A PCI audit that included a mainframe vulnerability scan using KRI’s z/Assure® VAP found a number of zero-day vulnerabilities in the operating system layer (SVCs and PC routines). The Executive Audit Committee of the Group reviewed the audit results and noted the following:
- Requirement: third-party software, internally written exits, and privileged programs, if coded improperly, can be exploited to bypass the External Security Manager (in this case RACF). The vulnerability management policy and program should be updated to include the mainframe, citing PCI Requirement 5: Protect all systems against malware and regularly update antivirus software or programs.
- The current mainframe quality assurance and test systems have stringent performance and downtime requirements, which limit when and how fixes can be tested.
- Consensus on risk mitigation strategies, and buy-in from the mainframe operations team, still had to be built.
- A way was needed to test vendor remediation in a timely manner and incorporate that testing into the vulnerability management program.
Read the study to learn how the Group is using the vulnerability reporting process. Each code vulnerability found on the system has a Vulnerability Detail Report associated with it. The report collects all of the information the vendor or code owner needs to reproduce, test, and fix the errant code in a timely manner.
The Group’s current vulnerability remediation process is being reworked to include more extensive system testing. Retesting is a vulnerability management step that most companies overlook. Rerunning z/Assure VAP after a fix helps verify that the patch has been applied correctly, that the vulnerability has actually been closed, and that no new coding vulnerabilities have been introduced.