Monitoring Compliance Using the Compliance Automation Reporting Tool
Security breaches can be avoided if your security policies are wisely designed and if security regulations/rules are complied with.
By Terry Ford, 05/04/2020
By now, everyone should be aware that data losses occur through both internal and external means, representing significant risk to a company. It makes no difference whether you're large or small: the ability to steal your data sources is all that a hacker cares about. That can be avoided if your security rules and policies are wisely designed and if those security regulations/rules are complied with. But how do you effectively measure compliance? The size and number of systems, applications and users make this a daunting task, compounded by an overall lack of understanding of a system's usage and historical implementation.
Customizing Compliance Reports
Reporting compliance is also daunting because different stakeholder groups will each want to see the data in a different view that’s meaningful to them. Executives generally want to know whether their organization is compliant via a “red, yellow, green” visual. As you move down the reporting chain, the need for different levels of detail grows.
Enterprises need a centralized view of security that provides management visibility to measurable key risk indicators demonstrating compliance, which is traceable to their standards and policies.
IBM Systems Lab Services recently updated its IBM i security tooling to offer enterprises views for the following stakeholder groups:
- Business owner: Assurance that the information and brand reputation of the business is protected
- Chief security officer: As custodian of the business and information owners, this stakeholder can reassure management that any risks present on the system are being managed to an acceptable level
- Security administrators: Confirmation that access is implemented appropriately as designed
- Compliance officer: Assurance that IT operations comply with not only corporate rules and regulations but also industry and government regulations
- Operations managers: Ensure that the correct policies/standards are in place and being followed
- Application developers: Can check to see that applications are being designed and placed in production correctly with sufficient controls to prevent inappropriate access
- Everyone: Adherence to policy ensures the continuity of the business
A compliance view tailored for each stakeholder group sounds great, but how can you do this effectively and efficiently? What follows are some common factors that inhibit compliance reporting that I've observed over the course of my 30-plus-year career in IBM i security:
- For many IBM i shops, security is performed by an individual with multiple responsibilities: operations, administration, programming, etc.
- Security implementation is often misunderstood, neglected or not monitored due to time constraints
- Security setup is inherited from previous owners or application designers who aren’t available
- Security policies and standards don’t exist, are frequently misunderstood or aren’t implemented consistently
- Key risk indicators aren’t understood
This list leaves you to wonder: “Is my data safe? Is my company’s reputation safe? Is my job safe?” Gathering security information is time-consuming, and the information is scattered in multiple places on the system. The analysis of this data, or the monitoring of security changes, is often dated by the time it is read.
IBM Systems Lab Services has a tool that allows your organization to monitor your IBM i systems for compliance. Compliance Automation Reporting Tool, a component of the Security and Compliance Tools for IBM i, leverages more than 100 years of collective experience with IBM i security, availability and administration (see Figure 1, page 44). This provides IBM i clients with a comprehensive security and administrative tool that simplifies compliance management according to established risk thresholds (see Figure 2, below). More information is available on IBM Lab Services Security Services and Tooling.
Terry Ford is the team lead for security services delivery in IBM STG Lab Services.