The IT should have some idea of your company's data security goals and objectives before implementing CA ACF2 for z/VM. CA ACF2 for z/VM is a tool to implement security policies, automate policy enforcement, and help the company achieve its goals. If you do not define these policies, it is very difficult for the IT to choose appropriate CA ACF2 for z/VM options and proceed successfully through implementation.
Various factors influence your policies and objectives. These include, but are not limited to, the following areas. Review them for applicability to your site:
The U.S. federal government has a number of regulations that can impact data security requirements. These include the Privacy Act, Foreign Corrupt Practices Act, Securities and Exchange Commission and other agency regulations, and various other accounting and reporting requirements. There are also similar regulations in other countries, such as national privacy acts, transborder data flow regulations, and accounting and taxing regulations. Additionally, take into account any state, provincial, or other local regulations. Government regulations for government agencies are often even more encompassing.
Many legal requirements are tied to government regulations, such as requirements about controls over Electronic Fund Transfers. Others may be contractual, such as union agreements (unauthorized employee record accessibility). You may be subject to other requirements if you operate as a service bureau and have contractual agreements with customers about the confidentiality and protection of their data and programs.
Some industries share certain data, while many highly competitive industries tightly guard much of their data. In some areas, the possibility of industrial espionage can be a factor to contend with. Using access control software and personal passwords for individual identities are examples of data security.
Weigh threats from external forces (such as activist groups and competition) and internal forces (such as disgruntled employees and opportunists). Other factors that can affect these areas include: How easy is it to convert your available assets to cash using computer fraud? How many people (in collusion) would need to be involved? What are your personnel practices? For example, how are dismissals handled?
Use normal business practices (the same practices that your company uses in non‑computerized areas) in computerized environments. These include separation of function, a clear line of responsibility and authority, individual accountability, knowing what the control procedures are and that they are in place, knowing who has access to data and records and controlling this access, and various auditability information.
Almost every company or agency has some written policies already in place. Many of them do not relate to data or system security. Others are due to the factors mentioned above and can be reviewed as part of these other areas. Identify and consider all existing policies relating to data security, access control, and computer control auditability when you select CA ACF2 for z/VM options and build an overall security plan. Do not overlook future policies because they will probably be easier to implement and enforce if you consider them when designing the initial overall plan.
Sites usually want to implement data security that is transparent to users. While CA ACF2 for z/VM provides options to assist in its implementation and transition phases, these alone do not make security transparent. Normally, a site is changing from little or no data access control to significant controls. This is a big difference that cannot be totally transparent. With the proper planning, education, and phased implementation, CA ACF2 for z/VM can alleviate most problems and even create a positive, progressive attitude among users. The IT can also make organizational decisions about how to implement CA ACF2 for z/VM. These decisions include separation of function and centralization or decentralization in the administration of CA ACF2 for z/VM and related controls. The outcome may require organizational and job responsibility changes, or may minimize these changes if the selected approach is similar to the procedures that already exist at your site.
CA ACF2 for z/VM can also be a valuable aid in enforcing various corporate policies not directly related to data protection. These include items such as naming conventions for user identification. It can help enforce consistent policies throughout the corporation or agency, including different physical locations. The IT should consider these needs when selecting CA ACF2 for z/VM options and implementing its controls.
Copyright © 2009 CA Technologies.
All rights reserved.