Integrity Assessment Services
KRI’s Integrity Assessment Services (IAS) are a key element of any information security program. Mainframe vulnerabilities can come from a variety of sources, including hardware configurations, IPL parameters, External Security Manager (ESM) configurations, and operating system programs.
An integrity assessment focuses on the health and security of the mainframe operating system. Our services help companies rapidly identify and remediate critical vulnerabilities, and help build disconnected security processes into ongoing, policy-based governance.
An assessment will answer these types of questions:
- Is patching up to date?
- Are unnecessary services running?
- Are there any zero-day vulnerabilities in your software?
We first conduct a scan of your environment using z/Assure® VAP, measuring the severity of each vulnerability using the Common Vulnerability Scoring System (CVSS) methodology. As a trusted industry system for ranking the severity of vulnerabilities, CVSS allows us to report on code gaps that we may find in your system. Our detailed reporting can help you understand and communicate mainframe risks to your internal development team or software providers for remediation. As a result, you’re empowered to proactively protect your business from emerging mainframe threats.
You can choose from three levels of consultation:
- Vulnerability Analysis Light (VAL)
- Vulnerability Analysis & Management (VAM)
- Vulnerability Management – Expert (VAM-Ex)
Until recently, z/OS installations did not have access to a tool capable of performing real-time binary code scanning. Binary code scanning software makes it possible for enterprises to scan the operating system layer of the mainframe to identify Severe Security Code Vulnerabilities™ (SSCVs). Find out more in our FAQ. Scans performed by Key Resources, Inc. using the z/Assure® Vulnerability Analysis Program (VAP) validate that the vast majority of mainframes have SSCVs running on their production systems. The vulnerabilities may exist in operating system, vendor or internally written code.