Comprehensive Security Modernization
The objective of this proposed effort is to enact an extensive modernization of information security within XYZ Corporation (XYZ) through the utilization of consultant expertise, assistance, and security automation tools.
Services include:
1. Policy/Standards
   1. Develop an enterprise Information Security Policy
   2. Develop information security procedures and standards
   3. Establish Asset Ownership
2. Security Administration
   1. Complete a technical security assessment
   2. Address known security exposures
   3. Implement automation for security administration & cleanup
   4. Provide additional security staff training
3. Interoperability
   1. Implement security system interoperability
   2. Synchronize existing security databases
Based on our analysis of the stated objectives and needs, this proposal is organized into three primary areas of focus, each identifying multiple actions or steps (tasks) that enact security improvements. For each task, a detailed description of the security improvement is provided.
A task summary is provided showing our time estimates for each task. Also provided is a qualifications and skills summary for the two senior consultant candidates that we propose for staffing, pending XYZ consideration and review.
Proposed security improvements have been organized into three primary areas of focus: Policy and Standards improvements, Technical improvements, and Security System Interoperability improvements. Within each of these areas, several tasks that provide security improvements are identified and detailed as follows:
1 Policy and Standards
1.1 Prepare a comprehensive Information Security Policy for XYZ.
The consultant(s) will prepare and deliver a comprehensive policy regarding information security. The scope and tone of this policy will be first drafted by the consultant(s) based upon input from XYZ along with the senior experience of the consultant(s). Once first drafted, the consultant(s) will work extensively with the guidance of XYZ staff to adjust the policy scope and tone so that it fits XYZ. The time estimate provided for this task includes time for repeated discussion, review, and approval of this document.
The policy will be intended for distribution to all computer users within XYZ. Therefore, the policy will be generally high-level and will cover all computer platforms. In conjunction with creation of this policy document, the consultant(s) will help XYZ staff create a security policy awareness campaign and distribution plan. XYZ staff will be responsible for ensuring awareness and distribution of the new policy. The consultant(s) will create (write) the policy in either MS-WORD or HTML format, depending on which best supports the XYZ policy awareness and distribution plan.
The key elements of the policy will be to educate all computer users about XYZ requirements and expectations concerning:
· Computer passwords
· Information disclosure and access based on “need to know”
· Internet policy
· Virus guidelines
· Dialup/Remote computer access
· Individual accountability
1.2 Prepare a standards guide for security staff
The consultant(s) will prepare and deliver a standards guide for use by the security staff. The guide will document and convey security standards for the OS/390 platform such as:
· Administration standards for creating users and Permissions within the CA Top Secret security system
· Administration standards for maintaining the security of key mainframe applications including CICS applications, SDSF, MQ Series, DB2, etc.
· Escalation and reporting standards
1.3 Help create and initiate asset ownership
The consultant(s) will help XYZ staff devise and initiate an ownership plan for mainframe information assets. Asset ownership is a security approach and model that clarifies the person(s) responsible and accountable for information assets such as computer files (data) and computer users (userids). When ownership exists for information assets (files and userids), security improves because the security staff becomes able to identify, share and work with asset owners to best ensure appropriate security. In effect, asset ownership expands the responsibility and awareness for information security.
The consultant(s) will specifically help devise the method by which each asset owner is tracked and readily accessed and managed. The consultant(s) will help explain and advocate the requirements of a successful asset ownership plan. The consultant(s) will help ensure a feedback mechanism is incorporated so that each asset owner remains aware of security violations and breaches involving their asset.
2 Technical Tasks
2.1 Finish the information security assessment begun during February covering the OS/390 platform.
The consultant(s) will complete a full assessment of the information security within XYZ for the OS/390 platform and will deliver a written report of security findings and recommendations. An assessment and report were already begun and partially completed by the consultant during February (when working to support the NBS upgrade by XYZ). That effort revealed valuable security recommendations, but it was not fully completed due to time constraints and other priorities.
Portions of the assessment that are to be completed include:
· MVS Integrity – this will include a security analysis of System and APF libraries and will produce a list showing every userid that is able to update any system library.
· OS/390 Unix Security – this will include a security analysis for the new Unix System Services (USS) online platform that now exists, and is always active, within the OS/390 platform.
· CICS Security – this will include an analysis of CICS sign-on and transaction security and will include a CICS security performance and overhead analysis.
· OS/390 Penetration Tests – this will include a report of non-destructive attempts made by the consultant to gain unsecured access to the OS/390 platform.
2.2 Address known security issues
The consultant(s) will address the following known security issues:
· Source restrictions will be implemented for the CICS region userids. This will prevent their misuse and resolve a security exposure recently uncovered. To implement these controls, the consultant(s) will first monitor and audit these userids to determine their source usage and requirements. This analysis is required to avoid the production impact that would otherwise occur if these controls were implemented without analysis.
· Security logging improvements: Excessive numbers of security event audit and log records are being produced. This condition is causing unnecessary overhead and is negating the usefulness of the security audit files, which are full of meaningless records. The consultant(s) will resolve this condition; CICS online response times and system throughput will improve when it is addressed. Related to this, the consultant(s) will establish automatic switching and archiving of the security log files instead of the file wrap-around and data loss that currently occurs. The consultant(s) will also re-size and re-allocate the security audit files to ensure they hold three days of security activity.
· Cleanup and removal of obviously obsolete and unused security file definitions and access rights will be done. This cleanup will be performed separately from the implementation of the TASA cleanup product. While TASA will eventually identify obsolete items, the consultant(s) will first perform a general cleanup of obviously unused userids, empty Profiles, and Profiles with no connected userids. The cleanup will involve first preparing a list of items to be removed for XYZ staff review and approval. Once approved, the items will be removed.
· Security file recovery procedures will be established. The consultant(s) will create the JCL and procedures needed to ensure a rapid and accurate recovery in case of an unexpected loss of an XYZ security file.
· Security bypass privileges will be eliminated for the few userids that have these. This will include phased elimination of the NODSN, NORES, NOLCF and NOVOL bypass privileges. It will not include the NOSUB privilege. The consultant(s) will identify the access required for these userids and then remove the security bypass privilege. This will also reduce excessive logging levels.
· Security performance and tuning adjustments will be made. The cache for the security database will be tuned. Logging adjustments will be made. CICS performance-related security options will be reviewed and adjusted.
· The OS/390 Unix System Services (USS) security implementation within CA Top Secret will be reviewed and adjusted to avoid known security problems that will otherwise occur when OS/390 is upgraded. The consultant(s) will review and adjust the basic userids and access rights needed for USS to meet the initial security recommendations outlined in IBM and CA documentation.
2.3 Implement security automation to perform automatic security file cleanup and synchronization of the multiple XYZ security files
The consultant(s) will install and implement the security automation products The Automated Security Administrator (TASA) and TSXCOPY. The consultant(s) will provide full training and knowledge transfer to XYZ staff regarding these security automation products. These products must be licensed as discussed later.
TASA performs ongoing and automated security database cleanup. TASA continuously identifies unused security definitions and access rights and produces commands to remove unused security entries. TASA identifies unused Userids, Permissions, and Profile-connections. Automated security cleanup provides many benefits not detailed here, but overall, TASA will resolve the accumulation of excessive and obsolete security definitions and access rights that has occurred within the XYZ security database.
TSXCOPY is a utility used to easily copy, merge, and reproduce all or a portion of a CA-Top Secret security file. TSXCOPY allows XYZ to easily synchronize and manage its multiple, nearly identical, security files maintained on the production and test systems. TSXCOPY will allow security definitions to be easily copied between test and production. TSXCOPY will also allow XYZ staff to easily identify synchronization issues (gaps, discrepancies, conflicts, etc.) between the test and production environments and easily synchronize these environments whenever desired.
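As an added illustration of the review-before-remove cleanup in 2.2 and the unused-item categories TASA targets above, the following Python sketch (example code, not the proposal's, TASA's or CA Top Secret's) builds a candidate list from constructed records; the record layout and the 180-day inactivity threshold are assumptions.

```python
"""Hypothetical cleanup-candidate report. Records are constructed; real
security-file layouts are not modelled. Nothing is removed: the output is a
review list for staff approval, as the proposal requires."""
from datetime import date

# Constructed sample data (not taken from any real security file).
AS_OF = date(2024, 6, 1)                  # date the report is run
USERIDS = {                               # userid -> last use (None = never used)
    "APPUSR1": date(2024, 5, 2),
    "OLDBAT9": date(2021, 1, 15),
    "TEMPQA3": None,
    "DBAADM": date(2024, 5, 30),
}
PROFILES = {                              # profile -> permissions it carries
    "PAYROLL": {"PAY.MASTER", "PAY.HIST"},
    "LEGACYP": set(),                     # empty profile: grants nothing
    "DBATOOL": {"DB2.ADMIN"},
}
CONNECTIONS = {                           # userid -> profiles connected to it
    "APPUSR1": {"PAYROLL"},
    "OLDBAT9": {"PAYROLL"},
    "DBAADM": set(),
}


def cleanup_candidates(userids, profiles, connections, today, unused_days=180):
    """Return review lists for the three categories the proposal names."""
    unused_userids = sorted(
        u for u, last in userids.items()
        if last is None or (today - last).days > unused_days
    )
    connected = set().union(*connections.values())   # profiles with any userid
    return {
        "unused_userids": unused_userids,
        "empty_profiles": sorted(p for p, perms in profiles.items() if not perms),
        "unconnected_profiles": sorted(p for p in profiles if p not in connected),
    }


def review_report(candidates):
    """Flatten the candidate lists into lines for XYZ staff review."""
    lines = []
    for category, items in candidates.items():
        for item in items:
            lines.append(f"{category:22} {item}  [pending approval]")
    return lines


if __name__ == "__main__":
    print("\n".join(review_report(
        cleanup_candidates(USERIDS, PROFILES, CONNECTIONS, AS_OF))))
```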
2.4 Provide training and knowledge-transfer to the security staff regarding the CA Top Secret security system and OS/390 platform security
The consultant(s) will provide knowledge transfer and education to XYZ staff regarding information and mainframe security. The consultant will provide:
· Knowledge transfer concerning improved security practices including security administration and reporting.
· Knowledge transfer on Top Secret product techniques, options, and problem solving.
· Knowledge transfer on developing improved security guidelines and policies.
3 Security System Interoperability
3.1 Establish security system networking and password-synchronization between the test and production environments.
The consultant(s) will configure and activate the Command Propagation Facility (CPF) feature of CA Top Secret. This widely used and stable feature will establish network communication and interoperability between the security systems running on the production and test environments of XYZ. Configuration and activation of this networking feature will allow end-user password changes made on either environment to be automatically propagated and synchronized. Security staff can also use this feature to administer each environment from the other.
Configuration and activation of this feature by the consultant(s) will include:
· Configuration of the CA90s software, specifically including activation of the Common Communications Interface (CAI-CCI) component and NODE definitions.
· Configuration of the TSS startup options including the TSS control options: CPF, CPFRCVUND and CPFNODE.
· Configuration of the TSS JCL procedure and related setup of the CPF journal files and CPF recovery file.
3.2 Synchronize the XYZ Production and Test security files
· The consultant(s) will identify all of the synchronization gaps that exist between these two environments and present this list to XYZ staff for review.
· To the extent desired by XYZ staff, the consultant will synchronize these security files.
· The consultant(s) will create a procedure (batch job and instructions) whereby these two security files can be synchronized whenever wanted.
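The gap analysis and review step described in 3.2, as an added example that is not the proposal's, TSXCOPY's or CA Top Secret's code: both security files are modelled here as constructed userid-to-profile mappings, which is an assumption, and conflicting entries are deliberately left for staff decision rather than changed automatically.

```python
"""Hypothetical test/production security-file comparison. Each file is
modelled as userid -> set of connected profile names; the real file layout
is not modelled. Output is a review list plus an additive sync plan."""

# Constructed sample definitions (not taken from any real security file).
PRODUCTION = {
    "APPUSR1": {"PAYROLL", "REPORTS"},
    "BATCH01": {"PAYROLL", "HISTORY"},
    "DBAADM": {"DBATOOL"},
    "ONLYPRD": {"REPORTS"},
}
TEST = {
    "APPUSR1": {"PAYROLL"},            # lacks REPORTS: test lags production
    "BATCH01": {"PAYROLL", "ADHOC"},   # each side has something the other lacks
    "DBAADM": {"DBATOOL", "NEWTOOL"},  # extra NEWTOOL: test is ahead
    "QAUSER7": {"REPORTS"},            # defined only in test
}


def compare(prod, test):
    """Classify every userid as in_sync, gap_in_test, gap_in_prod,
    discrepancy (one side is a strict superset) or conflict."""
    classes = {}
    for uid in sorted(set(prod) | set(test)):
        if uid not in test:
            classes[uid] = "gap_in_test"
        elif uid not in prod:
            classes[uid] = "gap_in_prod"
        elif prod[uid] == test[uid]:
            classes[uid] = "in_sync"
        elif prod[uid] > test[uid] or test[uid] > prod[uid]:
            classes[uid] = "discrepancy"   # purely additive fix on one side
        else:
            classes[uid] = "conflict"      # needs a staff decision, not automation
    return classes


def additions_to_match_production(prod, test, classes):
    """Profiles to add on test so it matches production. Conflicts are
    skipped, and removals on test are never generated automatically."""
    plan = {}
    for uid, cls in classes.items():
        if cls in ("gap_in_test", "discrepancy"):
            missing = prod.get(uid, set()) - test.get(uid, set())
            if missing:
                plan[uid] = sorted(missing)
    return plan


if __name__ == "__main__":
    classes = compare(PRODUCTION, TEST)
    for uid, cls in classes.items():
        print(f"{uid:8} {cls}")
    print("additions on test:", additions_to_match_production(PRODUCTION, TEST, classes))
```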