Mainframe Security | Compliance
Regulatory compliance is everywhere in today’s world; government regulations must be adhered to in order to stay in business. Some think these rules and regulations are all too much, but they’re in place to keep everyone as safe as possible. Mainframe compliance has many facets and should be taken seriously.
Security compliance and monitoring for the mainframe will always be a difficult task and really never ends. This should be an ongoing process enterprise-wide, but the mainframe lacks many of the solutions available to other platforms. Doing all the compliance and monitoring work simply for an audit or in response to one really isn’t doing any good and all the data within the system isn’t as safe and secure as it should be.
We’re trying to create a resource that will make true mainframe security and compliance monitoring a bit easier to achieve. These articles and resources are focused on mainframe security compliance.
An Introduction to DISA STIGs for z/OS Security Compliance
This DISA STIG briefing is at the right level for anyone looking to learn more about the STIG compliance process or simply refresh their memory on STIGs. This primer looks specifically at the DoD DISA STIGs and their relationship with mainframe security compliance. STIGs will help solidify a process to verify that your organization is following z/OS security standards.
But, keeping up with newly released STIGs, identifying vulnerabilities within your system, and issue remediation is quite a lot of work. This work is typically done manually or some of it accomplished with a homemade program, which only adds to potential problems and security compliance issues moving forward. It’s worth taking a look at this STIG introduction if you’re not overly familiar with the value and power of STIG monitoring. And if you’re not a z/OS STIG novice, you may want to check out IronSphere for z/OS to automate the STIG monitoring process. The implementation of fixes will still be done manually, but the tool even makes that part simpler by providing remediation steps to follow.
How good is your mainframe at data security? Not as good as you think.
This article provides some security risks associated with mainframes and their increasing connectivity. The risks to data security need to be taken seriously by everyone within an organization, especially compliance officers. There’s definitely more to a mainframe compliance audit now than there would have been before the internet and even just a few short years ago.
The more connected a mainframe is, the more work to secure it and potential compliance issues arise. Mainframes that are connected to web-based applications also present very real hacking and security concerns that must be addressed. This article finishes by stating, “Gaining a full and current view of one’s mainframe security, however, helps provide a clearer picture of what it should look like to satisfy regulatory requirements and keep data secure.” Creating a comprehensive plan to achieve security is extremely important; only then can software solutions be implemented.
Regulatory Compliance: How Do I Know if We’re Compliant?
Regulatory compliance has grown exponentially in the past couple decades. It hasn’t been just an option to consider it for a long while and now, the thought of compliance needs to be ever-present. Compliance and compliance documentation is big business now. “Standardized tests, documented results and quantifiable reports” are required to prove compliance. This article provides a nice set of questions to ask to ensure new installations are compliant.
Regulatory Compliance: How Do I Know if We’re Compliant? by Mark S. Hahn
Mainframe Security: Baby Steps to Compliance
Stan H. King lays out a plan to become compliant over time; making your system secure over a period of time once certain issues present themselves rather than rushing to secure everything immediately. As all of us know, security never stops- it should be thought about when adding new software or hardware to the system or when anything changes. He’s laid out four “baby steps” to take that will allow you to make sure your systems are secure and compliant before an audit.
Mainframe Security: Baby Steps to Compliance by Stan H. King
The On-Ramp to the Compliance Superhighway
Compliance and monitoring isn’t something that should simply be done once a year with an audit, but rather an ongoing process that is constantly thought about. Why? This article gives plenty of examples of what can happen to companies that don’t take mainframe security and achieving regulatory compliance seriously. It’s best to be on the proactive front regarding compliance and all security matters rather than being reactionary; it’s cheaper and more effective. Some excellent ideas are discussed here on how to go beyond the minimum requirements of compliance and implement effective mainframe security compliance management.
The On-Ramp to the Compliance Superhighway by Rana Zayed
Reduce Your Security Risk By Complying With Standards
Common sense would say organizations that don’t have policies regulating information security are more vulnerable to attack and having some sort of a breach. This article confirms this thinking; when security standards are in place and taken seriously, breaches become quite rare. It’s important to realize all threats as well; insider breaches are still on the rise and make up nearly 50% of all breaches. For full compliance and to strengthen security, all systems and software (especially z/OS mainframes because that’s typically where all the valuable data is) must be examined and worked on. This article will help with reducing threats by recognizing potential specific problems.
Reduce Your Security Risk By Complying With Standards by Barry Schrager
Compliance Options: Solvency II Compliance: The New Kid in Town
Solvency II is effectively the new-age Sarbanes-Oxley. It was created for insurance regulation in the European Union. But, now the policies are spreading to enterprise-level organizations throughout the world. Many organizations’ Governance, Risk and Compliance departments are adopting the data portion of Solvency II. This is having a trickle down affect and more and more people (and jobs) are going to be learning about and complying to it sooner rather than later. To give yourself a quick tune-up, check out this article.
Compliance Options: Anyone Up for Basketball?
Quite a fun article comparing what should happen regarding compliance with what’s actually happening in many organizations. This paradox is outlined in a hypothetical game of basketball. It emphasizes the most important thing- if departments play together to accomplish regulatory compliance, it goes a lot smoother and much more efficiently than if everyone’s doing their own thing trying to “score their own points.”
Compliance Options: Anyone Up for Basketball? by Gwen Thomas
Avoiding Compliance Nightmares
In this article, there are a few situations that highlight the need for comprehensive security and compliance and monitoring policies for every organization. Also, there’s a nice list for what mature data centers should be currently doing to keep things secure and standards that will enable fixes to unforeseeable (or more likely foreseeable) problems. There are plenty of compliance standards and procedures every organization should attain- many are outlined here.
Avoiding Compliance Nightmares by Peter G. McCullough
Best Practices: Using Security to Help Meet Changing IT Environment & Compliance Requirements
Many constant changes to the IT environment are propelled by regulatory compliance and monitoring needs, privacy concerns and audits. Achieving and maintaining strict access control to achieve compliance for the mainframe by segregation of duties and management of data is the primary focus of this article. Complying just to comply isn’t the way organizations should go about this issue. If solid policies are in place to secure the system, the data within and the access to the system, regulatory compliance and monitoring on the mainframe will come easy.
Storage & Data Management: eDiscovery – Not Just Another Challenge
Some ideas are explored here on how to prepare in the event that your organization is involved in litigation where eDiscovery is warranted. eDiscovery is essentially a one-time event that should be done only when needed; however, certain procedures can be implemented to be better prepared. Preservation (saving all records and information related to a contested matter) and production (necessity of providing the requested information in a format the other party can handle) are two challenges outside of the Electronic Discovery Reference Model that along with the need for database archiving are discussed here.
Using SMF for Cost-Effective DB2 Security, Auditing & Compliance Monitoring
This is quite a thorough article detailing both the importance of keeping your organization free of data breaches and ways to do it. It’s broken down to the following categories: background, the evolving security function, security breach costs, personal liability, DB2 on z/OS security, using DB2 SMF records as event tracking, using DB2 SMF audit trace records, thinking outside the box, log management, SEIM products supporting DB2, DB2 mainframe homegrown solutions. As you can see, there’s quite a bit covered and it really is a top-flight read.
Using SMF for Cost-Effective DB2 Security, Auditing & Compliance Monitoring by Jerry Harding, Stephen D. Rubin, & William Buriak
Compliance Options: Performance and Conformance
This is a quick article devoted to people needing to conform what they do at work to achieve compliance in some fashion. There are several ways to handle any change at work, especially one that adds more duties to your plate and expects more of you. That’s the premise here and without being technical at all, Gwen has provided the options to people in this unsettling situation and best ways to handle it while coming off looking good to your superiors.
Compliance Options: Performance and Conformance by Gwen Thomas
Compliance Options: The Data Management Body of Knowledge
The DMBOK (Data Management Body of Knowledge) published by DAMA (The Data Management Association International) is listed here with brief summaries. The “DMBOK organizes data management activities into 10 different functions.” Each of the 10 has different missions, goals and functions. The whole point of the DMBOK is to provide a uniform way of performing important data management functions that are necessary for regulatory compliance and monitoring.
Compliance Options: The Data Management Body of Knowledge by Gwen Thomas
How to Audit the Security of Your Tape Library
Data centers usually have their disk data sets protected, but this article explains why having disk data protected doesn’t necessarily mean it’s secure. The “four most basic aspects of security protection of a tape library” are listed and explained in depth. They are: standard security checks, bypassing the tape management system with EXPDT=98000, updating the tape management system and its database, protecting your tape library. By following this information, your tape library is surely going to be more secure than ever.
How to Audit the Security of Your Tape Library by Russ Witt
z/Data Perspectives: Recovery Is a Compliance Issue
It’s extremely important to focus not only on securing your production databases in a number of ways, but also backup and recovery practices to ensure regulatory compliance. This article focuses on database recovery through the eyes of COBIT (the Control OBjectives for Information and related Technology), a framework used by companies to “link IT and business goals, identify responsibilities of business and IT owners, and monitor performance, evaluating it against metrics and maturity models.” COBIT is looked at a bit further along with their objectives related to recoverability.
z/Data Perspectives: Recovery Is a Compliance Issue by Craig S. Mullins
Compliance Options: Stewards, Custodians, and Compliance
This is a quick, informal article showing some of the differences between data governance efforts and compliance and monitoring efforts. Data governance and compliance are much more similar than they are different. Regulatory compliance is more about what absolutely needs to be done while data governance efforts are more flexible and there are more options to decide the best plan for the organization. There are also some questions listed that you, as a “mainframe person,” may want to ask at any meeting devoted to the creation of a data governance plan.
Compliance Options: Stewards, Custodians, and Compliance by Gwen Thomas