Detailed objectives of this service offering include:

Review of the implemented RACF security options
The consultant will examine the system-wide RACF options (SETROPTS). He will determine what security features are in place for each subsystem and product running on each of the client's LPARs. He will identify system-wide options or parameters that may create security exposure, administrative problems, or production issues. An evaluation of the RACF group structure design and efficiency will be made.

Policy/Standards review
The consultant will review security procedures and/or interview security administrators on security procedures, practices, service levels, and known problems. This information will be correlated against all project findings and used to identify areas where the objectives of the client are not being supported or where improvements can be made.

Security authorization review
During this task, the consultant will evaluate existing dataset and resource profiles to identify excessive or inappropriate levels of security, overly restrictive access authorizations, complex or inefficient rules, and conflicting or inconsistent rules. A crosscheck of system catalog aliases against RACF dataset profiles will be done. The consultant will also identify obsolete userids and excessive user privileges.

Potential problem areas review
The consultant will review possible security problem areas, including logging/auditing controls, Unix System Services security, Started Task security, and SDSF security.

Knowledge transfer
Throughout the engagement, the consultant will transfer security product and related knowledge to the client's staff. While no formal training is foreseen, the consultant will explain and convey the basic security assessment requirements and methods. The consultant will also convey information about areas where items of concern are apparent.

Report of findings and recommendations
At the conclusion of this service offering, a formal report of findings and recommendations will be prepared and submitted.

The report will consist of the following sections:

We have developed an automated version of this assessment using the CARLA language from the zSECURE CONSUL product. Clients who have CONSUL, or plan to install it, will benefit substantially on cost, because the automated assessment takes 3-4 times less time than the manual assessment.
