Eleven Steps to Make Mainframe Security Audits More Effective and Efficient

Similar documents
MANEWS Issue Number 21 the Mainframe Audit News

How to Go About Setting Mainframe Security Options

Top 12 Mainframe Security Exposures and Lessons From A Real Mainframe Break-In

What's Missing in Mainframe InfoSec: (What We Don't Know We Don't Know)"

Tutorial: Lessons From A Real Mainframe Break-In Over the Internet

New Security Options in DB2 for z/os Release 9 and 10

What s Cool About the CONNECT Command in RACF

=============================================== ===============================================

Performing a z/os Vulnerability Assessment. Part 2 - Data Analysis. Presented by Vanguard Integrity Professionals

Developing Legacy Platform Security. Philip Young, Information Security Specialist, Visa, Inc. Professional Techniques T21

Off-Line The SC Midlands Chapter of the Information Systems Audit & Control Association

Securing Mainframe File Transfers and TN3270

Is Your z/os System Secure?

MANEWS 01 ========================================== ==========================================

DATA SHEET. ez/piv CARD KEY FEATURES:

DATA SHEET VANGUARD CONFIGURATION MANAGER TM KEY FEATURES: VANGUARD TAKES THE TARGET OFF YOUR

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Performing a z/os Vulnerability Assessment. Part 3 - Remediation. Presented by Vanguard Integrity Professionals

MANEWS 04 ========================================== ==========================================

Challenges and Issues for RACF Systems

VANGUARD INTEGRITY PROFESSIONALS Page 1

How to Get Full Security from Security Software and Tape Management Software Together

Insurance Industry - PCI DSS

Performing a z/os Vulnerability Assessment. Part 1 - Data Collection. Presented by Vanguard Integrity Professionals

How Vanguard Solves. Your PCI DSS Challenges. Title. Sub-title. Peter Roberts Sr. Consultant 5/27/2016 1

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

Information Security Policy

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

ISO9001:2015 LEAD IMPLEMENTER & LEAD AUDITOR

EU General Data Protection Regulation (GDPR) Achieving compliance

PeopleSoft Finance Access and Security Audit

CA Top Secret and CA ACF2 101

VANGUARD Compliance Manager VANGUARD Policy Manager VANGUARD Security Manager VANGUARD Enforcer

Frequently Asked Question Regarding 201 CMR 17.00

POSITION DESCRIPTION

Security and Privacy Governance Program Guidelines

What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

A Security Review of MVS/RACF: Part 2 Kurt Meiser Payoff

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

The ABCs of HIPAA Security

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

SECURITY & PRIVACY DOCUMENTATION

Overview. Business value

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

WHITE PAPER. Title. Managed Services for SAS Technology

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Internal Audit Report DATA CENTER LOGICAL SECURITY

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Analyzer runs thousands of integrity checks for both RACF and z/os Security Server.

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

z/os Operating System Vulnerabilities ( )

ISACA MANILA CHAPTER CALENDAR OF ACTIVITIES

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

PROFESSIONAL SERVICES (Solution Brief)

Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins

_isms_27001_fnd_en_sample_set01_v2, Group A

Minimum Requirements For The Operation of Management System Certification Bodies

Iso Controls Checklist File Type S

Are Your Auditors and NIST Security Configuration Controls Driving You Crazy? Configuration Manager Implementation

NIST Risk Assessment for Part 11 Compliance: Evaluation of a GXP Case Study

How Secure is Your Mainframe, Really?

Keep the Door Open for Users and Closed to Hackers

EMC ControlCenter PLANNING AND INSTALLATION GUIDE VOLUME 2 (MVS AGENTS) 6.0 P/N REV A02

NOTE: This process is not to be used for Grouping/ Member Classes. Those will be covered in another White Paper.

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Tools & Techniques I: New Internal Auditor

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

zsc40 Beyond Legacy Security Paul R. Robichaux NewEra Software, Inc. Thursday, May 9th at 9:00 10:15 am Session Number - zsc40 Location Melrose

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

LOWER THE COST OF PROVIDING z/os SERVICES

Is USS the Elephant in the Room?

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

Professional Evaluation and Certification Board Frequently Asked Questions

ISACA MANILA CHAPTER CALENDAR OF ACTIVITIES

Information Lifecycle Management for Business Data. An Oracle White Paper September 2005

SECURITY AND DATA REDUNDANCY. A White Paper

CISA EXAM PREPARATION - Weekend Program

Electronic Signature Policy

COURSE BROCHURE CISA TRAINING

Training Catalog. Decker Consulting GmbH Birkenstrasse 49 CH 6343 Rotkreuz. Revision public. Authorized Training Partner

HIPAA RISK ADVISOR SAMPLE REPORT

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA Compliance and OBS Online Backup

Tim Heagarty, CISA CISSP - (859) Lexington, KY

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Effective Strategies for Managing Cybersecurity Risks

ISO LEAD AUDITOR TRAINING

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Building a Case for Mainframe Security

SERVICE DESCRIPTION ISO Lex. Certifications

Transcription:

Eleven Steps to Make Mainframe Security Audits More Effective and Efficient These are some things I ve learned about auditing IBM mainframe computers by trying a lot of approaches, some of which worked for me, and some of which didn t. I ve been the system programmer being audited and the auditor trying to conduct a good audit. As you ll see below, much of what works is based on establishing a factual basis for the findings and identifying a clear standard against which to evaluate them. Some of these steps you may already be following. None should conflict with whatever formal audit methodology you are using. Feel free to take what works for you. 1. Focus your scope by recognizing that mainframe security with z/os has two basic parts: MVS (the operating system) security and the security software. The security software is always one of: RACF, ACF2, or TopSecret. So make your focus be either MVS security or the security software. (You could make the focus be the mainframe network or an application s security or how encryption is managed, but that would be different sets of Steps, which we intend to cover in other documents.) 2. Before the audit starts (or at least by the end of the first hour), get these basic documents in hand: For MVS, names of the parmlib datasets and copies of them (get the output of the operator command D PARMLIB to get the names); For MVS, the output of the operator command D IPLINFO, to learn what release of z/os (MVS) is in effect For MVS, dataset rules from the security software covering all parmlibs, proclibs APF authorized datasets, the SMF datasets, the page files; JES spool file, JES checkpoint file, security software datasets, and all datasets whose names begin SYS1.. For RACF, output of SETR LIST and DSMON For ACF2, output of SHOW ALL For TopSecret, output of TSS MODIFY(STATUS) Policy statements, standards, and relevant baseline documents describing how options are supposed to be set, who is responsible for what, how change control functions, applicable standards and regulations, and administrative procedures Copyright 2017 Stuart C. Henderson www.stuhenderson.com Phone (301) 229-7187 Page 1

3. Verify the financial audit control objectives (reliability of numbers, compliance, protection of assets, going concern, etc.) and decide which if any will be the foundation for the IT audit. If none of these, then decide what is the foundation. The foundation should not be someone s subjective opinion, nor a standard which has not been adopted as company policy. 4. Decide what will be the standard you compare against for the audit. You want to avoid arguments over your findings that amount to your opinion against some system programmer s. 5. Understand that there is no finding unless you identify either significant risk or violation of an applicable law or standard. 6. Keep the findings fact-based. For example, Password limits are automatically set to a minimum length of five characters. is easy to prove. However, We believe that this is too short. is an opinion that will not survive a closing meeting. 7. Avoid basing findings on such vague, subjective concepts as privileges consistent with their job descriptions or necessary to do their jobs. These turn out to be meaningless. 8. If there is no standard to compare a finding against, and no one responsible for making a decision, that may be the audit finding. Consider Twelve system programmers have privileges that give them access to every dataset. How do you judge whether this is acceptable or not? If you ask the system programmers, they will tell you that they need the privileges to do their jobs. Now consider, Twelve system programmers have privileges that give them access to every dataset. We were unable to identify any formal approval for these privileges. We were unable to identify any manager responsible for approving them. We were therefore unable to determine whether these system programmers should have these privileges, since the organization has not set a standard we could compare to. The heads of several business units w ere not aware that this many people could access their applications data without approval from the business unit. We recommend that the organization implement formal approval procedures with a specific individual responsible for Copyright 2017 Stuart C. Henderson www.stuhenderson.com Phone (301) 229-7187 Page 2

the approval of such privileges and annual re-certification, based on actual need. Such a finding directly addresses the issue of IT governance. 9. Enlarge your audience whenever necessary. If you are discussing whether an application programmer should have access to his application s production data, include the business unit manager responsible for the application in the discussion. Consider including a financial auditor, or at least reference to the financial control objectives. 10. For an MVS security audit, your starting point is IBM s integrity statement for MVS that gives us their assurance that the architecture of the MVS operating system provides reliable security. You will want to address programs which have been added to MVS with privileges that permit the programs to bypass all the security on the system. Such programs are often called back doors and are commonly found on every computer platform, including Windows and UNIX. The concept of a back door is not a security problem, so long as the back door can be demonstrated to be secure. (You may have a back door to your house. Your insurance company probably expects you to keep it locked at night.) Your control objectives might be to evaluate whether system programming management has the tools available for them to know and for them to be able to demonstrate that all the back-doors to the system: Are safe Have been approved Can t be modified without formal approval, testing, and detection For each of these, you should be able to find a standard against which to compare your findings. Copyright 2017 Stuart C. Henderson www.stuhenderson.com Phone (301) 229-7187 Page 3

10 For a security software audit, whether RACF, ACF2, or TopSecret, you will want to learn basic settings from the reports in Step 2 above. These will include: Password length and content and other settings How passwords are encrypted How residual data on disk is handled How tape datasets are protected What resource classes (to protect resources such as sensitive programs, online transactions, and printouts) are active How batch job userids are handled How started task userids are handled For each of these, you should be able to find a standard against which to compare your findings. 11. Recognize that IBM mainframes with MVS and z/os now have full-fledged UNIX systems running under the control of MVS and protected by the security software. This UNIX is called USS, for UNIX System Services, and is arguably the most secure, reliable, standard, flexible, and cost-effective UNIX you will find anywhere. It supports full-fledged TCP/IP, including FTP, telnet, an httpd daemon (like Apache or IIS), and connection to the Internet. IBM prov ides excellent tools to secure this all, but these tools are often not properly implemented. This is usually a result of various organizational issues. Frequently this is a major opportunity for auditors to help make things better, but should be addressed in a separate audit. Copyright 2017 Stuart C. Henderson www.stuhenderson.com Phone (301) 229-7187 Page 4

For More Information: The Mainframe Audit News provides lots of background information, audit tips,and explanations of terms. See back issues or subscribe at: http://www.stuhenderson.com/newsletters-archive.html The RACF User News provides technical and administrative advice for IBM s mainframe security software. See back issues or subscribe at: http://www.stuhenderson.com/newsletters-archive.html The Henderson Group website offers several free, no-registration-required, white papers and webinars on mainframe audit topics. See what s available to download at: http://www.stuhenderson.com/xartstxt.htm The NIST STIGs (Security Technical Information Guides) for various types of computer, including mainframes https://web.nvd.nist.gov/view/ncp/repository Useful guidelines for knowing that your InfoSec is comprehensive (Note especially Publication 800-53): http://csrc.nist.gov/publications/pubssps.html#800-53 About the Author: Stu Henderson has worked both as a system programmer and as an auditor. As a consultant and trainer, he likes to share with others what he has learned on both sides of the fence. Copyright 2017 Stuart C. Henderson www.stuhenderson.com Phone (301) 229-7187 Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback