Thursday, August 24, 2017

Are Your IBM i Systems in Compliance?

Are Your IBM i Systems in Compliance?

IBM i Technical Sales Manager at Software Engineering of America (SEA)

Many customers ask us what can they do to insure their IBM i systems are in compliance before their auditors show up. Here are some ideas for pre-compliance audit checking that you can perform to get your systems in shape before an audit happens.
Check the PCI DSS standard against your system, even if you’re not covered under PCI DSS
We’ve found that reviewing the Payment Card Industry (PCI) Data Security Standard (DSS) is one of the best things you can do to prepare your systems for an audit, even if you’re not covered under PCI DSS. Why? Because even though PCI DSS is geared towards credit card processing, it’s also an excellent source of common sense security configurations for protecting any type of confidential information.
Everybody has something that needs protection on their IBM i and their network…and PCI DSS provides a good template for what type of security should be in place. If you don’t have credit cards on your system, you probably have payroll information, engineering files, or customer databases that must be protected. Evaluating your shop against relevant PCI DSS standards can help you determine where potential IBM i and network weak spots are, including the PCI DSS standards on:
  • Building and maintaining a secure network
  • Maintaining a vulnerability management program (updating anti-virus programs, securing systems and applications)
  • Implementing strong access control mechanisms
  • Regularly monitoring and testing your networks
  • Maintaining an Information Security Policy
Reviewing the PCI DSS standard is a good exercise because unlike many of the other standards, PCI DSS is much more specific in describing the goals needed to secure your network. And many PCI DSS goals can be applied towards other types of auditing.
Listen to your auditors and remember that compliance is an IBM i issue AND a network issue
Some auditors only want to audit your IBM i configurations. Other auditors need to look at both your IBM i configurations and the network infrastructure that information travels over. Check with your auditors to see which items are in scope, double-check your audit requirements checklist (if one is provided), and check previous audit reports (even if they were performed by different auditors) for audit points needing remediation.
If you find your network is considered within scope for an audit, make sure your network people are available and aware of any audit requirements they need to insure compliance. This is especially important in larger organizations where the network group and the IBM i support staff may reside in different departments or divisions.
If you’ve been sold or merged….
If your company was recently sold or merged with another division, review any audit records (requirements, reports, remediation, and follow up) that your new auditors had previously issued for your new organization. Prior documentation can help you determine what new requirements you’ll have to implement to become compliant. Old audit material can provide hints on what your auditors care about and what they focused on in the past.
Bring in an outside compliance evaluator
Several companies offer products and services that provide comprehensive evaluations of an organization’s IBM i compliance with PCI DSS, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government or industry regulations. Compliance evaluators can be a major help in maintaining compliance before, during, and after an audit.
As an example, SEA offers iSecurity Compliance Evaluator, which performs IBM i compliance checking for several common regulations. Compliance Evaluator can check your IBM i system and network activity against a common standard; report on unexpected changes in the environment; score your performance against self-defined compliance targets that you enter yourself; and send out full reports as well as non-compliance reports that only show your problem areas. Other compliance evaluation packages may offer different functions, but the idea is to pre-evaluate and report on your system using criteria provided by you and your auditor and then remediate any deficiencies the system may find before the audit occurs.
Getting ready for the audit
These are only a few ideas for preparing your systems for an audit before the auditors show up. Please feel free to contact us at SEA software for more information and advice on how to prepare for your own audit situation.

Thursday, August 17, 2017

Briefly About the Basics and History of AS/400

Briefly About the Basics and History of AS/400

AS/400 is probably a term that tons of today’s young programmers haven’t even heard about.

I often run into different site’s, different surveys, like “What’s your favorite server operation system?”. Surprisingly (formerly) OS/400 (now IBM i) is not even on these lists anymore! I remember the times when the Operating System of the AS/400 was a huge hit!
This short article is for the ones who don’t really know much about this topic, but as an open-minded professional, want to know a bit more about this old-school giant.
ibm i as/400 as400 development developer application
An Original IBM AS/400 hardware.
The operating system of the AS/400 has had different names… OS/400, or iSeries, etc… We like its original name, because “AS” stands for “Application System”. It describes well what is special in the system:
It is an Application-centric OS, NOT a processor-centric.
It is called IBM i now, but it was a long road…

The Brief History of the OS

First, there was the IBM System/38. It was a minicomputer for business and departmental use, launched in 1979.
It was a complete product line, with different architectures: System/3, System/32, System/34, System/36.
Later on IBM realized that compatibility is key for the thousands of programs written in legacy code: They released the AS/400 midrange computer line in 1988. The AS/400 was supplied with a proprietary operating system: OS/400, which enabled programs written for System/34 and 36 to be moved to the AS/400.
In 2000, the AS/400 was rebranded as the eServer iSeries.
Then in 2006, it was rebranded again as IBM System i.
2 years later, in 2008, the System i and System p product lines were combined into a new product line: IBM Power Systems.
The operating system was also rebranded from OS/400 to i5/OS and finally to IBM i.
It IS an old system. But it is STILL widely used. Mostly where data safety and stability is above everything else. It is mostly used in banks, but often in manufacturing, transportation and logistics, finance, and so on…

What is unique about AS/400?

Why is it a big deal? How is it so different from other operating systems?
Let’s look the short philosophy behind the different operation systems!
Linux: There are a lot of small devices, apps, etc. for specific tasks, and then they “link” them together to do something bigger.
Windows: Monumental target-programs (solutions) for a concrete problem. (See it mostly as a “package”).
AS/400: A stable system, with an excellent documentation and fool-proof operations. Applications are good enough alone. They are not monumental and don’t need to link them together to make something useful out of them.

The operating system itself was object-orientated already from the beginning.

What does it mean?
Everything is an object and not a file!
For example, on Linux, everything is a file, even the devices, the printers, etc.
AS400 has objects. The number of the object-types is almost 100, and the *FILE type that represents a database file of the built-in relational database is only one of them.
Few other object types:
*DTAQ: Data queue (used to queue up data entries for communicating and distributing data between different jobs).
*DIR: Directory
*LIB: Library (where everything below, except directories and stream files, is stored; libraries cannot exist within other libraries)
*PGM: Program
What kind of programming languages can you use on AS/400?
Programming languages available for the AS/400 include RPG, assembly language, C, C++, Pascal, Java, EGL, Perl, Smalltalk, COBOL, SQL, BASIC, PHP, PL/I, Python and REXX. Several CASE tools are available: CA Plex (formerly AllFusion Plex), Synon, IBM Rational Business Developer Extension, Accelerator, LANSA, Uniface and GeneXus.
And there is a complete layer called PASE to help to port anything from AIX to IBM i with minimal effort.

The topic of IBM i / AS/400 / OS/400, etc. is much deeper, we only have scratched the surface in this article.

Stay tuned for more info in the future!
Facebook | Twitter | LinkedIn



Thousands of fill already in OUR GLOBAL IBM i SURVEY!
Only 4 minutes to fill.
Click here to help the Community with your answers!


About the author:
Gabor Nagy

Senior Developer (RPG, Cobol, Java, HTML)

Gabor has 20 years of experience in building large enterprise systems on the AS400 platform (RPG, Cobol) as well as in Java/J2EE/HTML. Gabor has experience in the banking and operating lease industries. Gabor is another mastermind on our team: he can understand and solve problems extremely fast and then can deliver very high-quality code. Other developers watch him working with awe. Gabor has an MsC (Programming Mathematician).