The word ‘audit’ is rarely welcomed with open arms by the IT department, and administrators often employ all sorts of delay and escape tactics to avoid the inevitable. But what they may not realize is the full significance of passing these assessments, or how painless the process can be with the right combination of policy enforcement and activity monitoring tools in place.
When IBM i users sit down to discuss reporting strategies and auditing exercises, the first image they often conjure up is that of a stern statistician holding a clipboard and waiting for the first opportunity to find fault with data center operations. Whether or not this perception is correct, it’s important to acknowledge the logic and process behind the standards that qualified security assessors (QSAs) are referencing.
Whether companies are covered by HIPAA, SOX, PCI, FISMA or all of the above, IBM i users should remember that the objective of these frameworks is progress, not punishment. Regulatory bodies are a key component of the checks and balances that promote responsible IT administration and sensitive data protection. By keeping operations in line with federal, state and industry expectations, IBM i users will not only sidestep the potential expense of fines and unexpected upgrades, but position themselves as responsible corporate citizens as well.
Although external forces may be the most visible factor inspiring IBM i users to get their operations in order, true business leaders are driven by intrinsic motivation. That means even when an audit date isn’t lurking on the calendar, managers are applying proactive approaches toward policy enforcement and activity reporting to limit risk and promote progress. Through diligently designed plans and appropriately paired technologies, companies can gain the visibility they need to diagnose and resolve problems long before they surface on regulator radars.
The secret to success in today’s increasingly crowded and complex IBM i ecosystems is the power of automation. In an era in which continuous monitoring is the rule rather than the exception, manual assessments simply do not cut it. Luckily, there are a variety of smart solutions that can help with the heavy lifting, so long as administrators guide them in the correct direction. Advanced reporting tools that allow managers to define network and data access privileges and set customized alert thresholds give compliance and risk management professionals a bird’s eye view of all the essential information needed to assess their standing and to correct course as needed.