
Each of the following detailed report scenarios describes a situation and suggests a report that gives you the information that you need.

Roles

There are four types of roles that are defined for auditing and reporting of security events in these scenarios.

Table 40. Roles for auditing and reporting

Title: Chief Security Officer
Name that is used in scenarios: Robert
Goals:
• Provide the best security solution at the least cost to the company.
• Make the computer systems secure.
• Ensure that all security audits are successfully passed.

Title: System Administrator
Name that is used in scenarios: James
Goals:
• Ensure that applications and systems he manages are always available and running smoothly.

Title: Security Auditor
Name that is used in scenarios: Christine
Goals:
• Make sure the CEO and Board trust the security and confidentiality of their systems.

Title: Application platform owner
Name that is used in scenarios: Miguel
Goals:
• Make sure the CEO and Board trust the security and confidentiality of their systems.
• Maintain a stable environment for applications that stay running 24 hours a day.

Incident investigation scenario

Which user is logging in the system between 3 AM and 4 AM on Wednesdays?

Scenario description

This scenario involves an administrator who is concerned about the number of after-hour logins. Following is the flow of an example situation:

1. Someone on Robert's staff notices that there is an abnormal number of after-hour logins between 3 AM and 4 AM.

2. Robert calls Miguel and asks him to investigate who is logging in at that time of night.

3. Miguel uses BIRT to run a report that shows all the users who logged in between 3 AM and 4 AM.

4. Miguel runs the same report after he restores previously archived events and publishes those reports to Tivoli Common Reporting so that someone on Robert's staff can look at them and determine the next steps to take.

Report to use

Parameters to use

Start date and time

01/09/12 12:00:00 AM

End date and time

03/19/12 12:00:00 AM

Number of audit events

200

Event type

AUDIT_AUTHN

Product name

All

Sort by

Timestamp

How to use the report

Scan the report from the beginning. Look for the 3:00 AM to 4:00 AM time frame for each day. Note the users and the events.
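The manual scan described above can be reproduced over exported report rows. The following is an added example, not part of the original documentation or of the product: the CSV column names, the user names and the sample rows are constructed assumptions, and only the timestamp format and the AUDIT_AUTHN event type come from the parameters above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Timestamp format used by the report parameters on this page.
TS_FORMAT = "%m/%d/%y %I:%M:%S %p"

# Constructed sample export; the column names and values are assumptions.
SAMPLE_CSV = """timestamp,user,event_type,outcome
01/11/12 03:12:45 AM,svc_backup,AUDIT_AUTHN,SUCCESS
01/11/12 03:47:02 AM,jdoe,AUDIT_AUTHN,FAILURE
01/11/12 09:05:10 AM,jdoe,AUDIT_AUTHN,SUCCESS
01/12/12 03:20:00 AM,asmith,AUDIT_AUTHN,SUCCESS
01/18/12 03:15:31 AM,svc_backup,AUDIT_AUTHN,SUCCESS
01/18/12 03:59:59 AM,jdoe,AUDIT_AUTHN,SUCCESS
01/18/12 04:00:00 AM,asmith,AUDIT_AUTHN,SUCCESS
01/18/12 03:30:00 AM,jdoe,OTHER_EVENT,SUCCESS
01/25/12 03:10:00 PM,jdoe,AUDIT_AUTHN,SUCCESS
"""


def after_hours_logins(csv_text, weekday=2, start_hour=3, end_hour=4,
                       event_type="AUDIT_AUTHN"):
    """Return [(user, event_count, distinct_days)], busiest user first."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_type"] != event_type:
            continue
        ts = datetime.strptime(row["timestamp"], TS_FORMAT)
        # weekday(): Monday is 0, so Wednesday is 2.
        # The window is half-open: 3:00:00 AM is in, 4:00:00 AM is out.
        if ts.weekday() == weekday and start_hour <= ts.hour < end_hour:
            events[row["user"]].append(ts)
    summary = [(user, len(stamps), len({s.date() for s in stamps}))
               for user, stamps in events.items()]
    return sorted(summary, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for user, count, days in after_hours_logins(SAMPLE_CSV):
        print(f"{user}: {count} login events on {days} Wednesday(s)")
```

Counting distinct days next to the event total separates an account that appears every Wednesday, such as a scheduled job, from a one-off burst of logins.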

Resource access compliance scenario

Do I have the reports that I need to pass the next audit?

Scenario description

This scenario involves running a compliance report on a monthly basis to prepare for future audits. Following is the flow of an example situation:

1. The company is required to keep records of all accesses to a sensitive application. Robert wants to make sure that this data is on hand in case he is audited.

2. Robert runs a report once a month to show all accesses to the specified application. Robert prints that report and files it away for safekeeping.

Report to use

• General Authorization Event History

Parameters to use

Start date and time

02/01/12 12:00:00 AM

End date and time

03/01/12 12:00:00 AM

Product name

IBM Security Access Manager for Web

Location

PS0760

Location class

Source

Resource name

All

Access decision

All

Authenticated type

All

Number of events to show

1000

Sort by

Timestamp

How to use the report

Scan the report to make sure that the correct data was used and file the report for future audits. Create a report for each sensitive application.

Login policy compliance scenario

How effective is the new login policy?

Scenario description

This scenario involves running a report that captures the number of locked-out accounts. Following is the flow of an example situation:

1. Robert wants to see how the new login policy is affecting users. The new login policy states that when a user attempts to log in more than three times with a password that is not valid, that account is locked out.

2. Robert asks someone on his staff to run a nightly report (each night for six months) that shows how many account lockout events occurred each night.

3. In the nightly reports that were generated during this six-month period, Robert notices that when the new login policy was enacted, there were many locked out account events. Over time, the number of locked out account events decreased. Robert assumes that the policy is effective and that users are remembering their passwords.

Report to use

• Locked Account History

Parameters to use

Start date and time (for first nightly report)

02/01/12 12:00:00 AM

End date and time (for first nightly report)

02/02/12 12:00:00 AM

Number of users

100

How to use the report

The report displays the list of accounts that were locked out in date sequence.

Server availability scenario

Scenario description

This scenario involves running a report to show the availability of a server over time. The following steps show the flow of an example situation:

1. The Security Access Manager policy server was recently installed on a new machine.

2. James wants to be sure that the policy server is up and operating as expected and runs a report to show the activity for this server.

3. James reviews the report to determine if the activity for this server is normal and operating on target.

Report to use

• Server Availability Report

Parameters to use

Begin time

04/01/12 12:00:00 AM

End time

04/02/12 12:00:00 AM

Product name

All

Product name

IBM Security Access Manager for Web

Location

PS0555

Time increment

Hourly

How to use the report

Note the heartbeat count for each hour the policy server was running to see whether the server was operating normally.
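The hourly heartbeat check can be scripted so that hours with no heartbeats at all are listed with a count of zero instead of being silently absent. The following is an added example, not part of the original documentation or of the product: the heartbeat timestamps are constructed, and the 10-minute interval and the `minimum` threshold are assumptions to replace with the values for your own server.

```python
from collections import Counter
from datetime import datetime, timedelta

# Timestamp format used by the report parameters on this page.
TS_FORMAT = "%m/%d/%y %I:%M:%S %p"


def hourly_heartbeats(heartbeats, begin, end):
    """Return [(hour_start, count)] for every hour in [begin, end), empty hours included."""
    counts = Counter(
        ts.replace(minute=0, second=0, microsecond=0)
        for ts in heartbeats
        if begin <= ts < end
    )
    hours = []
    hour = begin.replace(minute=0, second=0, microsecond=0)
    while hour < end:
        # A plain group-by would drop hours with no events; emit them as 0.
        hours.append((hour, counts.get(hour, 0)))
        hour += timedelta(hours=1)
    return hours


def quiet_hours(hourly, minimum):
    """Hours whose heartbeat count is below `minimum` (a site-chosen threshold)."""
    return [(hour, count) for hour, count in hourly if count < minimum]


def sample_heartbeats():
    """Constructed data: a heartbeat every 10 minutes (assumed interval), with
    nothing from 2 AM to 4 AM and nothing before 1:40 PM in the 1 PM hour."""
    start = datetime.strptime("04/01/12 12:00:00 AM", TS_FORMAT)
    beats = []
    for i in range(24 * 6):
        ts = start + timedelta(minutes=10 * i)
        if 2 <= ts.hour < 4 or (ts.hour == 13 and ts.minute < 40):
            continue
        beats.append(ts)
    return beats


if __name__ == "__main__":
    begin = datetime.strptime("04/01/12 12:00:00 AM", TS_FORMAT)
    end = datetime.strptime("04/02/12 12:00:00 AM", TS_FORMAT)
    hourly = hourly_heartbeats(sample_heartbeats(), begin, end)
    for hour, count in quiet_hours(hourly, minimum=6):
        print(hour.strftime(TS_FORMAT), count)
```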