Mainframe Security Conversion

 

Summary of Services

The objective of this service offering is to convert the mainframe security system used by the ACORP Northeast organization to match the system used by the ACORP Southwest organization. This conversion is a main component of efforts to converge the ACORP mainframe security environments. Specifically, this effort requires the conversion of security information for the Northeast organization, based on the IBM RACF security system, into the format of the CA-Top Secret (TSS) security system used by the Southwest organization.

To best achieve this one-time conversion, one or more consultants will be engaged who have product and conversion expertise with both the RACF and TSS security systems. The consultant(s) will perform key tasks such as the actual conversion of existing RACF data and associated materials into TSS format, installation assistance, and some product training for security personnel. Not burdened by these tasks, ACORP is free to focus on other conversion tasks such as gathering requested information, organizing conversion schedules, training staff on use of the new security system, and on security policy improvements or revisions.

This service offering is divided into two phases, each with specific tasks, as follows:


1. Phase 1

   - Information Gathering / Research and Discovery
   - Product Installation
   - Security Data Conversion

2. Phase 2

   - Acceptance Testing without End-Users
   - Acceptance Testing with End-Users
   - Cutover to production
   - Materials turnover / Project Wrap-up


Detailed Description of Services

 

1. Phase 1

- Information Gathering / Research and Discovery (Estimated 8 man-days)

During this task, the consultant(s) will identify all items relevant to the existing and desired security environment and will collect all data requiring conversion. A dialog will be established between ACORP and an assigned conversion expert. The consultant(s) will review existing security options and interfaces for IBM and OEM products and subsystems, such as TSO (SDSF, UADS), CICS (SIT), IMS/DB2, JES, CONSOLE, APPC, ADABAS, session managers, etc. A tool will also be provided to ACORP staff to initiate secure password tracking on the RACF system. Once the tool is installed on the RACF system, passwords will be securely tracked and later transferred to the TSS security system by ACORP personnel without disclosure to or handling by the consultant(s). The following table summarizes the amounts of information requiring conversion.

 

Type of Security Definition                            Estimated # currently defined
-----------------------------------------------------  -----------------------------
Userids                                                 2,400
Access Groups / Access Profiles                           650
Datasets: # of registered secured names                 2,400
Datasets: # of permissions to users/groups             30,500
Secured resources: # of registered secured names        1,250
Secured resources: # of permissions to users/groups     8,500

 

 

- TSS Product Installation (Estimated 2 man-days)

A non-standalone, shared-use test system will be required to build and test the new security environment. The consultant(s) will assist ACORP staff in installation of a current version of the TSS security product and CA90s software on the test system to support the conversion. Note that this task is not intended to configure the new TSS security system, as this will be done later when security information is loaded. Instead, the goal of this task is to properly install the software and verify the installation. During this task, the consultant(s) and ACORP staff will identify the procedure by which the test system security software will later be cut over and implemented on the production system.

- Security Data Conversion (Estimated 15 man-days)

The consultant(s) will perform the data conversion from RACF to TSS format. The consultant(s) will repeatedly refine and execute automated programs to complete this task. The intent is to convert the existing level of security into the new environment without a noticeable change in security operation, enforcement or auditing. During this task, obvious cleanup and removal of clearly obsolete items will occur. Specifically, the consultant(s) will provide ACORP staff with lists of recommended removals for userids and permissions. During this task, the consultant(s) will research and identify all non-standard or customized interfaces to RACF and develop a conversion for them, if required, to TSS format. As warranted, the consultant(s) will re-code these interfaces to fit TSS format. The consultant(s) will perform an initial checkout and verification of the converted system. The consultant(s) will verify security operation including sign-on, batch submission, password accuracy, administration, system performance and stability. Testing will involve iterations where the conversion will be refined until the system passes quality assurance. The consultant(s) will provide ACORP with a summary of the tests performed so that ACORP can evaluate the extent and scope of the consultant(s)' initial tests. The above tasks will be performed via onsite and remote (dial-up) access to the test system.

 

2. Phase 2

 

Once Phase 1 tasks are complete, Phase 2 can commence. This phase will be performed as ACORP schedules and needs dictate. Time estimates shown below may vary substantially and are subject to machine availability and ACORP staffing requirements.

- Acceptance testing without end-users (Estimated 3 man-days)

For this task, the consultant(s) will prepare and support the converted system for initial verification and pre-acceptance tests by ACORP security staff.  If required, this will include weekend support.  This testing is not to include end-users or production work. If required, during this task, the consultant(s) will provide knowledge transfer and / or informal training on the new environment to ACORP security staff.  Training will be limited and is only for the ACORP security staff directly involved with the conversion. This task will require ACORP staff resources.  

- Acceptance testing with end-users (Estimated 4 man-days)

The consultant(s) will prepare and support the converted system for end-user testing and verification. The time estimate allows for one weekend test.  This end-user test is not to include production work.    The consultant(s) will provide onsite support including weekends for this task.  No end-user training is expected and therefore none has been included. This task will require ACORP staff resources.  

- Production cutover (Estimated 4 man-days)

The consultant(s) will prepare and support the converted system for the final production cutover.  The estimate is for two man-days to prepare for the final cutover and two man-days to verify its successful production launch and activation.  If required, this will include weekend work.   Following the production cutover, the consultant(s) will provide close support and monitoring of the new environment.  This will include onsite support during normal business hours and 24-hour on-call support throughout the follow-up period. ACORP staff will be required to attend the production activation.

- Materials turnover / Project wrap-up (Estimated 3 man-days)

To ensure a successful project close, the consultant(s) will organize and clean up the materials used to support the project and will then provide a turnover of materials to ACORP. A list of all materials will be provided. Final knowledge transfer and / or informal training will be provided to security staff at this time if required. Any remaining materials including all ACORP badges, userids, equipment and documents will be returned.