Issues for the Auditor › Implementation Queries

Implementation Queries

Raise the following questions before and during an implementation:

• Are the data security exposures of the z/OS operating system critical applications and support personnel both evaluated and understood?
• Is the corporate data security policy or the upper management position regarding data security complete and adequate? Does the policy address all of the logical security exposures like:
  • Operating system?
  • Applications development?
  • Personnel responsibilities?
  • Password management and control?
  • Resource ownership?
  • Resource administration?
  • Delegation of responsibility?
  • Accountability?
• Is a security committee required? If it is, does it consist of members from:
  • Security administration?
  • Auditing?
  • System programming?
  • Application development?
  • General user community at large?
  • Operations?
• Is administration to be centralized or decentralized? If decentralized to what extent: divisional, departmental, or user?
• Has a general plan of attack for implementation been established and approved?
  • WARN mode first then escalation to FAIL mode?
  • WARN mode with special categories of users or groups in FAIL mode?
  • IMPL mode then FAIL mode?
  • When is CICS IMS implemented?
  • Objectives and dates established?
• How are users to be identified for batch jobs? Are JCL changes required?
• Have the procedures for access authorization changes been established including written authorization forms?
• Is there an established policy regarding data access for:
  • Application programmers and production data?
  • Operations and production data?
  • Systems and the overall maintenance of the system?
• Has a policy been established for emergency access to data?
• Has a list of critical resources been established? Do the accesses to these critical resources include stringent controls?
• Are CA Top Secret files adequately protected? Who is allowed to access them?
• Has a chart of group departmental and divisional access to resources been established allowing the auditor to easily verify scope and boundaries?
• Are the password controls adequate? Some additional auditor considerations are:
  • The minimum password length
  • Variable expiration periods by function sensitivity
  • Expiration warning message interval
  • Password violation threshold
  • Members of a restricted password list
  • Password masking
  • Who can list passwords
  • Penalties for disclosure
• Have the procedures for incident reporting been established?
  • Are the reports properly produced distributed and reviewed?
  • Are logging options for violations and auditors correct?
  • Is there an audit trail of changes to critical data components?
• Is online tracking to be used and by whom?
• What are the violation investigation procedures? Are violations acted upon immediately?
• Will a user be held accountable for their actions?
• Are any CA Top Secret exits used and if so for what purpose?
• Is the security officer reviewing batch reports daily or is online tracking being used? Are the procedures effective?
• Has a policy been established for external users through JES remote job entry stations or online dial‑up facilities?
• Have default ACIDs been established?
• Do adequate procedures exist for backing up the Security File?
• How many auditors are required at central division and department levels?
• Have all policies been communicated to and acknowledged by all appropriate personnel (like legal action considerations and end user training)?
• Are recovery procedures tested and documented?
• Is the auditory group involved in development of a proper application benchmark?