IBM i solutions for compliance with security regulations

Comply with IT security regulations and meet auditor requirements for compliance monitoring, access control, and data privacy in IBM i environments with security solutions from Precisely

Meeting compliance regulations

There are many security standards that organizations must follow to adhere to data protection and privacy regulations — and avoid expensive fines.

Organizations are subject to industry, state and national regulations, and many are expected to comply with the requirements of multiple regulatory bodies. IBM i security and control is a major concern, as these systems are a rich source of data. Understanding and following security standards and regulations is a critical aspect of doing business today. Achieving ironclad compliance is more than an IT or legal concern; it is a business imperative.

More than half of all IBM i power users believe their companies’ security investments will focus on the three pillars of security regulations: compliance, auditing and reporting. As data privacy and security regulations become increasingly complex, compliance demands will only become more difficult to meet.

Regardless of which specific security regulations a company is subject to, achieving full compliance with varied regulations can require the application of multiple IBM i security solutions.

Access control

Access control solutions keep unauthorized people out of your IBM i environment while maintaining tight control over what authorized users can do once logged in. A comprehensive solution will control access through networks, communication ports, open source database protocols, command lines and more, triggering alerts if suspicious activity is detected.

Multi-factor authentication

Multi-factor authentication is demanded by certain regulations to protect sensitive data from view by requiring two or more identifying factors from users before access is granted. In addition to being used to control system logins, multi-factor authentication solutions can be implemented for specific situations such as controlling access to specific databases, individual files, or even commands.

Management of elevated privileges

Management of elevated privileges is required to protect the use of powerful profiles that include *SECADM authority, *ALLOBJ authority and other potentially dangerous capabilities. The best practice auditors require is to provide users with only the privileges required to do their jobs and only temporarily grant elevated authorities required for select tasks. Elevated authority management solutions automate the process of temporarily granting elevated privileges as required and optionally logging all actions taken by privileged users.

Data privacy measures

Data privacy measures are required by numerous regulations to prevent unauthorized users from viewing personally identifiable information (PII), personal health information (PHI) and personal credit card information. Encryption, tokenization, anonymization and masking solutions are available to protect the privacy of data both at rest and in motion.

Compliance monitoring and reporting

Many regulations require an audit trail of data and system changes that can be used to prove compliance. In some cases, these audit trails must be kept for years. In addition to the logging capabilities built into the IBM i operating system, solutions that log security events such as file decryption, changes to sensitive records within a file, and failed multi-factor authentication attempts provide greater visibility into security incidents.

Template-driven compliance monitoring and reporting solutions leverage powerful filtering, query and mapping capabilities to analyze the content of IBM i log files and ensure that your system remains in compliance with regulatory requirements. Alerts and reports identify the areas that require attention. These same solutions can be used to monitor compliance with internal security policies and flag events such as file accesses outside business hours, views of a sensitive spool file, changes to authorization lists and much more.

Forwarding these log events to a SIEM solution allows for IBM i security data to be correlated, analyzed and reported upon with data from other platforms.
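As an added illustration of the policy checks described above (file reads outside business hours, views of a sensitive spool file, changes to authorization lists), here is a small Python rule set run over constructed audit records; this is not Precisely's code nor a real Assure export format, and the record layout, entry-type codes, business window and object names are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy values: business window and the objects treated as sensitive.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
SENSITIVE_FILES = {"PAYROLL/EMPMAST", "CARDS/CCDATA"}
SENSITIVE_SPOOL = {"PAYSLIPS"}

# Assumed record layout: type|ISO timestamp|user|library/object|object type.
# Entry types are loosely modelled on QAUDJRN codes (ZR object read,
# SF spooled-file action, CA authority change); the sample is constructed.
SAMPLE_LOG = """\
ZR|2024-03-04T10:30:00|JSMITH|PAYROLL/EMPMAST|*FILE
ZR|2024-03-04T22:15:00|JSMITH|PAYROLL/EMPMAST|*FILE
ZR|2024-03-02T11:00:00|JSMITH|PAYROLL/EMPMAST|*FILE
SF|2024-03-04T09:05:00|TSMITH|QGPL/PAYSLIPS|*SPLF
CA|2024-03-04T14:00:00|QSECOFR|QSYS/PAYAUTL|*AUTL
ZR|2024-03-04T23:00:00|JSMITH|QGPL/README|*FILE
"""

@dataclass
class Alert:
    rule: str
    user: str
    obj: str
    when: datetime

def parse(line):
    etype, ts, user, obj, otype = line.split("|")
    return etype, datetime.fromisoformat(ts), user, obj, otype

def outside_business_hours(ts):
    # Weekends (Saturday=5, Sunday=6) and anything outside the window count.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def evaluate(log_text):
    alerts = []
    for line in log_text.splitlines():
        etype, ts, user, obj, otype = parse(line)
        if etype == "ZR" and obj in SENSITIVE_FILES and outside_business_hours(ts):
            alerts.append(Alert("AFTER_HOURS_READ", user, obj, ts))
        elif etype == "SF" and obj.split("/")[-1] in SENSITIVE_SPOOL:
            alerts.append(Alert("SENSITIVE_SPOOL_VIEW", user, obj, ts))
        elif etype == "CA" and otype == "*AUTL":
            alerts.append(Alert("AUTL_CHANGE", user, obj, ts))
    return alerts

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.rule:22} {a.user:10} {a.obj}")
```

Each alert record already carries the fields a SIEM forwarder would need (time, rule, user, object), so the same output can be serialized and shipped off-platform for correlation.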

Security risk assessments

Security risk assessments are essential tools for proactively seeking out security vulnerabilities, a practice required by many cybersecurity regulations. Security risk assessment tools and services should check system values, password settings, library authorities, open ports, exit point programs, and much more to produce reports on potential risks and deliver guidance on how to remediate them.

Security regulations often cross international and industry lines, affecting organizations representing both public and private sectors and operating in various markets. The most pressing data privacy and security regulations cover personally identifiable information, healthcare data, and financial transaction information:

Sarbanes-Oxley Act

This regulation is focused on increasing transparency within public companies in the United States, especially with regard to their financial reporting.

Auditors must review security policies and standards, access and authorization controls, network security, system and network monitoring capabilities and the separation of duties and responsibilities.

Payment Card Industry Data Security Standard (PCI DSS)

The main objective of PCI DSS is to minimize instances of credit card fraud and safeguard consumer payment information.

Like Sarbanes-Oxley, PCI DSS requires annual compliance reviews, assessing security controls including firewalls, access management, cardholder data protection, encryption, network and system monitoring and security testing protocols.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is designed to ensure the protection of personal healthcare information.

HIPAA guidelines address areas like access control, in-transit data protection, system access monitoring and incident response and reporting policies.

General Data Protection Regulation (GDPR)

GDPR is a series of guidelines dictating how data related to EU citizens is gathered, stored, and managed.

Any organization that processes data belonging to European citizens must adhere to GDPR’s security standards, regardless of where they are headquartered or where their servers are located. Although GDPR’s primary concern is user consent, it has detailed rules regarding data breach incident response protocols.

California Consumer Privacy Act (CCPA)

CCPA is designed to strengthen data privacy protections for consumers and contains an expansive definition of personal data.

As with GDPR, it is important for companies to understand that CCPA applies to data collected about any resident of the state of California, regardless of where the company that collects or stores the data is based.

Customer Story – Corpbanca

Faced with the challenge of quickly meeting Chilean government and PCI regulations, Corpbanca implemented Assure Monitoring and Reporting and System Access Manager solutions to enhance transaction auditing and access-control capabilities. Corpbanca required solutions that would meet governmental regulations for monitoring and reporting, protecting sensitive files, and monitoring the behavior of powerful users.

They chose Assure Monitoring and Reporting to track and audit changes to sensitive business files. It also allows administrators to easily produce readable reports, either ad hoc or on a schedule, and automatically route these reports to the appropriate personnel. This saves the company hours of time that would normally be required to manually find, organize, format, and distribute audit data.

Read the case study to learn more.

Customer Story – Westpac Pacific Banking Corporation

Being part of the large Global Westpac Banking Corporation, Westpac Pacific Banking must comply with various regulatory guidelines and therefore needs visibility into everything that happens in their entire IBM i environment.

Since the implementation of Assure Monitoring and Reporting’s system audit capabilities, auditors and internal security officers have been pleased with their ability to generate concise and accurate reports. Equally important is the fact that today, the auditing and compliance process is significantly more automated – eliminating the need for IT personnel to spend hours gathering system information, managing user access, and formatting the data into reports the auditors can interpret.

Read the case study to learn more.

What to look for in a compliance assessment

Running a thorough compliance assessment on an IBM i server and comprehensively checking system security against regulatory requirements requires a great deal of expertise. Companies often don’t have such deep IBM i knowledge on staff and must look to a third-party consultant or vendor to perform the assessment. In general, use of an independent auditor is considered best practice.

Any IBM i compliance auditor should have a deep understanding of the IBM i operating system. Businesses can also help themselves by reviewing their password and authentication policies, powerful user profiles, objects settings, exit points, and other areas of concern.

Once completed, your compliance assessment should offer clear action items regarding what changes need to be made to comply with specific regulations.

Review our eBook: Passing Your Next Audit: The Challenges of Properly Securing Your IBM i and Maintaining Compliance. 

Don’t go it alone

With resources stretched thin and internal expertise lacking, the best course of action for companies to take is to bring in a third-party service provider or consultant to support their efforts to comply with cybersecurity regulations.

Working with an established cybersecurity expert can help put businesses on the path to regulatory compliance, while freeing up skilled IT teams to tackle other, equally important tasks. Continued auditing is also highly recommended to continue assessing security hygiene and verify that data management practices are up-to-date and fully adherent to the latest best practices.

The emergence of detailed and sweeping security regulations like GDPR and CCPA is a sign of the times, reflecting the ongoing shift in thought surrounding data privacy controls and security standards. It is not a culmination of escalating regulations, but the start of a new era in risk management and compliance expectations.

Download our product sheet about Professional Security Services to learn more.