Application audit on AS/400

AS/400 administration
AS/400 audit
Hello All, What is application audit and how is that done on AS/400? Can anyone help me on this?

Answer Wiki


Let me first say that unless your auditors have a clue about what an AS/400 is, this can be a royal pain in the arse. I work at a US Dept of Justice location and have to deal with application audits all the time.

A strict definition (take a look at this white paper for more information) is:

“An application audit is a specific audit of one application.”
“Application Audits can also pertain to a business process that heavily relies on various information technology systems.”

Most of the time with application audits, the auditors want to know about what security measures the application has. Depending on your AS/400 application, it may have none. Some typical legacy RPG apps had maybe menu security based on the user id. Auditors will also want to know that the system that hosts the application is secure.

The important thing to remember is that the AS/400 operating system provides lots of security – if you implement it correctly. You may want to do a Google search for “Security Best Practices” specifically for AS/400 or iSeries – there are references. NetIQ has a security package for the iSeries that came from a company called “Pentasafe” and I know they published a guide at one time.

Most of the guidelines the auditors work with are based on Windows-based systems. They may have no references to AS/400 or iSeries and you may need to find those “Best Practices” and then demonstrate that your system follows those guidelines.

Good luck.


Discuss This Question: 2  Replies

  • Gilly400
    Hi, I remember having the auditors ask me if I could change an in-house application to allow field-level security for every field in the system based on user Id (for display/non-display/change etc). The system wasn't that big or complex, but it still would have had several thousand fields in various files. I told them I could do this, but it would take me about a year full-time to accomplish and then we'd need to hire several extra people in to maintain the security settings. I also mentioned that the performance of the system would probably suffer, with every program having to look up the security values for every field for the current user before displaying a screen. Needless to say, they didn't push it any further... Always makes me wonder what sort of background or training these people have. Regards, Martin Gilbert.
  • DeepikaR
    Hi, I work with the Bsafe (now Enforcive) tool for AS400 security. The application audit involves the use of various application servers like 1. FTP server/client, 2. RMTCMD's program call and command call, 3. RMTSQL, 4. DDM, 5. Database, 6. Data Queue, 7. File transfer, 8. File server, 9. TFTP, etc. The application audit log shows the use of the above applications with details like user profile, application, sub function, action type, etc.
