Having installed an MVS access control product, most organisations naturally assume that the system and applications are safe from misuse or attack. Although this may be reasonably accurate in many installations, such faith can sometimes be misplaced.
MVS system options determine the integrity, and therefore the security, of the entire environment. These are set up locally during the system maintenance process by the systems programmers, then selected, and possibly modified, at IPL time by the operations staff.
That exposures can result is a function of the extreme flexibility and resulting complexity of MVS. The situation is further compounded by the number of third-party systems software products installed at most sites. Most often these are installed following the vendor's instructions and taking default options. The vendors rarely consider security important, other than as a challenge to be overcome, and will not give integrity concerns a passing thought. It is unlikely that the local overworked MVS technician(s) will look for the problems.
The need to review system integrity applies equally to installations whether the access control software in use is IBM's RACF, CA-ACF2 or CA-TopSecret. The differences in this respect are small (CA-ACF2 provides more protection against a small part of the risks).
A summary review of the system can normally be completed within a week and will highlight areas where relatively small corrective changes can improve the integrity of the system. Fully comprehensive reviews usually require two or three weeks to complete and should include a review of the access control system itself.
A cost-effective approach may be to carry out a series of smaller reviews, typically of one week each, over a period. Each is designed to verify the extent to which recommendations from the previous review have been carried out and then to delve a little deeper into the system controls.