Pass SOX security audits and Improve XA security
CISTECH Security Solutions
Belinda Daub, Senior Consultant Technical Services
belinda.daub@cistech.net
704-814-0004
Agenda
• Introduction to Enhanced Security
• Implementing a Security Model
• Advanced Analysis and Testing
• Auditing and Reporting
• Prerequisites
• Coming Enhancements
• Related Security Services

Enhanced Security for XA: Why is it necessary?
• SOX requirements for public companies
  • Documented security policy
  • Documented procedures
  • Formal approval for security rights to be assigned
  • Regular auditing and monitoring
• Private companies
  • Are also addressing these requirements
  • Protects investors, employees, community

Enhanced Security for XA: Why is it necessary?
• CAS Security
  • Green-screen interface
  • Difficult to determine how a user has access to tasks
  • Reports are massive
  • No auditing capability
  • Risk to productivity when policy changes are made

Enhanced Security for XA: How can it help?
• Add-on application written using Integrator
• Implemented by environment
• Three components:
  • Security Modeling and Planning
  • Advanced Analysis and Testing
  • Routine Auditing and Reporting

Add-on Application using Integrator
Power and flexibility of the XA Client architecture:
• Create views and subsets
• Export to Excel

Implemented by Environment
• Install in each environment
• Manage users for separate environments
• Includes all CAS tasks (if assigned to an area)
• Auditing for each environment

Enhanced Security Application Card
• Security Model: create and finalize a new security model
• Security Audits: review security changes for validity or breaches
• Current Environment: view security and user authorities in the current environment

Security Modeling and Planning
Provides for implementation of a new plan:
• Import users, groups, areas, and tasks from CAS files
• Decide what you want to lock
• Create groups and authorize them to tasks
• Assign users to groups
• View current and planned authorities for users
Note: this is all done in the model, not in the live environment.

1. Import Security Components
Import from the current environment:
• Users
• Groups
• Areas and tasks
• Group Authorities
• Private Authorities
You don't have to start from scratch!

2. Decide what you want to lock
• Subsets: Unlocked, Application, Type
• Mass Change
• Model Template
It's easy!

3. Create groups and assign to tasks
• Subsets
• Views
• Mass Change
• R7
• Quick Change
• Append subsets
• Model Template
Piece of cake!

4. Assign users to groups
• Validation
• Subsets: User Groups, Group members
• Templates
• Return-to-create
Your model is almost ready!
5. View authorities for users
Current and planned authorities (screen labels):
A. User being reviewed
B. Tasks the user is granted
C. How access was granted:
  • Private (user id)
  • Group (group id)
  • Not locked (blank)
Advanced Analysis and Testing
• View tasks a user will no longer have access to
• View tasks a user could not do before
• Final adjustments to the model
• Export files to a test environment for user testing and acceptance
Benefits:
• Reduce the risk of affecting user productivity at go-live
• Resolve issues quickly after the plan is implemented

Advanced Analysis: Rights Revoked
• If users need any of these rights to do their jobs, they will be adversely affected when the plan is implemented.
• Enhanced Security lets you make sure this won't happen.

Advanced Analysis: Rights Granted
• SOX requires that all access be reviewed by the authorizing manager.
• With Enhanced Security, you can export user rights to standard forms for management approval.

Testing
• Testing is critical to ensure users are not affected by the new plan.
  • Users from every group
  • Formal test plan
• Enhanced Security provides an export process for moving user rights from the model to an XA environment on the same or a different iSeries.
  • Validation stamps generated
  • No re-keying

Security Auditing and Reporting
SOX requires regular review of changes to security authorizations. Enhanced Security provides:
• Detailed Transaction History
• Security Change Audit
• Conflicting Task Authorities
• Regular Audit Reports
Routine Auditing and Reporting
• Freeze the plan
  • Saves an image of the model
  • Triggers are activated on the XA security files
  • Changes in user rights begin to be written to a transaction file

Detailed Transaction History
• Customize views, subsets, and sorts
• View or host print
• Determine how a user has gained access to a task
• Quickly identify the area(s) where changes need to be made

Security Change Audits
• Net changes only (compared to the last run, or to the point when the model was frozen)
• Navigate to the detailed transactions that resulted in the change
• View or print report

Regular Reporting: Scheduled Job
• Set audit options
• Schedule regular auditor reports

Security Audit Report
• Summarizes authority granted to users for the reporting period
  • From the last run date (monthly changes)
  • From the date that the plan was frozen

Security Audit Reports: High-Risk Authority Conflicts
• Users who have authority for tasks that SOX defines as conflicting, for example:
  • Create a purchase order
  • Generate an AP check
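The three checks the deck describes (column C of the review screen, "how access was granted"; the Rights Revoked / Rights Granted comparison between the current environment and the model; and the high-risk authority conflict report) can be expressed as one small program. This is an added example, not CISTECH's code or the Enhanced Security product; the user ids, group ids, task names and the rule that a private authority is reported before a group authority are constructed assumptions.

```python
# Added example (not CISTECH's code): a constructed model of the authority
# resolution, rights diff and conflict check described in this deck.
from typing import Dict, List, Optional, Set, Tuple

class SecurityModel:
    def __init__(self, locked: Set[str], group_auth: Dict[str, Set[str]],
                 private_auth: Dict[str, Set[str]], members: Dict[str, Set[str]]):
        self.locked = locked              # tasks that require authority
        self.group_auth = group_auth      # group id -> tasks the group is authorized to
        self.private_auth = private_auth  # user id -> tasks granted privately
        self.members = members            # user id -> groups the user belongs to

    def how_granted(self, user: str, task: str) -> Optional[str]:
        """Column C of the review screen: 'Not locked', 'Private', 'Group <id>' or None.
        Assumption: a private authority is reported before a group authority."""
        if task not in self.locked:
            return "Not locked"
        if task in self.private_auth.get(user, set()):
            return "Private"
        for group in sorted(self.members.get(user, set())):
            if task in self.group_auth.get(group, set()):
                return f"Group {group}"
        return None

    def authorities(self, user: str, tasks: Set[str]) -> Dict[str, str]:
        """Tasks the user can run, each with how access was granted."""
        found = {t: self.how_granted(user, t) for t in sorted(tasks)}
        return {t: how for t, how in found.items() if how is not None}

def rights_diff(current: SecurityModel, planned: SecurityModel,
                user: str, tasks: Set[str]) -> Dict[str, List[str]]:
    """Rights Revoked / Rights Granted: what changes for a user at go-live."""
    before = set(current.authorities(user, tasks))
    after = set(planned.authorities(user, tasks))
    return {"revoked": sorted(before - after), "granted": sorted(after - before)}

# Conflicting task pair taken from the deck; further pairs would be policy-specific.
CONFLICTS: List[Tuple[str, str]] = [("Create PO", "Generate AP check")]

def sod_conflicts(model: SecurityModel, user: str, tasks: Set[str]) -> List[Tuple[str, str]]:
    """High-risk authority conflicts: the user holds both tasks of a conflicting pair."""
    held = set(model.authorities(user, tasks))
    return [pair for pair in CONFLICTS if set(pair) <= held]

# Constructed sample data: today only "Create PO" is locked, so anyone can cut an AP check.
TASKS = {"Create PO", "Generate AP check", "Inquire item"}
CURRENT = SecurityModel({"Create PO"}, {"PURCH": {"Create PO"}}, {}, {"jdoe": {"PURCH"}})
PLANNED = SecurityModel(TASKS, {"PURCH": {"Create PO", "Inquire item"}, "AP": {"Generate AP check"}},
                        {"asmith": {"Inquire item"}}, {"jdoe": {"PURCH"}, "asmith": {"AP"}})
```

In the constructed data, jdoe's AP-check access is revoked when the plan goes live, which is exactly the entry the Rights Revoked review should surface before testing, and the conflict present today disappears in the planned model.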
Coming Enhancements
• IFM Security
• iSeries User Security
• CAS security maintenance
• XA Menu inquiry (where tasks are used)

Prerequisites
• Integrator (R6 or R7)
  • R6 requires new business objects created at installation
• OS V5R1 or higher
• All functions to be secured must be set up in CAS as tasks and assigned to an area

And the cost for ES...
Enhanced Security pricing:
• License: <P30 $6,500; P30+ $9,500
• Implementation and Training: R6 (3 days)* $3600; R7 (2 days) $2400
• Annual License Fees: none

Interested?
• Conference call and demo to address your specific areas of interest
• Purchase the software and schedule implementation and training
• Start with a Security Audit
• Select other related services to help you meet your SOX requirements

CISTECH Security Services: Security Audit
• Objective review of your iSeries and XA security configuration
• Typically 2 to 3 days (single XA environment)
• Review security settings:
  • iSeries security configuration
  • iSeries user profiles and environment access
  • XA profiles and task authorities
• Risk assessment and recommendations (deliverable)
• Typical results:
  • Estimate that 80% of companies need some improvements in security
  • Security policy not sufficient to protect against unauthorized access to the system
  • XA security configuration is not optimized

Related Security Services
• Security Planning Assistance
  • XA Security Policy
  • iSeries Security Policy
  • Documented Plan and Procedures
• Change Management and Environment Standards for Customizations
Thank you! Questions?