The task of securing computer systems has been with us for decades. Over the last several years, a number of new United States (U.S.) and country-specific laws and regulations have come into effect. In the U.S. these include:
- Payment Card Industry (PCI)
- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO/IEC 27000-family information security standards (ISO27k)
These laws and regulations are forcing organizations to reconfigure and more closely audit their systems’ accessibility to be compliant with security and privacy requirements. Depending upon the nature of your business and country requirements, demonstrating compliance with these regulations is becoming a requirement to do business.
Some regulations come from government agencies, and others come from essential business partners such as payment card processors VISA and MasterCard and others. New regulatory requirements require that IT professionals adapt to new ways of working and new ways of thinking about and tracking security.
This publication addresses the security capabilities available under IBM i 6.1. Before addressing IBM i specifics, we spend time in this chapter going over some security basics that evolve into making use of IBM i security capabilities. If you are well versed in these basics, you may skim through the content in this chapter and quickly go to the succeeding chapters.
In general, computer security involves the implementation of specific measures taken to protect a computer environment against espionage, sabotage, crime, attack, or any type of unintentional or accidental harm. The computer environment is inclusive of the hardware, network, applications, and data.
To implement computer security, you must understand and analyze the risks to the computer environment and take appropriate actions to reduce the risks to the acceptable level appropriate for the organization. No consultant or auditor can tell you how to set up security for your organization unless they have a complete understanding of your organization’s assets, threats, risks, and environment.
To determine the proper security settings for a system, you must implement a security program. This chapter introduces many of the terms used in a security program. Chapter 2, “Security process and policies” on page 13, introduces the process to follow to build a security program. A security policy is the central component of a security program and must be documented before the proper level of security controls can be applied to the computer environment.
Everyone from senior management to users should be concerned with security. Security protects your computer system and sensitive information from both intentional and unintentional security breaches.
An important step in implementing a security program is to determine which systems, information, and additional items to secure. After you establish your security policy, you must conduct training to educate the users to be compliant with the new security rules. Security is what you have after you analyze the risks, lessen the risks that you can, and know which risks you have chosen to accept.
Assets, vulnerabilities, threats, risks, and countermeasures
Assets, vulnerabilities, threats, risks, and countermeasures are related terms that you must understand and evaluate as input into the organization’s security policy:
In general, an asset is a resource, process, product, or system that has value to the organization. Since assets have a value, they normally require some level of protection. The level of protection depends on the value of the asset, the threats that exist against the asset, and how vulnerable the asset is should the threat be exploited. Assets can be either tangible or intangible. Examples of tangible assets are computer hardware, computer data, licensed products, and software applications. Data privacy and the organization’s public image are examples of intangible assets.
A vulnerability is a weakness that threatens the confidentiality, integrity, or availability of an asset. Vulnerabilities are not only deficiencies of software or inappropriate implementation of technical measures. Consider untrained employees, incorrect procedures, and missing documentation as well. The threat is that someone will uncover a specific vulnerability and take advantage of it for malicious purposes.
A threat is any activity that can have an adverse or undesirable effect on an organizational asset. Threats exploit vulnerabilities. Hardware failure, fire, hackers, espionage, malicious code, sabotage, vandalism, and weather are some of the many different threats that an organization might face.
A risk is the possibility of a threat exploiting a vulnerability. Risks can be mitigated, but at a cost. Also, a risk can never be completely eliminated. An important input for developing a security policy is to determine how much risk your organization is willing to accept for each asset that must be protected.
Countermeasures are security safeguards that mitigate the risk of threats. To be aware of i5/OS-specific threats and to help understand vulnerabilities, risks, and countermeasures, you should read computer security literature, attend computer security conferences, and keep up to date with security advisories.