visa's CISP page or SkyView's Visa CISP page.