When you do your i5/OS backups to tape media, the tapes are immediately loadable on another i5/OS system or on another system that can understand the save/restore format. Because these tapes contain all your most sensitive information, you must keep them in your firm control.

At 3:00 in the morning, when a curious operator wants to know how much everyone gets paid or wants to collect credit card information, can they simply walk the tape across the room and restore it on another system? If so, they have unfettered access to this sensitive data.

It's time to take a serious look at tape encryption. Encrypt your backup tapes, and guard the keys!

You guard the QSECOFR password right? Of course you do, and you need to be just as vigilant with your backup media. Lock the tapes up tightly, and use an off-site storage provider for today's backups and all your historical backups. Encrypt the tapes!

Tto track all Restore operations on your systems, implement Security Auditing for all *SAVRST operations. I wrote an article on Common Sense Security Auditing for System iNEWS that ProVIP members can read here [2].

What do you do with old tapes? The Initialize Tape (INZTAP) command does not erase data from the tape, it simply initializes the tape headers. Annihilate your old tapes, just as you do your old PC hard-drives! These old tapes contain the keys to your kingdom.