Introduction
For an I.S. auditor with limited technical systems experience, attempting to get to grips with the security concepts and potential exposures of an operating system, especially one as powerful and complex as IBM's z/OS (* MVS), is a daunting task. This is often made even more frustrating by the wall of jargon which surrounds the whole computing environment. Training in this area given by technical specialists may only serve to confuse the issue even further, and dependence on the computer centre staff can compromise the independence of an audit.
This seminar has been designed and written to introduce the security and integrity concepts and facilities within MVS to an audience without a detailed technical MVS background. It specifically deals with the relevant MVS internal mechanisms in a manner intelligible to both technical and non-technical audit staff. The seminar consists of lectures, workshops and discussions presented over either four or five days. When presented as a private 'onsite' seminar, the five-day version allows for practical sessions using the client's own system. To ensure that the seminar is of value regardless of the security product in use, the specifics of the actual security product are not covered in detail in this seminar.
The seminar includes some supporting materials for the older OS/390 version of MVS in addition to z/OS for any clients still running this older system.
Public Schedule
This seminar is scheduled to be presented in London on behalf of the MIS Training Institute from time to time. Further details should be available on the MIS Europe web-site. Cronos Consulting.
Seminar Objectives
This seminar will enable you to audit or review an MVS installation for integrity and security exposures. It provides a foundation in the concepts of MVS and an understanding of its various components. The attendee will learn procedures for preparing an MVS audit program and techniques for conducting audits and reviews.
On completion of this seminar participants should be able to:
· Identify the major security and audit concerns in MVS
· Understand which areas can be secured by automated software and which must be controlled via manual and management procedures
· Determine by inspection the risk areas existing on a given system
· Describe the controls which should be implemented to ensure a trustworthy environment
· Communicate more easily and effectively with technical personnel
Seminar Structure
0. Introduction
1. MVS - an Introduction
2. MVS - Data Storage & Use
· How data is stored and managed by MVS
· Creation and execution of programs
· How work gets into MVS and is run
3. MVS - Security & Integrity features
· Data protection and Access Control Software for MVS
· Beyond simple 'Dataset' protection
· What IBM's Integrity statement says and means
· How the technology Integrity depends on works
4. MVS System Changes
5. MVS Audit Trails
6. Tools and Techniques
7. Starting an MVS Audit
8. Protection in MVS
Within each of Sections 3 through 6 it is intended that attendees will learn:
· What each system function is and what it does
· Under what circumstances it is used
· What exposures for misuse may exist
· What compensating controls exist
· How to monitor and review its use
Audience
The audience is primarily expected to be I.S. auditors who will be responsible for reviewing an MVS installation for security, integrity and reliability. The subject matter and approach will also be of value to anyone involved in Security Management, Change Control Management or Technical Support Management who does not have an MVS systems programming background.
A short introductory extract from the full seminar can be presented as a stand-alone session at Security, Audit or mainframe technical conferences etc.
Prerequisites
A general knowledge of data processing concepts and mainframe terminology, including some exposure to the use of MVS (e.g. TSO and ISPF) and JCL is assumed. No special technical or programming skills are required.
The seminar and associated attendee handouts are only available in English.
* MVS is the long-standing name generically used for IBM's flagship mainframe operating system. IBM changes the name every few years; the current correct name is z/OS™.