Mainframe audit

A mainframe audit is a comprehensive inspection of computer processes, security, and procedures, with recommendations for improvement.

Definition of mainframe

A mainframe computer is not easy to define. Most people associate a mainframe with a large computer, but mainframes are getting smaller all the time. The terms mainframe and enterprise server are converging. Supercomputers are generally used for their speed and complexity, while mainframes are used for storing large volumes of sensitive data. Mainframes are typically the most secure, efficient, and cost-effective computing option for organizations dealing with transactions on a large, enterprise-level scale.

Considerations

Organizations in different industries have different auditing and security requirements. Some factors affecting the organizations' requirements are: regulatory requirements and other external factors; management, objectives, and business practices; and the organizations' performance compared to the industry. This information can be obtained by conducting outside research, interviewing employees, touring the data center and observing activities, consultations with technical experts, and looking at company manuals and business plans.

Another consideration is the level of mainframe access employees have and whether password policies are in place and followed. Evidence of implementation can be obtained by requesting employee manuals, evaluating the software and user histories, and by physical observation of the environment (Gallegos, 2004).

Physical access is also an area of interest. Are cables adequately protected from damage and sniffing between the network and the data center? This can be achieved by proper routing of the cables, encryption, and a good network topology. The auditor should physically observe where the cables are routed and obtain confirmation of the security procedures. Tests of controls should be conducted to determine any additional weaknesses.

Does the mainframe have access to an adequate uninterruptible power supply? Are physical controls such as power badges for access, fire suppression devices, and locks in place to protect the data center (and the mainframe inside) from theft, manipulation or damage? Physical observation is necessary to verify that these requirements are met.

The Operating System

Security server

Application system

Evaluate whether sufficient evidence was obtained

After performing the necessary tests and procedures, determine whether the evidence obtained is sufficient to come to a conclusion and recommendation.

How is the security of the mainframe maintained?

Mainframes, despite their reliability, hold so much data that precautions need to be taken to protect the information they hold and the integrity of the system. Security is maintained with the following techniques:

To gauge the effectiveness of these internal controls, an auditor should do outside research, physically observe controls as needed, test the controls, perform substantive tests, and employ computer-assisted audit techniques when prudent.


References