OS/400 Security Compliance Handbook

Week 1:
What is Compliance?

One of the buzzwords in the industry today is “compliance.” There is corporate compliance, market-driving compliance, ISO17799 compliance, Visa CISP compliance, compliance monitoring, and, last but certainly not least, SOX compliance. We are constantly bombarded with ads for products that will help us be “in compliance.” But what does it all mean? And why should you care? This series on compliance will answer these questions as well as describe how compliance applies to the OS/400 world.

Compliance is defined in one dictionary as

conformity or acting according to certain accepted standards.

This is the definition most widely accepted and applied in the IT world. If you don’t have the best working relationship with your auditors you may feel the following definition is a better fit:

the act of submitting: usually surrendering power to another

All joking aside, when you see the word “compliance” you need to stop and think. I encourage you to determine and understand the definition of compliance that is being used and, more importantly, what “being in compliance” really means to your organization, as well as whether or not you even need to be “in compliance.”

Compliance in the security world has been around for quite some time, but it was limited to the government sector. For example, several years ago, parts of the U.S. Government required operating systems to be “C2 compliant” or they could not participate in a company’s bid for a government contract. That’s why, in V2R3, IBM went through the task of getting the C2 rating for OS/400. This means that OS/400 met the criteria defined by the U.S. Government for a C2 rating.

Another example of compliance in the security world is encryption devices. Parts of the finance industry require FIPS (Federal Information Processing Standards) compliant devices to perform certain aspects of encryption and encryption key management.

Compliance is more than just taking someone’s word. Compliance means meeting a set of criteria and usually implies testing – often rigorous testing – to ensure compliance. Compliance usually requires some form of proof that the criteria have been met. For example, OS/400 was only deemed C2 compliant after months of rigorous testing by numerous OS/400 developers and independent, government-appointed examiners verified the test documentation and output.

What does compliance mean in today’s world of security and why do we hear so much about it? Because laws and regulations were put into place to address an unfortunate issue - greed. Because of a few greedy and dishonest people, laws and regulations were enacted in an attempt to mandate appropriate behavior. The Sarbanes-Oxley Act was put in place to prevent another Enron or Parmalat fiasco. Almost all other laws and regulations were designed to protect an individual’s privacy.

Previously, laws were enacted that only applied to specific industries, such as the Gramm-Leach-Bliley Act (GLBA) for finance and the Health Insurance Portability and Accountability Act (HIPAA). However, the reach of these laws started to broaden as individual states started to enact laws to protect the private data of their citizens in an effort to reduce the chances of their residents becoming victims of identity theft. California is especially active in this area. Recently, the type of business affected by these laws and regulations was broadened again. Because of the rising incidence and cost (estimated to be in the trillions of dollars world-wide) of identity theft, the payment card industry (PCI) has now issued IT security requirements. Now, any business that takes a credit card and stores the information must comply with the IT security configuration and process requirements as published by the credit card companies.

What is the next set of regulations to be levied on business? It is hard to tell. But bills similar to many of the state regulations have been introduced into both Houses of Congress. Lest you think this is solely a U.S. issue, “The Companies Bill” (Britain’s version of Sarbanes-Oxley) has had its second reading in the House of Parliament. In the not too distant future, we believe that any company that processes or retains private information (credit card numbers, social security numbers, bank account information, etc.) is going to have to comply with some type of IT security law or regulation.

Next week we will discuss various bills and regulations with which your company may need to be in compliance.

Carol Woodbury is President and co-founder of SkyView Partners. Carol has over 15 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Carol's second book is Experts' Guide to OS/400 and i5/OS Security.