IBM AS400 Security Procedures

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.8

K.8.3

System Logs -Cont'd If the system log is not used, determine if the auditing journal (QAUDJRN) is generated and reviewed.

The Security Officer can monitor security by gathering audit information about specific security-related events. This can be achieved by performing the following steps:

(1) Create journal receiver:

CRTJRNRCV JRNRCV(user-lib/user-name1) AUT(*EXCLUDE)

(2) Create journal:

CRTJRN JRN(QSYS/QAUDJRN) JRNRCV (user-lib/user-name1) AUT(*EXCLUDE)

(3) Change system value:

CHGSYSVAL QAUDLVL VALUES ('AUTFAIL *SECURITY *PGMFAIL ...'

The QAUDLVL values control which security-related events are logged to this journal. E&Y recommended QAUDLVL values are as follows:

? AUTFAIL - logs all access authorization failures;

? SECURITY - logs security-related activities, such as those

related to object authority, user profiles, and system values; and

? PGMFAIL (security level 40) - creates an authorization failure

entry for each object domain, blocked instruction or program validation check failure.

K.8.4

Ensure that there are inquiry letters written by the Security Officer to the users' heads of department when significant access violations are detected by the logging facility. Also review the responses received from the users' heads of department explaining the violations.

Determine if a procedure is in place to provide a report to each user department identifiying the respective department's responsible transactions (especially update) and the authorized users for those transactions. The reports should be provided not less than every 6 months. Verify the authorizations.

K.8.5

SYSTEM SECURITY

K/PROG

Page 22 of 22

40

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

L. Physical Inventory

1. Leases/contracts are available and in force for hardware, including

peripheral equipment, and software.

2. Lists of existing equipment is complete and current (including all

PCs).

3. Determine procedure for disposing of equipment.

4. Validate equipment to the Asset list.

PHYSICAL INVENTORY

L/PROG

41

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

M. System Performance Monitoring

1. Are there performance standards established?

If not, what is the allowable limits of: a. Response time b. Disk Capacity

2. What capacity planning is performed with new systems

development?

3. Is a report provided management depicting system performance?

If yes, how frequent?

SYSTEMS PERFORMANCE MONITORING

M/PROG

N. Preventative Maintenance (PM)

42

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

1. Insure Preventative Maintenance agreements are available.

a. Time period (Start and ending PM dates). b. Equipment description. c. Frequency of PM

d. Charge per call or per year.

2. Insure PM is performed on contracted equipment only.

PREVENTATIVE MAINTENANCE

43

N/PROG

Page 1 of 1