The primary function of the Implementation Team (IT) is to properly implement CA ACF2 for z/VM and related information security systems and procedures. This is a limited function. Most of the work occurs during the planning and implementation phases. Often, the team even disbands after CA ACF2 for z/VM has successfully been implemented and is functioning in ABORT mode. However, many sites choose to retain the team and have meetings periodically to review the system, reconsider options, and evaluate overall security measures. After CA ACF2 for z/VM is active, you will be in a better position to determine whether the IT should remain intact.
The activities of the Implementation Team include:
This team can also be useful as an ongoing Information Security Committee to assist the SA in identifying security policies and enforcing or eliminating these policies at different levels. A similar security committee might already exist at your site. It can even serve as the basis for a CA ACF2 for z/VM Implementation Team.
The Implementation Team normally consists of the SA (as chairperson) and three to eight other persons. They usually represent areas such as:
Usually the IT representative is the systems programmer responsible for installing and maintaining CA ACF2 for z/VM. This person should be familiar with VM, the VM Control Program (CP), the Conversational Monitoring System (CMS), SYSGENS, and related areas.
Someone from operations who is familiar with current naming conventions, production schedules, and normal operations maintenance.
A representative to present the user’s point of view and provide communication between the technical and nontechnical personnel.
Representatives from these groups (for example, the accounting department) might be included on the IT where user support services people are not available to represent the user’s point of view.
If database administrators (DBAs), physical security personnel, or other personnel are already active in the data security area, they can often provide valuable input on current use and future needs of data security.
A representative from the EDP audit group can help define audit concerns for internal controls and their auditability. An auditor can often suggest why you should use certain options for acceptable levels of control, accountability, and auditability.
Rather than have upper management attend all the committee meetings, the SA can represent upper management. If this arrangement is inadequate, the committee can prepare recommendations to forward for action by a higher group. This may be required if corporate security policies must be clarified or established. Either arrangement can work smoothly, as long as communication channels are open.
Copyright © 2009 CA Technologies.
All rights reserved.