Tuesday, 31 October 2006
IBM System i hardware Will Not Protect Critical Data, says Study
IBM has architected the System i with security capabilities. The majority of Fortune 1000 companies have trusted the System i for years to house the most sensitive and critical applications used for Enterprise Resource Planning (ERP), finance, inventory, and human resources. These organisations may have been given a false sense of security by their IT auditors and staff, who are unaware of vulnerabilities.

The PowerTech Group has released its third annual review of the state of security on IBM's System i platform (also known as AS/400 or iSeries). The study is based on the results of 188 different system audits that were conducted by PowerTech over the last 12 months.

"The results of this annual study are consistent with previous years and led us to believe that the majority of AS/400s (System i) are unable to pass an IT audit and comply with government regulations," said Jon Scott, CEO of PowerTech. "This study should serve as a wake-up call for IT Executives, Administrators and Auditors to the fact that the reputable AS/400 platform is plagued with poorly written applications that do a bad job of protecting critical data."

Listed below are a few examples of the findings that should alert auditors and executives alike:
- 91% of systems don't control or audit changes to data made through PC access, a violation of COBIT standards, which should be a material weakness
- 95% of all systems have more than ten users with ALLOBJ (root) authority, a threat to data integrity and an audit deficiency
- 77% of all systems have more than 20 users with passwords the same as user name – an obvious violation of COBIT and ISO password standards

"Too often projects involving security on the System i are not given the proper priority because the system is assumed to be secure", says John Earl, PowerTech CTO. "The data in this study indicates that just like UNIX and Windows platforms, the System i can be very vulnerable."