 | This article contains instructions, advice, or how-to content .(September 2015) |
A mainframe audit is a comprehensive inspection of computer processes, security, and procedures,with recommendations for improvement.
| This article contains instructions, advice, or how-to content .(September 2015) |
A mainframe audit is a comprehensive inspection of computer processes, security, and procedures,with recommendations for improvement.
A mainframe computer is not easy to define. Most people associate a mainframe with a large computer, but mainframes are getting smaller all the time. The terms mainframe and enterprise server are converging. Supercomputers are generally used for their speed and complexity, while mainframes are used for storing large volumes of sensitive data. Mainframes are typically the most secure, efficient, and cost-effective computing option for organizations dealing with transactions on a large, enterprise-level scale.
Organizations in different industries have different auditing and security requirements. Some factors affecting the organizations' requirements are: regulatory requirements and other external factors; management, objectives, and business practices; and the organizations' performance compared to the industry. This information can be obtained by conducting outside research, interviewing employees, touring the data center and observing activities, consultations with technical experts, and looking at company manuals and business plans.
Another consideration is the level of mainframe access employees have and if password policies are in place and followed. Evidence of implementation can be obtained by requesting employee manuals, evaluating the software and user histories, and by physical observation of the environment. (Gallegos, 2004).
Physical access is also an area of interest. Are cables adequately protected from damage and sniffing between the Network and the Data Center? This can be achieved by proper routing of the cables, encryption, and a good network topology. Physical observation of where the cables are routed and confirmation of the security procedures should be obtained. Tests of controls should be conducted to determine any additional weaknesses.
Does the mainframe have access to an adequate uninterruptible power supply? Are physical controls such as power badges for access, fire suppression devices, and locks in place to protect the data center (and the mainframe inside) from theft, manipulation or damage? Physical observation is necessary to ensure these requirements.
After performing the necessary tests and procedures, determine whether the evidence obtained is sufficient to come to a conclusion and recommendation.
Mainframes, despite their reliability, possess so much data that precautions need to be taken to protect the information they hold and the integrity of the system. Security is maintained with the following techniques:
To gauge the effectiveness of these internal controls an auditor should do outside research, physically observe controls as needed, test the controls, perform substantive tests, and employ computer assisted audit techniques when prudent.
Software testing is the act of checking whether software satisfies expectations.
Configuration management (CM) is a management process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. The CM process is widely used by military engineering organizations to manage changes throughout the system lifecycle of complex systems, such as weapon systems, military vehicles, and information systems. Outside the military, the CM process is also used with IT service management as defined by ITIL, and with other domain models in the civil engineering and other industrial engineering segments such as roads, bridges, canals, dams, and buildings.
A cycle count is a perpetual inventory auditing procedure, where you follow a regularly repeated sequence of checks on a subset of inventory. Cycle counts contrast with traditional physical inventory in that a traditional physical inventory ceases operations at a facility while all items are counted. Cycle counts are less disruptive to daily operations, provide an ongoing measure of inventory accuracy and procedure execution, and can be tailored to focus on items with higher value, higher movement volume, or that are critical to business processes. Although some say that cycle counting should only be performed in facilities with a high degree of inventory accuracy, cycle counting is a means of achieving and sustaining high degrees of accuracy. Cycle counting can be used to identify root causes of problems in control processes and then monitor the effectiveness of the actions to eliminate the root causes. In contrast, identifying root causes of inventory errors, agreeing on actions to eliminate them to the point of perfecting control processes is virtually impossible with traditional inventory audit approaches.
White-box testing is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality. In white-box testing, an internal perspective of the system is used to design test cases. The tester chooses inputs to exercise paths through the code and determine the expected outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system–level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. Where white-box testing is design-driven, that is, driven exclusively by agreed specifications of how each component of software is required to behave, white-box test techniques can accomplish assessment for unimplemented or missing requirements.
RACF [pronounced Rack-Eff], short for Resource Access Control Facility, is an IBM software product. It is a security system that provides access control and auditing functionality for the z/OS and z/VM operating systems. RACF was introduced in 1976. Originally called RACF it was renamed to z/OS Security Server (RACF), although most mainframe folks still refer to it as RACF.
Data migration is the process of selecting, preparing, extracting, and transforming data and permanently transferring it from one computer storage system to another. Additionally, the validation of migrated data for completeness and the decommissioning of legacy data storage are considered part of the entire data migration process. Data migration is a key consideration for any system implementation, upgrade, or consolidation, and it is typically performed in such a way as to be as automated as possible, freeing up human resources from tedious tasks. Data migration occurs for a variety of reasons, including server or storage equipment replacements, maintenance or upgrades, application migration, website consolidation, disaster recovery, and data center relocation.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
A Systems Applications Products audit is an audit of a computer system from SAP to check its security and data integrity. SAP is the acronym for Systems Applications Products. It is a system that provides users with a soft real-time business application. It contains a user interface and is considered very flexible. In an SAP audit, the two main areas of concern are security and data integrity.
Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
Given organizations' increasing dependency on information technology (IT) to run their operations, business continuity planning covers the entire organization, while disaster recovery focuses on IT.
An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes.
Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.
Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.
Software security assurance is a process that helps design and implement software that protects the data and resources contained in and controlled by that software. Software is itself a resource and thus must be afforded appropriate security.
ACF2 is a commercial, discretionary access control software security system developed for the MVS, VSE and VM IBM mainframe operating systems by SKK, Inc. Barry Schrager, Eberhard Klemens, and Scott Krueger combined to develop ACF2 at London Life Insurance in London, Ontario in 1978. The "2" was added to the ACF2 name by Cambridge Systems to differentiate it from the prototype, which was developed by Schrager and Klemens at the University of Illinois—the prototype name was ACF. The "2" also helped to distinguish the product from IBM's ACF/VTAM.
Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information.
Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.
Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.
Audit technology is the use of computer technology to improve an audit. Audit technology is used by accounting firms to improve the efficiency of the external audit procedures they perform.