S/390 Security Assessment Service
The objective of this service offering is to perform an assessment of current mainframe security through the utilization of consultant expertise and tools. This environment is secured by the CA-Top Secret and IBM RACF security systems. The assessment is to include a professional review of the current security implementation, operation and organization and is to be conducted by a skilled and qualified consultant familiar with IBM RACF, CA-Top Secret and S/390 security. The primary deliverable of this service will be a formal security assessment report describing the findings and recommendations resulting from the assessment. This report will be presented in three sections as follows:
1.
Executive
Summary – The executive summary
contains an introduction followed by a summary of main security findings and
recommendations resulting from the assessment.
The executive summary presents weighted, prioritized, and judged top
findings and recommendations based upon detailed analysis from the following
two sections.
2.
Comprehensive
Security Inventory – This section of
the assessment report provides a comprehensive inventory of the current
security implementation and is based upon a quantitative analysis of primary
security metrics and indicators. The
inventory reports such items as logging rates, number of privileged users,
enforcement levels, number of users with security-bypass authority, password
requirements, obsolete userid counts, and so forth. Approximately 200 metrics
will be researched, inventoried, and explained for both CA-Top Secret and IBM
RACF security. A pictorial systems overview is also included.
3.
Areas of
Security Review – This section of
the assessment report provides detailed findings and recommendations pertaining
to approximately twelve primary areas of security concern. While a list of presumed areas is shown
below, the areas to be reviewed will slightly vary during each assessment. When reporting each area of review, four
topics will be documented:
1.
Justification
for review – An explanation of why the area warrants security review.
2.
Priority for
Concern – A ranking of security importance versus other areas of security
review.
3.
Methodology and
Approach – A brief explanation of the steps involved in reviewing the area.
4.
Findings and
Recommendation – The findings and advice
for each area of review
The primary areas of security review include:
a)
Started Task
Security
b)
Production Batch
Security
c)
CICS security
d)
DB2 security
e)
MVS integrity
f)
S/390 Unix
System Services (USS) security
g)
S/390
(non-destructive) penetration tests
h)
Auditing and
Logging
i)
Security
Administration (practices, adequacy, etc.)
j)
Security system
modifications
k)
Security system performance
l)
Scalability and
potential for growth
m) Timeliness and accuracy of security information
A formal security assessment report will result from
analysis based upon consultant expertise and tools. A preliminary report will
be delivered within seven (7) business days following the completion of
analysis. The preliminary report will be reviewed with staff; after which any
changes will be promptly incorporated and the final report delivered. The consultant(s) will conduct a professional
review of the current security implementation, operation and organization
including CA-Top Secret, IBM RACF and
S/390 security. The consultant(s) will possess over ten (10) years
experience with large-scale (IBM mainframe) information security. The consultant(s) will be further
advantaged through the utilization of the following security automation
tools/products:
1. TSXCOPY™ – This product is used to assess the level of synchronization between multiple security databases and estimate the effort involved with security database consolidation and merger.
2. Access Evaluator (RSRCACC) – This is a software program used to evaluate “MVS integrity”. Specifically, this is a single program used to identify the users who can update critical system libraries. This program does require APF-authority to execute. This program is generally executed only once per environment, after which it is removed. Use of this program is highly recommended but is optional and can be avoided if the above analysis is unwanted.
3. The Automated Security Administrator™ (TASA) - This product performs automated security cleanup and is used to assess the timeliness and accuracy of security information and the level of obsolete unused and excessive access.
The following key assumptions have been made in preparation of this document. Changes to these assumptions will affect time estimates and pricing.
1. (n) CA-Top Secret environments and (n) IBM
RACF environment are to be assessed.
2. This service is to be begun (x) and
completed (y).
3. Throughout
this service the consultant(s) will be provided appropriate online access to
the systems within both the CA-Top Secret and RACF security environments. The user ID assigned to the consultant(s)
must have unrestricted unscoped security
AUDIT authority and the ability to execute the TSSCFILE and IRRDBU00 utilities.
4. No presumption is made about the level of
synchronization between the environments. Note however that if these systems
are highly synchronized, meaning their security information is very nearly
identical, this may favorably impact time estimates.
5. Consultant
tools/products will be included and utilized during this service without
separate cost. These tools/products are
for consultant use alone and will be consultant installed and removed during the
assessment.
6. The consultant(s) will need access and support of certain staff. Security administration staff should expect daily involvement during the assessment totaling up to two (2) hours per day. Systems programming staff familiar with the installation of the security software should expect involvement during the assessment totaling one day. Primarily, the consultant will need to interview and ask questions of this staff.
7. The consultant(s) will be provided information and documentation concerning relevant systems and applications including relevant business and technical documentation.
8. The security policies and security systems of other platforms/systems will be assessed only to the extent to which they were a primary factor in influencing the security of the IBM mainframe environment.
Note:
Product names are trademarks of their respective companies