SkyView Addresses Compliance with New OS/400 Security Service

    February 1, 2005 Alex Woodie

    SkyView Partners introduced a new OS/400 security service last week called SkyView OnCall, designed to make it easier for iSeries shops to comply with certain provisions of the Sarbanes-Oxley Act and other new industry regulations. Instead of guessing at what auditors might require for SOX compliance, the Seattle-area company says, companies are better off outsourcing that job to SkyView and its team of OS/400 security experts, who have a good idea of what auditors may expect.

    “What we’ve seen with SOX audits is a moving target,” says SkyView cofounder John Vanderwall. “The idea of SOX compliance is interesting. Comply with what? [What auditors look for] is not universally the same. This is what we have not seen on the Visa CISP front.”

    While SOX is getting most of the headlines these days, there’s another compliance initiative looming on the horizon for any shop that holds credit card information. Visa’s new Cardholder Information Security Program may be just the tip of the iceberg, as other credit card issuers enact similar measures.

    While CISP may make SOX look “pale in comparison,” according to Vanderwall, SOX is the big issue for many companies in 2005, and it’s generating plenty of concern. “There’s a lot of uncertainty and doubt” concerning SOX, says Carol Woodbury, cofounder of SkyView and former OS/400 security architect for IBM.

    What Is Visa CISP?

    Visa CISP is a new industry initiative designed to thwart the growing threat of identity theft, which some estimates put in the trillions of dollars. Visa is leading the effort among the major credit cards, but other issuers, like MasterCard, American Express, and Discover, are following suit with similar initiatives of their own. Collectively, the various efforts to strengthen information security are known as the Payment Card Industry Data Security Standard.

    CISP differs from the Sarbanes-Oxley Act in a number of ways. First, there is no threat of your CEO or CFO going to jail. Failing an audit by Visa would result in fines and eventually a permanent ban from the Visa network.

    Now for the good news. With CISP, there are specific steps that IT departments can follow to gain, and maintain, compliance, says Carol Woodbury. “It specifically states what auditors should do,” she says. “From a computer-security professional’s point of view, they have done an excellent job espousing what security best practices are.”

    In SOX audits, Woodbury says she’s seen everything from auditors not even looking at IT to wanting full COBIT (Control Objectives for Information and Related Technology) standards. “COBIT is really a guideline for assessing risk. It’s a huge, huge process, and most iSeries shops just can’t afford that,” she says.

    What Woodbury has found is that there are a few areas of OS/400 where SOX auditors will commonly look to ensure that a company is following good security practices, areas like use of special authorities, network configuration, passwords, security level, and some things in the audit journal. “Typically, we see that auditors are requiring what they have seen [implemented] at other iSeries shops,” she says.

    In many instances, auditors will also look for a change management system to be in place, which helps companies keep a handle on application source code. But system settings are a different bird entirely. “A lot of people are being burdened with monitoring the security configurations. They don’t have the staff or the expertise to do that,” Woodbury says. “They’re really at the mercy of their auditors.”

    SkyView OnCall

    With SkyView OnCall, the company has put together a service that keeps business managers aware of how OS/400 system settings relate to their security policy. The service works with a software product called the Risk Assessor, which SkyView introduced a little over a year ago (see “New SkyView Software Assesses OS/400 Security Risks”) to evaluate more than 100 different OS/400 security settings. In addition to the evaluations conducted by Risk Assessor, SkyView OnCall also looks into the OS/400 audit journal to track any changes that might have been made to the system.

    Here’s how SkyView OnCall works. First, SkyView Risk Assessor runs a scan of various security settings, to show users where the weaknesses are in their system settings. Using that initial run as a benchmark, SkyView’s security team, led by Woodbury, will generate a policy based on the customer’s specific requirements. SkyView’s security experts will then periodically create an executive summary, based on additional Risk Assessor runs and any changes caught by the audit journal, which shows whether that customer is still adhering to the initial policy.

    Because companies will take different approaches to complying with SOX (SOX is vague about the specifics of IT compliance), OnCall customers may also not be complying with the OS/400 security best practices set forth in the Risk Assessor. Whether to implement OS/400 security best practices is a business decision that every company must make for itself, Woodbury explains. The key thing to keep in mind with OnCall is that it will catch any changes that are made to the system, and will notify the customer when they are no longer adhering to the initial policy generated by SkyView in the first go-round (which may or may not adhere to best practices).
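    The workflow described above (an initial scan becomes the agreed policy, later scans are compared against it, and the audit journal is read for anything that changed in between) is, at its core, a configuration-drift check. The following Python is an added illustration of that pattern and is not SkyView code; the system values, the simplified audit-journal records and the "detail" text are all constructed for the example. QSECURITY, QPWDMINLEN, QMAXSIGN and QAUDCTL are real OS/400 system value names, and SV (system value changed), CP (user profile changed) and PW (invalid password) are real QAUDJRN entry types, but the values and events shown are invented.

```python
"""Baseline-then-monitor check in the spirit of the OnCall workflow described
in the article. Added illustration, not SkyView code; every system value,
audit entry and record format below is constructed for the example.

Assumptions:
- System values arrive as a dict of name -> string (on a real system they
  would be read with DSPSYSVAL or the QWCRSVAL API; here they are typed in).
- Audit journal entries are reduced to dicts with a timestamp, a two-letter
  entry type, the user and a free-text detail. The entry types are real;
  the detail text is invented.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Drift:
    name: str       # system value name
    expected: str   # value agreed in the policy
    actual: str     # value seen in the latest scan


# Policy agreed after the first assessment run (constructed sample values).
POLICY = {
    "QSECURITY": "40",
    "QPWDMINLEN": "8",
    "QMAXSIGN": "3",
    "QAUDCTL": "*AUDLVL",
}


def check_drift(policy, current):
    """List every policy item whose current value differs from the agreed
    one. A value missing from the scan is reported too, since an absent
    reading is not evidence of compliance."""
    drift = []
    for name, expected in policy.items():
        actual = current.get(name, "<missing>")
        if actual != expected:
            drift.append(Drift(name, expected, actual))
    return drift


def changes_since(entries, since, entry_types=("SV", "CP")):
    """Return audit entries of the given types recorded after `since`, in
    time order. This catches changes that were made and reverted between
    scans, which a snapshot comparison alone would never see."""
    hits = [e for e in entries if e["type"] in entry_types and e["when"] > since]
    return sorted(hits, key=lambda e: e["when"])


def build_summary(policy, current, entries, since):
    """Executive-summary style verdict: `adhering` means the current scan
    matches the policy; `needs_review` means the journal shows tracked
    changes since the baseline even if the system is back in policy now."""
    drift = check_drift(policy, current)
    changes = changes_since(entries, since)
    return {
        "adhering": not drift,
        "needs_review": bool(changes),
        "drift": drift,
        "changes": changes,
    }


# Constructed sample data: the baseline run, a later scan, and journal entries.
BASELINE_RUN = datetime(2005, 1, 3, 9, 0)

CURRENT_VALUES = {
    "QSECURITY": "40",
    "QPWDMINLEN": "6",    # lowered after the baseline: this is drift
    "QMAXSIGN": "3",
    "QAUDCTL": "*AUDLVL",
}

AUDIT_ENTRIES = [
    {"when": datetime(2005, 1, 2, 14, 0), "type": "SV", "user": "QSECOFR",
     "detail": "QPWDMINLEN 6 -> 8"},                       # before baseline, ignored
    {"when": datetime(2005, 1, 10, 11, 0), "type": "SV", "user": "OPERATOR",
     "detail": "QSECURITY 40 -> 30"},                      # changed ...
    {"when": datetime(2005, 1, 11, 9, 0), "type": "SV", "user": "OPERATOR",
     "detail": "QSECURITY 30 -> 40"},                      # ... and reverted: invisible to a scan
    {"when": datetime(2005, 1, 20, 16, 30), "type": "SV", "user": "OPERATOR",
     "detail": "QPWDMINLEN 8 -> 6"},                       # explains the drift above
    {"when": datetime(2005, 1, 21, 8, 5), "type": "PW", "user": "JSMITH",
     "detail": "invalid password"},                        # not a tracked type here
]

if __name__ == "__main__":
    summary = build_summary(POLICY, CURRENT_VALUES, AUDIT_ENTRIES, BASELINE_RUN)
    print("adhering to policy:", summary["adhering"])
    for d in summary["drift"]:
        print(f"  drift: {d.name} expected {d.expected}, found {d.actual}")
    print("changes since baseline:", len(summary["changes"]))
    for e in summary["changes"]:
        print(f"  {e['when']:%Y-%m-%d} {e['type']} {e['user']}: {e['detail']}")
```

    The point of running both checks is in the QSECURITY entries: the scan sees the system back at its agreed value, so there is no drift, yet the journal shows it spent a day at a lower level. Reporting `needs_review` separately from `adhering` lets the summary say "still in policy" while still surfacing the change, which is exactly the distinction Woodbury draws in the quote that follows.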

    “The way you’ve chosen to configure the system, you may still have issues. OnCall is not there to continue to pass judgment, but to tell you that it hasn’t changed. That’s the biggest difference,” Woodbury says. “Once the risk assessment is in place, [OnCall tells the customer] that it’s still in that state, that they are adhering to their policy. That’s what they are looking for. We will do the monitoring for them.”

    Companies could choose to gather all the data and generate compliance reports for SOX manually. In fact, this appears to be exactly what many public companies are doing to gain SOX compliance, at least for their initial quarterly audit. But SkyView is betting that once companies realize SOX isn’t a one-time event, like Y2K, but is an ongoing process, they’ll want to automate some of that grunt work.

    “Rather than, every quarter, telling three people in the IT department to go gather data and write a report, leave it to the experts,” Vanderwall says. “We will sign on remotely and run the report [and] feed this back to the powers that be at the subscribing companies, whether it’s good, bad, or indifferent.”

    SkyView OnCall requires a virtual private network connection that allows SkyView’s security experts to sign on remotely. If a company doesn’t have a VPN connection, the necessary data can still be sent to SkyView using e-mail, but it requires more work on the part of the subscriber.

    The company has priced SkyView OnCall to cost the average company about $9,000 per year. The OnCall service itself costs $1,995 per quarter and another $495 for each computer or logical partition. There is also a $2,500 initiation fee. Companies will also need the SkyView Risk Assessor, which starts with a flat rate of $3,500, as well as a tier-based system or logical partition charge starting at $1,995.

    With about 100 users, adoption of Risk Assessor has been good the first year, says Vanderwall, who hopes many Risk Assessor users will adopt SkyView’s new OnCall service to effectively outsource much of the security management burden.

    For more information, see Visa’s CISP page or SkyView’s Visa CISP page.



Volume 5, Number 5 -- February 1, 2005
Copyright © 2023 IT Jungle