Resource/User Inventory and Exposure Analysis

This section contains the following topics:

Introduction

Objectives of the Inventory

Prioritize Users, Resources, and Facilities

Organize Users into Groups

Take Inventory of Resources

Organize Resources

Assign Access Levels to Users/Resources

Introduction

A user and resource inventory and exposure analysis is often too large to be handled all at once. Address the analysis on a user group basis, targeting implementation a group at a time. It is often helpful to solicit the support of the various user groups in doing the inventory, since each group is the best source of information on the resources required for their own needs.

CA recommends that you address the inventory in manageable segments.You can further segment the effort by z/OS facility, since the nature of the resources differs among facilities.

Note: Be aware of the different resource types used in each facility and should carefully determine appropriate controls on each resource type.

Objectives of the Inventory

The inventory and exposure analysis should answer the following questions:

Who are the users?
What are the resources? Must they be classified?
Who is responsible for the resources?
Which users are accessing which resources?
Which users must access which resources to accomplish their job function, and at which access level?
Which operations and procedures leave critical resources exposed?

Prioritize Users, Resources, and Facilities

Prioritize the facilities to be protected, the users to be defined, and the resources to be protected. This allows you to implement security for the most critical facilities, users, and resources first. As each inventory phase is completed, input the results into your Security File design and implementation strategy before continuing with the next inventory phase.

Note that inventory information is dated. Since environments change and grow quickly, you might have to reanalyze the segment if you do not quickly implement the results of your research.

Organize Users into Groups

Group the users together by corporate entity and job function. This organization might have already been accomplished for you as part of z/OS subsystem assignment, such as the standard TSO, CICS, IMS or additional facility user tables. You might also have user and group USS assignments with security assignments to consider.

Take Inventory of Resources

Use existing automated records of resources that already exist in your site, such as:

JCL libraries, VTOC listings, and SMF information for data sets and volumes
Load library directories for programs
CICS tables for CICS resources
VTAM tables for available terminals
USS file system directories
USS user, group and security designations

Organize Resources

Detail each resource or set of resources as to:

The type of resource
Who owns or is responsible for the resource
Where the resource is recorded
The purpose of the resource

CA Top Secret supports data set masking as well as full resource prefixing, so you might not have to detail each resource specifically if you can easily detail a resource group by masking or prefixing.

Assign Access Levels to Users/Resources

After you have decided which resources are candidates for protection, assign these resources to the appropriate user group at the appropriate access level. This information is specific input to resource ownership decisions and design of profiles.

Record Assignments Online

Recording your inventory results in an automated fashion, possibly using an online editor such as TSO/ISPF, might serve you in later converting this information into the required TSS commands. It saves time to record the results of your inventory in TSS command format. The results are easily revised for last‑minute adjustments and can be directly input to the batch TMP to update the CA Top Secret Security File. It is important that this inventory be carefully restricted to avoid security pilferage or tampering.