Pass SOX security audits and Improve XA security
CISTECH Security Solutions
Belinda Daub, Senior Consultant, Technical Services


Agenda
1. Introduction to Enhanced Security
2. Implementing a Security Model
3. Advanced Analysis and Testing
4. Auditing and Reporting
5. Prerequisites
6. Coming Enhancements
7. Related Security Services

Enhanced Security for XA
Why is it necessary?
– SOX Requirement for public companies
– Documented security policy
– Documented procedures
– Formal approval for security rights to be assigned
– Regular auditing and monitoring
– Private Companies
– Are also addressing these requirements
– Protects investors, employees, community

Enhanced Security for XA
Why is it necessary?
– CAS Security
– Green Screen interface
– Difficult to determine how user has access to tasks
– Reports are massive
– No auditing capability
– Risk to productivity when policy changes are made

Enhanced Security for XA
How can it help?
– Add-on application written using Integrator
– Implemented by environment
– Three Components:
  – Security Modeling and Planning
  – Advanced Analysis and testing
  – Routine Auditing and reporting

Add-on Application using Integrator
– Power and Flexibility of the XA Client architecture:
  – Create views and subsets
  – Export to Excel

Implemented by environment
– Install in each environment
– Manage users for separate environments
– Includes all CAS tasks (if assigned to an area)
– Auditing for each environment

Enhanced Security Application Card
– Security Model: Create and finalize a new security model
– Security Audits: Review security changes for validity or breaches
– Current Environment: View security and user authorities in the current environment

Security Modeling and Planning
– Provides for implementation of new plan
  – Import users, groups, areas, and tasks from CAS files
  – Decide what you want to lock
  – Create groups and authorize to tasks
  – Assign users to groups
  – View current and planned authorities for users
Note: this is all done in the model – not the live environment

1. Import Security Components
– Import from the current environment:
  – Users
  – Groups
  – Areas and tasks
  – Group Authorities
  – Private Authorities
You don’t have to start from scratch!

2. Decide what you want to lock
– Subsets
  – Unlocked
  – Application
  – Type
– Mass Change
– Model Template
It’s Easy!

3. Create groups and assign to tasks
– Subsets
– Views
– Mass Change
– R7
  – Quick Change
  – Append subsets
– Model Template
Piece of Cake!

4. Assign users to groups
– Validation
– Subsets
  – User Groups
  – Group members
– Templates
– Return-to-create
Your model is almost ready!

5. View authorities for users
– Current and planned authorities
– A. User being reviewed
– B. Tasks the user is granted
– C. How access was granted
  – Private (user id)
  – Group (group id)
  – Not locked (blank)

Advanced Analysis and Testing
– View tasks user will no longer have access to
– View tasks user could not do before
– Final Adjustments to the model
– Export files to a test environment for user testing and acceptance
– Benefits
  – Reduce risk of affecting user productivity at go live
  – Resolve issues quickly after plan is implemented

Advanced Analysis
Rights Revoked: If users need any of these rights to do their jobs, they will be adversely affected when the plan is implemented. Enhanced Security lets you make sure this won’t happen.

Advanced Analysis
Rights Granted: SOX requires that all access be reviewed by authorizing manager. With Enhanced Security, you can export user rights to standard forms for management approval.

Testing
– Testing is critical to ensure users are not affected by the new plan.
  – Users from every group
  – Formal test plan
– Enhanced Security provides an export process for moving user rights from the model to an XA environment on the same or different iSeries.
  – Validation stamps generated
  – No re-keying

Security Auditing and Reporting
– SOX requires regular review of changes to security authorizations
– Enhanced Security provides:
  – Detailed Transaction History
  – Security Change Audit
  – Conflicting Task Authorities
  – Regular Audit Reports

Routine Auditing and Reporting
– Freeze the Plan
  – Saves an image of the model
  – Triggers are activated on the XA security files
  – Changes in user rights begin to be written to a transaction file

Detailed Transaction History
– Customize views, subsets, and sorts
– View or Host Print
– Determine how a user has gained access to a task
– Quickly identify the area(s) where changes need to be made

Security Change Audits
– Net Changes only (compared to last run or when model frozen)
– Navigate to Detailed Transactions that resulted in the change
– View or Print Report

Regular Reporting – Scheduled Job
– Schedule regular Auditor reports
– Set Audit Options

Security Audit Report
– Summarize authority granted to users for the reporting period
  – From last run date (monthly changes)
  – From date that the plan was frozen

Security Audit Reports
High-Risk Authority Conflicts
– Users who have authority for tasks that SOX defines as conflicting, for example:
  – Create a purchase order
  – Generate an AP check
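
An added example (not part of the original presentation and not CISTECH's code) of the analysis that the "View authorities for users", "Advanced Analysis" and "High-Risk Authority Conflicts" slides describe: resolving how a user reaches a task, listing rights revoked and granted by a planned model, and flagging the conflicting pair named above. The dictionary layout and the user and group ids are assumptions for illustration, not the CAS file format.

```python
# Added illustration. Data layout and user/group ids are assumptions, not XA/CAS files.
CONFLICTS = [("Create a purchase order", "Generate an AP check")]  # pair from the slide

def how_granted(user, task, env):
    """Return 'unlocked', 'private', 'group:<id>' or None (no access)."""
    if task not in env["locked"]:
        return "unlocked"  # a task nobody locked is open to every user
    if task in env["private"].get(user, set()):
        return "private"
    for group, members in sorted(env["members"].items()):
        if user in members and task in env["group_auth"].get(group, set()):
            return "group:" + group
    return None

def rights(user, env):
    """Map each task the user can run to the way access was granted."""
    found = {task: how_granted(user, task, env) for task in env["tasks"]}
    return {task: how for task, how in found.items() if how}

def plan_impact(user, current, model):
    """Tasks the user loses (revoked) and gains (granted) if the model goes live."""
    now, planned = set(rights(user, current)), set(rights(user, model))
    return {"revoked": sorted(now - planned), "granted": sorted(planned - now)}

def conflicts(user, env):
    """Conflicting task pairs the user can run, however access was obtained."""
    held = rights(user, env)
    return [pair for pair in CONFLICTS if pair[0] in held and pair[1] in held]

TASKS = {"Create a purchase order", "Generate an AP check", "Item inquiry"}
# Constructed live environment: purchase orders were never locked.
CURRENT = {"tasks": TASKS, "locked": {"Generate an AP check"},
           "private": {"JDOE": {"Generate an AP check"}},
           "members": {}, "group_auth": {}}
# Constructed model: both sensitive tasks locked and granted through groups only.
MODEL = {"tasks": TASKS,
         "locked": {"Create a purchase order", "Generate an AP check"},
         "private": {},
         "members": {"BUYERS": {"JDOE"}, "APCLERK": {"MSMITH"}},
         "group_auth": {"BUYERS": {"Create a purchase order"},
                        "APCLERK": {"Generate an AP check"}}}

if __name__ == "__main__":
    for user in ("JDOE", "MSMITH"):
        print(user, rights(user, MODEL), plan_impact(user, CURRENT, MODEL),
              conflicts(user, CURRENT), conflicts(user, MODEL))
```

In the constructed live environment JDOE holds the conflicting pair only because one of the two tasks was left unlocked, which a review of explicit grants alone would not show.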

Coming Enhancements
– IFM Security
– iSeries User Security
– CAS security maintenance
– XA Menu inquiry (where tasks are used)

Prerequisites
– Integrator (R6 or R7)
  – R6 requires new business objects created at installation
– OS V5R1 or higher
– All functions to be secured must be set up in CAS as tasks and assigned to an area

And the cost for ES…
– Enhanced Security License
  – <P30: $6,500
  – P30+: $9,500
– Implementation and Training
  – R6 (3 days) *: $3600
  – R7 (2 days): $2400
– Annual License Fees: none

Interested?
– Conference call and demo to address your specific areas of interest
– Purchase the software and schedule implementation and training
– Start with a Security Audit
– Select other related services to help you meet your SOX requirements

CISTECH Security Services
Security Audit
– Objective review of your iSeries and XA security configuration
– Typically 2 to 3 days (single XA environment)
– Review Security Settings
  – iSeries security configuration
  – iSeries User Profiles and environment access
  – XA Profiles and task authorities
– Risk Assessment and Recommendations (deliverable)
– Typical results
  – Estimate that 80% of companies need some improvements in Security
  – Security Policy not sufficient to protect against unauthorized access to the system
  – XA security configuration is not optimized

Related Security Services
– Security Planning Assistance
  – XA Security Policy
  – iSeries Security Policy
  – Documented Plan and Procedures
  – Change Management and Environment Standards for Customizations

Thank you! Questions?