IBM AS400 Security Procedures

Table of Contents

A. Purpose and Scope
B. Preparatory Steps
C. General Information
D. Standards
E. Documentation
F. Physical Security
G. Backup Procedures
H. Disaster Recovery
I. Implementation & Change Control
J. Operations/Processing (Job Scheduling, Tape Library Management, Output Handling)
K. System Security - General
   System Security Values
   User Group Profiles
   Libraries
   Objects
   System Utilities
   System Commands
   System Logs
L. Physical Inventory
M. Systems Performance
N. Preventative Maintenance

Auditor(s) Assigned

Audit Date

Workpaper Audit Objectives and Procedures Ref. By ________________________________________________________________________________________________________


A. Purpose and Scope

This program is designed to enable the auditor to examine and test the effectiveness of controls and procedures at data centers using IBM System/34, 36, 38 and AS/400 computers. Included in the audit program are suggested audit steps that are designed to obtain evidence that key control procedures are operating effectively.

The audit approach includes: background information, standards, documentation, implementation/change controls, backup procedures (including those financial files required by law, such as general ledger, payroll, receivables, sales, cost of sales and any master file/tables required to complete the financial information, such as chart of accounts, cost, price masters), disaster recovery, computer operations and logical access security.

This guide should be read through in its entirety before an audit is commenced in order to gain a thorough understanding of the audit approach. The Appendix contains added information on classifying data and background information on the various machines that are covered in this audit program.




B. Preparatory Steps

1. Review existing corporate computer policies and guidelines and evaluate their impact on the planned audit scope.
2. Review the workpapers and response to the prior audit report.
3. Obtain and review the current organizational chart for the relevant data center location.
4. Review the letter of recommendations issued by the external audit firm when evaluating the audit scope.
5. Document interviews and meetings with key audited personnel.




C. General Information

1. Document the type of data processing equipment, ownership, capacity and future expansion plans.
2. Document the type of major software applications currently in production, who owns them and future development plans.
3. Review insurance coverage for hardware, software, facility, etc.
4. Determine if outside service bureaus or contract programmers are employed and list all applications processed or programmed.
5. Review procedures for obtaining these services.
6. Determine if any additional controls are provided to ensure all work performed by contract programmers is reviewed and approved.
7. Evaluate the contract with the service bureau(s) or outside programmer(s) for ownership of data, confidentiality statements, etc.
8. Review relevant job descriptions to ensure adequately defined duties, lines of responsibilities, etc.
9. Verify that procedures are in place for management review of the daily history log of computer processing activity and program changes.
10. Review EDP staffing policies relating to absenteeism, training, transfers and employee terminations.
11. Verify that an EDP steering committee has been established and review objectives, members and frequency of meetings.



C. General Information (continued)

- Review EDP budget versus actual cost reports to ascertain whether data center resources are properly monitored.
- Review procedures that are in place for the evaluation and approval of computer equipment and software packages prior to acquisition and implementation.
- Review minutes of steering committee and management policy meetings to identify EDP activities and progress on these projects.
- Review management reports for evidence of management review and coordination of EDP activities.


D. Standards

- Verify that the EDP Standards Manual contains an adequate explanation of the policies for EDP procedures.
- Document who is responsible for creating and updating policies and procedures for the EDP Standards Manual.
- Verify that the EDP Standards Manual contains:
  - Detailed procedures regarding the documentation for application systems.
  - Conventions to be used in the development of programs.
  - Operational standards for the EDP department and surrounding areas.
  - Security requirements for both the applications and the computer itself.
  - Standard forms, illustrations and their use.
  - preparation of

E. Documentation

- Verify that all major applications processed on the computer system have appropriate levels of corresponding documentation.
- Document who is responsible for creating, maintaining and distributing application documentation.
- Verify that there is a formal, signed approval of each element of documentation at an appropriate management level.
- Review selected application documentation against corresponding software programs to ensure that documentation is accurate, complete and current.
- Verify that the documentation is maintained in secure on-site and off-site storage facilities.
- For each application, verify that corresponding System Documentation contains an overview that includes:
  - The general nature and purpose of the system.
  - The functional requirements of the system.
  - The logical flow of the system or flow charts.
  - Descriptions of each program and system interfaces.
- For each application, verify that corresponding Program Documentation contains:
  - Description of program logic and flow.
  - Record layouts and file descriptions.
  - Input and output description.

E. Documentation (continued)

- Verify that current computer Operating Instructions contain:
  - Set-up instructions.
  - Operating system requirements.
  - Restart and recovery procedures.
  - Emergency procedures.
  - Listing of program messages, responses, etc.
- For each application, verify that corresponding User Manuals are developed, which describe the operations performed and contain:
  - Application description.
  - Source documents required.
  - Description of screens, edits, etc.
  - Procedural requirements.
  - Sample reports and input screens.

F. Physical Security

- Document computer room layout and location of all major hardware components.
- Verify that the computer room is accessible to only authorized personnel.
- Document the procedures in place for notifying security when an employee is no longer allowed access to the building.
- Verify that the computer room is equipped with appropriate classes and sufficient number of clearly visible fire extinguishers.
- Verify that the building is protected by an automatic fire extinguishing system.
- Determine whether there are sufficient fire and smoke alarms appropriate to the environment.
- Document the provisions made to detect and report fires on a timely basis.
- Ensure that smoking is prohibited in the computer room.
- Review procedures for maintenance of appropriate temperature levels.
- periodic maintenance/inspection of equipment.
- Review provisions for preventing water damage to the equipment.
- appropriate to the environment.
- Ensure that all exits and evacuation routes are clearly marked.
- Ensure that all emergency procedures have been posted or distributed to all personnel.
- Review established emergency procedures for the data center, which should include at a minimum:
  - Evacuation of personnel.
  - Turning off data processing equipment.
  - Turning off electrical power to the computer room.

G. Backup Procedures

- Obtain a copy of the formal backup schedule for creating copies of production program and data files.
- Verify that the frequency of backups is appropriate for the environment.
- Describe how the company determines which files are to be saved and how often.
- Also, describe the number of generations of files kept.
- Describe backup procedure for the following:
  - Production programs and procedures for both source and object code.
  - Operating system or other software.
  - Systems documentation.
- Describe the secured area designated for on-site storage of backup media.
- Document who has authorized access to on-site backup area. List their names and functions.
- Describe the off-site storage facility and the contents.
- Ensure that access to the off-site storage facility is restricted to only authorized personnel.
- Review the arrangement for a computer backup site, for appropriate telecommunications facilities, operating systems, etc.

Testing (Backup Procedures)

- Select a critical application to be tested based on the scope of the review.
- Identify critical files used with this application on the Volume Table Of Contents (VTOC) listing.
- Obtain a current backup schedule for the programs and data files selected.
- Trace files on the VTOC to the backup schedule.
- Locate backup files in on-site storage.
- Verify that dates on backup media agree with backup schedule.
- Describe the contents of off-site storage facility.
- Locate backup files on off-site storage.
- Verify that dates on backup media agree with backup schedule.

H. Disaster Recovery

- Obtain a formal copy of the company's current disaster recovery plan.
- Review the disaster recovery plan for completeness. Some items to be considered in the review are:
  - Defining critical systems to be processed.
  - Possible alternate processing sites.
  - Agreement exists for the use of the alternate sites.
  - Alternate sites tested at least annually.
  - Availability of peripheral equipment.
  - Ability to process without key personnel.
  - Ability to adapt plan to lesser disasters.
- Ensure that all critical systems have been identified.
- Review interim manual procedures, prepared for users to continue processing critical transactions, for completeness.
- Review the documented results from the test of the disaster recovery plan.
- Describe the method and extent of user involvement in the creation and maintenance of the plan.
- Obtain the company's list of employees and vendors to be contacted in the event of an emergency.

I. Implementation/Change Controls

- Verify that a formal method of project control has been established which covers all phases for the development of new/modified systems.
- Document the method and reports used to control and prioritize projects.
- Document the approval process to ensure that a steering committee or top management is involved.
- Review the justification proposal created for all new systems, or major enhancements to existing systems, which may include:
  - Scope and purpose of the system.
  - User requirements.
  - Cost analysis.
  - Time estimates.
- Ensure that a detailed plan has been prepared and documented which should include:
  - The assignment of programmers.
  - Target dates for completion.
  - Required approval points.
  - Adherence to programming standards.
  - Completion of a programming checklist.
- Ensure the programming phase is properly supervised by EDP management.

I. Implementation/Change Controls (continued)

- Verify that programs are recompiled after modifications.
- prior to being placed into production.
- Verify that all program changes are supported by appropriate authorization.
- Verify that programmers perform all development work only in test libraries and using test data.
- Document testing procedures established for all new/modified systems.
- Ensure that users participate in the creation of test.
- Verify that test results are reviewed by both EDP and User management to provide compliance with specifications.
- Document the process used to transfer completed programs from test to production libraries.
- Ensure that a designated official regularly reviews changes not yet implemented.
- Review the plan for converting new/modified systems from development to production. Does it include at a minimum:
  - The training of users.
  - Completion of documentation.
  - Defining user access requirements.

I. Implementation/Change Controls (continued)

- Describe how user access requirements are defined, how passwords are assigned and who are authorized to perform these activities.
- Examine evidence for documentation being created or updated, including:
  - System Documentation.
  - Operator instructions.
  - Data entry instructions.
  - User manuals.
- Review evidence that old versions of programs are saved before making final changes.
- Verify that procedures are in place for saving current versions of programs to diskette/tape prior to substituting the new programs to allow for restoration of the older version in case of program problems.
- Review evidence of final approval before project is transferred to production library.
- Review procedures in effect to ensure that changes are correctly made and approved, when immediate modifications have to be made to production programs, bypassing normal procedures.

Testing (Implementation/Change Controls)

Select a representative number of completed program changes or new programs and trace from the initial request to the completion phase, performing or reviewing the following steps:

- Ensure that user management has evidenced their approval on the initial project request form.
- Review log or method used to control all requests to ensure they are being followed up.
- Describe the method of prioritizing requests submitted to steering committee or management for major projects.
- Determine if cost for purchase versus in-house development was considered.
- Review procedures for approval and progress reporting.
- Examine project progress reports for evidence that systems development is controlled in accordance with established procedures.
- Document method of assigning programmers to the project.
- Review evidence of programmer having completed all necessary steps:
  - Program specifications.
  - File specifications.
  - Files created.
  - Test results filed.
- Detail method used to create test data.
- Ensure that EDP and user management evidence their review and approval of test results.

J. Operations/Processing

- Describe the times the computer is operational and the various shifts that are maintained.
- Obtain a copy of the EDP department work schedules for computer processing to ensure:
  - There is adequate staffing for each area of work.
  - All tasks are accomplished in a timely manner to meet user requirements.
- Ensure schedules are periodically reviewed to determine if they are current.
- Review the computer activity log, which is maintained for all work performed and any errors that occur, and compare it to the workload schedules to determine if schedules are satisfactorily met.
- Describe how frequently the computer activity utilization reports are reviewed.
- Review the operator’s manual, which should include job control procedures, operating instructions and computer facility maintenance requirements.
- Document the procedures in place for the periodic review and update of the operator’s manual.
- Determine if a concentration of duties exists and if compensating controls are in place.
- Ensure adequate cross training of EDP personnel has occurred for continued functioning of the computer if the operator is absent.

J. Operations/Processing (continued)

- Review procedures in place which would allow management to detect if operators process unauthorized jobs.
- Describe the transmittal form used to control the movement of each batch of source documents or input forms between the users and data entry.
- Ensure that batches are identified by a serial number or sequence number to provide subsequent accountability and for reference purposes.
- Obtain a copy of the log maintained in the data entry area to record the flow of batches. Is a similar log maintained in user departments?
- Review procedures for requirement of data entry personnel to contact users if there are any errors in batches prior to input.
- Review completed batches for specially marked indicators to prevent duplication or omissions.
- Describe the method of storing the source documents while they are in the custody of the EDP department.
- Review procedures to control access to and usage of production files stored on diskette or tape.
- Review procedures for the proper handling of diskettes or tapes, which include:
  - External labeling requirements.
  - Internal labeling requirements.
  - Provisions to ensure only the correct diskettes or tapes are used.

J. Operations/Processing (continued)

- Review the tape inventory list.
  - Are scratch tapes all accounted for (in scratch bin and missing from tape rack)?
  - Are other empty slots accounted for?
- If the tape inventory is separated by machine:
  - Are the tapes physically segregated?
  - Are the tapes identified in some way so as to distinguish one set of tapes from the other (color coordinated, etc.)?
  - Is the serial number sequence unique?
- Document flow of output, until it arrives in the user departments, to ensure proper safeguards are placed on the output.
- Review procedures for output, which should include:
  - Review of all output for completeness.
  - Batch totals match output totals.
  - All errors are recognized and reported.
  - Confidential outputs handled properly.
- Obtain a copy of the current output distribution list.
- Review output distribution list for accuracy, completeness, etc.
- What about output queues? Are they separated for confidential reports (accts payable, an example)?

K. SYSTEM ACCESS CONTROLS

Objective: To ensure that system security options are appropriately set to provide an adequate level of logical security.

K.1 System Access Security - General

Procedures:

- Ensure that EDP duties are separated from user department duties.
- Ensure that the responsibility of controlling diskettes/tapes is separated from that of programming or processing transactions.
- Ensure that the responsibility of monitoring computer activity is separate from that of programming and operating.
- Review cross training procedures to ensure there is no segregation of duties problem.
- Document who has access to the system console.
- Determine the required length of passwords. [Recommend 6 to 8]
- Review the procedure in establishing the initial user-id. [How is the userid established, how is the user informed, is the password set at expired.]
- Ensure that all security files are backed-up to diskette/tape every time they are changed.
- Determine if procedures have been developed for reporting and following-up on security violations.
- Document applications that cannot be secured using built-in system security and ensure that the following controls are programmed into the application: edits on data fields, secondary passwords, audit trails, exception reports, etc.

K.2 System Security Values

System values are defined by the client according to their specific and unique security requirements. Security could be compromised if options are changed or inappropriate. All possible options of each system value are listed and explained in this audit program as a guide. IBM default values are underscored.

- Determine who is/are assigned the QSECOFR profile. The person holding the QSECOFR profile is typically the master security officer or someone of high management level.
- Review other duties performed by the Master Security Officer (MSO) to ensure they do not conflict with the responsibilities required by the MSO position (e.g. if the MSO is a programmer).

All system inquiries in this section must be made with the QSECOFR profile as any others won't have enough privilege.

Obtain the system values report which lists all system values together with a brief description of each value by entering the following command:

    WRKSYSVAL

The system values can also be displayed one by one on the terminal by using this command:

    DSPSYSVAL SYSVAL(system value)

To print one by one use the command:

    WRKSYSVAL *SEC OUTPUT(*PRINT)

Determine the system security level: QSECURITY

  10: No user authentication, no resource protection.
  20: User authentication through password security only, no resource protection.
  30: User authentication and default resource protection.
  40: Similar to level 30 but controls privileged instructions and the machine interface. It prevents direct access to objects, data of other jobs and internal system programs.
  E&Y recommended value: 30. Level 40 should be considered for clients with high inherent risk.

Determine the maximum number of sign-on attempts allowed: QMAXSIGN

  *NOMAX: the system allows an unlimited number of sign-on attempts.
  15: a user can try to sign on a maximum of 15 times.
  After the specified maximum number of invalid sign-on attempts is reached, the terminal is varied (forced) off and a message is logged.
  E&Y recommended value: maximum of 3.

Determine action taken by system when QMAXSIGN is exceeded: QMAXSGNACN

  1: disable terminal.
  2: disable user profile.
  3: disable terminal and user profile.
  E&Y recommended value: 3.

Determine the user-selected options related to password security:

- QPWDEXPITV - password expiration interval
  *NOMAX: unlimited number of days.
  1-366: valid range of days.
  E&Y recommended value: 30-90 days.

- QPWDMINLEN - minimum password length
  1: minimum of 1 character.
  1-10: valid range of number of characters.
  E&Y recommended value: 6 or more.

- QPWDRQDDIF - duplicate password control
  0: can be identical as the previous 32 passwords.
  1: must be different from the previous 32 passwords.
  E&Y recommended value: 1.

- QPWDMAXLEN - maximum password length
  10: Maximum of 10 characters.
  1-10: Valid range of number of characters.
  E&Y recommended value: 7-8 if connecting to systems other than AS/400 or S/38.

- QPWDVLDPGM - password validation program
  *NONE: no password validation program is used.
  Review specified program (password exit routine) used, if any, and ensure that it does not allow user to bypass password security and does not contain hard-coded passwords.

Determine if users with all object (*ALLOBJ) or service (*SERVICE) special authorities may sign on to only work stations they have specific authority to access.

QLMTSECOFR - limit security officer device access

  0: allows all users with *ALLOBJ authority to sign on to any display station, and users with *SERVICE can sign on to any display station with public authority of *CHANGE.
  1: not allow users with *ALLOBJ or *SERVICE authorities to sign on any work stations unless they have specific authority to access.
  E&Y recommended value: 1.

Determine the appropriateness of time-out system value:

QINACTITV - inactive job time-out

  *NONE: no time out.
  5-300: valid range for maximum minutes before time-out.
  E&Y recommended value: 15.

Terminals left unattended for an extended period of time may be used by unauthorized persons to perform functions that are available under that session, possibly affecting production data and processing. In addition, unauthorized users of unattended terminals may remain unidentifiable.

Authorized users can re-key their user-ids and passwords to continue from the screen left off in the previous session. This is possible when we set the disconnect job (*DSCJOB) value to disconnect any interactive, secondary or group jobs. Alternatively, *ENDJOB can be used. However, this will end any job, secondary or group.

Determine if concurrent device sessions are limited:

QLMTDEVSSN - limit device sessions

  0: does not limit the use of a user-id to one work station at a time.
  1: limits the use of a user-id to one work station at a time.
  E&Y recommended value: 1.

Determine if sign-on information is displayed on screen.

QDSPSGNINF - sign-on display information control

  0: no sign-on information is displayed upon sign-on.
  1: users are shown:
     - date and time of last sign-on.
     - invalid sign-on attempts since last sign-on.
     - when applicable, a warning that the password is due to expire in seven days or less.
  This information can alert users to unauthorized attempts to use their profiles to access the system.
  E&Y recommended value: 1.

The sign-on screen should show a restricted access message such as "For Authorized Users Only. Unauthorized Use Is Prohibited." It should also not show the company, system, and application names.

Changing the Automatic Configuration of Virtual Devices Value

The QAUTOVRT value controls the creation of virtual device descriptions on a remote system when users pass-through to that system. The system value QAUTOVRT specifies if pass-through virtual devices (as opposed to the workstation function virtual device) are automatically configured.

The value of QAUTOVRT should be set as low as possible. In most cases the value of 0 (zero) or 1 (one) is recommended. However, in some locations where the pass-through activity is higher, it should be set as low as possible to minimize logon opportunities of unauthorized users. This value can only be changed by the security officer or someone with all object (*ALLOBJ) and security administrator (*SECADM) special authority.

Changing the Remote Sign-on Value

The QRMTSIGN value controls if users can bypass the sign-on display on the remote system when using the display station pass-through function or the workstation function of PC support. The possible values are:

- FRCSIGNON: All pass-through sessions that begin on the system must go through the normal sign-on procedure.
- SAMEPRF: Pass-through sessions without going through the sign-on procedure are allowed only for users whose user profile name on the remote system is the same as the user profile name on the local system.
- VERIFY: Pass-through sessions without going through the sign-on procedure are allowed for all pass-through requests and no checking of passwords is done if the QSECURITY value is 10. Must sign-on if QSECURITY value is 30.
- REJECT: Pass-through sessions are not allowed to start on the remote system.

Create Authority Parameter in System Value

Review the QCRTAUT parameter on the system values report, and ensure that it has been changed from the default value of *CHANGE, to a setting of *USE or less.

Determine that the production database and production source code files are maintained in a library with appropriately restricted access. Or, use the Display Object Authority command and determine whether the Public Authority Access (PUBAUT) access parameter for each significant individual production database and production source code file is *EXCLUDE and individual access allowed are appropriate.
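One way to tabulate the K.2 review, as an added Python example that is not part of the original audit program: it compares captured system values with the E&Y recommended values listed above. The two-column input layout, the sample values and the function names are assumptions; QPWDMAXLEN, QPWDVLDPGM and QRMTSIGN are left to manual review because the program states no single recommended value for them.

```python
"""Compare captured system values with the values recommended in section K.2."""

# Constructed sample input: one "NAME VALUE" pair per line, keyed in from the
# WRKSYSVAL *SEC OUTPUT(*PRINT) report. This two-column layout is an assumption
# made for the example; it is not the real spooled-file format.
SAMPLE_VALUES = """\
QSECURITY   20
QMAXSIGN    *NOMAX
QMAXSGNACN  3
QPWDEXPITV  *NOMAX
QPWDMINLEN  6
QPWDRQDDIF  0
QLMTSECOFR  1
QINACTITV   *NONE
QLMTDEVSSN  1
QDSPSGNINF  1
QAUTOVRT    0
QCRTAUT     *CHANGE
"""

# Recommended values as stated in the audit program.
# Assumption: for QINACTITV a time-out shorter than 15 minutes is also accepted.
RULES = {
    "QSECURITY":  ("min", 30),             # 30, or 40 for high inherent risk
    "QMAXSIGN":   ("max", 3),              # maximum of 3 attempts
    "QMAXSGNACN": ("one_of", {"3"}),       # disable terminal and user profile
    "QPWDEXPITV": ("range", 30, 90),       # 30-90 days
    "QPWDMINLEN": ("min", 6),              # 6 or more characters
    "QPWDRQDDIF": ("one_of", {"1"}),       # differ from previous 32 passwords
    "QLMTSECOFR": ("one_of", {"1"}),
    "QINACTITV":  ("max", 15),             # minutes
    "QLMTDEVSSN": ("one_of", {"1"}),
    "QDSPSGNINF": ("one_of", {"1"}),
    "QAUTOVRT":   ("max", 1),              # 0 or 1 in most cases
    "QCRTAUT":    ("one_of", {"*USE", "*EXCLUDE"}),  # *USE or less
}


def parse_values(text):
    """Return {system value name: value} from 'NAME VALUE' lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"expected 'NAME VALUE', got: {raw!r}")
        values[parts[0].upper()] = parts[1].upper()
    return values


def complies(rule, value):
    """True when the captured value satisfies the recommendation."""
    kind = rule[0]
    if kind == "one_of":
        return value in rule[1]
    # Numeric rules: special values such as *NOMAX or *NONE never comply.
    if not value.isdigit():
        return False
    number = int(value)
    if kind == "min":
        return number >= rule[1]
    if kind == "max":
        return number <= rule[1]
    if kind == "range":
        return rule[1] <= number <= rule[2]
    raise ValueError(f"unknown rule kind: {kind}")


def describe(rule):
    """Human-readable form of a rule for the workpaper."""
    kind = rule[0]
    if kind == "one_of":
        return " or ".join(sorted(rule[1]))
    if kind == "min":
        return f"{rule[1]} or more"
    if kind == "max":
        return f"{rule[1]} or less"
    return f"{rule[1]}-{rule[2]}"


def audit(values):
    """Return (name, captured value or None, recommended) for each deviation."""
    findings = []
    for name, rule in RULES.items():
        if name not in values:
            findings.append((name, None, describe(rule)))  # not captured
        elif not complies(rule, values[name]):
            findings.append((name, values[name], describe(rule)))
    return findings


if __name__ == "__main__":
    for name, found, wanted in audit(parse_values(SAMPLE_VALUES)):
        print(f"{name:<11} found={found or 'not captured':<13} recommended={wanted}")
```
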

K.3 User/Group Profiles

Objective: To ensure that user or group profiles are authorized and defined appropriately to maintain adequate segregation of duties.

Procedures:

K.3.1 Obtain all user and group profiles by entering the command:

    DSPAUTUSR SEQ(*GRPPRF)

K.3.2 Inspect each significant group profile to ensure that it is authorized by appropriate management personnel and covers a common group of users with a common function.

K.3.3 Inspect selected user profiles to ensure that they are authorized by appropriate management personnel and that their settings are compatible with their work functions. Ensure that only one group profile is assigned to a user.

K.3.4 A number of IBM user profiles are pre-defined when the system is shipped. The passwords to these user profiles are identical to the user profile names, except for DST's which is "QSECOFR". Determine that the client has changed the passwords for these user profiles:

    User Profile   Description
    QSECOFR        security officer
    QSRV           full service functions
    QSRVBAS        basic service functions
    QSYSOPR        system operator
    QPGMR          programmer
    QUSER          work station user
    DST            Dedicated Service Tools

Vendor-supplied passwords for any commercial software products should also be changed.

Note: QSRVBAS and QSRV passwords should be changed after every maintenance trip by authorized IBM personnel.

K.3.4.1 Signing on with IBM-supplied user profiles that are designed to be object owners is not permitted. Use a DSPAUTUSR list to verify that the following IBM-supplied user profiles have a password of *NONE:

    QDBSHR    QTSTROS   QDSNX       QLPAUTO   QSPL
    QDFTOWN   QFNC      QLPINSTALL  QSPLJOB   QDOC
    QGATE     QSNADS    QSYS

K.3.5 Obtain a listing of user and group profiles using the following command:

    DSPUSRPRF USRPRF(profile name) TYPE(*BASIC)

To get to magnetic file: Enter [DSPUSRPRF]: press (PF4): Select output file and name the file: have the file transferred to a PC or XCOMM to mainframe where Office Services will copy the file/s to audits cc 0820 G drive.

For each profile review the following settings:

K.3.5.1 GROUP (Group Profile)    UPGRPF
Determine if members of each group are related to a common user function.

K.3.5.2 PWDEXPITV (Password Expiration Interval)
*SYSVAL: system default specified in QPWDEXPITV.
If a number is specified it means that a specific interval has been set for this user.

K.3.5.3 CURLIB (Current Library)    UPCRLB
Determine that the specified library is suitable to the user function. Ensure that this library is adequately secured.

K.3.5.4 LMTCPB (Limited Capability)    UPLTCP
Specifies whether the user can change the initial program, initial menu, current library and attention-key-handling program values.

*NO: user may change all the values in his own user profile with the CHGPRF command.
*PARTIAL: the initial program and current library values cannot be changed. The initial menu value can be changed (using CHGPRF) and commands can be run from the command line of a menu.
*YES: the initial program, initial menu, current library and attention-key-handling program values cannot be changed. Some commands can be run on the command line of a menu.

E&Y recommended value: *YES for production users.

K.3.5.5 SPCAUT (Special Authority)    UPSPAU
Determine if the special authority assigned to each user class is suitable.

Special authority assigned:

    *ALLOBJ   - allows unlimited access to almost every object
    *SECADM   - allows administration of user profiles
    *SAVSYS   - for saving and restoring the system and data
    *JOBCTL   - allows manipulation of work queues and subsystems
    *SERVICE  - allows many uncontrolled functions
    *SPLCTL   - allows control of spool functions
    *USRCLS   - user given special authorities that are appropriate for his class
    *NONE

Generally, users and programmers should not have any special authorities. QSECOFR, SECADM, and SYSOPR by default, have *SAVSYS and *JOBCTL special authorities. IBM engineers may have *SERVICE.

E&Y recommendation: *PUBLIC must be set to *EXCLUDE.

K.3.5.6 INLPGM (Initial Program)    UPINPG
*NONE: No initial program is used. User is given access to the command level.

The initial program may not provide a way to exit from the program except to sign-off.

K.3.5.7 INLMENU (Initial Menu)    UPINMN
*SIGNOFF: the user will be signed off the system once the initial program ends.

If a menu name is specified in the initial menu parameter then that menu is displayed. The initial menu appears after the initial program terminates.

Menu security limits a user's capabilities and restricts the user to a predefined secured environment. The advantages of menu security are that it is easy to implement and therefore incurs low security management cost, and provides an easy-to-use interface. The application design is critical to menu security.

Caveat: Initial menus are mostly user-defined and therefore may contain loopholes.

Ensure that users are assigned menus and menu options that are suitable for their job functions. Ensure that there is no option in the menus/submenus to exit and access the command level.

E&Y recommendation: Use the limited capability approach where appropriate with library and object security.

K.3.5.8 LMTDEVSSN (Limit Device Sessions)    UPLDVS
*SYSVAL: the system value selected determines if the user is limited to one device session.
*NO: does not limit the use of a user-id to one device session.
*YES: limits the use of a user-id to one device session.

E&Y recommended value: *YES or *SYSVAL and QLMTDEVSSN - Set to Option One (limit number of device sessions to one).

K.3.5.9 STATUS (Status of user profile)    UPSTAT
Specifies whether the user profile is usable or not.

*ENABLED: profile is usable.
*DISABLED: profile is not usable.

E&Y recommendation: Inactive or dormant user profiles should be set to *DISABLE to prevent unauthorized usage. Note that system profiles such as QSYS, QSECOFR, etc. must be set to *ENABLE.

K.3.5.10 Obtain a list of user profiles and review for the following:

1. Identify the users permitted access to individual and each group profile.
2. Determine if all users are permitted access based on written authorization by Departmental Management.
3. Confirm that all users are currently employed.

K.3.5.11 Determine whether unauthorized users can process critical functions from their menu(s).
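The profile settings reviewed above (SPCAUT, LMTCPB, INLPGM, LMTDEVSSN, STATUS) can be checked in bulk once the DSPUSRPRF output file is on a PC. The script below is an added example, not part of the original audit program. It assumes the file was exported to CSV: UPLTCP, UPSPAU, UPINPG, UPLDVS and UPSTAT are the field names cited in this program, while the PROFILE, USRCLS and DAYS_IDLE columns, the 90-day dormancy threshold and all sample rows are assumptions made for the example.

```python
import csv
import io

# Constructed sample: DSPUSRPRF output file exported to CSV. PROFILE, USRCLS
# and DAYS_IDLE (days since previous sign-on) are assumed columns.
SAMPLE_CSV = """\
PROFILE,USRCLS,UPLTCP,UPSPAU,UPINPG,UPINMN,UPLDVS,UPSTAT,DAYS_IDLE
QSECOFR,*SECOFR,*NO,*ALLOBJ *SECADM *SAVSYS *JOBCTL *SERVICE *SPLCTL,*NONE,MAIN,*SYSVAL,*ENABLED,400
APCLERK1,*USER,*YES,*NONE,APMENUPGM,*SIGNOFF,*YES,*ENABLED,3
APCLERK2,*USER,*NO,*JOBCTL,*NONE,MAIN,*NO,*ENABLED,12
DEVJONES,*PGMR,*NO,*ALLOBJ,*NONE,MAIN,*SYSVAL,*ENABLED,1
TEMP0042,*USER,*YES,*NONE,APMENUPGM,*SIGNOFF,*SYSVAL,*ENABLED,210
OLDCLERK,*USER,*YES,*NONE,APMENUPGM,*SIGNOFF,*YES,*DISABLED,500
"""

SYSTEM_PROFILES = {"QSYS", "QSECOFR"}  # named in the program as profiles that stay enabled
DORMANT_DAYS = 90                      # assumed threshold; the program does not set one


def review_profile(row, qlmtdevssn="1"):
    """Return the findings for one profile row against the recommended values."""
    findings = []
    name, cls = row["PROFILE"], row["USRCLS"]
    production_user = cls == "*USER"

    # Users and programmers should not hold special authorities.
    held = [a for a in row["UPSPAU"].split() if a not in ("*NONE", "*USRCLS")]
    if cls in ("*USER", "*PGMR") and held:
        findings.append("SPCAUT: " + " ".join(held) + " held by " + cls)

    # Recommended LMTCPB value is *YES for production users.
    if production_user and row["UPLTCP"] != "*YES":
        findings.append("LMTCPB: " + row["UPLTCP"] + ", recommended *YES")

    # INLPGM(*NONE) gives the user access to the command level.
    if production_user and row["UPINPG"] == "*NONE":
        findings.append("INLPGM: *NONE gives access to the command level")

    # *SYSVAL only limits sessions when QLMTDEVSSN itself is set to 1.
    limited = row["UPLDVS"] == "*YES" or (
        row["UPLDVS"] == "*SYSVAL" and qlmtdevssn == "1")
    if not limited:
        findings.append("LMTDEVSSN: not limited to one device session")

    # Dormant profiles should be disabled, system profiles must stay enabled.
    if name in SYSTEM_PROFILES:
        if row["UPSTAT"] != "*ENABLED":
            findings.append("STATUS: system profile is not enabled")
    elif row["UPSTAT"] == "*ENABLED" and int(row["DAYS_IDLE"]) > DORMANT_DAYS:
        findings.append("STATUS: idle %s days but still enabled" % row["DAYS_IDLE"])
    return findings


def review(csv_text, qlmtdevssn="1"):
    """Map each profile that has findings to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = review_profile(row, qlmtdevssn)
        if findings:
            report[row["PROFILE"]] = findings
    return report


if __name__ == "__main__":
    for profile, findings in review(SAMPLE_CSV).items():
        for finding in findings:
            print(profile, "-", finding)
```

Pass the system's actual QLMTDEVSSN value as the second argument; with "0", every profile left at *SYSVAL is reported as unlimited.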

K.3.6 List all programs which adopt the privileged QSECOFR authority:

    DSPPGMADP USRPRF(QSECOFR) OUTPUT(*PRINT)    [OUTPUT(*PRINT) optional, to print]

Plan for running the above command overnight as it slows down the system.

Adopted authority provides a means to handle situations where programs or commands called by a user may require a higher level of authority than is normally available to that user. It allows a user to adopt the authority of the owner of a program whenever it executes, in addition to the authority of the user. This provides a method to give a user more access to objects, but the user is limited to the program function during execution.

K.3.6.1 Determine if the security officer is aware of such programs and if he/she evaluates any new ones that use the adopted authority.

E&Y recommendation: The security officer should monitor programs that adopt the privileged QSECOFR authority.

K.3.7 Ensure that a security and password policy or guideline has been developed which includes:

1. password selection criteria,
2. periodic changing of passwords,
3. the secure assignment and distribution of passwords,
4. change or immediate removal of terminated employee's passwords (Obtain report on Previous Signon Date),
5. training users in the necessity of password secrecy and sign-off of workstations when not in use,
6. actions to be taken for attempted security violations.

K.3.7 (Cont'd) Obtain a list of authorized users using the following command.

    DSPAUTUSR

This list contains user profile, password last change date and user profile description. By reviewing the password last change dates, determine if passwords are changed within a reasonable interval of time [i.e., within a reasonable QPWDEXPITV value (see Procedure K.2.4)].

K.4 Libraries

Objective: To ensure that appropriate access authority is defined at the library level in order to protect production data files and programs from unauthorized access.

Library security establishes security at the library level and it assumes that a nonspecific protection is adequate. Libraries should be structured in a way that all objects within a library have identical security requirements. To have specific protection over individual objects within a library, object level security is needed. See section 2.

E&Y recommendation: Library level security is strongly recommended as it provides a relatively easy and effective method of securing objects within libraries.

Procedures:

K.4.1 Obtain a list of all libraries in the system:

    DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) OUTPUT(*PRINT)

Determine that the production objects are segregated in separate libraries from the development objects.

K.4.2 Select a sample of significant production libraries. List the contents (objects) of the selected libraries:

    DSPLIB (Library Name)

Ensure that only production objects are in production libraries.

K.4.3 List the object authorities for the above significant production libraries:

    DSPOBJAUT OBJ(QSYS/library name) OBJTYPE(*LIB)

Determine that only authorized users or groups have access. Development users should have no access to production libraries. Also determine if the owner of the library is appropriate.

K.4.4 Review administration and authorization procedures for granting access to significant libraries.

K.5 Objects

Objectives: To ensure that appropriate access authority is defined at the object level in order to protect specific production data files and programs from unauthorized access.

Object security establishes security at the specific object level. It is used when different objects require different protection requirements. It can also be used as an exception to the general authorization rules. The client may choose to protect specific sensitive objects at the object level if their inherent risk is high or if library level protection is not used.

E&Y recommendation: Since assignment of object authorities to specific objects is tedious, specific object authority should only be defined to handle exceptions, otherwise, the default public authority should be used.

Procedures:

K.5.1 Select a sample of sensitive production objects (data files or source programs) and print their specific object authorities:

    DSPOBJAUT OBJ(library/file) OBJTYPE(*FILE)      (for files), and
    DSPOBJAUT OBJ(library/program) OBJTYPE(*PGM)    (for programs).

K.5.2 Ensure that only authorized users or groups may access or use the sensitive objects.

K.5.3 Review administration and authorization procedures for granting access to significant objects.

K.6 System Utilities

Objective: To ensure that powerful system utilities are adequately restricted from unauthorized access and use.

The following are powerful system utilities:

    SST     System Service Tools
    DST     Dedicated Service Tools
    DFU     Data File Utility
    SEU     Source Entry Utility
    SDA     Screen Design Aid
    PDM     Programming Development Manager
    QUERY   Query Language

Only authorized programmers should have access to these utilities.

Procedures:

K.6.1 Determine who has access to the above utilities:

    DSPOBJAUT OBJ(QSYS/STRDFU) OBJTYPE(*CMD)
    DSPOBJAUT OBJ(QSYS/STRSEU) OBJTYPE(*CMD)
    DSPOBJAUT OBJ(QSYS/STRSDA) OBJTYPE(*CMD)
    DSPOBJAUT OBJ(QSYS/STRPDM) OBJTYPE(*CMD)
    DSPOBJAUT OBJ(QSYS/STRQRY) OBJTYPE(*CMD)

E&Y recommendation: *PUBLIC access should be set to *EXCLUDE, not *USE.

K.7 System Commands

Objective: To ensure that powerful system commands are adequately restricted from unauthorized use.

The following are powerful system commands:

    *    CRTUSRPRF    Create User Profile
    *    CHGUSRPRF    Change User Profile
    *    DLTUSRPRF    Delete User Profile
    *    RSTUSRPRF    Restore User Profile
    ∋Μ   CHGDSTPWD    Change Dedicated Service Tool Password
         RSTAUT       Restore Authority
    #    STRSST       System Service Tools
    ~    CRTAUTHLR    Create Authority Holder
    Μ    DLTAUTHLR    Delete Authority Holder
    Μ    SAVSYS       Save the System
    ~    CHGSYSLIBL   Change System Library
         CHGSYSVAL    Change System Value

    *    Restricted to the security administrator (QSECADM) and security officer (QSECOFR) only.
    ~    Restricted to the security officer (QSECOFR) only.
    #    Restricted to the service engineer (QSRV) only.
    Μ    *PUBLIC should be set to *EXCLUDE.
    ∋    You need the DST security password to change the DST passwords.

Restricted to *SAVSYS capability holder.
PUBLIC access is irrelevant. A user cannot use these commands even if he/she has *ALLOBJ special authority.

See the sensitive command object authority matrix.

Procedure:

K.7.1 Review the object authority to the above significant security related commands:

    DSPOBJAUT OBJ(QSYS/cmd) OBJTYPE(*CMD)

Ensure that only authorized personnel may use these commands.

E&Y recommendation: Public authority of these commands should be set at *EXCLUDE.

Command source object contains the source code for all the CL commands and is used to recompile any one or all commands. It is not necessary for a user to have access to this object in order to access the CL commands. Only the security officer and users with the *ALLOBJ special authority may access this object.

K.8 System Logs

Objective: To ensure that system access and operational activities are monitored regularly by appropriate personnel.

Procedures:

K.8.1 Obtain the printed system log, if any, and scrutinize it for evidence of review (e.g., initials, sign-offs) by appropriate personnel, typically the Systems Administrator or the Security Officer.

Note: Typically, the full system log is not printed because it is too voluminous. They normally review the log on-screen.

The following is a general format of the command to display messages recorded in the history log:

    DSPLOG LOG(QHST) PERIOD((start-time start-date) (end-time end-date)) MSGID(message-identifier) OUTPUT(*PRINT) {or OUTPUT(*)}

Most security messages are in the range CPF2201 to CPF2299. The message number CPF2200 should be entered if all messages in the range are required. For example, CPF2234 means incorrect password, CPF2240 means inadequate authority to object.

K.8.2 Print the "Display Object Authority" list of the QHST object by the following command:

    DSPOBJAUT OBJ(QHST) OBJTYPE(*MSGQ) OUTPUT(*LIST)

Determine that only the Security Officer has access to the QHST object and that PUBLIC be set to *EXCLUDE.
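Because the full history log is too voluminous to read line by line, the review of the CPF2201 to CPF2299 range can be reduced to a few questions: which profiles show repeated incorrect passwords (CPF2234) in a short period, which IBM-supplied profiles were tried at all, and who was refused access to an object (CPF2240). The script below is an added example, not part of the original audit program. The one-line-per-message layout, the message wording, the sample entries and the thresholds of 3 failures in 5 minutes are assumptions; a real DSPLOG listing is laid out differently and needs its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified layout: date, time, message ID, text.
SAMPLE_LOG = """\
1997-03-14 08:01:10 CPF2234 Password from device DSP03 not correct for user APCLERK2
1997-03-14 08:01:25 CPF2234 Password from device DSP03 not correct for user APCLERK2
1997-03-14 08:01:41 CPF2234 Password from device DSP03 not correct for user APCLERK2
1997-03-14 08:05:00 CPF1124 Job 004211/APCLERK1/DSP01 started
1997-03-14 09:30:12 CPF2240 User DEVJONES not authorized to object PAYMAST in PRODLIB
1997-03-14 11:47:03 CPF2234 Password from device DSP07 not correct for user QSECOFR
1997-03-14 16:20:55 CPF2234 Password from device DSP01 not correct for user APCLERK1
garbled line that should be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (CPF\d{4}) (.+)$")
USER_RE = re.compile(r"\buser (\w+)", re.IGNORECASE)
# IBM-supplied profiles listed in this program whose passwords must be changed.
IBM_SUPPLIED = {"QSECOFR", "QSRV", "QSRVBAS", "QSYSOPR", "QPGMR", "QUSER"}


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, stamp in enumerate(times):
        while stamp - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, burst=3, window_minutes=5):
    """Summarise the security messages (CPF2201-CPF2299) in a log extract."""
    bad_passwords = defaultdict(list)
    authority_failures, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if not match:
            skipped += 1              # count unparsable lines, never drop them silently
            continue
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        msgid, text = match.group(2), match.group(3)
        if not 2201 <= int(msgid[3:]) <= 2299:
            continue                  # outside the security message range
        who = USER_RE.search(text)
        user = who.group(1).upper() if who else "?"
        if msgid == "CPF2234":        # incorrect password
            bad_passwords[user].append(stamp)
        elif msgid == "CPF2240":      # inadequate authority to object
            authority_failures.append((stamp, user, text))

    window = timedelta(minutes=window_minutes)
    bursts = {}
    for user, times in bad_passwords.items():
        count = max_in_window(times, window)
        if count >= burst:
            bursts[user] = count
    return {
        "bursts": bursts,
        "privileged": sorted(u for u in bad_passwords if u in IBM_SUPPLIED),
        "authority_failures": authority_failures,
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```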

K.8.3 If the system log is not used, determine if the auditing journal (QAUDJRN) is generated and reviewed. The Security Officer can monitor security by gathering audit information about specific security-related events. This can be achieved by performing the following steps:

(1) Create journal receiver:

    CRTJRNRCV JRNRCV(user-lib/user-name1) AUT(*EXCLUDE)

(2) Create journal:

    CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(user-lib/user-name1) AUT(*EXCLUDE)

(3) Change system value:

    CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *PGMFAIL ...')

The QAUDLVL values control which security-related events are logged to this journal. E&Y recommended QAUDLVL values are as follows:

- AUTFAIL - logs all access authorization failures.
- SECURITY - logs security-related activities, such as those related to object authority, user profiles, and system values.
- PGMFAIL (security level 40) - creates an authorization failure entry for each object domain, blocked instruction or program validation check failure.

K.8.4 Ensure that there are inquiry letters written by the Security Officer to the users' heads of department when significant access violations are detected by the logging facility. Also review the responses received from the users' heads of department explaining the violations.

K.8.5 Determine if a procedure is in place to provide a report to each user department identifying the respective department's responsible transactions (especially update) and the authorized users for those transactions. The reports should be provided not less than every 6 months. Verify the authorizations.

L. Physical Inventory

1. Lists of existing equipment are complete and current (including all PCs).
2. Validate equipment to the Asset list.
3. Determine procedure for disposing of equipment.
4. Leases/contracts are available and in force for hardware, including peripheral equipment, and software.

M. System Performance Monitoring

1. Are there performance standards established? If not, what are the allowable limits of:
   a. Response time
   b. Disk Capacity
2. What capacity planning is performed with new systems development?
3. Is a report provided to management depicting system performance? If yes, how frequent?

N. Preventative Maintenance (PM)

1. Ensure Preventative Maintenance agreements are available.
   a. Equipment description.
   b. Time period (Start and ending PM dates).
   c. Frequency of PM.
   d. Charge per call or per year.
2. Ensure PM is performed on contracted equipment only.