COMMENTS

Y/N 13. Do users signing on from a remote system go through the normal sign-on procedure? (QRMTSIGN)
14. Are the following special authorities within the system restricted to appropriate personnel?
Y/N   a. All object (*ALLOBJ)
Y/N   b. Security Administrator (*SECADM): allows administration of user profiles
Y/N   c. Save System (*SAVSYS): allows a user to do save and restore operations for all resources on the system
Y/N   d. Job Control (*JOBCTL): allows manipulation of work queues
Y/N   e. Spool Control (*SPLCTL): allows control of spool functions
Y/N   f. Service (*SERVICE): allows the user to perform service functions such as storage display, alter, and dump; *SERVICE should be assigned very restrictively
IBM publication AS/400 Security and Auditing Considerations contains a grid of the special authorities that are automatically granted to each user class (if QSECURITY is set to 30). Accordingly, classifying terminal users according to this suggested grid can automatically confine these special authorities to logical groups of people. Also note that special authorities can be granted at the user profile level, so a user may hold authorities beyond those implied by the user class.
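The comparison the paragraph describes, carried out as an added audit check that is not part of the questionnaire or of IBM's materials: each profile's special authorities are diffed against the set its user class implies, and anything granted at the profile level is reported. The class grid is an assumed reading of the QSECURITY 30 defaults and must be confirmed against the IBM publication; the profile records and the blank-separated authority format are constructed to stand in for a DSPUSRPRF OUTPUT(*OUTFILE) export.

```python
"""Flag user profiles whose special authorities exceed their user class (item 14)."""

SPECIAL_AUTHS = {"*ALLOBJ", "*SECADM", "*SAVSYS", "*JOBCTL", "*SPLCTL", "*SERVICE"}

# Assumed QSECURITY 30 grid: special authorities implied by each user class.
# Replace with the grid from the IBM publication before relying on the results.
CLASS_GRID = {
    "*SECOFR": SPECIAL_AUTHS,
    "*SECADM": {"*SECADM"},
    "*PGMR": set(),
    "*SYSOPR": {"*SAVSYS", "*JOBCTL"},
    "*USER": set(),
}

# Authorities the checklist says to assign most restrictively (items 14a, 14f, 18a).
HIGH_RISK = {"*ALLOBJ", "*SERVICE"}


def parse_special_auth(field: str) -> set:
    """Assumed export format: blank-separated authority names, or *NONE when empty."""
    tokens = field.split()
    return set() if not tokens or tokens == ["*NONE"] else set(tokens)


def excess_authorities(profile: dict) -> set:
    """Special authorities granted at the profile level beyond the class default."""
    implied = CLASS_GRID.get(profile["user_class"], set())
    return parse_special_auth(profile["special_auth"]) - implied


def audit(profiles):
    """Return (profile, severity, excess authorities) for every profile needing review."""
    findings = []
    for p in profiles:
        extra = excess_authorities(p)
        if extra:
            severity = "HIGH" if extra & HIGH_RISK else "REVIEW"
            findings.append((p["name"], severity, sorted(extra)))
    return findings


# Constructed sample records; not taken from any real system.
SAMPLE = [
    {"name": "QSECOFR", "user_class": "*SECOFR", "special_auth": " ".join(sorted(SPECIAL_AUTHS))},
    {"name": "OPER01", "user_class": "*SYSOPR", "special_auth": "*SAVSYS *JOBCTL"},
    {"name": "PGMR02", "user_class": "*PGMR", "special_auth": "*JOBCTL *SERVICE"},
    {"name": "CLERK03", "user_class": "*USER", "special_auth": "*NONE"},
    {"name": "HELPDSK", "user_class": "*USER", "special_auth": "*SPLCTL"},
    {"name": "APPADM", "user_class": "*USER", "special_auth": "*ALLOBJ"},
]

if __name__ == "__main__":
    for name, sev, extra in audit(SAMPLE):
        print(f"{sev:6} {name:10} excess: {' '.join(extra)}")
```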

COMMENTS

Y/N 15. Are objects used in a production mode required to include an object description?

COMMENTS

Y/N 16. Do naming conventions prohibit the naming of an object that begins with the letter Q?
IBM-supplied programs use the letter Q as the first character of their names. A number of those are properly specified to adopt the authority of the security officer when they execute. If the shop prohibits creation of objects beginning with the letter Q, local programs that adopt security authority can be easily controlled.

COMMENTS

17. Group Profile Considerations

Y/N a. Do naming conventions clearly distinguish between group and individual profiles?
Y/N b. Are users prohibited from signing on using a group profile?

COMMENTS

18. Adopt Authority and Public Authority

Y/N a. Are all programs that adopt *ALLOBJ or *SERVICE authority reviewed by a security officer?
Y/N b. Are programs that adopt the authority of a powerful user restricted to authorized personnel?
Y/N c. Is public authority for source and object programs set to *EXCLUDE?

COMMENTS

19. Job Descriptions

Y/N a. Are job descriptions that have public authority specified as USER(*RQD)?
Y/N b. Do job descriptions that specify a user profile name have public authority *EXCLUDE?

COMMENTS

Y/N 20. Are encryption techniques in use?

COMMENTS—Please describe what they are being used for and why.

Y/N 21. Dial-up communication, if in use, should be controlled. Has this been done for your location? Dial back, dynamic passwords, and encryption are three possible ways to do this.

COMMENTS

Y/N 22. Are there procedures ensuring that separated/terminated personnel are immediately removed from the system?

COMMENTS

D. CHANGE MANAGEMENT

1. Project Request Procedures

Y/N a. Is there a standard form used to request additions and/or changes to systems?
Please attach one blank and one completed form.
Y/N b. Are there procedures for using the standard form?
Please attach a copy or describe the procedures.

COMMENTS

Y/N 2. Is there evidence of authorization for program modifications?
Y/N Does the evidence include a project request or other identification method?

COMMENTS

Y/N 3. Are changes to production source and executable programs monitored via reporting that is reviewed by a responsible person (with review evidenced by signature or initials)?

COMMENTS

Y/N 4. Are programmers limited to *USE (read-only) authority for source programs?

COMMENTS

5. Library Management

Y/N a. Are sensitive libraries restricted to appropriate users?
Y/N b. Are separate libraries being maintained for program development, testing, and production?
Y/N c. Are source programs recompiled after being transferred into production?
Y/N d. Are the application source, object, and data files stored in physically separate libraries?
Y/N e. Are program owners and data owners separate group profiles? This approach can help to separate users and programmers from an access standpoint—users are kept out of software libraries and programmers are kept out of data libraries.

COMMENTS

Y/N 6. Is a log or standard form kept for all changes to the production environment?
Attach an example of a completed log sheet or form and describe any means to determine the actual detail changes to the program code.

COMMENTS

Y/N 7. Are there any programs for which the source code is not available? Please identify them below and comment on how they are maintained.

COMMENTS

Y/N 8. Are you current on all software releases?

COMMENTS

9. If application software is leased or purchased and vendor support is utilized:
Y/N a. Is there sufficient documentation of in-house changes to the software?
Y/N b. Is there a procedure for applying updates to the system?

COMMENTS

E. BACKUP, RECOVERY AND CONTINGENCY PLANNING

1. Please complete the following table concerning the backups you make.

Type of Backup      Frequency (daily, weekly, etc.)   Number of Generations Stored On-Site   Number of Generations Stored Off-Site
SAVSYS              ______________________________    ___________________________________    ____________________________________
SAVLIB (*NONSYS)    ______________________________    ___________________________________    ____________________________________
SAVLIB (*ALLUSR)    ______________________________    ___________________________________    ____________________________________
SAVLIB (*IBM)       ______________________________    ___________________________________    ____________________________________
SAVOBJ              ______________________________    ___________________________________    ____________________________________
SAVCHGOBJ           ______________________________    ___________________________________    ____________________________________
Other:              ______________________________    ___________________________________    ____________________________________

Y/N 2. Are backup commands fully coded and compiled as control language programs, as opposed to being typed in at the system console when required?
  Please provide a sample of backup instructions/commands, if they exist.

COMMENTS

Y/N 3. Are tapes and diskettes written on the AS/400 subject to controlled physical access?
IBM literature indicates that AS/400-produced magnetic media can be read on IBM equipment of a different architecture—implying that AS/400-produced media could be read on an IBM mainframe, potentially circumventing AS/400 security.

COMMENTS

Y/N 4. Do you have any applications that include a communications component? (Examples would include purchasing that had an EDI component and shop floor data collection utilizing store and forward logic.)
Identify fall-back alternatives and applications that incorporate communications in comments below.
