ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvsecauditchecklists.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Checklists for security auditing" />
<meta name="abstract" content="Use this checklist to plan and audit system security." />
<meta name="description" content="Use this checklist to plan and audit system security." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="secauditchecklists" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Checklists for security auditing</title>
</head>
<body id="secauditchecklists"><a name="secauditchecklists"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Checklists for security auditing</h1>
<div><p>Use this checklist to plan and audit system security.</p>
<p>As you plan security, choose the items from the list that meet your security
requirements. When you audit the security of your system, use the list to
evaluate the controls you have in place and to determine if additional controls
are needed. The list contains brief descriptions of how to do each item and
how to monitor that it has been done.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Security Auditing Planning Form</caption><thead align="left"><tr><th colspan="2" valign="top" id="d0e22">Security Auditing Planning
Form</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e22 ">Prepared by:</td>
<td valign="top" headers="d0e22 ">Date:</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring physical security:</strong></td>
</tr>
<tr><td valign="top" headers="d0e22 ">Is backup media protected from damage and theft?</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Is access to workstations in public areas restricted?
Use the DSPOBJAUT command to see who has *CHANGE authority to the workstations.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring system values:</strong></td>
</tr>
<tr><td valign="top" headers="d0e22 ">Verify that the settings for system values match your
System Values Selection form. Use the Print System Security Attributes (PRTSYSSECA)
command.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Review your decisions about system values, particularly
when you install new applications. Have any system values changed?</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 "><strong>Monitoring group profiles:</strong></td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Verify that group profiles have no passwords. Use the
DSPAUTUSR command to verify that all group profiles have a password of *NONE.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Verify that the correct people are members of the group.
Use the DSPUSRPRF command with the *GRPMBR option to list the members of a
group.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Check the special authorities for each group profile.
Use the DSPUSRPRF command. If you are running at security level 30, 40, or
50, group profiles should not have *ALLOBJ authority.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring user profiles:</strong></td>
</tr>
<tr><td valign="top" headers="d0e22 ">Verify that user profiles on the system belong to one
of these categories: <ul><li>User profiles for current employees</li>
<li>Group profiles</li>
<li>Application owner profiles</li>
<li>IBM-supplied profiles (start with Q)</li>
</ul>
</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Remove their user profile when the company transfers
a user or when a user leaves the company. Use the Change Expiration Schedule
Entry (CHGEXPSCDE) command to automatically delete or disable the profile
as soon as the user leaves.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Look for inactive profiles and remove them. Use the
Analyze Profile Activity (ANZPRFACT) command to automatically disable profiles
after they have been inactive for a certain time.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Determine which users have a password that is the same
as their user profile name. Use the Analyze Default Passwords (ANZDFTPWD)
command. Use the option of this command to force users to change their passwords
the next time they sign on to the system.<div class="attention"><span class="attentiontitle">Attention:</span>  Do not remove
any IBM-supplied profiles from the system. IBM-supplied profiles start with
the character Q.</div>
</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Be aware of who has a user class other than *USER and
why. Use the Print User Profile (PRTUSRPRF) command to get a list of all users,
their user class, and their special authorities. Match this information with
your System Responsibilities form.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Control which user profiles have the Limit capabilities
field set to *NO.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring critical objects:</strong></td>
</tr>
<tr><td valign="top" headers="d0e22 ">Review who has access to critical objects. Use the Print
Private Authorities (PRTPVTAUT) command and the Print Publicly Authorized
Objects (PRTPUBAUT) command to monitor objects. If a group has access, verify
the members of the group with the *GRPMBR option of the DSPUSRPRF command.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Verify who can use application programs that provide
access to objects through another security method, such as adopted authority.
Use the Print Adopting Objects (PRTADPOBJ) command.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring unauthorized access:</strong></td>
</tr>
<tr><td valign="top" headers="d0e22 ">Instruct system operators to be alert for security messages
in the QSYSOPR message queue. In particular, have them notify a security officer
of repeated unsuccessful attempts to sign on. Security messages are in the
range of 2200 to 22FF and 4A00 to 4AFF. They have prefixes CPF, CPI, CPC,
and CPD.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e22 ">Set up security auditing to log unauthorized attempts
to access objects.</td>
<td valign="top" headers="d0e22 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>
<p>For additional information on using the security auditing checklist, see
Chapter 9 of the <a href="../rzahg/rzahgsecref.htm">iSeries™ Security
Reference</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="concept" />`
			`<meta name="DC.Title" content="Checklists for security auditing" />`
			`<meta name="abstract" content="Use this checklist to plan and audit system security." />`
			`<meta name="description" content="Use this checklist to plan and audit system security." />`
			`<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="secauditchecklists" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Checklists for security auditing</title>`
			`</head>`
			`<body id="secauditchecklists"><a name="secauditchecklists"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Checklists for security auditing</h1>`
			`<div><p>Use this checklist to plan and audit system security.</p>`
			`<p>As you plan security, choose the items from the list that meet your security`
			`requirements. When you audit the security of your system, use the list to`
			`evaluate the controls you have in place and to determine if additional controls`
			`are needed. The list contains brief descriptions of how to do each item and`
			`how to monitor that it has been done.</p>`

			`<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Security Auditing Planning Form</caption><thead align="left"><tr><th colspan="2" valign="top" id="d0e22">Security Auditing Planning`
			`Form</th>`
			`</tr>`
			`</thead>`
			`<tbody><tr><td valign="top" headers="d0e22 ">Prepared by:</td>`
			`<td valign="top" headers="d0e22 ">Date:</td>`
			`</tr>`
			`<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring physical security:</strong></td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Is backup media protected from damage and theft?</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Is access to workstations in public areas restricted?`
			`Use the DSPOBJAUT command to see who has *CHANGE authority to the workstations.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring system values:</strong></td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Verify that the settings for system values match your`
			`System Values Selection form. Use the Print System Security Attributes (PRTSYSSECA)`
			`command.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Review your decisions about system values, particularly`
			`when you install new applications. Have any system values changed?</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 "><strong>Monitoring group profiles:</strong></td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Verify that group profiles have no passwords. Use the`
			`DSPAUTUSR command to verify that all group profiles have a password of *NONE.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Verify that the correct people are members of the group.`
			`Use the DSPUSRPRF command with the *GRPMBR option to list the members of a`
			`group.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Check the special authorities for each group profile.`
			`Use the DSPUSRPRF command. If you are running at security level 30, 40, or`
			`50, group profiles should not have *ALLOBJ authority.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring user profiles:</strong></td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Verify that user profiles on the system belong to one`
			`of these categories: <ul><li>User profiles for current employees</li>`
			`<li>Group profiles</li>`
			`<li>Application owner profiles</li>`
			`<li>IBM-supplied profiles (start with Q)</li>`
			`</ul>`
			`</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Remove their user profile when the company transfers`
			`a user or when a user leaves the company. Use the Change Expiration Schedule`
			`Entry (CHGEXPSCDE) command to automatically delete or disable the profile`
			`as soon as the user leaves.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Look for inactive profiles and remove them. Use the`
			`Analyze Profile Activity (ANZPRFACT) command to automatically disable profiles`
			`after they have been inactive for a certain time.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Determine which users have a password that is the same`
			`as their user profile name. Use the Analyze Default Passwords (ANZDFTPWD)`
			`command. Use the option of this command to force users to change their passwords`
			`the next time they sign on to the system.<div class="attention"><span class="attentiontitle">Attention:</span> Do not remove`
			`any IBM-supplied profiles from the system. IBM-supplied profiles start with`
			`the character Q.</div>`
			`</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Be aware of who has a user class other than *USER and`
			`why. Use the Print User Profile (PRTUSRPRF) command to get a list of all users,`
			`their user class, and their special authorities. Match this information with`
			`your System Responsibilities form.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Control which user profiles have the Limit capabilities`
			`field set to *NO.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring critical objects:</strong></td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Review who has access to critical objects. Use the Print`
			`Private Authorities (PRTPVTAUT) command and the Print Publicly Authorized`
			`Objects (PRTPUBAUT) command to monitor objects. If a group has access, verify`
			`the members of the group with the *GRPMBR option of the DSPUSRPRF command.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Verify who can use application programs that provide`
			`access to objects through another security method, such as adopted authority.`
			`Use the Print Adopting Objects (PRTADPOBJ) command.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td colspan="2" valign="top" headers="d0e22 "><strong>Monitoring unauthorized access:</strong></td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Instruct system operators to be alert for security messages`
			`in the QSYSOPR message queue. In particular, have them notify a security officer`
			`of repeated unsuccessful attempts to sign on. Security messages are in the`
			`range of 2200 to 22FF and 4A00 to 4AFF. They have prefixes CPF, CPI, CPC,`
			`and CPD.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`<tr><td valign="top" headers="d0e22 ">Set up security auditing to log unauthorized attempts`
			`to access objects.</td>`
			`<td valign="top" headers="d0e22 "> </td>`
			`</tr>`
			`</tbody>`
			`</table>`
			`</div>`
			`<p>For additional information on using the security auditing checklist, see`
			`Chapter 9 of the <a href="../rzahg/rzahgsecref.htm">iSeries™ Security`
			`Reference</a>.</p>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`