Planning the Implementation › Appointing a Security Administrator

Appointing a Security Administrator

The SA serves as the central coordinator for information security and represents a permanent staff position. The SA’s responsibility encompasses all phases of implementing CA ACF2 for z/VM (that is, initial planning, migrating to full security, and ongoing administrative activities). Most of the CA ACF2 for z/VM effort occurs early, during the planning and implementation phases (usually the first few months). After CA ACF2 for z/VM controls have been integrated into production systems, the SA must make an ongoing effort to properly enforce security measures. Ongoing administrative functions for CA ACF2 for z/VM include:

• Updating CA ACF2 for z/VM databases
• Reviewing CA ACF2 for z/VM reports
• Following up on questionable acts or possible violations (based on these reports).

These administrative functions and responsibilities can be centralized or decentralized. One way to decentralize the administrative responsibilities is to authorize people throughout the organization to fill out forms that request changes to logonid records, access rules, or other CA ACF2 for z/VM security controls. You can centralize the validation and updating function by requiring that requests be forwarded to the SA, who performs the updates.

Whether CA ACF2 for z/VM administration is centralized or decentralized (and to what degree) depends on your size, structure, and unique needs. CA ACF2 for z/VM lets you decide how administration is handled, both initially and on a continuing basis.

Planning also requires that you determine the scope of authority for various users (whether they should be allowed to update logonid records and access rules). In a decentralized environment, multiple SAs can have jurisdiction over limited groups of users, data, or resources. These limitations are imposed through CA ACF2 for z/VM scoping features. See the Administrator Guide for details.

The Security Administrator’s Workload after Implementation

The total workload of the SA after CA ACF2 for z/VM implementation depends on:

• The volume of work on the system.
• The degree of centralization or decentralization of CA ACF2 for z/VM administrative duties (for example, how many users have the SECURITY or ACCOUNT privilege).
• Centralization or decentralization of responsibilities and authorization functions.
• Site commitment to data security. This commitment is reflected in areas such as the level of CA ACF2 for z/VM rules, follow‑up actions taken on violation attempts, and whether you are using special interfaces.

Activity levels and the factors mentioned above determine the person best suited for this job. Although an SA does not have to be a programmer or computer operator, a SA should have some data processing expertise. The SA normally chairs the Implementation Team and:

• Schedules meetings with other members of the team
• Performs the majority of the coordination functions
• Is instrumental in selecting CA ACF2 for z/VM system options.

After CA ACF2 for z/VM is installed, the SA coordinates administration of the system. The SA should have a relatively autonomous position in the organization. This allows for independent and unbiased decisions and enforces site policies and rules. A low‑level position inside the data processing department is not independent. The SA’s position should not be in the EDP audit area because EDP auditors must independently audit the security system and its implementation and administration. Commitment to data security is vital to achieve a standard level of protection and security enforcement.