CA-ACF2 Secret
Security Assessment
Scope of Services
The objective of this service offering is to provide consulting expertise to perform an assessment of current IBM mainframe security within ACF_CO as secured by the CA-ACF2 security system. The assessment is based upon a professional review by a senior security consultant of the existing security architecture, operation, organization and security audit findings. A formal document will be delivered describing the findings and recommendations resulting from this security assessment. The document will provide the following deliverables:
- An executive summary containing a business-level introduction followed by a summary of the main findings and recommendations.
- A comprehensive inventory of the current implementation. This is primarily a quantitative analysis that conveys primary security metrics such as userid counts, logging rates, enforcement levels, numbers of privileged users, number of users with security-bypass authority, new password requirements, obsolete userid counts, etc. Approximately 200 metrics are researched, inventoried, and explained. A systems overview is also included.
- The findings and recommendations pertaining to approximately twelve primary areas of security concern. In each of these areas, four topics are documented: Justification for review, Priority for concern, Methodology and Approach, and Findings and Recommendation. The primary areas of study include:
  - Started Task Security
  - Production Batch Security
  - CICS security
  - DB2 security
  - S/390 Unix System Services (USS) security
  - MVS integrity
  - S/390 (non-destructive) penetration test results
  - Auditing and Logging
  - Security Administration
  - Security system modifications
  - Security system performance
  - Scalability and potential for growth
  - Timeliness and accuracy of security information
This security assessment is estimated at 10 man-days and will comprise onsite analysis and offsite report preparation. A preliminary report is to be delivered within seven (7) business days following the completion of onsite data gathering. The preliminary report will be reviewed in a meeting with ACF_CO staff, after which any changes will be promptly incorporated and the final report delivered.
Prerequisites
- Online system access must be provided to the consultant throughout the engagement.
- The sign-on ID assigned to the consultant requires security audit authority and audit privileges.
- One audit program provided by the consultant requires APF authorization to execute. The program is used during the "MVS integrity" analysis to identify which userids can update critical system libraries. This program is generally executed only once, after which it will be removed. This program is optional and can be omitted if the above analysis is unwanted.
- While onsite, the consultant will need access to and support from certain staff. One senior security administrator must be available for up to a half-day over a period of up to four days. The one systems programmer most familiar with the installation of the security software must be available for up to one half-day. The consultant will need to interview and ask questions of these staff.