Volume 6, Number 14 -- April 4, 2006

Risk Assessor Aims at Security Audit Survival

Updated: April 21, 2006

by Dan Burger

Carol Woodbury has more than 15 years in the security industry. She spent 10 of those years working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. When she left IBM it was to start up a security software and services company that specializes in the AS/400, iSeries, and now the System i5. Two years ago her company, SkyView Partners, introduced its first software product. It has done well in the marketplace and in two weeks, Risk Assessor Version 2 will become generally available.

Enhancements have come as a result of customer feedback, which is how most products evolve. "People asked for more information on open ports," Woodbury says, "so we added a report covering that information and other TCP/IP configuration settings not covered previously." Other areas that are addressed with new reports include group profile password settings and the security aspects of WebSphere configuration files. Woodbury also noted that many of the existing reports in Risk Assessor were altered to make it easier for users to determine the scope of the risk associated with a particular configuration item. "We also added more information on how to start using object level security," she says. "Our goal with Risk Assessor output is to educate people on their security configuration, suggest improvement, and give them the knowledge they need for implementing a sound security practice. These new and modified reports aid in that education process."

The compliance issues that businesses are facing have made the security software and services business very popular. Security policies (if they even exist) are under scrutiny, and software that monitors information access is helping to ease the burden on many IT departments. "It seems as though each set of laws, regulations, or standards has a slightly different definition of compliance," Woodbury notes. "After looking at these, it became clear to us that the lowest common denominator in assessing security is 'best practices.' If you can give people an unbiased assessment that includes a plan to help them move their security toward best practices, they will be in far better shape when it comes to surviving an IT security audit."

That conclusion is what led to the debut of Risk Assessor. Once installed, the software compares the existing security configuration to SkyView's version of best practices. From there it provides a plan to improve security. "It stands to reason," Woodbury says, "that if you move your security posture toward best practices, compliance with all laws, regulations, and standards is far less of an issue."

Among the benefits Risk Assessor offers are two points that Woodbury emphasizes: "It reduces the workload involved in iSeries audits and it provides a comprehensive security overview that enables the successful identification and remediation of areas of potential risk." An iSeries audit typically involves many hours of interviewing and interrogating the system.

Upgrading to Risk Assessor Version 2 is included in the maintenance program for those licensing the original Risk Assessor software. Version 2 is supported on OS/400 and i5/OS versions V4R4 through V5R4.






Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
