
Beware the Auditing and Security Free Lunch

IBM i
Posted: March 7, 2017

Many IT managers tell us they use the IBM-supplied Security Tool Kit or query primarily because they can’t justify the purchase of a more sophisticated auditing and security tool.

I’m always reminded of what my dad taught me: if it sounds too good to be true, it probably is. If you feel trapped using a free tool, it’s time to consider the importance of the data on your machine and the consequences if something goes undetected or does not comply with a regulatory initiative.

If you fail even a single audit, how will you be affected? What if the audit is pursuant to a compliance mandate like Sarbanes-Oxley, PCI, or HIPAA?

Calculate what a failed audit could cost the business:

  • Heavy fines
  • Loss of company prestige
  • Possible loss of government contracts

At a minimum, a failed audit makes the business look bad. At worst, it could cost the company in fines and lost future business, not to mention the loss of preferred vendor status with a customer. What will this cost you?

A robust auditing and security tool will pay for itself by allowing you to automate reporting without a programmer writing a CL program or query, or appointing a dedicated person to review the output.

Here are some things you should expect to find in a robust auditing package:

  • An architecture that scales to multiple servers
  • Intuitive graphical interface
  • Powerful filtering, customization, and exception reporting capabilities
  • Scheduling and e-mailing
  • Knowledgeable and accessible technical support to answer your questions

Another frustration we hear with the free tool is the lack of enhancement options. The built-in tool deploys as is, with no additional features. What if you need additional functionality? Who do you have to talk to?

Don’t underestimate the value of your software vendor’s technical support staff. Typically, the purchase of a sophisticated auditing tool includes discussing strategy and setup with a technical expert. Your vendor’s maintenance contract ensures that you have resources available whenever you need them. It’s like adding another operations expert to your staff without having to pay benefits. This service pays for itself in less experimentation and setup time.

Auditing your operations with the built-in tool or a tool developed in-house might succeed at first. However, the scope of the tool is usually narrow. Home-grown systems fail when it comes to the maintenance and enhancements that are required to continue the automation process. Efforts in these areas are expensive and typically low priority within the IT development group. Most internally developed auditing solutions stall out after achieving limited results.

Similarly, built-in tools lack the required features to fully automate your reporting. Many companies that have gone down this path turn to off-the-shelf auditing software in the long run.

As Milton Friedman, University of Chicago economist and Nobel Prize winner, famously said, “There is no such thing as a free lunch.” The question you need to answer for your company is: how much is that free lunch going to cost you?

For more information on achieving and maintaining PCI Compliance, download this PCI Compliance Information bundle that includes the:
- “PCI Compliance for Power Systems Running IBM i” white paper
- PCI Solutions Checklist
- PCI Quick Reference Guide

Learn more about how an enterprise auditing tool can help you achieve visibility and compliance.
