How to conduct review and Audit of IBM Message Broker and MQ
lancelotlinc
Posted: Sat Jan 26, 2013 5:46 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
I guess what he is trying to ascertain is service level objective measurement of latency between the input of MQ to the output of MQ when transactions flow through WMB. In other words, "Turnaround time of the request is not within acceptable threshold".
He is interested in being given a methodology for determining metrics.
Download this document, and follow the methodology in it to measure your application-specific timings.
http://www-01.ibm.com/support/docview.wss?uid=swg24025868
For your specific site, you must define standardized, repeatable tests in a controlled test environment. The audit checklist, which you will write yourself and cannot be downloaded from any internet site because all of the information contained in it is very detailed and specific to your application, may look a lot like this:
http://support.sas.com/rnd/emi/EbiApm92/sas92.ebiapm.unix.pdf
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
SAFraser
Posted: Sat Jan 26, 2013 6:51 am Post subject:
Shaman
Joined: 22 Oct 2003 Posts: 742 Location: Austin, Texas, USA
In our shop, "controls" refer to security standards based upon NIST (National Institute of Standards & Technology) guidelines which are published and administered by our security division. These controls deal with how access is granted and controlled, as well as how configuration changes are managed. It's an extensive list, several hundred items pertaining to operating systems, network devices, middleware & end user software. The controls catalog is used by IT to evaluate controls, and is also used by internal and external auditors to measure our compliance.
This just emphasizes the point that you and I made earlier -- his question is not framed very well!!!
lancelotlinc
Posted: Sat Jan 26, 2013 6:59 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
Other topics he wants to know about are how to measure "Turnaround time of the request is increasing with increase in request volume" and "Average Turnaround time of the platform is increasing with increase in parallel requests".
In essence, his goal is to provide a report to management that details a baseline comprehensive performance measurement so that future system changes can be delta'd against the baseline.
It seems his management is more focused on performance-related issues and not so much about if the sys admins have access to read the payload in the queues.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Vitor
Posted: Sat Jan 26, 2013 10:20 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
lancelotlinc wrote:
In essence, his goal is to provide a report to management that details a baseline comprehensive performance measurement so that future system changes can be delta'd against the baseline.
It seems his management is more focused on performance-related issues and not so much about if the sys admins have access to read the payload in the queues.
I would assert that his management are more focused on producing a "general controls review" because a) someone in the audit department asked for that and, not knowing what was meant, his PHB just passed it on or b) his PHB saw the phrase in "Management Monthly" while he was waiting for the plane to take off & thought it sounded cool.
I doubt the management in question knows what that means in terms of what they expect to be reported. I'm fairly certain the OP doesn't, hence the original request for a check list to indicate what should be reported on. Which is of course impossible because the check list is driven by the reporting requirements, not the other way round. As I think everyone has broadly agreed.
_________________
Honesty is the best policy.
Insanity is the best defence.
nshad007
Posted: Tue Feb 05, 2013 1:48 am Post subject:
Newbie
Joined: 22 Jan 2013 Posts: 6
Hi @SAFraser
Thanks for the reply.
I am looking for controls as in security and configuration management.
I am looking for a controls catalogue/checklist to evaluate controls in an MQ environment (components include MQ, MB, DataPower, ILOG).
lancelotlinc
Posted: Tue Feb 05, 2013 6:23 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
bruce2359
Posted: Tue Feb 05, 2013 6:44 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9472 Location: US: west coast, almost. Otherwise, enroute.
lancelotlinc wrote:
Your request is too broad.
Audits usually begin from the broad viewpoint of where (and if) organizational business practices meet the policies of the organization; and, beyond that, whether these policies and practices meet industry best-practices.
So, for example, let's presume that there is a policy that states: authorization to access organizational data, applications, hardware, software, shall be limited to persons or groups who require such access to fulfill their job description. The purpose of the audit would be to examine (and test) the security rules, and the facilities that implement those rules, to validate that the policy is effectively implemented and enforced.
An application-focused audit would go further, and validate that, for example, a payroll time-card results in a paycheck; and that all business policies (calculations, taxes, deductions, etc.) comply with established policy.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
SAFraser
Posted: Tue Feb 05, 2013 11:09 am Post subject:
Shaman
Joined: 22 Oct 2003 Posts: 742 Location: Austin, Texas, USA
nshad007 wrote:
Hi @SAFraser
Thanks for the reply.
I am looking for controls as in security and configuration management.
I am looking for a controls catalogue/checklist to evaluate controls in an MQ environment (components include MQ, MB, DataPower, ILOG).
I am wondering if you are an audit person or an MQ person?
Your audit person should have given you a list of controls. Controls for MQ are the same as for anything else and (in my experience) are not written specifically for MQ.
The audit person would state a control, such as:
"The organization manages accounts, including:
c. Identifying authorized users of the organization's components and specifying access privileges;"
I would substitute the term "MQ team" for "organization" and then describe how we authorize both users and applications for access to MQ.
If you are asking us for the list of these controls -- well, that is an auditor's job, to describe the controls that apply to the organization. Such controls will often be based upon external guidelines from any one of a number of security organizations.
If your management has asked you (an MQ person) to list your own controls, well that's a bad thing for them to expect! However, you should be able to describe how you secure your environment (group memberships, MCAUSER, SSL, channel authorizations, sudo, etc).
You might get better information if you could be more specific with your questions, as well as be more specific with a description of your current situation.
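SAFraser's list of the things an MQ team should be able to describe (group memberships, MCAUSER, SSL, channel authorizations) is also what an auditor can check directly from runmqsc output. The following is an added example, not code from this thread or from IBM: a Python check that parses the output of `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH` (the sample output below is constructed, with made-up channel names) and flags the server-connection channels a reviewer would ask about: a blank MCAUSER, an MCAUSER of mqm, or no SSLCIPH set.

```python
import re

# Constructed sample of runmqsc output for
# DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH
# Channel names and values are made up for this example.
SAMPLE_DISPLAY_CHANNEL = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
"""

# MQSC prints each attribute as NAME(value); a blank value shows as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text):
    """Split runmqsc DISPLAY output into one dict of attributes per channel.
    Each AMQ8414 line starts a new channel record."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            channels.append({})
        elif channels:
            for name, value in ATTR_RE.findall(line):
                channels[-1][name] = value.strip()
    return channels


def audit_svrconn(channels):
    """Return (channel, finding) pairs for settings an auditor would raise:
    blank MCAUSER (the client's asserted user ID is used), MCAUSER set to
    the mqm administrative ID, and no SSLCIPH (channel not protected by TLS)."""
    findings = []
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name = ch["CHANNEL"]
        if not ch.get("MCAUSER"):
            findings.append((name, "blank MCAUSER"))
        elif ch["MCAUSER"] == "mqm":
            findings.append((name, "MCAUSER is mqm"))
        if not ch.get("SSLCIPH"):
            findings.append((name, "no SSLCIPH"))
    return findings
```

Run it against real output by piping `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH" | runmqsc QMGR` into `parse_channels`; CHLAUTH rules, which can override MCAUSER, are a separate check and are not covered here.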
nshad007
Posted: Tue Feb 05, 2013 11:38 am Post subject:
Newbie
Joined: 22 Jan 2013 Posts: 6
lancelotlinc
Posted: Wed Feb 06, 2013 6:34 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
nshad007 wrote:
I am an audit person.
So who will be your subject matter experts on this technology, seeing as you are not an expert on the technologies you listed?
Quote:
MQ, MB, DataPower, ILOG
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
SAFraser
Posted: Wed Feb 06, 2013 12:36 pm Post subject:
Shaman
Joined: 22 Oct 2003 Posts: 742 Location: Austin, Texas, USA
nshad007 wrote:
I am an audit person.
Well, nshad007, I feel like I've written a lot in trying to be helpful. And you have written very little in reply or clarification.
The best advice I can give you is to present your controls to the middleware messaging team and ask them to respond with their operating practices relative to the controls.
bruce2359
Posted: Wed Feb 06, 2013 1:26 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9472 Location: US: west coast, almost. Otherwise, enroute.
nshad007 wrote:
I am an audit person.
I gather from your limited replies that you are not educated and trained as a professional audit person.
Search Google for 'technology auditing' and 'information system auditing.'
Here is a place to start your research: http://en.wikipedia.org/wiki/Information_technology_audit
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Wed Feb 06, 2013 3:39 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
nshad007 wrote:
Hi @SAFraser
Thanks for the reply.
I am looking for controls as in security and configuration management.
I am looking for a controls catalogue/checklist to evaluate controls in an MQ environment (components include MQ, MB, DataPower, ILOG).
We can't tell you what your security controls and management standards should be. It needs to be based on your company policy and informed recommendations of your middleware and security experts.
IBM's new MQ security Redbook is a great source of ideas and draws on all the material referenced in posts above. It covers everything that I have done in MQ security compliance audits for large organizations, although I can't send you any of the checklists because they are confidential.
See http://www.redbooks.ibm.com/abstracts/sg248069.html?Open
particularly Chapters 1-7. I was the primary author of Chapters 6-7. T-Rob Wyatt was the primary author for 1-5.
_________________
Glenn