Batch Security Upgrade
The objective of this
project is to enact improved information security and control over the
production batch environments within the MX and FCT mainframe systems. Currently within these environments, a single
Userid with unlimited security access is assigned and
used for all production batch jobs submitted via the CA-7 scheduling
system. This project would phase out the
single Userid with its unlimited access and instead
implement many new batch Userids each having
appropriately restricted and limited access.
This upgrade would resolve exposures within these environments that the
estimated 2,000 production batch jobs currently have to accidentally or
deliberately access or damage unintended data.
This upgrade would also greatly improve the security control, auditability and accountability of production batch within
these environments.
The proposed security
upgrade would be the primary responsible of one or more consultants each with
over ten years direct experience with mainframe security and the ACF2 security
system.
The upgrade is divided into
two phases. Phase one tasks encompass
the identification, creation, and initial activation of the new batch Userids. Phase two
tasks commence once the new Userids are activated and
provide for appropriate security to be tailored and implemented for each new
batch Userid.
The specific tasks to be performed within each Phase are detailed below.
Note that the time estimates provided reflect the effort of the consultant(s)
and not the calendar days that may be needed.
PHASE 1:
1. The consultant(s) will conduct an assessment of the
current MX and FCT production batch environments to inventory and roughly group
existing batch jobs. The batch jobs
defined to the CA-7 scheduling system will be the concern. Reasonable efforts will be made to identify
and exclude from analysis any large number of obviously inactive or unused
batch jobs if this appears warranted.
Ten man-days are estimated for this task based on an estimated 2,000
existing batch jobs. As the first
project task, this estimate also includes project startup and orientation.
2. The consultant(s) will next work with MegaCorp staff and guidance to refine the batch job
groupings with the idea that a new batch Userid will
service each group. The batch jobs will be grouped primarily based upon the
perceived commonality of their required access rights and security
clearance. This will allow each new
batch Userid to develop a subset of security access
as confined and limited by the needs of the batch jobs it serves. For example, all batch jobs concerning one
business function or group might be grouped under one new Userid
to be created. 250 or less groupings and
new batch Userids are estimated.
A
formal plan for batch job groupings and Userid
assignments will be written and submitted for MegaCorp
acceptance. The plan will include
proposed UIDSTRING settings for each proposed new Userid.
The consultant(s) will follow MegaCorp guidance to
establish a proper naming convention for each proposed new batch Userid.
Fifteen
man-days of effort are estimated for creation and acceptance of this plan. The
accepted plan will be considered a major project milestone.
3. The consultant(s) will create and define the new Userids within the appropriate CA-ACF2 security system(s)
and will work with MegaCorp staff to activate the new
Userids. Five
man-days consultant effort is estimated for this task.
The new batch Userids will be initially created and activated with
unlimited security clearance. (As
noted earlier, production batch already executes with this clearance.) It is during Phase 2 tasks that access will
be monitored and security restrictions imposed. The new batch Userids will however be initially activated with usage and
submission restrictions based upon the newer “SURROGAT” security control
feature. This will be done since
SURROGAT controls over batch Userid usage and
submission are a newer capability that is already known as separately desired
for implementation throughout MegaCorp.
Activation
of the new Userids will be done via administrative
updates to JCL or to the CA-7 scheduling system that MegaCorp
staff would perform. The consultant(s)
will provide information regarding the several option paths available in this
area.
PHASE
2:
1. During this task, security access/clearance
restrictions will be phased in for the newly created and activated batch Userids. For each of
the new batch Userids, the consultant(s) will
establish daily security activity monitoring and analysis and daily refinement
of the access rights/rules pertaining to the new Userids. Through this daily methodology, security
access rights/rules and restrictions will be developed and gradually
implemented for the new batch Userids. This daily process of security analysis and
security refinement is estimated to occur for six to ten weeks by calendar.
This task will be performed via remote access to best utilize consultant
man-hours, which will be incurred on an hourly basis during this period and
only as work is performed in direct support of this project.
During most of this task, the new Userids
will remain exempt from security violation enforcement. Only once it appears that all access
rights/rules have been appropriately written to restrict each of the new Userids, the consultant(s) will advise MegaCorp
to approve the cutover of each Userid to full
security enforcement. At that time, the
consultant(s) will provide knowledge transfer to MegaCorp
staff concerning the new Userid and its access
rights/rules. When the cutover to full enforcement is made, the consultant(s)
will monitor the Userid for an additional week after
which the Userid will become a responsibility of MegaCorp security staff.
This task and the project will conclude when all of
the new Userids are active with restricted security
clearance and subject to full enforcement.
A final project wrap-up meeting with be held to ensure that project
objectives were appropriately and fully achieved. Twenty-five man-days are estimated for Phase
2 tasks.