1 / 32

Pass SOX security audits and Improve XA security CISTECH Security Solutions

Pass SOX security audits and Improve XA security CISTECH Security Solutions. Belinda Daub, Senior Consultant Technical Services belinda.daub@cistech.net 704-814-0004. Agenda. Introduction to Enhanced Security Implementing a Security Model Advanced Analysis and Testing

dbrenda
Download Presentation

Pass SOX security audits and Improve XA security CISTECH Security Solutions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Pass SOX security audits and Improve XA securityCISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services belinda.daub@cistech.net 704-814-0004

  2. Agenda • Introduction to Enhanced Security • Implementing a Security Model • Advanced Analysis and Testing • Auditing and Reporting • Prerequisites • Coming Enhancements • Related Security Services

  3. Enhanced Security for XA Why is it necessary? • SOX Requirement for public companies • Documented security policy • Documented procedures • Formal approval for security rights to be assigned • Regular auditing and monitoring • Private Companies • Are also addressing these requirements • Protects investors, employees, community

  4. Enhanced Security for XA Why is it necessary? • CAS Security • Green Screen interface • Difficult to determine how user has access to tasks • Reports are massive • No auditing capability • Risk to productivity when policy changes are made

  5. Enhanced Security for XA How can it help? • Add-on application written using Integrator • Implemented by environment • Three Components: • Security Modeling and Planning • Advanced Analysis and testing • Routine Auditing and reporting

  6. Add-on Application using Integrator Power and Flexibility of the XA Client architecture: • Create views and subsets • Export to Excel

  7. Implemented by environment • Install in each environment • Manage users for separate environments • Includes all CAS tasks (if assigned to an area) • Auditing for each environment

  8. Enhanced Security Application Card • Security Model • Create and finalize a new security model • Security Audits • Review security changes for validity or breaches • Current Environment • View security and user authorities in the current environment

  9. Security Modeling and Planning • Provides for implementation of new plan • Import users, groups, areas, and tasks from CAS files • Decide what you want to lock • Create groups and authorize to tasks • Assign users to groups • View current and planned authorities for users Note: this is all done in the model – not the live environment

  10. 1. Import Security Components • Import from the current environment: • Users • Groups • Areas and tasks • Group Authorities • Private Authorities You don’t have to start from scratch!

  11. 2. Decide what you want to lock • Subsets • Unlocked • Application • Type • Mass Change • Model Template It’s Easy!

  12. 3. Create groups and assign to tasks • Subsets • Views • Mass Change • R7 • Quick Change • Append subsets • Model Template Piece of Cake!

  13. 4. Assign users to groups • Validation • Subsets • User Groups • Group members • Templates • Return-to-create Your model is almost ready!

  14. 5. View authorities for users Current and planned authorities A. User being reviewed B. Tasks the user is granted B A C • C. How access was granted • Private (user id) • Group (group id) • Not locked (blank)

  15. Advanced Analysis and Testing • View tasks user will no longer have access to • View tasks user could not do before • Final Adjustments to the model • Export files to a test environment for user testing and acceptance Benefits • Reduce risk of affecting user productivity at go live • Resolve issues quickly after plan is implemented

  16. Advanced Analysis • Rights Revoked: • If users need any of these rights to do their jobs, they will be adversely affected when the plan is implemented. • Enhanced Security lets you make sure this won’t happen.

  17. Advanced Analysis Rights Granted: SOX requires that all access be reviewed by authorizing manager. With Enhanced Security, you can export user rights to standard forms for management approval.

  18. Testing • Testing is critical to ensure users are not affected by the new plan. • Users from every group • Formal test plan • Enhanced Security provides an export process for moving user rights from the model to an XA environment on the same or different iSeries. • Validation stamps generated • No re-keying

  19. Security Auditing and Reporting SOX requires regular review of changes to security authorizations Enhanced Security provides: • Detailed Transaction History • Security Change Audit • Conflicting Task Authorities • Regular Audit Reports

  20. Routine Auditing and Reporting • Freeze the Plan • Saves an image of the model • Triggers are activated on the XA security files • Changes in user rights begin to be written to a transaction file

  21. Detailed Transaction History • Customize views, subsets, and sorts • View or Host Print • Determine how a user has gained access to a task • Quickly identify the area(s) where changes need to be made

  22. Security Change Audits • Net Changes only (compared to last run or when model frozen) • Navigate to Detailed Transactions that resulted in the change • View or Print Report

  23. Regular Reporting – Scheduled Job Set Audit Options Schedule regular Auditor reports

  24. Security Audit Report • Summarize authority granted to users for the reporting period • From last run date (monthly changes) • From date that the plan was frozen

  25. Security Audit Reports High-Risk Authority Conflicts • Users who have authority for tasks that SOX defines as conflicting, for example: • Create a purchase order • Generate an AP check

  26. Coming Enhancements • IFM Security • iSeries User Security • CAS security maintenance • XA Menu inquiry (where tasks are used)

  27. Prerequisites • Integrator (R6 or R7) • R6 requires new business objects created at installation • OS V5R1 or higher • All functions to be secured must be set up in CAS as tasks and assigned to an area

  28. And the cost for ES… Enhanced Security <P30 $6,500 License P30+ $9,500 Implementation R6 (3 days) * $3600 and Training R7 (2 days) $2400 Annual License Fees none

  29. Interested? • Conference call and demo to address your specific areas of interest • Purchase the software and schedule implementation and training • Start with a Security Audit • Select other related services to help you meet your SOX requirements

  30. CISTECH Security Services Security Audit • Objective review of your iSeries and XA security configuration • Typically 2 to 3 days (single XA environment) • Review Security Settings • iSeries security configuration • iSeries User Profiles and environment access • XA Profiles and task authorities • Risk Assessment and Recommendations (deliverable) • Typical results • Estimate that 80% of companies need some improvements in Security • Security Policy not sufficient to protect unauthorized access to the system • XA security configuration is not optimized

  31. Related Security Services • Security Planning Assistance • XA Security Policy • iSeries Security Policy • Documented Plan and Procedures • Change Management and Environment Standards for Customizations

  32. Thank you! Questions?

More Related