Volume 5, Number 39 -- October 4, 2005

New SkyView Security Tool Assists with Regulatory Compliance


by Alex Woodie


SkyView Partners is gearing up for the launch of Policy Minder, a new tool for determining if an OS/400 server is configured according to a user's own security policy, an important element in regulatory compliance. There are many products on the market designed to apply best practices to OS/400 security, including SkyView's own Risk Assessor. The new Policy Minder tool augments these tools by enforcing procedures an organization has laid out as the security policy component of a compliance initiative.

One of the very first tasks OS/400 shops face as part of a regulatory compliance project is to define a security policy. After defining that security policy, the next logical step is to maintain compliance, says Carol Woodbury, who is the co-founder and president of SkyView Partners, and a former OS/400 security architect at IBM. "The auditors have come in and focused on policy and procedure. New security policies have sprung up where none existed before. It's now the responsibility of the system administrators and IT departments to make sure they are in compliance with these policies and provide proof to the auditors," Woodbury says.

When it becomes available later this month, Policy Minder will provide an important tool for maintaining adherence to organizations' security policies, which is an important aspect (although by no means the only part) of complying with new regulations such as Sarbanes-Oxley, HIPAA, Visa Payment Card Industry (PCI), and others. The new product will accomplish this by helping administrators define security policies, by checking OS/400 security settings and configurations against security policies, and by changing settings and configurations so they agree with a company's internal policies and external regulations.

The first step in using Policy Minder is the initialization function, which populates many of the details of a security policy from the users' current OS/400 server configuration and settings. Users can choose to accept or change any of those security policy details, SkyView says, and customized templates are created that allow administrators to fine-tune the specific areas that Policy Minder checks for compliance.

(It should be noted that automating the creation of strong OS/400 security policies is not the primary objective of Policy Minder, although it can assist administrators and IT professionals in documenting good practices that are already in place. Even if a company has a weak security policy, and it is that company's goal to enforce that weak policy--which, strange as it may sound, satisfies at least some of what auditors are looking for--Policy Minder can help a company accomplish that goal.)

Once the product has created a baseline of how OS/400 security settings should look for the company to be in compliance with its own security policy, then the real work with Policy Minder can begin. With a single command, Policy Minder checks a range of OS/400 settings against the templates, including: user profile settings; library, object, and directory authorities; system values; adopted authority; command authorities; exit points; file shares; TCP/IP servers; user-created objects in QSYS; job descriptions; and authorization lists. It can take several hours to check an entire server, which is why the product will typically be run during off-hours, company officials say.

After checking all the settings, Policy Minder generates a report, which is delivered as an on-screen summary or in PDF or HTML format. This report tells the user whether the actual configuration is in compliance with the organization's security policy. If it is not in compliance with the policy, the tool lets the user drill down for more details. The software features a green-screen interface, although SkyView has plans to develop a GUI for a future release.

SkyView Partners has even included a "FixIt" option to correct deficiencies automatically, which eliminates the guesswork and tedium of repairing a problem, the company says. The FixIt function can be used for almost any type of setting, such as altering user profile properties to ensure that all the profiles in a group have identical authorities. The automated FixIt function can't be used with items like exit points, which need more attention, a company official says.

Policy Minder can catch various innocent (and not-so-innocent) errors that would cause a company to be out of compliance with its own security policy, and possibly out of compliance with new regulations. One of the most common errors involves programmers who bypass change management processes when promoting changes to an object, says John Vanderwall, Woodbury's business partner and co-founder of SkyView. Often, these programmers forget to change the authorities for an object, which could provide a back-door opening for unscrupulous programmers to access company assets down the road.
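To make the template, check, report and FixIt flow described above concrete, here is an added example (not SkyView's code) of a small Python checker that compares a constructed snapshot of user profiles against a per-group special-authority template, reports drift the way a compliance report would, and emits a FixIt-style remediation plan. The snapshot layout and the template format are assumptions of this example; the special-authority values and the CHGUSRPRF SPCAUT command are real OS/400 names.

```python
import copy

# Constructed sample snapshot of user profiles (not real DSPUSRPRF output;
# the dict layout is an assumption of this example). The special-authority
# names (*ALLOBJ, *JOBCTL, *SAVSYS, *SECADM) are real OS/400 values.
PROFILES = [
    {"name": "ACCT01", "group": "ACCTG",    "spcaut": {"*JOBCTL"}},
    {"name": "ACCT02", "group": "ACCTG",    "spcaut": {"*JOBCTL", "*ALLOBJ"}},  # over-authorized
    {"name": "DEV01",  "group": "DEVELOP",  "spcaut": {"*JOBCTL", "*SAVSYS"}},
    {"name": "DEV02",  "group": "DEVELOP",  "spcaut": {"*JOBCTL"}},             # missing *SAVSYS
    {"name": "TMP01",  "group": "CONTRACT", "spcaut": {"*SECADM"}},             # no template
]

# Policy template: the exact set of special authorities every member of a
# group must hold (the "all profiles in a group have identical authorities" rule).
TEMPLATE = {
    "ACCTG":   {"*JOBCTL"},
    "DEVELOP": {"*JOBCTL", "*SAVSYS"},
}

def check_profiles(profiles, template):
    """Compare each profile against its group's template.
    Returns findings as (profile, group, extra, missing, note) tuples."""
    findings = []
    for p in profiles:
        allowed = template.get(p["group"])
        if allowed is None:
            # A group with no template is itself a policy gap: report it, never auto-fix it.
            findings.append((p["name"], p["group"], set(), set(), "no template"))
            continue
        extra, missing = p["spcaut"] - allowed, allowed - p["spcaut"]
        if extra or missing:
            findings.append((p["name"], p["group"], extra, missing, "drift"))
    return findings

def plan_fixes(profiles, template):
    """FixIt-style remediation: one CHGUSRPRF per drifted profile, resetting
    SPCAUT to the template set. Profiles whose group has no template are left
    alone. Returns (commands, corrected_snapshot); the input is not modified."""
    fixed = copy.deepcopy(profiles)
    commands = []
    for p in fixed:
        allowed = template.get(p["group"])
        if allowed is not None and p["spcaut"] != allowed:
            p["spcaut"] = set(allowed)
            spc = " ".join(sorted(allowed)) or "*NONE"
            commands.append(f"CHGUSRPRF USRPRF({p['name']}) SPCAUT({spc})")
    return commands, fixed

if __name__ == "__main__":
    for finding in check_profiles(PROFILES, TEMPLATE):
        print(finding)
    for cmd in plan_fixes(PROFILES, TEMPLATE)[0]:
        print(cmd)
```

Re-running check_profiles on the corrected snapshot leaves only the "no template" finding, which is the case that needs a human to extend the policy rather than a script to change the system.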


Brian Hole, who manages the OS/400 servers at Les Schwab Tire Centers, worked with an early release of Policy Minder, and reports a positive experience. "The level of detail covered by Policy Minder is impressive," he says. "The [cap]ability to check compliance is great, but the fact that you can, for example, create a template for user profile settings and see who has more authority than they should, or you can create a library and file policy template and see whether these files are secured appropriately, makes this a tool that you quickly begin to rely on from a systems management point of view."

Another company used Policy Minder to make sure that the security settings of an Infinium HR application on a development box were identical to the settings it enforces on its production iSeries. This early user, which is only described by SkyView as a large distribution company in the western U.S., found many discrepancies between ownership of objects and libraries on the development box, and the processes it sought to have in place concerning who has access to sensitive data. Checking the ownership of each library or object by hand would have taken many hours, but the company was able to identify the problems and fix them automatically using Policy Minder and the FixIt function.

SkyView intends Policy Minder to be used with Risk Assessor, which it launched about two years ago. Risk Assessor checks settings similar to those Policy Minder checks, but generates customized reports that assess the OS/400 server's security vulnerability in terms of industry and platform best practices rather than against the company's own policy. See "New SkyView Software Assesses OS/400 Security Risks" for more information about Risk Assessor.

SkyView announced Policy Minder during the recent Fall COMMON conference held in Orlando, Florida. The product is scheduled for general availability in late October 2005. It will work with OS/400 V4R4 and higher, and ranges in price from $3,495 to $7,995. For more information, visit www.skyviewpartners.com.


Four Hundred Stuff
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034