Security Conversion and Consolidation


Scope of Services

The objective of this service offering is to enact a conversion and merger of the mainframe security environment acquired from BigCo into the existing XYZ Corp (XYZ) security environment.

Foremost, this migration requires conversion of BigCo security information, based on the RACF security product, into the format of the CA-ACF2 security system used throughout XYZ Corp. While initial plans were to convert this system from RACF to ACF2 format and then later merge it with the existing security environment, analysis by InfoSec suggests combining these efforts.  Two primary factors support this.  First, there is a low intersection and little overlap of userid and access right definitions between these environments. This lack of overlap invites immediate consolidation.  Second, the RACF rights must be restructured during conversion to ACF2 and again during any later merger. During conversion, restructuring could attempt to anticipate the later merger, but this would likely fall short, requiring further work on the same task later.  By combining the conversion and merger, both needs become primary and the restructuring is handled once.

The proposed methodology is to convert the RACF environment and merge it into a refreshable copy of the existing XYZ ACF2 environment.  The RACF environment would first cut over to this merged environment. Once this cutover is complete, XYZ can then optionally cut over its existing ACF2 environment onto the merged environment, at its full discretion and with or without assistance from CA. This proposed methodology and sequence are illustrated by the following diagram:

[Diagram: proposed RACF conversion and merge into a refreshed ACF2 copy, followed by the cutover sequence]

To best achieve this one-time conversion and migration, consultants will be engaged who have product and conversion expertise with both the RACF and CA-ACF2 security systems.  This effort, excepting the optional cutover of the existing XYZ ACF2 environment, is estimated at 45 man-days, or approximately 2½ to 3 calendar months.


Detailed Description of Services

This detailed proposal is based on the following key assumptions:

1. Only a minority subset of the RACF userids and access rights need to be converted

2. Primarily, only RACF userids, dataset/file rights and CICS transaction rights need to be moved

3. There is little intersection and overlap of the userids, secured dataset/file names, and secured CICS transaction names between the two environments

4. A majority of the RACF permissions to be converted are granted to individual userids or small user groupings

5. Dataset/file names and transaction names will not be renamed as part of the conversion

6. Access rights within the existing XYZ ACF2 environment will not require change

7. A test system will be available during primary hours to develop and refine the new ACF2 environment

8. Conversion and migration are to be completed this year

Based on these assumptions and upon analysis of the stated objectives and needs, this proposal is organized into four primary tasks.  For each task, a detailed description is provided.

1. Project Planning
   - Research and Discovery
   - Creation of a comprehensive project plan

2. Implementation
   - ACF2 product installation, if required
   - Copy primary XYZ environment
   - RACF data extraction
   - RACF-to-ACF2 data conversion and merge
   - RACF-to-ACF2 interfaces conversion
   - System checkout / Pre-acceptance testing

3. Acceptance
   - Acceptance testing without end-users
   - Acceptance testing with end-users
   - Actual production cutover

4. Post Acceptance
   - Onsite initial support and monitoring
   - Materials turnover
   - Project wrap-up



Detailed Description of Services

1. Project Planning

- Research & Discovery (Estimated 4 man-days)

The consultant(s) will first research, identify and enumerate the elements and milestones required by this project.  Two elements are already known and noteworthy.  First, security rights are organized using vastly different schemes in RACF versus ACF2: ACF2 rights are based on dynamic, run-time user groupings, whereas RACF rights are based on fixed user groupings known as Groups.  To perform this conversion, the consultant(s) will evaluate various conversion methods, and the key elements of the best methods will be presented for XYZ acceptance.  Second, only a very small subset of the RACF environment received from BigCo requires retention.  The consultant(s) will consider methods for identifying and extracting the required subset. The following table summarizes the number of items received versus the number estimated to be required.

Type of Security Definition                              # Received   # Estimated to be Converted / Retained
Userids                                                       1,260                 500
Datasets: # of secured files/prefixes                         3,000               1,000
Datasets: # of permissions                                    6,000               1,500
Secured resources: # of secured/registered qualifiers         2,200                 500
Secured resources: # of permissions                           6,700               1,500

- Creation of a Project Plan (Estimated 2 man-days)

The consultant(s) will create a project management document.  This document will contain a project timeline that will summarize and track project tasks, major milestones, estimated hours, assigned resources, and scheduled completion dates.  Once created, this document will be maintained throughout this project using time allowed by this estimate.

2. Implementation

- ACF2 Product Installation (Estimated 2 man-days)

If required, the consultant(s) will install a current version of the CA-ACF2 security product and CA90s software on a single test system to facilitate the RACF-to-ACF2 conversion.    

- Copy XYZ primary environment (Estimated 1 man-day)

The consultant(s) will create batch jobs to copy the primary XYZ ACF2 environment.  As the project proceeds, the batch jobs will be updated so that the copy can be refreshed, with any specific changes re-applied after each refresh.

- RACF Data Extraction (Estimated 5 man-days)

As noted earlier, a significant aspect of this conversion is that only a small subset of the RACF environment requires conversion.  In critical areas, such as the dataset and resource rules, the required subset is not easily or obviously identifiable.  The consultant(s) will develop a method so that the final conversion involves only the smallest subset of security information required, to the extent that the consultant(s) can best identify that subset.   This identification and pre-elimination of unneeded information will require a large one-time effort.  However, addressing it now avoids long-term, ongoing administration and management concern over this information.  Overall, therefore, the size of the converted subset will become a key measurable, reported upon as one gauge of the success of this project.

- RACF-to-ACF2 Security Conversion and Merge (Estimated 10 man-days)

Having earlier identified the best method for reorganizing the security rights, and having identified the subset requiring conversion, the consultant(s) will perform the data conversion from RACF-to-ACF2 format.  The consultant(s) will repeatedly refine and execute automated programs to complete this task.  The intent is to convert the existing level of security into the new environment without a noticeable change in security operation, enforcement or auditing.  To support this task, a secure password-gathering tool will need to be installed on the existing RACF environment.
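As an added illustration (not part of this proposal and not CA's or XYZ's tooling), the following Python sketch shows how the "required subset" of the Data Extraction task and the userid/qualifier overlap check behind assumption 3 could be computed from a constructed RACF extract, expanding group-based permits to the retained individual userids as the conversion must. The record shapes, userids, profiles and ACF2 rule keys are all constructed assumptions, not real product formats.

```python
from collections import defaultdict

# Constructed stand-in for the BigCo RACF extract (not a real RACF unload
# format): userid -> fixed RACF group memberships.
RACF_USERS = {"BIGC01": {"PAYROLL"},
              "BIGC02": {"PAYROLL", "GL"},
              "BIGC03": set(),              # retained, but holds no permits
              "BIGC99": {"DEVOPS"}}         # not retained
# (dataset profile, grantee, access) where the grantee is a userid or a group.
RACF_PERMITS = [("BIGC.PAY.**", "PAYROLL", "READ"),
                ("BIGC.PAY.MASTER", "BIGC02", "UPDATE"),
                ("GLEDGER.**", "GL", "READ"),
                ("BIGC.DEV.**", "DEVOPS", "ALTER"),
                ("OLD.ORPHAN.**", "OLDGRP", "READ")]
# Constructed stand-in for the existing XYZ ACF2 side: logonids, and the
# high-level qualifiers ($KEY) that already carry dataset rules.
ACF2_LOGONIDS = {"XYZ001", "XYZ002", "BIGC02"}
ACF2_RULE_KEYS = {"XYZ", "PROD", "GLEDGER"}


def required_subset(retained):
    """Permits reachable from the retained userids, directly or via a group.
    Group grants are expanded to the retained members: ACF2 has no fixed
    groups, so rights are regrouped at conversion time (assumption 4)."""
    out = defaultdict(set)                   # profile -> {(userid, access)}
    for profile, grantee, access in RACF_PERMITS:
        for user in retained:
            if grantee == user or grantee in RACF_USERS[user]:
                out[profile].add((user, access))
    return dict(out)


def overlap(retained):
    """Userids and rule keys that would collide at merge time (assumption 3)."""
    ids = set(retained) & ACF2_LOGONIDS
    hlqs = {p.split(".")[0] for p in required_subset(retained)} & ACF2_RULE_KEYS
    return {"userids": ids, "hlqs": hlqs}


def summary(retained):
    """Received vs. retained counts, the key measurable the proposal reports."""
    subset = required_subset(retained)
    return {"userids": (len(RACF_USERS), len(retained)),
            "profiles": (len({p for p, _, _ in RACF_PERMITS}), len(subset)),
            "permissions": (len(RACF_PERMITS),
                            sum(len(v) for v in subset.values()))}


if __name__ == "__main__":
    keep = {"BIGC01", "BIGC02", "BIGC03"}
    print(summary(keep))   # {'userids': (4, 3), 'profiles': (5, 3), 'permissions': (5, 4)}
    print(overlap(keep))   # {'userids': {'BIGC02'}, 'hlqs': {'GLEDGER'}}
```

Anything reported by `overlap` is a merge-time collision the consultant(s) would have to reconcile by hand before the merged environment can be trusted; the orphaned permit granted to a group with no retained member simply drops out of the converted subset.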

- RACF-to-ACF2 Interfaces (Estimated 2 man-days)

The consultant(s) will research and identify all non-standard or customized interfaces to RACF and, if required, develop a conversion for them to ACF2 format.  If needed, the consultant(s) will use advanced skills to decode and understand the existing interfaces and recode them to fit ACF2 format.

- System checkout / Pre-Acceptance testing (Estimated 3 man-days)

The consultant(s) will perform the initial checkout and verification of the converted system.  The consultant(s) will verify security operation including sign-on, batch submission, password accuracy, administration, and system performance and stability. Testing will be iterative, with the conversion refined until the system passes quality assurance. The consultant(s) will provide XYZ with a summary of the tests performed so that XYZ can evaluate the extent and scope of the consultant's initial tests.

3. Acceptance

- Acceptance testing without end-users (Estimated 3 man-days)

For this task, the consultant(s) will prepare and support the converted system for initial verification and pre-acceptance tests by XYZ security staff.  If required, this will include weekend support.  If required, the consultant(s) will provide knowledge transfer and / or informal training on the new environment to XYZ security staff.  This test is not to include end-users or production work. This task will require XYZ staff resources.  

- Acceptance testing with end-users (Estimated 3 man-days)

The consultant(s) will prepare and support the converted system for end-user testing and verification. The time estimate allows for one weekend test.  This end-user test is not to include production work.  The consultant(s) will provide onsite support, including weekends, for this task.  No end-user training is expected and therefore none has been included. This task will require XYZ staff resources.

- Production cutover (Estimated 3 man-days)

The consultant(s) will prepare and support the converted system for the final production cutover.  The estimate is for two man-days to prepare for the final cutover and one day to verify its successful production launch and activation.  If required, this will include weekend work.   XYZ staff will be required to attend the production activation.

4. Post Acceptance

- Onsite initial support and monitoring (Estimated 2 man-days)

Following the production cutover, the consultant(s) will provide close support and monitoring of the new environment. Estimated are two man-days of onsite follow-up support by the consultant(s).  This will include onsite support during normal business hours and 24-hour on-call support throughout the follow-up period.

- Materials turnover (Estimated 1 man-day)

To ensure a successful project close, the consultant(s) will organize and clean up the materials used to support the project and will then turn them over to XYZ.  A list of all materials will be provided to XYZ to represent the formal turnover.  Final knowledge transfer and / or informal training will be provided to XYZ security staff at this time if required.

- Project wrap-up (Estimated 1 man-day)

A final onsite meeting will be held with XYZ to ensure that objectives of the project were met and understood.  The consultant(s) will prepare any final documents and / or instructions related to the new environment.  Any remaining materials including all XYZ badges, equipment and documents will be returned at this meeting.