This page is a short introduction to the areas of MVS in which security exposures can be introduced, whether by accident or by intention. The vast majority of such exposures exist at a site solely because of the complexity of MVS and the very limited time available to the technical support staff to search for and eliminate those which appear over time. However, the possibility does exist that one of the many ‘opportunities’ might be taken advantage of to carry out some unauthorised activity.
As a starting point, all of the following areas will need to be reviewed:
- IPL options as defined in SYS1.PARMLIB and associated datasets
- Control over the IPL process
- APF libraries and control over changes to these
- The Link Pack Area (LPA) and its components
- The range of IBM and other SVCs installed and their usage
- System Catalogues and their usage
- System Procedure Libraries
- The Job-Entry Subsystem (JES)
- Control over Started Tasks (STCs)
- Other MVS Sub-Systems in use
- The Program Properties Table (PPT)
- Program execution controls in the installed Security product
- Special TSO and SDSF settings
- Controls for the Open Edition (USS, UNIX) environment
- System Exits (including I/O appendages and NSL routines)
- The system audit trails (SMF, SYSLOG, System Logger)
- Change controls, both technical and procedural, over all of the above
To be complete, all of these areas should be analysed for each LPAR in use, including any used by the technicians for systems maintenance and testing.
At a later time this list will be enhanced to provide further information on the relative importance of each area, in terms of the risk introduced and the amount of time likely to be involved in a complete analysis of each.