Frequently asked questions

These are common questions about setting up and using system security.

Questions that customers often ask

Administrators and security officers are faced with a wide variety of options and solutions for protecting the systems that they manage. All of these potential solutions can be confusing and daunting; however, good system security involves understanding your basic security needs and the role that security plays within your company. To understand the value of security for your company and its systems, you should know what security means to you at its most basic level.
  1. Why is security important?

    Answer: The information stored on your system is one of your most important business assets. This sensitive information can be customer accounts, payroll statements, and financial statements. You must balance the need for protecting this information with the need to allow your employees access to complete their job responsibilities. You need to keep three important objectives in mind when determining how to protect your information assets:

    • Confidentiality: Good security measures can prevent people from seeing and disclosing confidential information. On your systems, what information do you consider confidential, which only a few select individuals can see and maintain?
    • Integrity: To some extent, a well-designed security system can ensure the accuracy of the information on your computer. With the right security, you can prevent unauthorized changes or deletions of data.
    • Availability: If someone accidentally or intentionally damages data on your system, you cannot access those resources until you recover them. A good security system can prevent this kind of damage.

      When people think about system security, they usually think about protecting their system from people outside the company, such as business rivals. Actually, protection against curiosity or system accidents by proper users is often the greatest benefit of a well-designed security system. In a system without good security features, a user might unintentionally delete an important file. A well-designed security system helps prevent this type of accident.

  2. Who should be responsible for security on my system?
    Answer: Different companies take different approaches to security. Sometimes programmers have responsibility for all aspects of security. In other cases, the person who manages the system is also in charge of security. To determine who should be responsible for security on your system or systems, consider the suggested approach of:
    • Your method of planning security depends on whether your company purchases or develops applications. If you develop your own applications, communicate your security needs during the development process. If you purchase applications, understand and work with the application designer. In both cases, the people who design applications should consider security as part of the design.
    • Your method of planning resource security depends on whether your company purchases or develops applications. If you develop your own applications, communicate your resource security needs during the development process. If you purchase applications, understand and work with the application designer. In both cases, the people who design applications should consider security as part of the design.

  3. Why should I customize security on my system?

    Answer: A small system might have three to five users that run a few applications. A large system might have thousands of users on a large communications network running many applications. You have the opportunity to change many things about how the system looks to your users and how it performs.

    When your system first arrives, you probably will not need or want to do very much customizing. IBM® ships your system with initial settings, called defaults, for many options. These defaults are the choices that usually work best for new installations.
    Note: All new systems ship with a default security level of 40. This security level ensures that only users who you have defined can use the system. It also prevents potential integrity or security risks from programs that can circumvent security.

    However, if you do some customizing, you can make your system a simpler and more effective tool for your users. For example, you can make sure that a user always gets the correct menu when signing on. You can make sure that every user's reports go to the right printer. Your users will feel that more confident about the system if you do some initial customizing to make it look and feel like their own system.

Questions customers should ask themselves

  1. Have I clearly defined my company's business requirements?

    Answer: To plan and set up security on your systems effectively, you must first know what your business requires to function effectively and efficiently. You need to understand how your systems will be used within your company. For example, systems that contain critical applications, such as databases that contain your company accounts, would need higher level of security than systems used for testing products within your company.

  2. What assets do I want to protect?

    Answer: Your business assets comprise not only the physical systems that you manage, but also the data and information that is stored on them. To minimize theft and tampering, you need to create an inventory of your systems and the information that they store.

    The amount of security you need depends on the type of information stored on that system, the sensitivity of that information, and the consequences to your business if that data is stolen or compromised. Understanding the risks that your systems may face allows you to more effectively manage security on your systems.

  3. Do I have a company policy regarding security?

    Answer: A security policy defines your company's requirements for protecting your company's resources, responding security-related incidents, and conducting secure business transactions with remote employees, business partners, and public customers. This security policy should entail physical security of your systems, network security issues, such as Internet access for employees, and measures for assessing and monitoring security on your systems. Think of your security policy as your foundation for all your security decisions. Your security policy needs to reflect your core business values, but also be flexible enough to accommodate future business demands.

  4. Do my employees have or need access to the Internet?

    Answer: Today, most companies see the need to allow employees access to the Internet to conduct research and respond to customers related to daily operations of their businesses. Whenever you connect your systems and users to the Internet, your internal resources are at risk of an attack. To protect your network from these risks that are associated with Internet use, you need to decide which network services will be allowed, how users will connect to the Internet, and how network security will be monitored in your network. Any decisions you make regarding the Internet and its use needs to be clearly defined and communicated to employees within your security policy. It is important to ensure that all your employees understand and sign a compliance agreement with these policies. Although implementing a network security policy is beyond the scope of this topic, you should include information regarding network security in your overall security policy.

Parent topic: Plan and set up system security