
Achieving Compliance: Understanding & Following IT Security Regulations

Help your organization successfully comply with security regulations and meet its needs for security auditing and control in IBM i environments with Syncsort cybersecurity solutions for IBM i 


What are the key areas of compliance concerns?

Regardless of which specific security regulations a company is subject to, achieving full compliance with varied regulations can require a number of core security capabilities:

Access control solutions keep unauthorized people out of your IBM i environment while maintaining tight control over what authorized users can do once logged in. A comprehensive solution will control access through networks, communication ports, open source database protocols, command lines and more, triggering alerts when suspicious activity is detected.

See how Assure System Access Manager can help you control user access to your IBM i system.

Multi-factor authentication is demanded by certain regulations to protect sensitive data from view by requiring two or more identifying factors from users before access is granted. In addition to being used to control system logins, multi-factor authentication solutions can be implemented for specific situations such as controlling access to specific databases, individual files, or even commands.

Syncsort can help you with multi-factor authentication. Learn more about Assure Multi-Factor Authentication.

Management of elevated privileges is required to protect the use of powerful profiles that include *SECADM authority, *ALLOBJ authority and other potentially dangerous capabilities. Best practice is to provide users with only the privileges required to do their jobs and only temporarily grant authorities required for select tasks. Elevated authority management solutions automate the process of temporarily granting elevated privileges as required and optionally logging all actions taken by privileged users.

Learn more about Assure Elevated Authority Manager

Data privacy measures are required by numerous regulations to prevent unauthorized users from viewing personally identifiable information (PII), personal health information (PHI) and personal credit card information. Encryption, tokenization, anonymization and masking solutions are available to protect the privacy of data both at rest and in motion.

Syncsort can help you encrypt sensitive data. Learn more about Assure Encryption

Regulatory compliance must be continually monitored to ensure your IBM i environment has not deviated from regulatory requirements. Template-driven solutions monitor your system to ensure that it remains in compliance with regulatory requirements, raising alerts and generating reports to identify the areas that require attention. These same systems can be used to monitor compliance with internal security policies.

Need to meet compliance regulations quickly? See how Syncsort can help -- watch our webcast: Accelerating Regulatory Compliance for IBM i Systems

System activity logging is required by many regulations to generate an audit trail of data and system changes that can be used to prove compliance. In some cases, these audit trails must be kept for years. In addition to the logging capabilities built into the IBM i operating system, solutions that log security events such as file decryption, changes to sensitive records within a file, and failed multi-factor authentication attempts provide greater visibility into security incidents.

For more information, read more about Assure Monitoring and Reporting

Security monitoring and reporting solutions leverage powerful filtering, query and mapping capabilities to analyze the content of IBM i log files and generate alerts or reports on events such as file accesses outside business hours, views of a sensitive spool file, changes to authorization lists and much more. Forwarding these log events to a SIEM solution allows for IBM i security data to be correlated, analyzed and reported upon with data from other platforms.

Security risk assessments are essential tools for proactively seeking out security vulnerabilities, a practice required by many cybersecurity regulations. Security risk assessment tools and services should check system values, password settings, library authorities, open ports, exit point programs and much more to produce reports on potential risks and deliver guidance on how to remediate them.

For more information, download our solution sheet: Assure Security Risk Assessment
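The two checks above that a practitioner can run first, without any add-on product, are an inventory of powerful profiles (the *ALLOBJ and *SECADM authorities named under elevated privileges) and a review of password and auditing system values (named under risk assessment). The following queries are an added example, not Syncsort code or part of any Assure product; they assume the IBM i Db2 for i services QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO, and the thresholds in the second query are assumptions chosen for illustration, not values taken from any regulation.

```sql
-- Added example (not Syncsort or Assure code): read-only audit queries
-- over the IBM i Db2 services QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO.

-- 1. Enabled user profiles holding *ALLOBJ or *SECADM special authority.
--    Each row is a candidate for temporary, managed elevation rather than
--    a permanent grant; NO_PASSWORD_INDICATOR = 'YES' flags profiles that
--    cannot sign on interactively, which usually need no further action.
SELECT AUTHORIZATION_NAME,
       STATUS,
       SPECIAL_AUTHORITIES,
       PASSWORD_CHANGE_DATE,
       NO_PASSWORD_INDICATOR
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND (SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR SPECIAL_AUTHORITIES LIKE '%*SECADM%')
 ORDER BY AUTHORIZATION_NAME;

-- 2. Password- and audit-related system values with a simple finding
--    column. The thresholds are assumptions for illustration; substitute
--    the values your own policy or regulation requires. A system value set
--    to *NOMAX has no numeric value, so the numeric comparisons fall through
--    to 'REVIEW' rather than silently passing.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CURRENT_CHARACTER_VALUE,
       CASE SYSTEM_VALUE_NAME
         WHEN 'QSECURITY'  THEN CASE WHEN CURRENT_NUMERIC_VALUE >= 40
                                     THEN 'OK' ELSE 'REVIEW' END
         WHEN 'QPWDEXPITV' THEN CASE WHEN CURRENT_NUMERIC_VALUE BETWEEN 1 AND 90
                                     THEN 'OK' ELSE 'REVIEW' END
         WHEN 'QMAXSIGN'   THEN CASE WHEN CURRENT_NUMERIC_VALUE BETWEEN 1 AND 5
                                     THEN 'OK' ELSE 'REVIEW' END
         WHEN 'QAUDCTL'    THEN CASE WHEN CURRENT_CHARACTER_VALUE LIKE '%*AUDLVL%'
                                     THEN 'OK' ELSE 'REVIEW' END
         ELSE 'INFO'
       END AS FINDING
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QPWDEXPITV', 'QMAXSIGN',
                             'QAUDCTL', 'QPWDLVL')
 ORDER BY SYSTEM_VALUE_NAME;
```

Both queries only read catalog views, so they can be run from Run SQL Scripts or any ODBC/JDBC client with a profile that has read access to the services; saving their output alongside a date gives the kind of audit trail the page says regulators ask for, and re-running them on a schedule is the simplest form of the continuous compliance monitoring described above.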

Meeting compliance regulations

There are many security standards that organizations today must follow to adhere to data protection and privacy best practices — and avoid expensive fines. Sarbanes-Oxley (SOX), PCI DSS and HIPAA are among the most pressing regulatory concerns with newcomers like the European Union’s General Data Protection Regulation (GDPR) posing all-new challenges for even the most diligent companies.

Understanding and following security standards and regulations is a critical aspect of doing business today, especially for companies that operate in various markets stretching across international lines. Achieving ironclad compliance is more than an IT or legal concern; it is a business imperative.

Organizations are subject to industry, state and national regulations, and many are expected to comply with the requirements of multiple regulatory bodies. IBM i security and control is a major concern, as it is a rich source of data. More than half of all IBM i power users believe their companies’ security investments will focus on the three pillars of security regulations: compliance, auditing and reporting. As data privacy and security regulations become increasingly complex, compliance demands will only become more difficult to meet.

What are the most important security regulations?

Security regulations often cross international and industry lines, affecting organizations representing both public and private sectors and operating in various markets. The most pressing data privacy and security regulations cover personally identifiable information, healthcare data, financial transactions and much more:

Enacted in 2002, the Sarbanes-Oxley Act (SOX) is a United States federal law aimed at increasing transparency within public companies, especially in regard to their financial reporting. Sarbanes-Oxley requires corporations to run annual audits on their internal controls and report the results of those assessments to the Securities and Exchange Commission.

Sarbanes-Oxley’s coverage extends to numerous areas, but security is one of the most important factors to address. Auditors must review security policies and standards, access and authorization controls, network security, system and network monitoring capabilities and the separation of duties and responsibilities.

Although not a federal law, PCI DSS holds a firm grip on any organization that processes or handles credit card information. The main objective of PCI DSS is to minimize instances of credit card fraud and safeguard consumer payment information.

Like Sarbanes-Oxley, PCI DSS requires annual compliance reviews, assessing security controls including firewalls, access management, cardholder data protection, encryption, network and system monitoring and security testing protocols.

HIPAA has long been a major concern for companies in the healthcare, insurance and pharmaceutical spaces, establishing national standards for the management of electronic healthcare information.

HIPAA guidelines contain a laundry list of security requirements, including access control, electronic healthcare information protection, in-transit data protection, system access monitoring and incident response and reporting policies.

The EU’s GDPR officially went into effect on May 25, 2018, significantly increasing the scope and complexity of security compliance requirements. GDPR is a series of guidelines dictating how data related to EU citizens is gathered, stored, and managed.

However, it does not apply only to European companies. Any organization that processes data belonging to European citizens must adhere to GDPR's security standards, regardless of where they are headquartered or where their servers are located. Although GDPR’s primary concern is user consent, it has detailed rules regarding data breach incident response protocols.

GDPR has also introduced fines that far exceed anything seen with other leading security standards and data privacy regulations. Under GDPR, violators may be required to pay fines of up to 20 million euros or 4 percent of a company's annual global turnover, whichever figure is higher.


What to look for in a compliance assessment

Running a thorough compliance assessment and comprehensively checking system security against regulatory demands requires a great deal of expertise. Companies often do not have such knowledgeable individuals on staff, meaning they must look to a third-party consultant or vendor to execute these tasks. In general, use of an independent auditor is considered best practice.

Any IBM i compliance auditor should have a deep understanding of the IBM i operating system. Businesses can also help themselves by reviewing their password and authentication policies, powerful user profiles, object settings, exit points, and other areas of concern.

Once completed, your compliance assessment should offer clear action items regarding what changes need to be made to comply with specific regulations.


What IBM i security solutions are required?

IBM i provides a solid foundation upon which companies can build their security frameworks, but it will require additional layers of security to wrap around the core operating system.

Additional security assessment tools, for instance, are needed to run detailed risk assessments that identify potential vulnerabilities in the system. Companies should also consider building out their access management capabilities to incorporate features like advanced control of access through networks, database protocols, command lines and more.

Multi-factor authentication, including voice and mobile authentication, strengthens password security by mitigating the risks of an unauthorized user compromising employee profiles and accessing sensitive data and systems.

Professional services, together with technology that uses compliance templates to generate compliance alerts and reports, are also recommended as a way to shorten compliance timetables and avoid hefty fines.

Data privacy solutions such as encryption, tokenization and anonymization are essential to safeguarding sensitive data and meeting the most stringent security regulations such as PCI DSS.


Don’t go it alone

With resources stretched thin and internal expertise lacking, the best course of action for companies to take is to bring in a third-party service provider or consultant to support their efforts to comply with regulatory requirements for cybersecurity.

Working with an established cybersecurity expert can help put businesses on the path to regulatory compliance, while freeing up skilled IT teams to tackle other equally important tasks. Continued auditing is also highly recommended to continue assessing security hygiene and verify that data management practices are up to date, fully adherent to the latest best practices.

The emergence of more detailed and sweeping security regulations like GDPR is a sign of the times, reflecting the ongoing shift in thought surrounding data privacy controls and security standards. It is not a culmination of escalating regulations, but the start of a new era in risk management and compliance expectations.

Syncsort experts are here to help. Learn more about our Professional Security Services
