Physical security

You can use the physical security checklist to plan or audit the physical security of your system.

Note: See Planning and setting up system security for a complete discussion of physical security on the IBM i product.

Here is a checklist for planning physical security of your system:

  • The system unit and console are in a secure location.
  • Backup media is protected from damage and theft.
  • Access to publicly located workstations and the console is restricted. Use the DSPOBJAUT command to see who has *CHANGE authority to the workstations. Look for AF entries in the audit journal with the object type field equal to *DEVD to find attempts to sign on at restricted workstations.
  • Sign-on for users with *ALLOBJ or *SERVICE special authority is limited to a few workstations. Check to see that the QLMTSECOFR system value is 1. Use the DSPOBJAUT command for devices to see if the QSECOFR profile has *CHANGE authority.
  • Consider the physical location for printers, tape devices, fax machines, networking equipment, etc. to ensure that they are in a secure location. Sensitive data is often printed or sent by fax. Tape, or other removable media, contains data that needs to be secured. Networking equipment should be physically secured to ensure that it cannot be disconnected and that its configuration settings cannot be changed (ports opened or closed, etc.).
  • Consider using hardware that encrypts backup media (tape encryption) and consider using encryption-capable disk hardware to encrypt the data that is written to disk drives. Encrypting data on tape protects the data if the physical media (tape) is lost or stolen. Encrypting data on disk protects the data if a disk drive fails and you lose physical control of the broken drive after it has been removed or replaced.
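
The workstation checks in the third and fourth checklist items can be run together as one CL program. This is an added example, not IBM-supplied code. The parameter &DEV and the QTEMP file names AFOUT and AFDEVD are hypothetical, and it assumes security auditing is active so that AF entries are being written to QAUDJRN.

```cl
/* Added example: audit one workstation against the checklist.       */
/* &DEV = name of the display device description to check.           */
PGM        PARM(&DEV)
  DCL        VAR(&DEV) TYPE(*CHAR) LEN(10)
  DCL        VAR(&LMT) TYPE(*CHAR) LEN(1)

  /* Checklist item: QLMTSECOFR should be 1 so that users with       */
  /* *ALLOBJ or *SERVICE are limited to specific workstations.       */
  RTVSYSVAL  SYSVAL(QLMTSECOFR) RTNVAR(&LMT)
  IF         COND(&LMT *NE '1') THEN(SNDPGMMSG +
               MSG('QLMTSECOFR is not 1: security officer sign-on +
               is not limited by workstation'))

  /* Print who has authority to the device. Review the listing for   */
  /* *CHANGE entries, including whether QSECOFR has *CHANGE.         */
  DSPOBJAUT  OBJ(&DEV) OBJTYPE(*DEVD) OUTPUT(*PRINT)

  /* Clear work files left from an earlier run in this job.          */
  DLTF       FILE(QTEMP/AFOUT)
  MONMSG     MSGID(CPF2105) /* file not found: nothing to delete */
  DLTF       FILE(QTEMP/AFDEVD)
  MONMSG     MSGID(CPF2105)

  /* Copy AF (authority failure) entries from the audit journal      */
  /* into an outfile built from the IBM model file QASYAFJ5.         */
  /* RCVRNG defaults to the current receiver only.                   */
  CRTDUPOBJ  OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
               TOLIB(QTEMP) NEWOBJ(AFOUT)
  DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF) +
               OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
               OUTFILE(QTEMP/AFOUT)

  /* Keep only failures against device descriptions: these are the   */
  /* attempts to sign on at restricted workstations.                 */
  RUNSQL     SQL('CREATE TABLE QTEMP.AFDEVD AS +
               (SELECT * FROM QTEMP.AFOUT +
               WHERE AFOTYP = ''*DEVD'') WITH DATA') +
               COMMIT(*NONE) NAMING(*SQL)

  /* Display the filtered entries for review.                        */
  RUNQRY     QRYFILE((QTEMP/AFDEVD))
ENDPGM
```

To cover an earlier period, add FROMTIME and RCVRNG values to the DSPJRN command so that detached receivers are searched as well.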