The objective of this service offering is to provide ACORP with an overall assessment of their ACF2 security environment. The assessment is to be conducted by a skilled and qualified consultant familiar with ACF2 and OS/390 security. At the conclusion of this service, a formal report of findings and recommendations will be prepared and presented.

Detailed objectives of this service offering include:
1. Ensure the security software is properly installed and operating.
2. Determine that ACF2 features and controls have been implemented to secure system and data access paths.
3. Determine the extent to which the security implementation supports and complies with ACORP's objectives, policies, and standards (as described to the consultant).
4. Evaluate the scope of existing access authorizations to determine if they are too global or too restrictive.
5. Review and identify potential problem areas, i.e., excessive or other inappropriate access authorizations or user attributes, apparent security exposures, and improper security configuration. This will include a review of the OS/390 Unix System Services (USS) component.
6. Knowledge transfer.
7. Prepare a document of security findings and recommendations.
The consultant will review and evaluate the installation and maintenance of the security software and its suitability for the current Operating System and Program Product environment. This will include an audit of the vendor's currently published high-impact (HYPER) security product fixes.
- Determine product features used and not used
- Determine the default security controls that are in effect or disabled
- Identify system-wide options or parameters that may create security exposures, administrative problems, or production issues
- Evaluate the UID-String design and efficiency
The consultant will review security procedures and/or interview security administrators on security procedures, practices, service levels, and known problems. This information will be correlated against all project findings and used to identify areas where the objectives of ACORP are being supported or where improvements can be made.
During this task, the consultant will evaluate existing dataset and resource rules to identify excessive or inappropriate levels of security, overly restrictive access authorizations, complex or inefficient rules, and conflicting or inconsistent rules. A crosscheck of system catalog aliases against ACF2 dataset rule sets will be done. The consultant will also review the LOGONID database to identify obsolete or overlapping userids and excessive user privileges.
The consultant will review possible security problem areas, including logging/auditing rates and frequency, OS/390 Unix System Services security, excessive sign-on activity, Started-Task security, and SDSF security.
Throughout the engagement, the consultant will transfer security product and related knowledge to ACORP staff. While no formal training is foreseen, the consultant will explain and convey the basic security assessment requirements and methods. The consultant will convey information about areas where items of concern are apparent.
At the conclusion of this service offering, a formal report of findings and recommendations will be prepared and submitted. The report will be delivered within seven business days following the final day of onsite attendance by the consultant.