Cronos Consulting

Access Control Review

Access Control Implementation Review

During the 1980s, most IBM mainframe installations implemented an access control product (RACF®, CA-ACF2® or CA-TopSecret®) to provide system and resource access control.

Each of these products can provide a high level of systems security when appropriately used and effectively administered. Over a period of a few years of operation, however, changes within the administrative and technical environment can lead to a gradual and unnoticed degradation in the level of security provided. Sometimes quite serious exposures can exist undetected for several years.

An independent review of the:

    technical implementation

    software control options used

    user privileges and controls

    critical system resource controls

    security procedures and management

can prove extremely beneficial in exposing potential loopholes that may allow unauthorised use of apparently protected business resources. This review may be carried out at the request of Security Management, Computer Operations, Internal Audit or senior management.
Each review is individually tailored to the size and nature of the installation and the length of time the software has been in use or that has elapsed since the last review was carried out. Reviewing both the technical implementation and administrative procedures is usual but not obligatory.

The time involved varies according to the depth of review required. Typically, a review requires one to three weeks, including the preparation of a detailed report.

Our typical review reports consist of:

    A non-technical management summary

    A prioritised summary of suggested work

    A detailed section which will describe:

      All tests carried out

      Explanation of any exposures detected

      Recommended corrective actions.

As an alternative to a full in-depth review, a summary review with a minimal report can be carried out in a few days; this should expose any major problems and will identify any specific areas where a more detailed review would be justified.
