Ask the Expert: What are the First Steps for IBM i Security?


Q: Is it wrong to expect my IBM i to keep my system safe? Can't I simply rely on the built-in security IBM i has in place?

A: Can you rely on it? Yes. Can you do it simply? No. While the IBM i is one of the more secure systems, there are a spectrum of issues that need to be addressed and monitored, and being proactive is key to keeping your IBM i system safe.

If it feels overwhelming, start small.

When I work with companies , the first thing I like to do is create an environment of open sharing of information, obviously this should be a limited group or trustworthy individuals, and begin by asking questions in order to gather information. 

In the context of a Security Assessment, for example, I start by asking a bunch of questions.  And right off the bat, based on this input and information, I am able to provide solid advice that's helpful, useful, and actionable. 

In my experience, some basic information and tools can deliver an extremely high payoff.

For example,  you may have certain settings on a particular server and because they have been that way for many years it may have never dawned on you to change it. Based on the information we have gathered, as well as changing environments, I may recommend you change them.

Or perhaps you don't have any policy in place to address information security. We can absolutely recommend a good place to start. You don’t need to reinvent the wheel, you don't need to spend a fortune, there are basic things you can be doing to at least start increasing your security. Some smart first steps I recommend is taking advantage of Center for Internet Security (CIS) Controls and instituting multi-factor authentication (MFA) which can automatically reduce your risk of intrusion by over 80%.

Pay attention

The truth is that you can be proactive and still have an event. And the end result could not only involve a loss of confidence, but the loss of business and the loss of your good reputation. It may be enough for your customers to choose to do business elsewhere instead of with you. Now more than ever, we need to take cybersecurity seriously.

Beginning questions to ask yourself: 

  • What kind of information security policy does your company have in place?
  • How often is your policy reviewed and updated annually?
  • Does your policy address IBM i-specific security requirements?
  • Do you have a response and recovery plan in place? How are they managed?
  • Have you identified cyber supply chain risks?
  • Have you developed and implemented a vulnerability management plan?

Once you’ve addressed these issues, you’ll want to look at who has been assigned responsibility to manage your security and what simple protocols are protecting your security. 

  • Have user roles been defined via groups or authorization lists?
  • Who can create, maintain, and delete user profiles?
  • How and where is the adopted authority used?

Stay informed

Part of my passion for security awareness is helping the industry understand how they need to think about security. It needs to be a dedicated function. The topic is a very broad one. It's often been joked about being a mile wide and an inch deep. But security is not a one-and-done thing. The people who are involved in information security need to be vigilant about continuing education. I have a Certified Information Systems Security Professional (CISSP) certification which is an information security certification for security analysts. I recommend encouraging your team earns these credentials as well as a CISSP will assure that they have what it takes to effectively design, implement, and manage a best-in-class cybersecurity program.

Consider next-level IBM i security support

If you aren't sure about internal bandwidth or you want a stronger, more aggressive, approach outsourcing your security to cybersecurity experts can offer you the support to address your most challenging data protection problems at any stage of the security management lifecycle.

An IBM i Security Specialist can assess the effectiveness of your system's security through:

  • Evaluating your current security efforts
  • Establishing security best practices
  • Assessing vulnerability
  • Prioritizing and outlining implementation steps

Certified security companies, like Briteskies, can evaluate your IT security infrastructure and identify the best way to set up threat remediation and disaster recovery plans. We work with clients to improve their overall information security posture. Our goal is to help clients safeguard their systems from internal and external threats. We're all in this together and a more secure business makes for a safer cyberworld for all of us. 

Looking for more security information?

Visit our IBM i Security Resource Page 
Read Ask The Expert Vol. 1: How Should I Manage My Network Security
Learn More About Our Security Assessments


headshot-Robert-Nettgen-Briteskies-Security-ExpertAs an experienced IT and security professional with a broad range of business experience, Robert is a key player in our customer-centric team. With nearly 30 years of experience, he has championed information security as the forefront of every IT client’s needs. He believes that an effective security program is an “arms race” and good communication is a must at every level of an organization. Robert brings personal integrity and a personal toolset that includes attention to detail, a mindset for never-ending learning, and strong people skills.

Contact Us to get your security questions answered

Subscribe by Email

No Comments Yet

Let us know what you think