Mainframe Security Assessment
The objective of this service offering is to perform an assessment of current mainframe security. The assessment is to include a professional review of the current security implementation, operation and organization and is to be conducted by a skilled and qualified consultant familiar with IBM RACF, CA-Top Secret or CA-ACF2 and z/OS security. The primary deliverable of this service will be a formal security assessment report describing the findings and recommendations resulting from the assessment. This report will be presented in three sections as follows:
Executive Summary
The executive summary contains an introduction followed by a summary of the main security findings and recommendations resulting from the assessment. The executive summary presents the weighted, prioritized, and judged top findings and recommendations, based upon the detailed analysis in the following two sections.
Comprehensive Security Inventory
This section of the assessment report provides a comprehensive inventory of the current security implementation and is based upon a quantitative analysis of primary security metrics and indicators. The inventory reports such figures as the number of mainframes, LPARs and security databases, implementation parameter settings, the number of users/groups/profiles/permissions, enforcement levels, the number of users with security-bypass authority, password requirements and more. As many of the available metrics as possible will be researched, inventoried, and explained.
Areas of Security Review
This section of the assessment report provides detailed findings and recommendations pertaining to approximately twelve primary areas of security concern. While a list of presumed areas is shown below, the areas actually reviewed will vary slightly from one assessment to the next. When reporting each area of review, four topics will be documented:
- Justification for review – An explanation of why the area warrants security review.
- Priority for Concern – A ranking of security importance versus other areas of security review.
- Methodology and Approach – A brief explanation of the steps involved in reviewing the area.
- Findings and Recommendations – The findings and advice for each area of review.
The primary areas of security review include:
- Started Task Security
- Production Batch Security
- CICS Security
- DB2 Security
- z/OS Integrity
- z/OS Unix System Services (USS) Security
- z/OS (non-destructive) penetration tests
- Auditing and Logging
- Security Administration (practices, adequacy, etc.)
- Security system modifications
- Security system performance
- Scalability and potential for growth
- Timeliness and accuracy of security information
A formal security assessment report will result from analysis based upon consultant expertise, information obtained from the system being assessed, and interviews with client staff. A preliminary report will be delivered within seven (7) business days following the completion of analysis. The preliminary report will be reviewed with staff, after which any changes will be promptly incorporated and the final report delivered. The consultant(s) will then conduct a formal review of the report with client management and staff.